sig_cloud
/
sig-cloud-instance-images
mirror of https://github.com/rocky-linux/sig-cloud-instance-images.git
5
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

deploy: 9faa504140

This commit is contained in:
NeilHanlon 2022-08-30 13:15:33 +00:00
parent 778ee185e9
commit a36f09b9e4
2 changed files with 245 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
index.html
View File

@ -51,7 +51,7 @@
}
a.toggle-more-links { cursor: pointer; }
</style>
<title>docker.io/rockylinux/rockylinux:8 (rocky 8.6) - Trivy Report - 2022-08-29 13:14:10.374556942 +0000 UTC m=+1.546012454 </title>
<title>docker.io/rockylinux/rockylinux:8 (rocky 8.6) - Trivy Report - 2022-08-30 13:15:32.273291924 +0000 UTC m=+1.568723264 </title>
<script>
window.onload = function() {
document.querySelectorAll('td.links').forEach(function(linkCell) {
@ -81,7 +81,7 @@
</script>
</head>
<body>
<h1>docker.io/rockylinux/rockylinux:8 (rocky 8.6) - Trivy Report - 2022-08-29 13:14:10.374608242 +0000 UTC m=+1.546063654</h1>
<h1>docker.io/rockylinux/rockylinux:8 (rocky 8.6) - Trivy Report - 2022-08-30 13:15:32.273331124 +0000 UTC m=+1.568762564</h1>
<table>
<tr class="group-header"><th colspan="6">rocky</th></tr>
<tr class="sub-header">
@ -92,6 +92,96 @@
<th>Fixed Version</th>
<th>Links</th>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">curl</td>
<td>CVE-2022-32206</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">7.61.1-22.el8_6.3</td>
<td>7.61.1-22.el8_6.4</td>
<td class="links" data-more-links="off">
<a href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json">https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json</a>
<a href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json">https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json</a>
<a href="https://access.redhat.com/security/cve/CVE-2022-32206">https://access.redhat.com/security/cve/CVE-2022-32206</a>
<a href="https://curl.se/docs/CVE-2022-32206.html">https://curl.se/docs/CVE-2022-32206.html</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206</a>
<a href="https://hackerone.com/reports/1570651">https://hackerone.com/reports/1570651</a>
<a href="https://linux.oracle.com/cve/CVE-2022-32206.html">https://linux.oracle.com/cve/CVE-2022-32206.html</a>
<a href="https://linux.oracle.com/errata/ELSA-2022-6159.html">https://linux.oracle.com/errata/ELSA-2022-6159.html</a>
<a href="https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html">https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/</a>
<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-32206">https://nvd.nist.gov/vuln/detail/CVE-2022-32206</a>
<a href="https://ubuntu.com/security/notices/USN-5495-1">https://ubuntu.com/security/notices/USN-5495-1</a>
<a href="https://www.debian.org/security/2022/dsa-5197">https://www.debian.org/security/2022/dsa-5197</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">curl</td>
<td>CVE-2022-32208</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">7.61.1-22.el8_6.3</td>
<td>7.61.1-22.el8_6.4</td>
<td class="links" data-more-links="off">
<a href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json">https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json</a>
<a href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json">https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json</a>
<a href="https://access.redhat.com/security/cve/CVE-2022-32208">https://access.redhat.com/security/cve/CVE-2022-32208</a>
<a href="https://curl.se/docs/CVE-2022-32208.html">https://curl.se/docs/CVE-2022-32208.html</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208</a>
<a href="https://hackerone.com/reports/1590071">https://hackerone.com/reports/1590071</a>
<a href="https://linux.oracle.com/cve/CVE-2022-32208.html">https://linux.oracle.com/cve/CVE-2022-32208.html</a>
<a href="https://linux.oracle.com/errata/ELSA-2022-6159.html">https://linux.oracle.com/errata/ELSA-2022-6159.html</a>
<a href="https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html">https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/</a>
<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-32208">https://nvd.nist.gov/vuln/detail/CVE-2022-32208</a>
<a href="https://ubuntu.com/security/notices/USN-5495-1">https://ubuntu.com/security/notices/USN-5495-1</a>
<a href="https://ubuntu.com/security/notices/USN-5499-1">https://ubuntu.com/security/notices/USN-5499-1</a>
<a href="https://www.debian.org/security/2022/dsa-5197">https://www.debian.org/security/2022/dsa-5197</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">libcurl-minimal</td>
<td>CVE-2022-32206</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">7.61.1-22.el8_6.3</td>
<td>7.61.1-22.el8_6.4</td>
<td class="links" data-more-links="off">
<a href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json">https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json</a>
<a href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json">https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json</a>
<a href="https://access.redhat.com/security/cve/CVE-2022-32206">https://access.redhat.com/security/cve/CVE-2022-32206</a>
<a href="https://curl.se/docs/CVE-2022-32206.html">https://curl.se/docs/CVE-2022-32206.html</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206</a>
<a href="https://hackerone.com/reports/1570651">https://hackerone.com/reports/1570651</a>
<a href="https://linux.oracle.com/cve/CVE-2022-32206.html">https://linux.oracle.com/cve/CVE-2022-32206.html</a>
<a href="https://linux.oracle.com/errata/ELSA-2022-6159.html">https://linux.oracle.com/errata/ELSA-2022-6159.html</a>
<a href="https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html">https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/</a>
<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-32206">https://nvd.nist.gov/vuln/detail/CVE-2022-32206</a>
<a href="https://ubuntu.com/security/notices/USN-5495-1">https://ubuntu.com/security/notices/USN-5495-1</a>
<a href="https://www.debian.org/security/2022/dsa-5197">https://www.debian.org/security/2022/dsa-5197</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">libcurl-minimal</td>
<td>CVE-2022-32208</td>
<td class="severity">MEDIUM</td>
<td class="pkg-version">7.61.1-22.el8_6.3</td>
<td>7.61.1-22.el8_6.4</td>
<td class="links" data-more-links="off">
<a href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json">https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json</a>
<a href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json">https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json</a>
<a href="https://access.redhat.com/security/cve/CVE-2022-32208">https://access.redhat.com/security/cve/CVE-2022-32208</a>
<a href="https://curl.se/docs/CVE-2022-32208.html">https://curl.se/docs/CVE-2022-32208.html</a>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208</a>
<a href="https://hackerone.com/reports/1590071">https://hackerone.com/reports/1590071</a>
<a href="https://linux.oracle.com/cve/CVE-2022-32208.html">https://linux.oracle.com/cve/CVE-2022-32208.html</a>
<a href="https://linux.oracle.com/errata/ELSA-2022-6159.html">https://linux.oracle.com/errata/ELSA-2022-6159.html</a>
<a href="https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html">https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html</a>
<a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/</a>
<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-32208">https://nvd.nist.gov/vuln/detail/CVE-2022-32208</a>
<a href="https://ubuntu.com/security/notices/USN-5495-1">https://ubuntu.com/security/notices/USN-5495-1</a>
<a href="https://ubuntu.com/security/notices/USN-5499-1">https://ubuntu.com/security/notices/USN-5499-1</a>
<a href="https://www.debian.org/security/2022/dsa-5197">https://www.debian.org/security/2022/dsa-5197</a>
</td>
</tr>
<tr class="severity-MEDIUM">
<td class="pkg-name">vim-minimal</td>
<td>CVE-2022-1785</td>

156
trivy-results.sarif
View File

@ -9,6 +9,60 @@
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "CVE-2022-32206",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2022-32206"
},
"fullDescription": {
"text": "curl \u0026lt; 7.84.0 supports \u0026#34;chained\u0026#34; HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \u0026#34;links\u0026#34; in this \u0026#34;decompression chain\u0026#34; was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \u0026#34;malloc bomb\u0026#34;, makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2022-32206",
"help": {
"text": "Vulnerability CVE-2022-32206\nSeverity: MEDIUM\nPackage: libcurl-minimal\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)\ncurl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.",
"markdown": "**Vulnerability CVE-2022-32206**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcurl-minimal|7.61.1-22.el8_6.4|[CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)|\n\ncurl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors."
},
"properties": {
"precision": "very-high",
"security-severity": "5.5",
"tags": [
"vulnerability",
"security",
"MEDIUM"
]
}
},
{
"id": "CVE-2022-32208",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2022-32208"
},
"fullDescription": {
"text": "When curl \u0026lt; 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2022-32208",
"help": {
"text": "Vulnerability CVE-2022-32208\nSeverity: MEDIUM\nPackage: libcurl-minimal\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)\nWhen curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.",
"markdown": "**Vulnerability CVE-2022-32208**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcurl-minimal|7.61.1-22.el8_6.4|[CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)|\n\nWhen curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client."
},
"properties": {
"precision": "very-high",
"security-severity": "5.5",
"tags": [
"vulnerability",
"security",
"MEDIUM"
]
}
},
{
"id": "CVE-2022-1785",
"name": "OsPackageVulnerability",
@ -96,9 +150,105 @@
},
"results": [
{
"ruleId": "CVE-2022-1785",
"ruleId": "CVE-2022-32206",
"ruleIndex": 0,
"level": "warning",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32206\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rockylinux/rockylinux",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
]
},
{
"ruleId": "CVE-2022-32208",
"ruleIndex": 1,
"level": "warning",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32208\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rockylinux/rockylinux",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
]
},
{
"ruleId": "CVE-2022-32206",
"ruleIndex": 0,
"level": "warning",
"message": {
"text": "Package: libcurl-minimal\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32206\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rockylinux/rockylinux",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
]
},
{
"ruleId": "CVE-2022-32208",
"ruleIndex": 1,
"level": "warning",
"message": {
"text": "Package: libcurl-minimal\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32208\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rockylinux/rockylinux",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
]
},
{
"ruleId": "CVE-2022-1785",
"ruleIndex": 2,
"level": "warning",
"message": {
"text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1785\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1785](https://avd.aquasec.com/nvd/cve-2022-1785)"
},
@ -121,7 +271,7 @@
},
{
"ruleId": "CVE-2022-1897",
"ruleIndex": 1,
"ruleIndex": 3,
"level": "warning",
"message": {
"text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1897\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1897](https://avd.aquasec.com/nvd/cve-2022-1897)"
@ -145,7 +295,7 @@
},
{
"ruleId": "CVE-2022-1927",
"ruleIndex": 2,
"ruleIndex": 4,
"level": "warning",
"message": {
"text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1927\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1927](https://avd.aquasec.com/nvd/cve-2022-1927)"