
omegavveapon / kopf-k8s-sidecar


An implementation of k8s-sidecar using k8s operators via kopf

License: GNU General Public License v3.0

Dockerfile 5.82% Python 89.46% Shell 4.71%


kopf-k8s-sidecar's Issues

Add hook capability like kiwi grid sidecar

We use the kiwigrid sidecar as part of our Jenkins deployments. However, we're getting hit by the watch bug. I looked at switching to kopf-k8s-sidecar, but we rely on the hook functionality to trigger a config reload when the configmaps change.

Configmap removals not being recognized in WATCH mode

I've just switched over to kopf-k8s-sidecar due to this issue. It's working fine as a drop-in replacement, but it does not recognize when configmaps are removed. I'm using it for the standard Grafana dashboard sidecar use case, and I've shown the service account and role below. Here is the warning in the logs that looks relevant:

[2021-07-09 18:16:16,990] sidecar_settings     [INFO    ] Looking for resources with LABEL 'grafana_dashboard'
[2021-07-09 18:16:16,990] sidecar_settings     [INFO    ] The default FOLDER to write files to is /tmp/dashboards
[2021-07-09 18:16:16,990] sidecar_settings     [INFO    ] FOLDER_ANNOTATION for the destination folder is 'k8s-sidecar-target-directory'
[2021-07-09 18:16:16,990] sidecar_settings     [INFO    ] Looking for resources ONLY in the ['cortex-dashboards'] namespaces
[2021-07-09 18:16:16,990] sidecar_settings     [INFO    ] Monitoring configmap and secret resources for changes
[2021-07-09 18:16:16,990] sidecar_settings     [INFO    ] Using the WATCH METHOD
[2021-07-09 18:16:16,990] sidecar_settings     [INFO    ] DEFAULT_FILE_MODE is None
[2021-07-09 18:16:16,991] sidecar_settings     [INFO    ] Client watching requests using a timeout of 660 seconds
[2021-07-09 18:16:16,991] sidecar_settings     [INFO    ] Server watching requests using a timeout of 600 seconds
[2021-07-09 18:16:17,000] kopf._core.reactor.r [WARNING ] OS signals are ignored: running not in the main thread.
[2021-07-09 18:16:17,000] kopf.activities.star [INFO    ] Activity 'startup_tasks' succeeded.
[2021-07-09 18:16:17,001] kopf._core.engines.a [INFO    ] Initial authentication has been initiated.
[2021-07-09 18:16:17,003] kopf.activities.auth [INFO    ] Activity 'login_via_pykube' succeeded.
[2021-07-09 18:16:17,003] kopf._core.engines.a [INFO    ] Initial authentication has finished.
[2021-07-09 18:16:17,077] kopf._core.reactor.o [WARNING ] Not enough permissions to watch for resources: changes (creation/deletion/updates) will not be noticed; the resources are only refreshed on operator restarts.
...
  serviceAccount: prometheus-legacy-infra-grafana
  serviceAccountName: prometheus-legacy-infra-grafana

    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from prometheus-legacy-infra-grafana-token-r2wh4 (ro)
docker-desktop# kubectl get clusterrolebinding prometheus-legacy-infra-grafana-clusterrolebinding -n cortex -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: prometheus-legacy-infra
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: grafana
    app.kubernetes.io/version: 8.0.3
    argocd.argoproj.io/instance: prometheus-legacy-infra
    helm.sh/chart: grafana-6.13.2
  name: prometheus-legacy-infra-grafana-clusterrolebinding
  resourceVersion: "37673562"
  uid: 5ab6eed0-dc0d-439b-a0c5-256e5efc4811
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-legacy-infra-grafana-clusterrole
subjects:
- kind: ServiceAccount
  name: prometheus-legacy-infra-grafana
  namespace: cortex
docker-desktop# kubectl get clusterrole prometheus-legacy-infra-grafana-clusterrole -n cortex -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: prometheus-legacy-infra
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: grafana
    app.kubernetes.io/version: 8.0.3
    argocd.argoproj.io/instance: prometheus-legacy-infra
    helm.sh/chart: grafana-6.13.2
  name: prometheus-legacy-infra-grafana-clusterrole
  resourceVersion: "37673555"
  uid: 3d1216f5-8110-44d5-a4f6-c1947f8cb6cd
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - get
  - watch
  - list
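Added example, not part of the issue above and not code from kopf-k8s-sidecar or kopf: an offline evaluator that takes the ClusterRole rules quoted in the issue and answers "can this subject do verb X on resource Y in apiGroup Z?" the way `kubectl auth can-i` does against a live cluster. It handles the `*` wildcard in apiGroups, resources and verbs and ignores resourceNames, nonResourceURLs and namespace scoping (a ClusterRole bound by a ClusterRoleBinding applies in every namespace). The CustomResourceDefinition requests in SIDECAR_NEEDS are an assumption about what the kopf resource observer wants to watch when it prints the "Not enough permissions to watch for resources" warning; confirm that against the kopf version in use.

```python
"""Offline evaluator for Kubernetes RBAC rules, applied to the ClusterRole in the issue."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Sequence[str]
    resources: Sequence[str]
    verbs: Sequence[str]


@dataclass(frozen=True)
class Request:
    verb: str
    resource: str
    api_group: str = ""  # "" is the core group (configmaps, secrets, ...)


# The rules of prometheus-legacy-infra-grafana-clusterrole exactly as quoted above.
GRAFANA_SIDECAR_RULES: List[Rule] = [
    Rule(api_groups=("",), resources=("configmaps", "secrets"), verbs=("get", "watch", "list")),
]

# What the sidecar needs for its own work, plus the CRD watch (assumption, see lead-in).
SIDECAR_NEEDS: List[Request] = [
    Request("list", "configmaps"),
    Request("watch", "configmaps"),
    Request("list", "secrets"),
    Request("watch", "secrets"),
    Request("list", "customresourcedefinitions", "apiextensions.k8s.io"),
    Request("watch", "customresourcedefinitions", "apiextensions.k8s.io"),
]


def _matches(allowed: Sequence[str], wanted: str) -> bool:
    # In RBAC, "*" in apiGroups, resources or verbs matches everything.
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    return (_matches(rule.api_groups, req.api_group)
            and _matches(rule.resources, req.resource)
            and _matches(rule.verbs, req.verb))


def allows(rules: Iterable[Rule], req: Request) -> bool:
    # RBAC is purely additive and has no deny rules: one matching rule is enough.
    return any(rule_allows(rule, req) for rule in rules)


def missing(rules: Iterable[Rule], needs: Iterable[Request]) -> List[Request]:
    """Return the requests from `needs` that no rule grants."""
    rules = list(rules)
    return [req for req in needs if not allows(rules, req)]


def report(rules: Iterable[Rule], needs: Iterable[Request]) -> Dict[Tuple[str, str, str], bool]:
    """(verb, resource, apiGroup) -> allowed, for every request in `needs`."""
    rules = list(rules)
    return {(r.verb, r.resource, r.api_group): allows(rules, r) for r in needs}


if __name__ == "__main__":
    for (verb, resource, group), ok in report(GRAFANA_SIDECAR_RULES, SIDECAR_NEEDS).items():
        status = "yes" if ok else "no"
        print(f"{status:4}{verb:6}{resource} ({group or 'core'})")
```

The live equivalent for the service account in the issue is `kubectl auth can-i watch configmaps -n cortex-dashboards --as=system:serviceaccount:cortex:prometheus-legacy-infra-grafana`. One caveat worth keeping in mind: a ClusterRole bound through a ClusterRoleBinding grants get, list and watch on every Secret in the cluster. The "Looking for resources ONLY in the ['cortex-dashboards'] namespaces" setting narrows what the sidecar asks for, not what its token can read, so for the configmap and secret access a Role plus RoleBinding in cortex-dashboards is the least-privilege shape.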

Enhance the robustness of the sidecar of the WATCH method startup

Looks like an error in reaching the k8s API caused the resource observer to not get created properly.

Setting USER environment variable to 472
[2021-06-01 12:04:40,102] kopf.activities.star [INFO    ] Using the WATCH METHOD
[2021-06-01 12:04:40,103] kopf.reactor.running [WARNING ] OS signals are ignored: running not in the main thread.
[2021-06-01 12:04:40,103] kopf.activities.star [INFO    ] The default FOLDER to write files to is /tmp/dashboards
[2021-06-01 12:04:40,103] kopf.activities.star [INFO    ] FOLDER_ANNOTATION not set. Defaulting to look for 'k8s-sidecar-target-directory'
[2021-06-01 12:04:40,103] kopf.activities.star [INFO    ] Looking for resources with LABEL 'grafana_dashboard'
[2021-06-01 12:04:40,103] kopf.activities.star [INFO    ] Monitoring configmap and secret resources for changes
[2021-06-01 12:04:40,103] kopf.activities.star [INFO    ] Looking for resources in the entire cluster
[2021-06-01 12:04:40,103] kopf.activities.star [INFO    ] Client watching requests using a timeout of 660 seconds
[2021-06-01 12:04:40,103] kopf.activities.star [INFO    ] Server watching requests using a timeout of 600 seconds
[2021-06-01 12:04:40,104] kopf.activities.star [INFO    ] Activity 'startup_tasks' succeeded.
[2021-06-01 12:04:40,104] kopf.reactor.activit [INFO    ] Initial authentication has been initiated.
[2021-06-01 12:04:40,105] kopf.activities.auth [INFO    ] Activity 'login_via_pykube' succeeded.
[2021-06-01 12:04:40,106] kopf.reactor.activit [INFO    ] Initial authentication has finished.
[2021-06-01 12:04:40,293] kopf.reactor.running [ERROR   ] Resource observer has failed: (None, None)
Traceback (most recent call last):
  File "/.venv/lib/python3.8/site-packages/kopf/clients/errors.py", line 133, in check_response
    response.raise_for_status()
  File "/.venv/lib/python3.8/site-packages/aiohttp/client_reqrep.py", line 1000, in raise_for_status
    raise ClientResponseError(
aiohttp.client_exceptions.ClientResponseError: 503, message='Service Unavailable', url=URL('https://192.168.0.1:443/apis/external.metrics.k8s.io/v1beta1')
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
  File "/.venv/lib/python3.8/site-packages/kopf/utilities/aiotasks.py", line 69, in guard
    await coro
  File "/.venv/lib/python3.8/site-packages/kopf/reactor/observation.py", line 104, in resource_observer
    resources = await scanning.scan_resources(groups=group_filter)
  File "/.venv/lib/python3.8/site-packages/kopf/clients/auth.py", line 44, in wrapper
    return await fn(*args, **kwargs, context=context)
  File "/.venv/lib/python3.8/site-packages/kopf/clients/scanning.py", line 22, in scan_resources
    resources.update(await coro)
  File "/usr/local/lib/python3.8/asyncio/tasks.py", line 619, in _wait_for_one
    return f.result()  # May raise f.exception().
  File "/.venv/lib/python3.8/site-packages/kopf/clients/scanning.py", line 72, in _read_new_apis
    resources.update(await coro)
  File "/usr/local/lib/python3.8/asyncio/tasks.py", line 619, in _wait_for_one
    return f.result()  # May raise f.exception().
  File "/.venv/lib/python3.8/site-packages/kopf/clients/scanning.py", line 85, in _read_version
    rsp = await errors.parse_response(await context.session.get(url))
  File "/.venv/lib/python3.8/site-packages/kopf/clients/errors.py", line 144, in parse_response
    await check_response(response)
  File "/.venv/lib/python3.8/site-packages/kopf/clients/errors.py", line 135, in check_response
    raise cls(payload, status=response.status) from e
kopf.clients.errors.APIError: (None, None)
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "sidecar.py", line 82, in kopf_thread
    loop.run_until_complete(kopf.operator(
  File "/usr/local/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/.venv/lib/python3.8/site-packages/kopf/reactor/running.py", line 118, in operator
    await run_tasks(operator_tasks, ignored=existing_tasks)
  File "/.venv/lib/python3.8/site-packages/kopf/reactor/running.py", line 355, in run_tasks
    await aiotasks.reraise(root_done | root_cancelled | hung_done | hung_cancelled)
  File "/.venv/lib/python3.8/site-packages/kopf/utilities/aiotasks.py", line 199, in reraise
    task.result()  # can raise the regular (non-cancellation) exceptions.
  File "/.venv/lib/python3.8/site-packages/kopf/clients/scanning.py", line 85, in _read_version
    rsp = await errors.parse_response(await context.session.get(url))
  File "/.venv/lib/python3.8/site-packages/aiohttp/client.py", line 520, in _request
    conn = await self._connector.connect(
  File "/.venv/lib/python3.8/site-packages/aiohttp/connector.py", line 538, in connect
    raise ClientConnectionError("Connector is closed.")
aiohttp.client_exceptions.ClientConnectionError: Connector is closed.

This is a similar issue to #20 where bad k8s API servers can cause unrecoverable issues during startup.

Luckily, it looks like once the operator is going, it can recover from issues like these by itself.

Will still need to find a way to induce bad API connection issues to test for conditions like these that don't happen in healthy k8s clusters.

Support relative paths for FOLDER_ANNOTATION

Running into this issue when trying to replace the default Grafana sidecar by this one.

The Kiwigrid sidecar supports the path in the FOLDER_ANNOTATION value to be relative.
Its documentation says:

The annotation the sidecar will look for in configmaps to override the destination folder for files. 
The annotation value can be either an absolute or a relative path. Relative paths will be relative to FOLDER.

This sidecar does not seem to support relative paths:

[2021-11-05 13:03:44,649] kopf.objects         [ERROR   ] Failed to write file kubernetes/scheduler.json

I prefer to use relative paths so teams adding files via ConfigMaps don't have to be bothered with the actual path where the file is being copied. E.g. /tmp/dashboards in case of Grafana dashboards.
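Added example, not part of the issue above and not code from kopf-k8s-sidecar or the Kiwigrid sidecar: a resolver that implements the Kiwigrid semantics quoted in the issue (an absolute annotation value is used as-is, a relative one is joined onto FOLDER) together with the check a sidecar should make when it adds relative paths. The annotation is written by whoever creates the ConfigMap or Secret, so a value such as `../../etc`, or an absolute `/etc`, must not move the write outside the directory the sidecar was configured with. Function names and the `allow_absolute` switch are this example's own choices. The check is lexical (normpath only) and does not follow symlinks that already exist under FOLDER.

```python
"""Resolve FOLDER_ANNOTATION values relative to FOLDER without letting them escape it."""
import posixpath
from typing import Optional


class UnsafeTargetPath(ValueError):
    """Raised when an annotation or data key would write outside FOLDER."""


def _is_within(base: str, path: str) -> bool:
    # Both arguments are already normalised absolute POSIX paths.
    return path == base or path.startswith(base.rstrip("/") + "/")


def resolve_target_dir(folder: str, annotation: Optional[str],
                       allow_absolute: bool = False) -> str:
    """Directory the sidecar should write into for a resource carrying `annotation`."""
    base = posixpath.normpath(folder)
    if not annotation:
        return base
    if posixpath.isabs(annotation):
        # Kiwigrid accepts absolute values; make that an explicit opt-in, since it
        # lets any ConfigMap author pick an arbitrary directory inside the container.
        if not allow_absolute:
            raise UnsafeTargetPath(f"absolute annotation path rejected: {annotation!r}")
        return posixpath.normpath(annotation)
    # Relative values are resolved against FOLDER and must stay inside it after
    # ".." components are collapsed.
    target = posixpath.normpath(posixpath.join(base, annotation))
    if not _is_within(base, target):
        raise UnsafeTargetPath(f"annotation path {annotation!r} escapes {base}")
    return target


def resolve_target_file(folder: str, annotation: Optional[str], key: str,
                        allow_absolute: bool = False) -> str:
    """Full path for one data key of the resource; keys must be single path components."""
    if key in ("", ".", "..") or "/" in key or "\\" in key or "\0" in key:
        raise UnsafeTargetPath(f"invalid data key: {key!r}")
    return posixpath.join(resolve_target_dir(folder, annotation, allow_absolute), key)


def is_safe(folder: str, annotation: Optional[str], key: str = "x",
            allow_absolute: bool = False) -> bool:
    """True if the resource could be written without leaving FOLDER."""
    try:
        resolve_target_file(folder, annotation, key, allow_absolute)
        return True
    except UnsafeTargetPath:
        return False


if __name__ == "__main__":
    # The case from the issue: annotation "kubernetes", key "scheduler.json".
    print(resolve_target_file("/tmp/dashboards", "kubernetes", "scheduler.json"))
```

With this in place the log line "Failed to write file kubernetes/scheduler.json" becomes a write to /tmp/dashboards/kubernetes/scheduler.json, while a ConfigMap annotated with `../../etc` is refused and logged rather than written.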

KeyError: 'getpwuid(): uid not found: 472'

In order to resolve the WATCH hang issue with the grafana helm chart I switched over to this sidecar from kiwigrid. Whenever the sidecar starts up I keep getting uid not found for 472:

# kubectl logs isa-kube-prometheus-grafana-b6669d485-v6wbz -c grafana-sc-datasources
[2021-01-20 17:31:42,887] kopf.activities.star [INFO    ] Folder /etc/grafana/provisioning/datasources already exists. Skipping creation.
[2021-01-20 17:31:42,887] kopf.activities.star [INFO    ] Client watching requests using a timeout of 660 seconds
[2021-01-20 17:31:42,887] kopf.activities.star [INFO    ] Server watching requests using a timeout of 600 seconds
Traceback (most recent call last):
  File "/.venv/bin/kopf", line 8, in <module>
    sys.exit(main())
  File "/.venv/lib/python3.7/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/.venv/lib/python3.7/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/.venv/lib/python3.7/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/.venv/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/.venv/lib/python3.7/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/.venv/lib/python3.7/site-packages/kopf/cli.py", line 50, in wrapper
    return fn(*args, **kwargs)
  File "/.venv/lib/python3.7/site-packages/click/decorators.py", line 73, in new_func
    return ctx.invoke(f, obj, *args, **kwargs)
  File "/.venv/lib/python3.7/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/.venv/lib/python3.7/site-packages/kopf/cli.py", line 101, in run
    vault=__controls.vault,
  File "/.venv/lib/python3.7/site-packages/kopf/reactor/running.py", line 107, in run
    vault=vault,
  File "/usr/local/lib/python3.7/asyncio/base_events.py", line 587, in run_until_complete
    return future.result()
  File "/.venv/lib/python3.7/site-packages/kopf/reactor/running.py", line 149, in operator
    vault=vault,
  File "/.venv/lib/python3.7/site-packages/kopf/reactor/running.py", line 249, in spawn_tasks
    id=peering.detect_own_id(), priority=priority,
  File "/.venv/lib/python3.7/site-packages/kopf/engines/peering.py", line 300, in detect_own_id
    user = getpass.getuser()
  File "/usr/local/lib/python3.7/getpass.py", line 169, in getuser
    return pwd.getpwuid(os.getuid())[0]
KeyError: 'getpwuid(): uid not found: 472'

The comment that pointed me to this sidecar:
kiwigrid/k8s-sidecar#85 (comment)
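Added example, not part of the issue above and not code from kopf-k8s-sidecar or kopf. The traceback ends in getpass.getuser(), which returns the first non-empty value of the LOGNAME, USER, LNAME and USERNAME environment variables and only then calls pwd.getpwuid(os.getuid()); that call raises KeyError when the container runs as a uid that /etc/passwd does not list, which is exactly what `runAsUser: 472` on an image without a matching user produces. The lookup below keeps the same environment-first order but falls back to the numeric uid instead of aborting start-up. The uid, environment and passwd lookup are parameters so the failure can be reproduced without changing the real uid; unknown_uid() is a constructed stand-in for a missing passwd entry.

```python
"""A uid-to-name lookup that survives running as a uid with no passwd entry."""
import os
from typing import Callable, Mapping, Optional

try:
    import pwd  # POSIX only
except ImportError:  # pragma: no cover
    pwd = None

ENV_NAMES = ("LOGNAME", "USER", "LNAME", "USERNAME")  # the order getpass.getuser() uses


def passwd_name(uid: int) -> str:
    """Real lookup; raises KeyError for an unknown uid, like the traceback above."""
    if pwd is None:
        raise KeyError(f"getpwuid(): uid not found: {uid}")
    return pwd.getpwuid(uid).pw_name


def operator_identity(uid: Optional[int] = None,
                      env: Optional[Mapping[str, str]] = None,
                      lookup: Callable[[int], str] = passwd_name) -> str:
    """Stable identity for the operator that never raises on an arbitrary uid."""
    uid = os.getuid() if uid is None else uid
    env = os.environ if env is None else env
    for name in ENV_NAMES:
        value = env.get(name)
        if value:
            return value
    try:
        return lookup(uid)
    except KeyError:
        # Arbitrary-uid containers (runAsUser without a matching passwd entry):
        # fall back to the numeric uid instead of aborting start-up.
        return str(uid)


def unknown_uid(uid: int) -> str:
    """Constructed stand-in for a uid missing from /etc/passwd."""
    raise KeyError(f"getpwuid(): uid not found: {uid}")


if __name__ == "__main__":
    print(operator_identity(472, {}, lookup=unknown_uid))          # 472
    print(operator_identity(472, {"USER": "472"}, lookup=unknown_uid))  # 472, via USER
```

The first branch is also why the sidecar's own "Setting USER environment variable to 472" line in the later logs on this page makes the crash go away: getpass.getuser() never reaches the passwd lookup once USER is set.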

The healthcheck port should be configurable

As the title says.

Users are utilizing the sidecar in setups outside the typical grafana setups we're accustomed to and those pods may already be using port 8080.

We should allow that port to be set to something else by the user.

Feature request: Support env METHOD

Hi,
thank you for your great work on this project. Like many, we faced issues with kiwigrid/k8s-sidecar's loop getting stuck and hence sought alternatives.
We use it as part of grafana, since it is the default.
For feature parity with kiwigrid we would need the METHOD flag, which allows running the container once and then exiting. In grafana, the same image is used for the init container (fetching datasources) and the sidecar (fetching dashboards).
In order to replace it with kopf-k8s-sidecar, one needs to make a lot of changes and hacks there due to the missing flag here.

Enhance the robustness for LIST METHOD

The LIST method is a one-time run that occurs in order to load up the datasources as part of the initContainer.

It was added because:

  1. The Grafana Helm chart needs it
  2. Grafana itself does NOT support dynamic loading of datasources (like they do with dashboards)

However, if the connection with the k8s control plane fails, it's possible for the initContainer to fail to come up.

Need to add additional logging and retry handling to make this area more robust.

Here's one such situation of that issue:

Setting USER environment variable to 472
2021-05-19 16:53:06,618 Using the LIST METHOD
2021-05-19 16:53:06,618 The default FOLDER to write files to is /etc/grafana/provisioning/datasources
2021-05-19 16:53:06,619 FOLDER_ANNOTATION not set. Defaulting to look for 'k8s-sidecar-target-directory'
2021-05-19 16:53:06,619 Looking for resources with LABEL 'grafana_datasource'
2021-05-19 16:53:06,619 Monitoring configmap and secret resources for changes
2021-05-19 16:53:06,619 Looking for resources in the entire cluster
2021-05-19 16:54:19,920 [CREATE:ConfigMap] Writing content to file /etc/grafana/provisioning/datasources/datasource.yaml
Traceback (most recent call last):
  File "/.venv/lib/python3.8/site-packages/urllib3/response.py", line 697, in _update_chunk_length
    self.chunk_left = int(line, 16)
ValueError: invalid literal for int() with base 16: b''
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/.venv/lib/python3.8/site-packages/urllib3/response.py", line 438, in _error_catcher
    yield
  File "/.venv/lib/python3.8/site-packages/urllib3/response.py", line 764, in read_chunked
    self._update_chunk_length()
  File "/.venv/lib/python3.8/site-packages/urllib3/response.py", line 701, in _update_chunk_length
    raise InvalidChunkLength(self, line)
urllib3.exceptions.InvalidChunkLength: InvalidChunkLength(got length b'', 0 bytes read)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/.venv/lib/python3.8/site-packages/requests/models.py", line 753, in generate
    for chunk in self.raw.stream(chunk_size, decode_content=True):
  File "/.venv/lib/python3.8/site-packages/urllib3/response.py", line 572, in stream
    for line in self.read_chunked(amt, decode_content=decode_content):
  File "/.venv/lib/python3.8/site-packages/urllib3/response.py", line 793, in read_chunked
    self._original_response.close()
  File "/usr/local/lib/python3.8/contextlib.py", line 131, in __exit__
    self.gen.throw(type, value, traceback)
  File "/.venv/lib/python3.8/site-packages/urllib3/response.py", line 455, in _error_catcher
    raise ProtocolError("Connection broken: %r" % e, e)
urllib3.exceptions.ProtocolError: ("Connection broken: InvalidChunkLength(got length b'', 0 bytes read)", InvalidChunkLength(got length b'', 0 bytes read))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "sidecar.py", line 109, in <module>
    main()
  File "sidecar.py", line 104, in main
    one_run()
  File "/list_mode.py", line 54, in one_run
    for secret in secrets:
  File "/.venv/lib/python3.8/site-packages/pykube/query.py", line 195, in __iter__
    return iter(self.query_cache["objects"])
  File "/.venv/lib/python3.8/site-packages/pykube/query.py", line 185, in query_cache
    cache["response"] = self.execute().json()
  File "/.venv/lib/python3.8/site-packages/pykube/query.py", line 159, in execute
    r = self.api.get(**kwargs)
  File "/.venv/lib/python3.8/site-packages/pykube/http.py", line 431, in get
    return self.session.get(*args, **self.get_kwargs(**kwargs))
  File "/.venv/lib/python3.8/site-packages/requests/sessions.py", line 555, in get
    return self.request('GET', url, **kwargs)
  File "/.venv/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/.venv/lib/python3.8/site-packages/requests/sessions.py", line 697, in send
    r.content
  File "/.venv/lib/python3.8/site-packages/requests/models.py", line 831, in content
    self._content = b''.join(self.iter_content(CONTENT_CHUNK_SIZE)) or b''
  File "/.venv/lib/python3.8/site-packages/requests/models.py", line 756, in generate
    raise ChunkedEncodingError(e)
requests.exceptions.ChunkedEncodingError: ("Connection broken: InvalidChunkLength(got length b'', 0 bytes read)", InvalidChunkLength(got length b'', 0 bytes read))
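Added example, not part of the issue above and not code from kopf-k8s-sidecar, kopf or pykube. It serves both this LIST METHOD issue and the WATCH METHOD start-up issue earlier on the page: in both tracebacks the fatal exception is one that a fresh request would usually survive (a 503 from an aggregated API group, a connection broken mid-chunk). The helper retries only the exception types the caller lists, gives up after a fixed number of attempts so an initContainer still fails loudly against a control plane that is really down, and takes the sleep and random functions as parameters so the behaviour can be checked without waiting. FlakyAPI and TransientAPIError are constructed stand-ins for the Kubernetes API and the client's error types, not a real client.

```python
"""Bounded retry with exponential backoff for transient API-server failures at start-up."""
import random
import time
from typing import Callable, List, Optional, Tuple, Type, TypeVar

T = TypeVar("T")


class TransientAPIError(Exception):
    """Stand-in for aiohttp's 503 ClientResponseError or requests' ChunkedEncodingError."""


def retry(call: Callable[[], T], *, retry_on: Tuple[Type[BaseException], ...],
          attempts: int = 5, base_delay: float = 0.5, max_delay: float = 10.0,
          sleep: Callable[[float], None] = time.sleep,
          rand: Callable[[], float] = random.random,
          log: Callable[[str], None] = print) -> T:
    """Call `call` until it succeeds or `attempts` is exhausted; re-raise the last error."""
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    for attempt in range(1, attempts + 1):
        try:
            return call()
        except retry_on as exc:  # anything not listed propagates immediately
            if attempt == attempts:
                log(f"giving up after {attempt} attempts: {exc!r}")
                raise
            # Full jitter: a random share of the capped exponential delay, so that
            # many sidecars restarting at once do not hit the API server in lockstep.
            delay = rand() * min(max_delay, base_delay * 2 ** (attempt - 1))
            log(f"attempt {attempt}/{attempts} failed ({exc!r}); retrying in {delay:.2f}s")
            sleep(delay)
    raise AssertionError("unreachable")  # every loop path returns or raises


class FlakyAPI:
    """Constructed stand-in: fails `failures` times, then returns a resource list."""

    def __init__(self, failures: int) -> None:
        self.failures = failures
        self.calls = 0

    def list_configmaps(self) -> List[str]:
        self.calls += 1
        if self.calls <= self.failures:
            raise TransientAPIError("503 Service Unavailable")
        return ["grafana-datasource", "grafana-dashboards"]


def load_with_retry(api: FlakyAPI, attempts: int = 5,
                    sleeps: Optional[List[float]] = None) -> List[str]:
    """One-shot LIST-style load wrapped in retry; records the delays instead of sleeping."""
    recorded = [] if sleeps is None else sleeps
    return retry(api.list_configmaps, retry_on=(TransientAPIError,), attempts=attempts,
                 sleep=recorded.append, rand=lambda: 1.0, log=lambda _msg: None)


if __name__ == "__main__":
    print(load_with_retry(FlakyAPI(failures=2)))
```

Two design points: the retryable set is explicit, because retrying a 401 or 403 only delays the real error (the RBAC warning in the first issue on this page would be hidden for minutes), and the attempt budget is finite so the pod's restart policy and readiness probes, not the sidecar, decide what happens when the control plane stays unreachable.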

More frequent Docker image builds

This repo is pretty stable, so it will sit on the same version for many months. The problem is that the Docker image is not getting rebuilt periodically, so we are not refreshing the python:3.8-alpine base layer to pick up CVE security fixes in the underlying alpine image.

Simply building and pushing a new docker tag every week or so would be sufficient to help with this. You would have to incorporate a build counter of some sort. It would be something like: 1.4.0-1, 1.4.0-2, 1.4.0-3. And then you would still have your existing 1.4.0 tag, but it would always point at the latest docker image for 1.4.0. You can see similar patterns for this in other projects. Take Kafka, for example: it actually runs a docker build daily for each version (2.8.1-debian-10-r191, 2.8.1-debian-10-r192, 2.8.1-debian-10-r193), and then they also push a tag for 2.8.1 that maps to whatever the latest 2.8.1 is.
https://hub.docker.com/r/bitnami/kafka/tags?page=1&name=2.8.1

The minimal, near term request is simply one more docker build in the near future 🙏

Reference:
Current CVEs against 1.4.0 are for alpine-3.14.2

CVE-2022-23852 - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
CVE-2022-23990 - Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
CVE-2022-25236 - xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
CVE-2022-25314 - In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
CVE-2022-25235 - xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
CVE-2022-25315 - In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
CVE-2021-42375 - An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.
CVE-2021-42374 - An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

Security issues in the underlying Alpine version in the latest docker image

Hello,

We are seeing a bunch of CVEs being reported for the underlying Alpine version that the docker image is using.

Here is the list of CVEs:

| Issue id | CVEs | CVSS2 score | CVSS2 vector | CVSS3 score | CVSS3 vector | Vulnerable Component | Component Physical Path | Summary | Fixed versions | Package type | Severity |
|---|---|---|---|---|---|---|---|---|---|---|---|
| XRAY-198320 | CVE-2022-25236 | 7.5 | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. | 2.4.5-r0 | alpine | Critical |
| XRAY-184739 | | 9.3 | CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:gdbm:1.19-r0 | | GNU dbm (GDBM) gdbmopen.c Multiple Function DBM File Header Validation Heap Buffer Overflow | | alpine | Critical |
| XRAY-198615 | CVE-2022-25315 | 7.5 | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. | 2.4.5-r0 | alpine | Critical |
| XRAY-209584 | CVE-2022-1292 | 10 | CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:libcrypto1.1:1.1.1l-r0 | | The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). | | alpine | Critical |
| XRAY-194159 | CVE-2022-22824 | 7.5 | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | 2.4.3-r0 | alpine | Critical |
| XRAY-203005 | CVE-2022-28391 | 7.5 | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:ssl_client:1.33.1-r3 | | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | 1.33.1-r7 | alpine | Critical |
| XRAY-198321 | CVE-2022-25235 | 7.5 | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. | 2.4.5-r0 | alpine | Critical |
| XRAY-194330 | CVE-2022-22823 | 7.5 | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | 2.4.3-r0 | alpine | Critical |
| XRAY-209584 | CVE-2022-1292 | 10 | CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:libssl1.1:1.1.1l-r0 | | The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). | | alpine | Critical |
| XRAY-190220 | CVE-2021-42377 | 6.8 | CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:busybox:1.33.1-r3 | | An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. | | alpine | Critical |
| XRAY-203005 | CVE-2022-28391 | 7.5 | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:busybox:1.33.1-r3 | | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | 1.33.1-r7 | alpine | Critical |
| XRAY-194331 | CVE-2022-22822 | 7.5 | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | 2.4.3-r0 | alpine | Critical |
| XRAY-196306 | CVE-2022-23852 | 7.5 | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. | 2.4.4-r0 | alpine | Critical |
| XRAY-196527 | CVE-2022-23990 | 7.5 | CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function. | 2.4.4-r0 | alpine | Critical |
| XRAY-197184 | | 9.3 | CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:gdbm:1.19-r0 | | GNU dbm (GDBM) /bucket.c _gdbm_split_bucket() Function Heap Buffer Overflow | | alpine | Critical |
| XRAY-190220 | CVE-2021-42377 | 6.8 | CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:ssl_client:1.33.1-r3 | | An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. | | alpine | Critical |
| XRAY-186944 | CVE-2021-39537 | 6.8 | CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | alpine://3.14:ncurses-terminfo-base:6.2_p20210612-r0 | | An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow. | | alpine | High |
| XRAY-194158 | CVE-2022-22825 | 6.8 | CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | 2.4.3-r0 | alpine | High |
| XRAY-190227 | CVE-2021-42383 | 6.5 | CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:busybox:1.33.1-r3 | | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function | 1.33.1-r6 | alpine | High |
| XRAY-190219 | CVE-2021-42385 | 6.5 | CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:busybox:1.33.1-r3 | | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function | 1.33.1-r6 | alpine | High |
| XRAY-193425 | CVE-2021-45960 | 9 | CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). | 2.4.3-r0 | alpine | High |
| XRAY-97724 | CVE-2018-20225 | 6.8 | CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | pypi://pip:21.3.1 | omegavveapon/kopf-k8s-sidecar/1.4.0/sha256__2a802ddd300a33bce2415c0c0a98c0948be8fe8432352e8e504d0a6cdfc94af9.tar.gz/pip:21.3.1 | ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. | | pypi | High |
| XRAY-180064 | | 7.1 | CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:C | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | alpine://3.14:sqlite-libs:3.35.5-r0 | | SQLite btree.c balance_nonroot() Function Database File Oversized Cell Handling DoS | | alpine | High |
| XRAY-178121 | CVE-2021-3601 | 4 | CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:N | 7.4 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | alpine://3.14:libcrypto1.1:1.1.1l-r0 | | OpenSSL Basic Constraints Extension Missing Chain Extension Check Certificate Validation Weakness | 1.1.1-r3 | alpine | High |
| XRAY-193947 | CVE-2021-46143 | 6.8 | CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | alpine://3.14:expat:2.4.1-r0 | | In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. | | alpine | High |
| XRAY-190229 | CVE-2021-42381 | 6.5 | CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:busybox:1.33.1-r3 | | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function | 1.33.1-r6 | alpine | High |
| XRAY-192263 | CVE-2021-30569 | 6.8 | CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | alpine://3.14:sqlite-libs:3.35.5-r0 | | Use after free in sqlite in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | | alpine | High |
| XRAY-97724 | CVE-2018-20225 | 6.8 | CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | pypi://pip:21.2.4 | omegavveapon/kopf-k8s-sidecar/1.4.0/sha256__cd0ff252a09b361fb128506e8e67141bcfe91081bbda23ec460bf0437dbccde7.tar.gz/pip:21.2.4 | ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. | | pypi | High |
| XRAY-159073 | CVE-2021-3450 | 5.8 | CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N | 7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | alpine://3.14:libcrypto1.1:1.1.1l-r0 | | The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j). | 1.1.1k-r0 | alpine | High |
| XRAY-198600 | CVE-2022-25314 | 5 | CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | alpine://3.14:expat:2.4.1-r0 | | In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. | 2.4.5-r0 | alpine | High |
| XRAY-190226 | CVE-2021-42384 | 6.5 | CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | alpine://3.14:busybox:1.33.1-r3 | | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function | 1.33.1-r6 | alpine | High |
XRAY-209793   4.3 CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H alpine://3.14:sqlite-libs:3.35.5-r0   SQLite wherecode.c filterPullDown() Function Bloom Filter Pull-down Optimization NULL Key Handling Infinite Loop DoS   alpine High
XRAY-208462 CVE-2022-29458 5.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:P 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H alpine://3.14:ncurses-terminfo-base:6.2_p20210612-r0   ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.   alpine High
XRAY-97724 CVE-2018-20225 6.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H pypi://pip:21.1.1 omegavveapon/kopf-k8s-sidecar/1.4.0/sha256__5e6f9a3065f19547192c18fa1ed3dd5ec163a387fa47d78aec28e960f5c1097c.tar.gz/usr/local/lib/python3.8/ensurepip/_bundled/pip-21.1.1-py3-none-any.whl ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.   pypi High
XRAY-194156 CVE-2022-22827 6.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H alpine://3.14:expat:2.4.1-r0   storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. 2.4.3-r0 alpine High
XRAY-147853   7.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:C 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H alpine://3.14:gdbm:1.19-r0   GNU dbm (GDBM) bucket.c _gdbm_get_bucket() Function Improper Bucket Re-initialization Out-of-bounds Read Issue   alpine High
XRAY-178121 CVE-2021-3601 4 CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:N 7.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N alpine://3.14:libssl1.1:1.1.1l-r0   OpenSSL Basic Constraints Extension Missing Chain Extension Check Certificate Validation Weakness 1.1.1-r3 alpine High
XRAY-190231 CVE-2021-42379 6.5 CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H alpine://3.14:busybox:1.33.1-r3   A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function 1.33.1-r6 alpine High
XRAY-208462 CVE-2022-29458 5.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:P 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H alpine://3.14:ncurses-libs:6.2_p20210612-r0   ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.   alpine High
XRAY-185556   7.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:C 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H alpine://3.14:gdbm:1.19-r0   GNU dbm (GDBM) gdbmseq.c gdbm_valid_key_p() Function Directory Entry Index Handling Out-of-bounds Read Issue   alpine High
XRAY-190230 CVE-2021-42380 6.5 CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H alpine://3.14:busybox:1.33.1-r3   A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function 1.33.1-r6 alpine High
XRAY-193403   7.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:C 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H alpine://3.14:sqlite-libs:3.35.5-r0   SQLite ext/fts5/fts5_index.c fts5SegIterReverseNewPage() Function FTS5 Record Handling Out-of-bounds Read Issue   alpine High
XRAY-190232 CVE-2021-42378 6.5 CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H alpine://3.14:busybox:1.33.1-r3   A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function 1.33.1-r6 alpine High
XRAY-190218 CVE-2021-42386 6.5 CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H alpine://3.14:busybox:1.33.1-r3   A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function 1.33.1-r6 alpine High
XRAY-186944 CVE-2021-39537 6.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H alpine://3.14:ncurses-libs:6.2_p20210612-r0   An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.   alpine High
XRAY-190228 CVE-2021-42382 6.5 CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H alpine://3.14:busybox:1.33.1-r3   A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function 1.33.1-r6 alpine High
XRAY-147947   7.1 CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:C 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H alpine://3.14:gdbm:1.19-r0   GNU dbm (GDBM) gdbmopen.c gdbm_avail_block_validate() Function Block Validation Out-of-bounds Read DoS   alpine High
XRAY-194157 CVE-2022-22826 6.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H alpine://3.14:expat:2.4.1-r0   nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. 2.4.3-r0 alpine High
XRAY-187364   7.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:C 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H alpine://3.14:xz-libs:5.2.5-r0   XZ Utils liblzma/lzma/lzma_decoder.c lzma_decode() Function Out-of-bounds Read Issue   alpine High
XRAY-159073 CVE-2021-3450 5.8 CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N alpine://3.14:libssl1.1:1.1.1l-r0   The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j). 1.1.1k-r0 alpine High

Are there any plans to fix these issues in future releases?

Thanks,
