VYPR

apk package

wolfi/apache-pulsar-4.1

pkg:apk/wolfi/apache-pulsar-4.1

Vulnerabilities (6)

  • CVE-2026-42577 (High), May 13, 2026
    affected < 4.1.3-r11, fixed 4.1.3-r11

    Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some

  • CVE-2026-6860 (Med), May 6, 2026
    affected < 4.1.3-r11, fixed 4.1.3-r11

    A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.

  • CVE-2026-5598 (High), Apr 15, 2026
    affected < 4.1.3-r14, fixed 4.1.3-r14

    Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.

  • CVE-2026-24308, Mar 7, 2026
    affected < 4.1.3-r7, fixed 4.1.3-r7

    Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering p

  • CVE-2026-24281, Mar 7, 2026
    affected < 4.1.3-r7, fixed 4.1.3-r7

    Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note

  • CVE-2025-67721, Dec 12, 2025
    affected < 4.1.3-r2, fixed 4.1.3-r2

    Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous buffe