rpm package
almalinux/python3-criu
pkg:rpm/almalinux/python3-criu
Vulnerabilities (101)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-25173 | — | < 3.18-4.module_el8.9.0+3643+9234dc3b | 3.18-4.module_el8.9.0+3643+9234dc3b | Feb 16, 2023 | containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group acces | ||
| CVE-2022-3064 | — | < 3.15-3.module_el8.6.0+3137+d33c3efb | 3.15-3.module_el8.6.0+3137+d33c3efb | Dec 27, 2022 | Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. | ||
| CVE-2022-41717 | — | < 3.15-3.module_el8.7.0+3407+95aa0ca9 | 3.15-3.module_el8.7.0+3407+95aa0ca9 | Dec 8, 2022 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s | ||
| CVE-2022-41715 | — | < 3.15-3.module_el8.6.0+3137+d33c3efb | 3.15-3.module_el8.6.0+3137+d33c3efb | Oct 14, 2022 | Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm | ||
| CVE-2022-2880 | — | < 3.15-3.module_el8.6.0+3137+d33c3efb | 3.15-3.module_el8.6.0+3137+d33c3efb | Oct 14, 2022 | Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s | ||
| CVE-2022-2879 | — | < 3.15-3.module_el8.6.0+3137+d33c3efb | 3.15-3.module_el8.6.0+3137+d33c3efb | Oct 14, 2022 | Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi | ||
| CVE-2022-2990 | — | < 3.15-3.module_el8.7.0+3407+95aa0ca9 | 3.15-3.module_el8.7.0+3407+95aa0ca9 | Sep 13, 2022 | An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissi | ||
| CVE-2022-2989 | — | < 3.15-3.module_el8.7.0+3407+95aa0ca9 | 3.15-3.module_el8.7.0+3407+95aa0ca9 | Sep 13, 2022 | An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissio | ||
| CVE-2022-27664 | — | < 3.15-3.module_el8.7.0+3407+95aa0ca9 | 3.15-3.module_el8.7.0+3407+95aa0ca9 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. | ||
| CVE-2022-32148 | — | < 3.15-1.module_el8.6.0+2876+9ed4eae2 | 3.15-1.module_el8.6.0+2876+9ed4eae2 | Aug 9, 2022 | Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the | ||
| CVE-2022-1962 | — | < 3.15-1.module_el8.6.0+2876+9ed4eae2 | 3.15-1.module_el8.6.0+2876+9ed4eae2 | Aug 9, 2022 | Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. | ||
| CVE-2022-32189 | — | < 3.15-3.module_el8.7.0+3407+95aa0ca9 | 3.15-3.module_el8.7.0+3407+95aa0ca9 | Aug 9, 2022 | A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. | ||
| CVE-2022-30629 | — | < 3.15-3.module_el8.7.0+3407+95aa0ca9 | 3.15-3.module_el8.7.0+3407+95aa0ca9 | Aug 9, 2022 | Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. | ||
| CVE-2022-30630 | — | < 3.15-1.module_el8.6.0+2876+9ed4eae2 | 3.15-1.module_el8.6.0+2876+9ed4eae2 | Aug 9, 2022 | Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. | ||
| CVE-2022-1705 | — | < 3.15-1.module_el8.6.0+2876+9ed4eae2 | 3.15-1.module_el8.6.0+2876+9ed4eae2 | Aug 9, 2022 | Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. | ||
| CVE-2022-30631 | — | < 3.15-1.module_el8.6.0+2876+9ed4eae2 | 3.15-1.module_el8.6.0+2876+9ed4eae2 | Aug 9, 2022 | Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. | ||
| CVE-2022-30633 | — | < 3.15-1.module_el8.6.0+2876+9ed4eae2 | 3.15-1.module_el8.6.0+2876+9ed4eae2 | Aug 9, 2022 | Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag. | ||
| CVE-2022-30635 | — | < 3.15-3.module_el8.7.0+3407+95aa0ca9 | 3.15-3.module_el8.7.0+3407+95aa0ca9 | Aug 9, 2022 | Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. | ||
| CVE-2022-30632 | — | < 3.15-1.module_el8.6.0+2876+9ed4eae2 | 3.15-1.module_el8.6.0+2876+9ed4eae2 | Aug 9, 2022 | Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. | ||
| CVE-2022-28131 | — | < 3.15-1.module_el8.6.0+2876+9ed4eae2 | 3.15-1.module_el8.6.0+2876+9ed4eae2 | Aug 9, 2022 | Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. |
- CVE-2023-25173Feb 16, 2023affected < 3.18-4.module_el8.9.0+3643+9234dc3bfixed 3.18-4.module_el8.9.0+3643+9234dc3b
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group acces
- CVE-2022-3064Dec 27, 2022affected < 3.15-3.module_el8.6.0+3137+d33c3efbfixed 3.15-3.module_el8.6.0+3137+d33c3efb
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
- CVE-2022-41717Dec 8, 2022affected < 3.15-3.module_el8.7.0+3407+95aa0ca9fixed 3.15-3.module_el8.7.0+3407+95aa0ca9
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s
- CVE-2022-41715Oct 14, 2022affected < 3.15-3.module_el8.6.0+3137+d33c3efbfixed 3.15-3.module_el8.6.0+3137+d33c3efb
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm
- CVE-2022-2880Oct 14, 2022affected < 3.15-3.module_el8.6.0+3137+d33c3efbfixed 3.15-3.module_el8.6.0+3137+d33c3efb
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s
- CVE-2022-2879Oct 14, 2022affected < 3.15-3.module_el8.6.0+3137+d33c3efbfixed 3.15-3.module_el8.6.0+3137+d33c3efb
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi
- CVE-2022-2990Sep 13, 2022affected < 3.15-3.module_el8.7.0+3407+95aa0ca9fixed 3.15-3.module_el8.7.0+3407+95aa0ca9
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissi
- CVE-2022-2989Sep 13, 2022affected < 3.15-3.module_el8.7.0+3407+95aa0ca9fixed 3.15-3.module_el8.7.0+3407+95aa0ca9
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissio
- CVE-2022-27664Sep 6, 2022affected < 3.15-3.module_el8.7.0+3407+95aa0ca9fixed 3.15-3.module_el8.7.0+3407+95aa0ca9
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
- CVE-2022-32148Aug 9, 2022affected < 3.15-1.module_el8.6.0+2876+9ed4eae2fixed 3.15-1.module_el8.6.0+2876+9ed4eae2
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the
- CVE-2022-1962Aug 9, 2022affected < 3.15-1.module_el8.6.0+2876+9ed4eae2fixed 3.15-1.module_el8.6.0+2876+9ed4eae2
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
- CVE-2022-32189Aug 9, 2022affected < 3.15-3.module_el8.7.0+3407+95aa0ca9fixed 3.15-3.module_el8.7.0+3407+95aa0ca9
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
- CVE-2022-30629Aug 9, 2022affected < 3.15-3.module_el8.7.0+3407+95aa0ca9fixed 3.15-3.module_el8.7.0+3407+95aa0ca9
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
- CVE-2022-30630Aug 9, 2022affected < 3.15-1.module_el8.6.0+2876+9ed4eae2fixed 3.15-1.module_el8.6.0+2876+9ed4eae2
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
- CVE-2022-1705Aug 9, 2022affected < 3.15-1.module_el8.6.0+2876+9ed4eae2fixed 3.15-1.module_el8.6.0+2876+9ed4eae2
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
- CVE-2022-30631Aug 9, 2022affected < 3.15-1.module_el8.6.0+2876+9ed4eae2fixed 3.15-1.module_el8.6.0+2876+9ed4eae2
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
- CVE-2022-30633Aug 9, 2022affected < 3.15-1.module_el8.6.0+2876+9ed4eae2fixed 3.15-1.module_el8.6.0+2876+9ed4eae2
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
- CVE-2022-30635Aug 9, 2022affected < 3.15-3.module_el8.7.0+3407+95aa0ca9fixed 3.15-3.module_el8.7.0+3407+95aa0ca9
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
- CVE-2022-30632Aug 9, 2022affected < 3.15-1.module_el8.6.0+2876+9ed4eae2fixed 3.15-1.module_el8.6.0+2876+9ed4eae2
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
- CVE-2022-28131Aug 9, 2022affected < 3.15-1.module_el8.6.0+2876+9ed4eae2fixed 3.15-1.module_el8.6.0+2876+9ed4eae2
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
Page 4 of 6