VYPR

rpm package

opensuse/apptainer&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/apptainer&distro=openSUSE%20Tumbleweed

Vulnerabilities (32)

  • CVE-2026-39821CriMay 22, 2026
    affected < 1.4.5-6.1fixed 1.4.5-6.1

    The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program

  • CVE-2026-39835MedMay 22, 2026
    affected < 1.4.5-5.1fixed 1.4.5-5.1

    SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

  • CVE-2026-39832CriMay 22, 2026
    affected < 1.4.5-5.1fixed 1.4.5-5.1

    When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now

  • CVE-2026-39831CriMay 22, 2026
    affected < 1.4.5-5.1fixed 1.4.5-5.1

    The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the

  • CVE-2026-39827MedMay 22, 2026
    affected < 1.4.5-5.1fixed 1.4.5-5.1

    An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state

  • CVE-2026-33814HigMay 7, 2026
    affected < 1.4.5-5.1fixed 1.4.5-5.1

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-34986HigApr 6, 2026
    affected < 1.4.5-4.1fixed 1.4.5-4.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-33186CriMar 20, 2026
    affected < 1.4.5-4.1fixed 1.4.5-4.1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2025-58190Feb 5, 2026
    affected < 1.4.5-2.1fixed 1.4.5-2.1

    The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2025-47911Feb 5, 2026
    affected < 1.4.5-2.1fixed 1.4.5-2.1

    The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2026-24137MedJan 23, 2026
    affected < 1.4.5-4.1fixed 1.4.5-4.1

    sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target na

  • CVE-2025-65105MedDec 2, 2025
    affected < 1.4.5-1.1fixed 1.4.5-1.1

    Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor: and --security=selinux: which otherwise put restricti

  • CVE-2025-58181MedNov 19, 2025
    affected < 1.4.5-1.1fixed 1.4.5-1.1

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-47914MedNov 19, 2025
    affected < 1.4.5-1.1fixed 1.4.5-1.1

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

  • CVE-2025-47913HigNov 13, 2025
    affected < 1.4.5-1.1fixed 1.4.5-1.1

    SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

  • CVE-2025-8556LowAug 6, 2025
    affected < 1.4.5-1.1fixed 1.4.5-1.1

    A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

  • CVE-2025-22872MedApr 16, 2025
    affected < 1.4.5-1.1fixed 1.4.5-1.1

    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul

  • CVE-2025-22870MedMar 12, 2025
    affected < 1.3.6-5.1fixed 1.3.6-5.1

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

  • CVE-2025-22869HigFeb 26, 2025
    affected < 1.3.6-5.1fixed 1.3.6-5.1

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-27144MedFeb 24, 2025
    affected < 1.3.6-5.1fixed 1.3.6-5.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

Page 1 of 2