This repository has been archived by the owner on Mar 16, 2022. It is now read-only.

Releases: cloudfoundry/cflinuxfs2

1.274.0

12 Mar 20:21

Notably, this release addresses:

USN-3906-1: LibTIFF vulnerabilities:

  • CVE-2018-10779: TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff.
  • CVE-2018-12900: Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.
  • CVE-2018-17000: A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.
  • CVE-2018-19210: In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset.
  • CVE-2019-6128: The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb.
  • CVE-2019-7663: An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900.
-ii  libtiff5:amd64     4.0.3-7ubuntu0.10  amd64  Tag Image File Format (TIFF) library
-ii  libtiff5-dev:amd64 4.0.3-7ubuntu0.10  amd64  Tag Image File Format library (TIFF), development files
-ii  libtiffxx5:amd64   4.0.3-7ubuntu0.10  amd64  Tag Image File Format (TIFF) library -- C++ interface
+ii  libtiff5:amd64     4.0.3-7ubuntu0.11  amd64  Tag Image File Format (TIFF) library
+ii  libtiff5-dev:amd64 4.0.3-7ubuntu0.11  amd64  Tag Image File Format library (TIFF), development files
+ii  libtiffxx5:amd64   4.0.3-7ubuntu0.11  amd64  Tag Image File Format (TIFF) library -- C++ interface

1.273.0

05 Mar 17:34

Notably, this release addresses:

USN-3885-2: OpenSSH vulnerability:

  • CVE-2019-6111: An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
-ii  openssh-client      1:6.6p1-2ubuntu2.12  amd64  secure shell (SSH) client, for secure access to remote machines
-ii  openssh-server      1:6.6p1-2ubuntu2.12  amd64  secure shell (SSH) server, for secure access from remote machines
-ii  openssh-sftp-server 1:6.6p1-2ubuntu2.12  amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines
+ii  openssh-client      1:6.6p1-2ubuntu2.13  amd64  secure shell (SSH) client, for secure access to remote machines
+ii  openssh-server      1:6.6p1-2ubuntu2.13  amd64  secure shell (SSH) server, for secure access from remote machines
+ii  openssh-sftp-server 1:6.6p1-2ubuntu2.13  amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines

1.272.0

05 Mar 17:33
-ii  base-files  7.2ubuntu5.5  amd64  Debian base system miscellaneous files
+ii  base-files  7.2ubuntu5.6  amd64  Debian base system miscellaneous files

1.271.0

04 Mar 15:06

Notably, this release addresses:

USN-3900-1: GD vulnerabilities:

  • CVE-2019-6977: gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.
  • CVE-2019-6978: The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected.
-ii  libgd-dev:amd64  2.1.0-3ubuntu0.10  amd64 GD Graphics Library (development version)
-ii  libgd2-noxpm-dev 2.1.0-3ubuntu0.10  all   GD Graphics Library (transitional package)
-ii  libgd3:amd64     2.1.0-3ubuntu0.10  amd64 GD Graphics Library
+ii  libgd-dev:amd64  2.1.0-3ubuntu0.11  amd64 GD Graphics Library (development version)
+ii  libgd2-noxpm-dev 2.1.0-3ubuntu0.11  all   GD Graphics Library (transitional package)
+ii  libgd3:amd64     2.1.0-3ubuntu0.11  amd64 GD Graphics Library

1.270.0

04 Mar 15:06
-ii  apt                  1.0.1ubuntu2.19  amd64  commandline package manager
-ii  apt-utils            1.0.1ubuntu2.19  amd64  package management related utility programs
+ii  apt                  1.0.1ubuntu2.20  amd64  commandline package manager
+ii  apt-utils            1.0.1ubuntu2.20  amd64  package management related utility programs
-ii  libapt-inst1.5:amd64 1.0.1ubuntu2.19  amd64  deb package format runtime library
-ii  libapt-pkg4.12:amd64 1.0.1ubuntu2.19  amd64  package management runtime library
+ii  libapt-inst1.5:amd64 1.0.1ubuntu2.20  amd64  deb package format runtime library
+ii  libapt-pkg4.12:amd64 1.0.1ubuntu2.20  amd64  package management runtime library
-ii  libsqlite3-0:amd64   3.8.2-1ubuntu2.1 amd64  SQLite 3 shared library
-ii  libsqlite3-dev:amd64 3.8.2-1ubuntu2.1 amd64  SQLite 3 development files
+ii  libsqlite3-0:amd64   3.8.2-1ubuntu2.2 amd64  SQLite 3 shared library
+ii  libsqlite3-dev:amd64 3.8.2-1ubuntu2.2 amd64  SQLite 3 development files

1.269.0

04 Mar 15:06

No changes.

1.268.0

27 Feb 20:38
-ii  bind9-host  1:9.9.5.dfsg-3ubuntu0.18  amd64  Version of 'host' bundled with BIND 9.X
+ii  bind9-host  1:9.9.5.dfsg-3ubuntu0.19  amd64  Version of 'host' bundled with BIND 9.X
-ii  dnsutils    1:9.9.5.dfsg-3ubuntu0.18  amd64  Clients provided with BIND
+ii  dnsutils    1:9.9.5.dfsg-3ubuntu0.19  amd64  Clients provided with BIND
-ii  libbind9-90 1:9.9.5.dfsg-3ubuntu0.18  amd64  BIND9 Shared Library used by BIND
+ii  libbind9-90 1:9.9.5.dfsg-3ubuntu0.19  amd64  BIND9 Shared Library used by BIND
-ii  libdns100   1:9.9.5.dfsg-3ubuntu0.18  amd64  DNS Shared Library used by BIND
+ii  libdns100   1:9.9.5.dfsg-3ubuntu0.19  amd64  DNS Shared Library used by BIND
-ii  libisc95    1:9.9.5.dfsg-3ubuntu0.18  amd64  ISC Shared Library used by BIND
-ii  libisccc90  1:9.9.5.dfsg-3ubuntu0.18  amd64  Command Channel Library used by BIND
-ii  libisccfg90 1:9.9.5.dfsg-3ubuntu0.18  amd64  Config File Handling Library used by BIND
+ii  libisc95    1:9.9.5.dfsg-3ubuntu0.19  amd64  ISC Shared Library used by BIND
+ii  libisccc90  1:9.9.5.dfsg-3ubuntu0.19  amd64  Command Channel Library used by BIND
+ii  libisccfg90 1:9.9.5.dfsg-3ubuntu0.19  amd64  Config File Handling Library used by BIND
-ii  liblwres90  1:9.9.5.dfsg-3ubuntu0.18  amd64  Lightweight Resolver Library used by BIND
+ii  liblwres90  1:9.9.5.dfsg-3ubuntu0.19  amd64  Lightweight Resolver Library used by BIND

1.267.0

27 Feb 20:38
-ii  libmariadbclient-dev     5.5.61-1ubuntu0.14.04.1  amd64 MariaDB database development files
-ii  libmariadbclient18:amd64 5.5.61-1ubuntu0.14.04.1  amd64 MariaDB database client library
+ii  libmariadbclient-dev     5.5.63-1ubuntu0.14.04.1  amd64 MariaDB database development files
+ii  libmariadbclient18:amd64 5.5.63-1ubuntu0.14.04.1  amd64 MariaDB database client library
-ii  mariadb-common           5.5.61-1ubuntu0.14.04.1  all   MariaDB common metapackage
+ii  mariadb-common           5.5.63-1ubuntu0.14.04.1  all   MariaDB common metapackage

1.266.0

07 Feb 21:33

Notably, this release addresses:

USN-3885-1: OpenSSH vulnerabilities:

  • CVE-2018-20685: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.
  • CVE-2019-6109: An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
  • CVE-2019-6111: An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
-ii  openssh-client      1:6.6p1-2ubuntu2.11  amd64  secure shell (SSH) client, for secure access to remote machines
-ii  openssh-server      1:6.6p1-2ubuntu2.11  amd64  secure shell (SSH) server, for secure access from remote machines
-ii  openssh-sftp-server 1:6.6p1-2ubuntu2.11  amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines
+ii  openssh-client      1:6.6p1-2ubuntu2.12  amd64  secure shell (SSH) client, for secure access to remote machines
+ii  openssh-server      1:6.6p1-2ubuntu2.12  amd64  secure shell (SSH) server, for secure access from remote machines
+ii  openssh-sftp-server 1:6.6p1-2ubuntu2.12  amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines

1.265.0

07 Feb 19:04

Notably, this release addresses:

USN-3884-1: libarchive vulnerabilities:

  • CVE-2019-1000019: libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.
  • CVE-2019-1000020: libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.
-ii  libarchive13:amd64  3.1.2-7ubuntu2.7  amd64  Multi-format archive and compression library (shared library)
+ii  libarchive13:amd64  3.1.2-7ubuntu2.8  amd64  Multi-format archive and compression library (shared library)