CVEs related to bugs in StarlingX

Open bugs

Bug | CVE(s) | Status (StarlingX task)
Bug #1801798: CVE-2018-18074: python-requests package may reveal credentials | CVE-2018-18074 | Triaged, assigned to Ghada Khalil
Bug #1902149: CVE-2019-5482: curl: heap overflow in TFTP | CVE-2019-5482 | Triaged, assigned to Joe Slater
Bug #1906470: CVE-2019-11068: libxslt: bypass of protection mechanism | CVE-2019-11068 | Triaged, assigned to Joe Slater
Bug #1906471: CVE-2019-17006: nss: crypto primitives missing length checks | CVE-2019-17006 | Triaged (unassigned)

Resolved bugs

Bug | CVE(s) | Status (StarlingX task)
Bug #1791835: CVE-2017-1000433: Known moderate severity security vulnerability detected in pysaml2 <= 4.5.0 | CVE-2017-1000433 | Won't fix, assigned to Ken Young
Bug #1794868: lshell component is not maintained and has pending CVEs | CVE-2016-6902, CVE-2016-6903 | Won't fix, assigned to Ken Young
Bug #1796941: CVE-2018-7536: Moderate Django Vulnerability in django.utils.html.urlize() | CVE-2018-7536 | Won't fix, assigned to Ken Young
Bug #1805759: CVE: CVE-2018-5391: kernel: IP fragment re-assembly allows DOS (FragmentSmack) | CVE-2018-5391 | Fix released, assigned to Lin Shuicheng
Bug #1806749: CVE-2018-1002105 Kubernetes priviledge escalation | CVE-2018-1002105 | Fix released, assigned to Frank Miller
Bug #1815641: CVE-2019-5736 affecting docker-ce 18.03 | CVE-2019-5736 | Fix released, assigned to Brent Rowsell
Bug #1820756: CVE-2018-15688: systemd-network does not correctly keep track of a buffer size | CVE-2018-15688 | Fix released, assigned to Mawrer Amed Ramirez Martinez
Bug #1820757: CVE-2018-18311: Perl Buffer Overflow | CVE-2018-18311 | Fix released, assigned to Mawrer Amed Ramirez Martinez
Bug #1820759: CVE-2018-19115: keepalived has a Heap-based buffer overflow vulnerability | CVE-2018-19115 | Fix released, assigned to Mawrer Amed Ramirez Martinez
Bug #1830487: CVEs by modern implementation of the "fill buffer" mechanism | CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 | Fix released, assigned to zhao.shuai
Bug #1836685: CVE: integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs) | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | Fix released, assigned to zhao.shuai
Bug #1840771: CVE-2018-14618: NTLM buffer overflow via integer overflow | CVE-2017-8816, CVE-2018-14618 | Fix released, assigned to zhao.shuai
Bug #1840778: CVE-2019-11811: use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed | CVE-2019-11811 | Fix released, assigned to zhao.shuai
Bug #1847817: CVE-2019-14835: kernel: vhost-net: guest to host kernel escape during migration | CVE-2019-14835 | Fix released, assigned to Robin Lu
Bug #1849195: CVE-2018-1000076: rubygems: Improper verification of signatures in tarball allows to install mis-signed gem | CVE-2018-1000076 | Fix released, assigned to Jim Somerville
Bug #1849197: CVE-2018-12327: ntp: buffer overflow in ntpq and ntpdc | CVE-2018-12327 | Fix released, assigned to Jim Somerville
Bug #1849198: CVE-2018-14599: libX11: Off-by-one error in XListExtensions in ListExt.c | CVE-2018-14599 | Fix released, assigned to Robin Lu
Bug #1849199: CVE-2018-14600: libX11: Out of Bounds write in XListExtensions in ListExt.c | CVE-2018-14600 | Fix released, assigned to Robin Lu
Bug #1849200: CVE-2018-15686: systemd: state injection during daemon-reexec | CVE-2018-15686 | Fix released, assigned to Jim Somerville
Bug #1849201: CVE-2018-16402: elfutils: Double-free due to double decompression | CVE-2018-16402 | Fix released, assigned to Jim Somerville
Bug #1849202: CVE-2018-19788: polkit: Improper handling of uid | CVE-2018-19788 | Fix released, assigned to Jim Somerville
Bug #1849203: CVE-2018-8780: ruby: Unintentional directory traversal by poisoned NULL byte in Dir | CVE-2018-8780 | Fix released, assigned to Jim Somerville
Bug #1849204: Fix CVE-2019-0160 | CVE-2019-0160 | Fix released, assigned to Ghada Khalil
Bug #1849205: CVE-2019-0160: OVMF: overflows with long file names and invalid UDF media | CVE-2019-0160 | Fix released, assigned to Robin Lu
Bug #1849206: CVE-2019-11810: kernel: a NULL pointer dereference in drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS | CVE-2019-11810 | Fix released, assigned to Robin Lu
Bug #1849209: CVE-2019-11811: kernel: use-after-free in IPMI | CVE-2019-11811 | Fix released, assigned to Robin Lu
Bug #1849210: CVE-2019-5953: wget: do_conversion() buffer overflow | CVE-2019-5953 | Fix released, assigned to Jim Somerville
Bug #1852825: CVE-2019-14287: sudo: can bypass certain policy blacklists | CVE-2019-14287 | Fix released, assigned to Robin Lu
Bug #1864763: CVE-2019-10126 / CVE-2019-14895 / CVE-2019-17133 / CVE-2019-14901 / CVE-2019-16746: WiFi Driver Vulnerabilities | CVE-2019-10126, CVE-2019-14895, CVE-2019-14901, CVE-2019-16746, CVE-2019-17133 | Invalid by Jim Somerville
Bug #1881425: CVE-2015-2716: expat: Buffer overflow in the XML parser | CVE-2015-2716 | Fix released, assigned to Poornima Y N
Bug #1881426: CVE-2018-18751: gettext: double free in default_add_message | CVE-2018-18751 | Fix released, assigned to Poornima Y N
Bug #1881428: CVE-2018-5819: glib2: libRaw "parse_sinar_ia()" function can be exploited | CVE-2018-5819 | Invalid by Poornima Y N
Bug #1881429: CVE-2019-15916: kernel: memory leak in register_queue_kobjects | CVE-2019-15916 | Fix released, assigned to Jim Somerville
Bug #1902993: CVE-2017-12652: libpng: does not check length of chunks | CVE-2017-12652 | Fix released, assigned to Michel Thebeau [WIND]
Bug #1902995: CVE-2019-12450: glib2: file_copy_fallback does not restrict file permissions | CVE-2019-12450 | Fix released, assigned to Michel Thebeau [WIND]
Bug #1902997: CVE-2018-20843: expat: XML input leads to high RAM and CPU | CVE-2018-20843 | Fix released, assigned to Michel Thebeau [WIND]