github.com/argoproj/argo-cd/v3@v3.2.1/docs/snyk/v2.14.17/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html (about) 1 <!DOCTYPE html> 2 <html lang="en"> 3 4 <head> 5 <meta http-equiv="Content-type" content="text/html; charset=utf-8"> 6 <meta http-equiv="Content-Language" content="en-us"> 7 <meta name="viewport" content="width=device-width, initial-scale=1.0"> 8 <meta http-equiv="X-UA-Compatible" content="IE=edge"> 9 <title>Snyk test report</title> 10 <meta name="description" content="9 known vulnerabilities found in 86 vulnerable dependency paths."> 11 <base target="_blank"> 12 <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png" 13 sizes="194x194"> 14 <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico"> 15 <style type="text/css"> 16 17 body { 18 -moz-font-feature-settings: "pnum"; 19 -webkit-font-feature-settings: "pnum"; 20 font-variant-numeric: proportional-nums; 21 display: flex; 22 flex-direction: column; 23 font-feature-settings: "pnum"; 24 font-size: 100%; 25 line-height: 1.5; 26 min-height: 100vh; 27 -webkit-text-size-adjust: 100%; 28 margin: 0; 29 padding: 0; 30 background-color: #F5F5F5; 31 font-family: 'Arial', 'Helvetica', Calibri, sans-serif; 32 } 33 34 h1, 35 h2, 36 h3, 37 h4, 38 h5, 39 h6 { 40 font-weight: 500; 41 } 42 43 a, 44 a:link, 45 a:visited { 46 border-bottom: 1px solid #4b45a9; 47 text-decoration: none; 48 color: #4b45a9; 49 } 50 51 a:hover, 52 a:focus, 53 a:active { 54 border-bottom: 1px solid #4b45a9; 55 } 56 57 hr { 58 border: none; 59 margin: 1em 0; 60 border-top: 1px solid #c5c5c5; 61 } 62 63 ul { 64 padding: 0 1em; 65 margin: 1em 0; 66 } 67 68 code { 69 background-color: #EEE; 70 color: #333; 71 padding: 0.25em 0.5em; 72 border-radius: 0.25em; 73 } 74 75 pre { 76 background-color: #333; 77 font-family: monospace; 78 padding: 0.5em 1em 0.75em; 79 border-radius: 0.25em; 80 font-size: 14px; 81 } 82 83 pre code { 
84 padding: 0; 85 background-color: transparent; 86 color: #fff; 87 } 88 89 a code { 90 border-radius: .125rem .125rem 0 0; 91 padding-bottom: 0; 92 color: #4b45a9; 93 } 94 95 a[href^="http://"]:after, 96 a[href^="https://"]:after { 97 background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E"); 98 background-repeat: no-repeat; 99 background-size: .75rem; 100 content: ""; 101 display: inline-block; 102 height: .75rem; 103 margin-left: .25rem; 104 width: .75rem; 105 } 106 107 108 /* Layout */ 109 110 [class*=layout-container] { 111 margin: 0 auto; 112 max-width: 71.25em; 113 padding: 1.9em 1.3em; 114 position: relative; 115 } 116 .layout-container--short { 117 padding-top: 0; 118 padding-bottom: 0; 119 max-width: 48.75em; 120 } 121 122 .layout-container--short:after { 123 display: block; 124 content: ""; 125 clear: both; 126 } 127 128 /* Header */ 129 130 .header { 131 padding-bottom: 1px; 132 } 133 134 .paths { 135 margin-left: 8px; 136 } 137 .header-wrap { 138 display: flex; 139 flex-direction: row; 140 justify-content: space-between; 141 padding-top: 2em; 142 } 143 .project__header { 144 background-color: #030328; 145 color: #fff; 146 margin-bottom: -1px; 147 padding-top: 1em; 148 padding-bottom: 0.25em; 149 border-bottom: 2px solid #BBB; 150 } 151 152 .project__header__title { 153 overflow-wrap: break-word; 154 
word-wrap: break-word; 155 word-break: break-all; 156 margin-bottom: .1em; 157 margin-top: 0; 158 } 159 160 .timestamp { 161 float: right; 162 clear: none; 163 margin-bottom: 0; 164 } 165 166 .meta-counts { 167 clear: both; 168 display: block; 169 flex-wrap: wrap; 170 justify-content: space-between; 171 margin: 0 0 1.5em; 172 color: #fff; 173 clear: both; 174 font-size: 1.1em; 175 } 176 177 .meta-count { 178 display: block; 179 flex-basis: 100%; 180 margin: 0 1em 1em 0; 181 float: left; 182 padding-right: 1em; 183 border-right: 2px solid #fff; 184 } 185 186 .meta-count:last-child { 187 border-right: 0; 188 padding-right: 0; 189 margin-right: 0; 190 } 191 192 /* Card */ 193 194 .card { 195 background-color: #fff; 196 border: 1px solid #c5c5c5; 197 border-radius: .25rem; 198 margin: 0 0 2em 0; 199 position: relative; 200 min-height: 40px; 201 padding: 1.5em; 202 } 203 204 .card__labels { 205 position: absolute; 206 top: 1.1em; 207 left: 0; 208 display: flex; 209 align-items: center; 210 gap: 8px; 211 } 212 213 .card .label { 214 background-color: #767676; 215 border: 2px solid #767676; 216 color: white; 217 padding: 0.25rem 0.75rem; 218 font-size: 0.875rem; 219 text-transform: uppercase; 220 display: inline-block; 221 margin: 0; 222 border-radius: 0.25rem; 223 } 224 225 .card .label__text { 226 vertical-align: text-top; 227 font-weight: bold; 228 } 229 230 .card .label--critical { 231 background-color: #AB1A1A; 232 border-color: #AB1A1A; 233 } 234 235 .card .label--high { 236 background-color: #CE5019; 237 border-color: #CE5019; 238 } 239 240 .card .label--medium { 241 background-color: #D68000; 242 border-color: #D68000; 243 } 244 245 .card .label--low { 246 background-color: #88879E; 247 border-color: #88879E; 248 } 249 250 .severity--low { 251 border-color: #88879E; 252 } 253 254 .severity--medium { 255 border-color: #D68000; 256 } 257 258 .severity--high { 259 border-color: #CE5019; 260 } 261 262 .severity--critical { 263 border-color: #AB1A1A; 264 } 265 266 
.card--vuln { 267 padding-top: 4em; 268 } 269 270 .card--vuln .card__labels > .label:first-child { 271 padding-left: 1.9em; 272 padding-right: 1.9em; 273 border-radius: 0 0.25rem 0.25rem 0; 274 } 275 276 .card--vuln .card__section h2 { 277 font-size: 22px; 278 margin-bottom: 0.5em; 279 } 280 281 .card--vuln .card__section p { 282 margin: 0 0 0.5em 0; 283 } 284 285 .card--vuln .card__meta { 286 padding: 0 0 0 1em; 287 margin: 0; 288 font-size: 1.1em; 289 } 290 291 .card .card__meta__paths { 292 font-size: 0.9em; 293 } 294 295 .card--vuln .card__title { 296 font-size: 28px; 297 margin-top: 0; 298 margin-right: 100px; /* Ensure space for the risk score */ 299 } 300 301 .card--vuln .card__cta p { 302 margin: 0; 303 text-align: right; 304 } 305 306 .risk-score-display { 307 position: absolute; 308 top: 1.5em; 309 right: 1.5em; 310 text-align: right; 311 z-index: 10; 312 } 313 314 .risk-score-display__label { 315 font-size: 0.7em; 316 font-weight: bold; 317 color: #586069; 318 text-transform: uppercase; 319 line-height: 1; 320 margin-bottom: 3px; 321 } 322 323 .risk-score-display__value { 324 font-size: 1.9em; 325 font-weight: 600; 326 color: #24292e; 327 line-height: 1; 328 } 329 330 .source-panel { 331 clear: both; 332 display: flex; 333 justify-content: flex-start; 334 flex-direction: column; 335 align-items: flex-start; 336 padding: 0.5em 0; 337 width: fit-content; 338 } 339 340 341 342 </style> 343 <style type="text/css"> 344 .metatable { 345 text-size-adjust: 100%; 346 -webkit-font-smoothing: antialiased; 347 -webkit-box-direction: normal; 348 color: inherit; 349 font-feature-settings: "pnum"; 350 box-sizing: border-box; 351 background: transparent; 352 border: 0; 353 font: inherit; 354 font-size: 100%; 355 margin: 0; 356 outline: none; 357 padding: 0; 358 text-align: left; 359 text-decoration: none; 360 vertical-align: baseline; 361 z-index: auto; 362 margin-top: 12px; 363 border-collapse: collapse; 364 border-spacing: 0; 365 font-variant-numeric: tabular-nums; 
366 max-width: 51.75em; 367 } 368 369 tbody { 370 text-size-adjust: 100%; 371 -webkit-font-smoothing: antialiased; 372 -webkit-box-direction: normal; 373 color: inherit; 374 font-feature-settings: "pnum"; 375 border-collapse: collapse; 376 border-spacing: 0; 377 box-sizing: border-box; 378 background: transparent; 379 border: 0; 380 font: inherit; 381 font-size: 100%; 382 margin: 0; 383 outline: none; 384 padding: 0; 385 text-align: left; 386 text-decoration: none; 387 vertical-align: baseline; 388 z-index: auto; 389 display: flex; 390 flex-wrap: wrap; 391 } 392 393 .meta-row { 394 text-size-adjust: 100%; 395 -webkit-font-smoothing: antialiased; 396 -webkit-box-direction: normal; 397 color: inherit; 398 font-feature-settings: "pnum"; 399 border-collapse: collapse; 400 border-spacing: 0; 401 box-sizing: border-box; 402 background: transparent; 403 border: 0; 404 font: inherit; 405 font-size: 100%; 406 outline: none; 407 text-align: left; 408 text-decoration: none; 409 vertical-align: baseline; 410 z-index: auto; 411 display: flex; 412 align-items: start; 413 border-top: 1px solid #d3d3d9; 414 padding: 8px 0 0 0; 415 border-bottom: none; 416 margin: 8px; 417 width: 47.75%; 418 } 419 420 .meta-row-label { 421 text-size-adjust: 100%; 422 -webkit-font-smoothing: antialiased; 423 -webkit-box-direction: normal; 424 font-feature-settings: "pnum"; 425 border-collapse: collapse; 426 border-spacing: 0; 427 color: #4c4a73; 428 box-sizing: border-box; 429 background: transparent; 430 border: 0; 431 font: inherit; 432 margin: 0; 433 outline: none; 434 text-decoration: none; 435 z-index: auto; 436 align-self: start; 437 flex: 1; 438 font-size: 1rem; 439 line-height: 1.5rem; 440 padding: 0; 441 text-align: left; 442 vertical-align: top; 443 text-transform: none; 444 letter-spacing: 0; 445 } 446 447 .meta-row-value { 448 text-size-adjust: 100%; 449 -webkit-font-smoothing: antialiased; 450 -webkit-box-direction: normal; 451 color: inherit; 452 font-feature-settings: "pnum"; 453 
border-collapse: collapse; 454 border-spacing: 0; 455 word-break: break-word; 456 box-sizing: border-box; 457 background: transparent; 458 border: 0; 459 font: inherit; 460 font-size: 100%; 461 margin: 0; 462 outline: none; 463 padding: 0; 464 text-align: right; 465 text-decoration: none; 466 vertical-align: baseline; 467 z-index: auto; 468 } 469 </style> 470 </head> 471 472 <body class="section-projects"> 473 <main class="layout-stacked"> 474 <div class="layout-stacked__header header"> 475 <header class="project__header"> 476 <div class="layout-container"> 477 <a class="brand" href="https://snyk.io" title="Snyk"> 478 <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img"> 479 <title>Snyk - Open Source Security</title> 480 <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> 481 <g fill="#fff"> 482 <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 
C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path> 483 </g> 484 </g> 485 </svg> 486 </a> 487 <div class="header-wrap"> 488 <h1 class="project__header__title">Snyk test report</h1> 489 490 <p class="timestamp">September 14th 2025, 12:29:57 am (UTC+00:00)</p> 491 </div> 492 <div class="source-panel"> 493 <span>Scanned the following path:</span> 494 <ul> 495 <li class="paths">public.ecr.aws/docker/library/haproxy:2.6.17-alpine/docker/library/haproxy (apk)</li> 496 </ul> 497 </div> 498 499 <div class="meta-counts"> 500 <div class="meta-count"><span>9</span> <span>known vulnerabilities</span></div> 501 <div class="meta-count"><span>86 vulnerable dependency paths</span></div> 502 <div class="meta-count"><span>18</span> <span>dependencies</span></div> 503 </div><!-- .meta-counts --> 504 </div><!-- .layout-container--short --> 505 </header><!-- .project__header --> 506 </div><!-- .layout-stacked__header --> 507 <section class="layout-container"> 508 <table class="metatable"> 509 <tbody> 510 <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|public.ecr.aws/docker/library/haproxy</td></tr> 511 <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">public.ecr.aws/docker/library/haproxy:2.6.17-alpine/docker/library/haproxy</td></tr> 512 <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr> 513 514 </tbody> 515 </table> 516 </section> 517 <div class="layout-container" style="padding-top: 35px;"> 518 <div class="cards--vuln filter--patch filter--ignore"> 519 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 520 <h2 
class="card__title">Access of Resource Using Incompatible Type ('Type Confusion')</h2> 521 <div class="card__section"> 522 523 <div class="card__labels"> 524 <div class="label label--high"> 525 <span class="label__text">high severity</span> 526 </div> 527 </div> 528 529 <hr/> 530 531 <ul class="card__meta"> 532 <li class="card__meta__item"> 533 Package Manager: alpine:3.20 534 </li> 535 <li class="card__meta__item"> 536 Vulnerable module: 537 538 openssl/libcrypto3 539 </li> 540 541 <li class="card__meta__item">Introduced through: 542 543 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and openssl/libcrypto3@3.3.0-r2 544 545 </li> 546 </ul> 547 548 <hr/> 549 550 551 <h3 class="card__section__title">Detailed paths</h3> 552 553 <ul class="card__meta__paths"> 554 <li> 555 <span class="list-paths__item__introduced"><em>Introduced through</em>: 556 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 557 <span class="list-paths__item__arrow">›</span> 558 openssl/libcrypto3@3.3.0-r2 559 560 </span> 561 562 </li> 563 <li> 564 <span class="list-paths__item__introduced"><em>Introduced through</em>: 565 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 566 <span class="list-paths__item__arrow">›</span> 567 .haproxy-rundeps@20240524.005458 568 <span class="list-paths__item__arrow">›</span> 569 openssl/libcrypto3@3.3.0-r2 570 571 </span> 572 573 </li> 574 <li> 575 <span class="list-paths__item__introduced"><em>Introduced through</em>: 576 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 577 <span class="list-paths__item__arrow">›</span> 578 apk-tools/apk-tools@2.14.4-r0 579 <span class="list-paths__item__arrow">›</span> 580 openssl/libcrypto3@3.3.0-r2 581 582 </span> 583 584 </li> 585 <li> 586 <span class="list-paths__item__introduced"><em>Introduced through</em>: 587 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 588 <span class="list-paths__item__arrow">›</span> 589 busybox/ssl_client@1.36.1-r28 
590 <span class="list-paths__item__arrow">›</span> 591 openssl/libcrypto3@3.3.0-r2 592 593 </span> 594 595 </li> 596 <li> 597 <span class="list-paths__item__introduced"><em>Introduced through</em>: 598 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 599 <span class="list-paths__item__arrow">›</span> 600 ca-certificates/ca-certificates@20240226-r0 601 <span class="list-paths__item__arrow">›</span> 602 openssl/libcrypto3@3.3.0-r2 603 604 </span> 605 606 </li> 607 <li> 608 <span class="list-paths__item__introduced"><em>Introduced through</em>: 609 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 610 <span class="list-paths__item__arrow">›</span> 611 .haproxy-rundeps@20240524.005458 612 <span class="list-paths__item__arrow">›</span> 613 openssl/libssl3@3.3.0-r2 614 <span class="list-paths__item__arrow">›</span> 615 openssl/libcrypto3@3.3.0-r2 616 617 </span> 618 619 </li> 620 <li> 621 <span class="list-paths__item__introduced"><em>Introduced through</em>: 622 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 623 <span class="list-paths__item__arrow">›</span> 624 openssl/libssl3@3.3.0-r2 625 626 </span> 627 628 </li> 629 <li> 630 <span class="list-paths__item__introduced"><em>Introduced through</em>: 631 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 632 <span class="list-paths__item__arrow">›</span> 633 .haproxy-rundeps@20240524.005458 634 <span class="list-paths__item__arrow">›</span> 635 openssl/libssl3@3.3.0-r2 636 637 </span> 638 639 </li> 640 <li> 641 <span class="list-paths__item__introduced"><em>Introduced through</em>: 642 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 643 <span class="list-paths__item__arrow">›</span> 644 apk-tools/apk-tools@2.14.4-r0 645 <span class="list-paths__item__arrow">›</span> 646 openssl/libssl3@3.3.0-r2 647 648 </span> 649 650 </li> 651 <li> 652 <span class="list-paths__item__introduced"><em>Introduced through</em>: 653 
docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 654 <span class="list-paths__item__arrow">›</span> 655 busybox/ssl_client@1.36.1-r28 656 <span class="list-paths__item__arrow">›</span> 657 openssl/libssl3@3.3.0-r2 658 659 </span> 660 661 </li> 662 </ul><!-- .list-paths --> 663 664 </div><!-- .card__section --> 665 666 <hr/> 667 <!-- Overview --> 668 <h2 id="nvd-description">NVD Description</h2> 669 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em> 670 <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p> 671 <p>Issue summary: Applications performing certificate name checks (e.g., TLS 672 clients checking server certificates) may attempt to read an invalid memory 673 address resulting in abnormal termination of the application process.</p> 674 <p>Impact summary: Abnormal termination of an application can cause a denial of 675 service.</p> 676 <p>Applications performing certificate name checks (e.g., TLS clients checking 677 server certificates) may attempt to read an invalid memory address when 678 comparing the expected name with an <code>otherName</code> subject alternative name of an 679 X.509 certificate. This may result in an exception that terminates the 680 application program.</p> 681 <p>Note that basic certificate chain validation (signatures, dates, ...) is not 682 affected; the denial of service can occur only when the application also 683 specifies an expected DNS name, email address or IP address.</p> 684 <p>TLS servers rarely solicit client certificates, and even when they do, they 685 generally don't perform a name check against a reference identifier (expected 686 identity), but rather extract the presented identity after checking the 687 certificate chain. 
So TLS servers are generally not affected and the severity 688 of the issue is Moderate.</p> 689 <p>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p> <p><em>Note: "Moderate" above is the upstream OpenSSL project's own rating; this report labels the finding high severity, so treat the label as the prioritisation input and the upstream text as the exploitability context.</em></p> 690 <h2 id="remediation">Remediation</h2> 691 <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.2-r0 or higher (this also satisfies the 3.3.0-r3 fix version required by the low-severity <code>openssl</code> finding later in this report).</p> 692 <h2 id="references">References</h2> 693 <ul> 694 <li><a href="https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f">https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f</a></li> 695 <li><a href="https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6">https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6</a></li> 696 <li><a href="https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2">https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2</a></li> 697 <li><a href="https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0">https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0</a></li> 698 <li><a href="https://openssl-library.org/news/secadv/20240903.txt">https://openssl-library.org/news/secadv/20240903.txt</a></li> 699 <li><a href="http://www.openwall.com/lists/oss-security/2024/09/03/4">http://www.openwall.com/lists/oss-security/2024/09/03/4</a></li> 700 <li><a href="https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html">https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html</a></li> 701 <li><a href="https://security.netapp.com/advisory/ntap-20240912-0001/">https://security.netapp.com/advisory/ntap-20240912-0001/</a></li> 702 </ul> 703 704 <hr/> 705 706 <div class="cta card__cta"> 707 <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-7895537">More about this vulnerability</a></p> 708 </div> 709 710 </div><!-- .card --> 711 <div class="card card--vuln disclosure--not-new 
severity--medium" data-snyk-test="medium"> 712 <h2 class="card__title">Use After Free</h2> 713 <div class="card__section"> 714 715 <div class="card__labels"> 716 <div class="label label--medium"> 717 <span class="label__text">medium severity</span> 718 </div> 719 </div> 720 721 <hr/> 722 723 <ul class="card__meta"> 724 <li class="card__meta__item"> 725 Package Manager: alpine:3.20 726 </li> 727 <li class="card__meta__item"> 728 Vulnerable module: 729 730 busybox/busybox 731 </li> 732 733 <li class="card__meta__item">Introduced through: 734 735 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and busybox/busybox@1.36.1-r28 736 737 </li> 738 </ul> 739 740 <hr/> 741 742 743 <h3 class="card__section__title">Detailed paths</h3> 744 745 <ul class="card__meta__paths"> 746 <li> 747 <span class="list-paths__item__introduced"><em>Introduced through</em>: 748 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 749 <span class="list-paths__item__arrow">›</span> 750 busybox/busybox@1.36.1-r28 751 752 </span> 753 754 </li> 755 <li> 756 <span class="list-paths__item__introduced"><em>Introduced through</em>: 757 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 758 <span class="list-paths__item__arrow">›</span> 759 alpine-baselayout/alpine-baselayout@3.6.5-r0 760 <span class="list-paths__item__arrow">›</span> 761 busybox/busybox-binsh@1.36.1-r28 762 <span class="list-paths__item__arrow">›</span> 763 busybox/busybox@1.36.1-r28 764 765 </span> 766 767 </li> 768 <li> 769 <span class="list-paths__item__introduced"><em>Introduced through</em>: 770 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 771 <span class="list-paths__item__arrow">›</span> 772 busybox/busybox-binsh@1.36.1-r28 773 774 </span> 775 776 </li> 777 <li> 778 <span class="list-paths__item__introduced"><em>Introduced through</em>: 779 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 780 <span class="list-paths__item__arrow">›</span> 781 
alpine-baselayout/alpine-baselayout@3.6.5-r0 782 <span class="list-paths__item__arrow">›</span> 783 busybox/busybox-binsh@1.36.1-r28 784 785 </span> 786 787 </li> 788 <li> 789 <span class="list-paths__item__introduced"><em>Introduced through</em>: 790 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 791 <span class="list-paths__item__arrow">›</span> 792 ca-certificates/ca-certificates@20240226-r0 793 <span class="list-paths__item__arrow">›</span> 794 busybox/busybox-binsh@1.36.1-r28 795 796 </span> 797 798 </li> 799 <li> 800 <span class="list-paths__item__introduced"><em>Introduced through</em>: 801 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 802 <span class="list-paths__item__arrow">›</span> 803 busybox/ssl_client@1.36.1-r28 804 805 </span> 806 807 </li> 808 </ul><!-- .list-paths --> 809 810 </div><!-- .card__section --> 811 812 <hr/> 813 <!-- Overview --> 814 <h2 id="nvd-description">NVD Description</h2> 815 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>busybox</code> package and not the <code>busybox</code> package as distributed by <code>Alpine</code>.</em> 816 <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p> 817 <p>A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.</p> 818 <h2 id="remediation">Remediation</h2> 819 <p>Upgrade <code>Alpine:3.20</code> <code>busybox</code> to version 1.36.1-r29 or higher.</p> 820 <h2 id="references">References</h2> 821 <ul> 822 <li><a href="https://bugs.busybox.net/show_bug.cgi?id=15868">https://bugs.busybox.net/show_bug.cgi?id=15868</a></li> 823 </ul> 824 825 <hr/> 826 827 <div class="cta card__cta"> 828 <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-BUSYBOX-7233533">More about this vulnerability</a></p> 829 </div> 830 831 </div><!-- .card --> 832 <div class="card 
card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 833 <h2 class="card__title">Use After Free</h2> 834 <div class="card__section"> 835 836 <div class="card__labels"> 837 <div class="label label--medium"> 838 <span class="label__text">medium severity</span> 839 </div> 840 </div> 841 842 <hr/> 843 844 <ul class="card__meta"> 845 <li class="card__meta__item"> 846 Package Manager: alpine:3.20 847 </li> 848 <li class="card__meta__item"> 849 Vulnerable module: 850 851 busybox/busybox 852 </li> 853 854 <li class="card__meta__item">Introduced through: 855 856 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and busybox/busybox@1.36.1-r28 857 858 </li> 859 </ul> 860 861 <hr/> 862 863 864 <h3 class="card__section__title">Detailed paths</h3> 865 866 <ul class="card__meta__paths"> 867 <li> 868 <span class="list-paths__item__introduced"><em>Introduced through</em>: 869 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 870 <span class="list-paths__item__arrow">›</span> 871 busybox/busybox@1.36.1-r28 872 873 </span> 874 875 </li> 876 <li> 877 <span class="list-paths__item__introduced"><em>Introduced through</em>: 878 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 879 <span class="list-paths__item__arrow">›</span> 880 alpine-baselayout/alpine-baselayout@3.6.5-r0 881 <span class="list-paths__item__arrow">›</span> 882 busybox/busybox-binsh@1.36.1-r28 883 <span class="list-paths__item__arrow">›</span> 884 busybox/busybox@1.36.1-r28 885 886 </span> 887 888 </li> 889 <li> 890 <span class="list-paths__item__introduced"><em>Introduced through</em>: 891 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 892 <span class="list-paths__item__arrow">›</span> 893 busybox/busybox-binsh@1.36.1-r28 894 895 </span> 896 897 </li> 898 <li> 899 <span class="list-paths__item__introduced"><em>Introduced through</em>: 900 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 901 <span 
class="list-paths__item__arrow">›</span> 902 alpine-baselayout/alpine-baselayout@3.6.5-r0 903 <span class="list-paths__item__arrow">›</span> 904 busybox/busybox-binsh@1.36.1-r28 905 906 </span> 907 908 </li> 909 <li> 910 <span class="list-paths__item__introduced"><em>Introduced through</em>: 911 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 912 <span class="list-paths__item__arrow">›</span> 913 ca-certificates/ca-certificates@20240226-r0 914 <span class="list-paths__item__arrow">›</span> 915 busybox/busybox-binsh@1.36.1-r28 916 917 </span> 918 919 </li> 920 <li> 921 <span class="list-paths__item__introduced"><em>Introduced through</em>: 922 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 923 <span class="list-paths__item__arrow">›</span> 924 busybox/ssl_client@1.36.1-r28 925 926 </span> 927 928 </li> 929 </ul><!-- .list-paths --> 930 931 </div><!-- .card__section --> 932 933 <hr/> 934 <!-- Overview --> 935 <h2 id="nvd-description">NVD Description</h2> 936 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>busybox</code> package and not the <code>busybox</code> package as distributed by <code>Alpine</code>.</em> 937 <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p> 938 <p>A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.</p> 939 <h2 id="remediation">Remediation</h2> 940 <p>Upgrade <code>Alpine:3.20</code> <code>busybox</code> to version 1.36.1-r29 or higher.</p> 941 <h2 id="references">References</h2> 942 <ul> 943 <li><a href="https://bugs.busybox.net/show_bug.cgi?id=15871">https://bugs.busybox.net/show_bug.cgi?id=15871</a></li> 944 </ul> 945 946 <hr/> 947 948 <div class="cta card__cta"> 949 <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-BUSYBOX-7233586">More about this vulnerability</a></p> 950 </div> 951 952 </div><!-- .card --> 953 <div 
class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 954 <h2 class="card__title">Use After Free (CVE-2024-4741)</h2> 955 <div class="card__section"> 956 957 <div class="card__labels"> 958 <div class="label label--low"> 959 <span class="label__text">low severity</span> 960 </div> 961 </div> 962 963 <hr/> 964 965 <ul class="card__meta"> 966 <li class="card__meta__item"> 967 Package Manager: alpine:3.20 968 </li> 969 <li class="card__meta__item"> 970 Vulnerable module: 971 972 openssl/libcrypto3 973 </li> 974 975 <li class="card__meta__item">Introduced through: 976 977 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and openssl/libcrypto3@3.3.0-r2 978 979 </li> 980 </ul> 981 982 <hr/> 983 984 985 <h3 class="card__section__title">Detailed paths</h3> 986 987 <ul class="card__meta__paths"> 988 <li> 989 <span class="list-paths__item__introduced"><em>Introduced through</em>: 990 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 991 <span class="list-paths__item__arrow">›</span> 992 openssl/libcrypto3@3.3.0-r2 993 994 </span> 995 996 </li> 997 <li> 998 <span class="list-paths__item__introduced"><em>Introduced through</em>: 999 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1000 <span class="list-paths__item__arrow">›</span> 1001 .haproxy-rundeps@20240524.005458 1002 <span class="list-paths__item__arrow">›</span> 1003 openssl/libcrypto3@3.3.0-r2 1004 1005 </span> 1006 1007 </li> 1008 <li> 1009 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1010 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1011 <span class="list-paths__item__arrow">›</span> 1012 apk-tools/apk-tools@2.14.4-r0 1013 <span class="list-paths__item__arrow">›</span> 1014 openssl/libcrypto3@3.3.0-r2 1015 1016 </span> 1017 1018 </li> 1019 <li> 1020 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1021 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1022 <span 
class="list-paths__item__arrow">›</span> 1023 busybox/ssl_client@1.36.1-r28 1024 <span class="list-paths__item__arrow">›</span> 1025 openssl/libcrypto3@3.3.0-r2 1026 1027 </span> 1028 1029 </li> 1030 <li> 1031 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1032 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1033 <span class="list-paths__item__arrow">›</span> 1034 ca-certificates/ca-certificates@20240226-r0 1035 <span class="list-paths__item__arrow">›</span> 1036 openssl/libcrypto3@3.3.0-r2 1037 1038 </span> 1039 1040 </li> 1041 <li> 1042 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1043 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1044 <span class="list-paths__item__arrow">›</span> 1045 .haproxy-rundeps@20240524.005458 1046 <span class="list-paths__item__arrow">›</span> 1047 openssl/libssl3@3.3.0-r2 1048 <span class="list-paths__item__arrow">›</span> 1049 openssl/libcrypto3@3.3.0-r2 1050 1051 </span> 1052 1053 </li> 1054 <li> 1055 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1056 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1057 <span class="list-paths__item__arrow">›</span> 1058 openssl/libssl3@3.3.0-r2 1059 1060 </span> 1061 1062 </li> 1063 <li> 1064 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1065 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1066 <span class="list-paths__item__arrow">›</span> 1067 .haproxy-rundeps@20240524.005458 1068 <span class="list-paths__item__arrow">›</span> 1069 openssl/libssl3@3.3.0-r2 1070 1071 </span> 1072 1073 </li> 1074 <li> 1075 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1076 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1077 <span class="list-paths__item__arrow">›</span> 1078 apk-tools/apk-tools@2.14.4-r0 1079 <span class="list-paths__item__arrow">›</span> 1080 openssl/libssl3@3.3.0-r2 1081 1082 </span> 
1083 1084 </li> 1085 <li> 1086 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1087 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1088 <span class="list-paths__item__arrow">›</span> 1089 busybox/ssl_client@1.36.1-r28 1090 <span class="list-paths__item__arrow">›</span> 1091 openssl/libssl3@3.3.0-r2 1092 1093 </span> 1094 1095 </li> 1096 </ul><!-- .list-paths --> 1097 1098 </div><!-- .card__section --> 1099 1100 <hr/> 1101 <!-- Overview --> 1102 <h2 id="nvd-description">NVD Description</h2> 1103 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em> 1104 <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p> 1105 <p>Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause 1106 memory to be accessed that was previously freed in some situations</p> 1107 <p>Impact summary: A use after free can have a range of potential consequences such 1108 as the corruption of valid data, crashes or execution of arbitrary code. 1109 However, only applications that directly call the SSL_free_buffers function are 1110 affected by this issue. Applications that do not call this function are not 1111 vulnerable. Our investigations indicate that this function is rarely used by 1112 applications.</p> 1113 <p>The SSL_free_buffers function is used to free the internal OpenSSL buffer used 1114 when processing an incoming record from the network. The call is only expected 1115 to succeed if the buffer is not currently in use. However, two scenarios have 1116 been identified where the buffer is freed even when still in use.</p> 1117 <p>The first scenario occurs where a record header has been received from the 1118 network and processed by OpenSSL, but the full record body has not yet arrived. 
1119 In this case calling SSL_free_buffers will succeed even though a record has only 1120 been partially processed and the buffer is still in use.</p> 1121 <p>The second scenario occurs where a full record containing application data has 1122 been received and processed by OpenSSL but the application has only read part of 1123 this data. Again a call to SSL_free_buffers will succeed even though the buffer 1124 is still in use.</p> 1125 <p>While these scenarios could occur accidentally during normal operation a 1126 malicious attacker could attempt to engineer a situation where this occurs. 1127 We are not aware of this issue being actively exploited.</p> 1128 <p>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p> <p><em>Reviewer note:</em> Exposure of this image hinges on whether the binaries that link libssl here (haproxy via <code>.haproxy-rundeps</code>, <code>busybox/ssl_client</code>, <code>apk-tools</code>) actually call SSL_free_buffers; confirm that against their sources before prioritising, but treat the package upgrade below as the fix either way.</p> 1129 <h2 id="remediation">Remediation</h2> 1130 <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.0-r3 or higher. Note that the other <code>openssl</code> findings in this report require later builds (for example 3.3.2-r3 for CVE-2024-9143), so upgrade to the highest fixed version listed in this report rather than to 3.3.0-r3 alone.</p> 1131 <h2 id="references">References</h2> 1132 <ul> 1133 <li><a href="https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177">https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177</a></li> 1134 <li><a href="https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d">https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d</a></li> 1135 <li><a href="https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac">https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac</a></li> 1136 <li><a href="https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8">https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8</a></li> 1137 <li><a href="https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4">https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4</a></li> 1138 <li><a
href="https://www.openssl.org/news/secadv/20240528.txt">https://www.openssl.org/news/secadv/20240528.txt</a></li> 1139 </ul> 1140 1141 <hr/> 1142 1143 <div class="cta card__cta"> 1144 <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-7218988">More about this vulnerability</a></p> 1145 </div> 1146 1147 </div><!-- .card --> 1148 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1149 <h2 class="card__title">CVE-2024-5535</h2> 1150 <div class="card__section"> 1151 1152 <div class="card__labels"> 1153 <div class="label label--low"> 1154 <span class="label__text">low severity</span> 1155 </div> 1156 </div> 1157 1158 <hr/> 1159 1160 <ul class="card__meta"> 1161 <li class="card__meta__item"> 1162 Package Manager: alpine:3.20 1163 </li> 1164 <li class="card__meta__item"> 1165 Vulnerable module: 1166 1167 openssl/libcrypto3 1168 </li> 1169 1170 <li class="card__meta__item">Introduced through: 1171 1172 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and openssl/libcrypto3@3.3.0-r2 1173 1174 </li> 1175 </ul> 1176 1177 <hr/> 1178 1179 1180 <h3 class="card__section__title">Detailed paths</h3> 1181 1182 <ul class="card__meta__paths"> 1183 <li> 1184 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1185 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1186 <span class="list-paths__item__arrow">›</span> 1187 openssl/libcrypto3@3.3.0-r2 1188 1189 </span> 1190 1191 </li> 1192 <li> 1193 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1194 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1195 <span class="list-paths__item__arrow">›</span> 1196 .haproxy-rundeps@20240524.005458 1197 <span class="list-paths__item__arrow">›</span> 1198 openssl/libcrypto3@3.3.0-r2 1199 1200 </span> 1201 1202 </li> 1203 <li> 1204 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1205 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1206 
<span class="list-paths__item__arrow">›</span> 1207 apk-tools/apk-tools@2.14.4-r0 1208 <span class="list-paths__item__arrow">›</span> 1209 openssl/libcrypto3@3.3.0-r2 1210 1211 </span> 1212 1213 </li> 1214 <li> 1215 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1216 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1217 <span class="list-paths__item__arrow">›</span> 1218 busybox/ssl_client@1.36.1-r28 1219 <span class="list-paths__item__arrow">›</span> 1220 openssl/libcrypto3@3.3.0-r2 1221 1222 </span> 1223 1224 </li> 1225 <li> 1226 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1227 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1228 <span class="list-paths__item__arrow">›</span> 1229 ca-certificates/ca-certificates@20240226-r0 1230 <span class="list-paths__item__arrow">›</span> 1231 openssl/libcrypto3@3.3.0-r2 1232 1233 </span> 1234 1235 </li> 1236 <li> 1237 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1238 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1239 <span class="list-paths__item__arrow">›</span> 1240 .haproxy-rundeps@20240524.005458 1241 <span class="list-paths__item__arrow">›</span> 1242 openssl/libssl3@3.3.0-r2 1243 <span class="list-paths__item__arrow">›</span> 1244 openssl/libcrypto3@3.3.0-r2 1245 1246 </span> 1247 1248 </li> 1249 <li> 1250 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1251 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1252 <span class="list-paths__item__arrow">›</span> 1253 openssl/libssl3@3.3.0-r2 1254 1255 </span> 1256 1257 </li> 1258 <li> 1259 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1260 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1261 <span class="list-paths__item__arrow">›</span> 1262 .haproxy-rundeps@20240524.005458 1263 <span class="list-paths__item__arrow">›</span> 1264 openssl/libssl3@3.3.0-r2 1265 
1266 </span> 1267 1268 </li> 1269 <li> 1270 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1271 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1272 <span class="list-paths__item__arrow">›</span> 1273 apk-tools/apk-tools@2.14.4-r0 1274 <span class="list-paths__item__arrow">›</span> 1275 openssl/libssl3@3.3.0-r2 1276 1277 </span> 1278 1279 </li> 1280 <li> 1281 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1282 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1283 <span class="list-paths__item__arrow">›</span> 1284 busybox/ssl_client@1.36.1-r28 1285 <span class="list-paths__item__arrow">›</span> 1286 openssl/libssl3@3.3.0-r2 1287 1288 </span> 1289 1290 </li> 1291 </ul><!-- .list-paths --> 1292 1293 </div><!-- .card__section --> 1294 1295 <hr/> 1296 <!-- Overview --> 1297 <h2 id="nvd-description">NVD Description</h2> 1298 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em> 1299 <em>See <code>Remediation</code> below for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p> 1300 <p>Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an 1301 empty supported client protocols buffer may cause a crash or memory contents to 1302 be sent to the peer.</p> 1303 <p>Impact summary: A buffer overread can have a range of potential consequences 1304 such as unexpected application behaviour or a crash. In particular this issue 1305 could result in up to 255 bytes of arbitrary private data from memory being sent 1306 to the peer leading to a loss of confidentiality. However, only applications 1307 that directly call the SSL_select_next_proto function with a 0 length list of 1308 supported client protocols are affected by this issue.
This would normally never 1309 be a valid scenario and is typically not under attacker control but may occur by 1310 accident in the case of a configuration or programming error in the calling 1311 application.</p> 1312 <p>The OpenSSL API function SSL_select_next_proto is typically used by TLS 1313 applications that support ALPN (Application Layer Protocol Negotiation) or NPN 1314 (Next Protocol Negotiation). NPN is older, was never standardised and 1315 is deprecated in favour of ALPN. We believe that ALPN is significantly more 1316 widely deployed than NPN. The SSL_select_next_proto function accepts a list of 1317 protocols from the server and a list of protocols from the client and returns 1318 the first protocol that appears in the server list that also appears in the 1319 client list. In the case of no overlap between the two lists it returns the 1320 first item in the client list. In either case it will signal whether an overlap 1321 between the two lists was found. In the case where SSL_select_next_proto is 1322 called with a zero length client list it fails to notice this condition and 1323 returns the memory immediately following the client list pointer (and reports 1324 that there was no overlap in the lists).</p> 1325 <p>This function is typically called from a server side application callback for 1326 ALPN or a client side application callback for NPN. In the case of ALPN the list 1327 of protocols supplied by the client is guaranteed by libssl to never be zero in 1328 length. The list of server protocols comes from the application and should never 1329 normally be expected to be of zero length. In this case if the 1330 SSL_select_next_proto function has been called as expected (with the list 1331 supplied by the client passed in the client/client_len parameters), then the 1332 application will not be vulnerable to this issue. 
If the application has 1333 accidentally been configured with a zero length server list, and has 1334 accidentally passed that zero length server list in the client/client_len 1335 parameters, and has additionally failed to correctly handle a "no overlap" 1336 response (which would normally result in a handshake failure in ALPN) then it 1337 will be vulnerable to this problem.</p> 1338 <p>In the case of NPN, the protocol permits the client to opportunistically select 1339 a protocol when there is no overlap. OpenSSL returns the first client protocol 1340 in the no overlap case in support of this. The list of client protocols comes 1341 from the application and should never normally be expected to be of zero length. 1342 However if the SSL_select_next_proto function is accidentally called with a 1343 client_len of 0 then an invalid memory pointer will be returned instead. If the 1344 application uses this output as the opportunistic protocol then the loss of 1345 confidentiality will occur.</p> 1346 <p>This issue has been assessed as Low severity because applications are most 1347 likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not 1348 widely used. It also requires an application configuration or programming error. 1349 Finally, this issue would not typically be under attacker control making active 1350 exploitation unlikely.</p> 1351 <p>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p> 1352 <p>Due to the low severity of this issue we are not issuing new releases of 1353 OpenSSL at this time. 
The fix will be included in the next releases when they 1354 become available.</p> <p><em>Reviewer note:</em> The release statement above reflects upstream's plan at disclosure time; the Alpine package version in the remediation below already carries the fix, so follow the distro remediation rather than waiting on an upstream release.</p> 1355 <h2 id="remediation">Remediation</h2> 1356 <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.1-r1 or higher.</p> 1357 <h2 id="references">References</h2> 1358 <ul> 1359 <li><a href="https://www.openwall.com/lists/oss-security/2024/08/15/1">https://www.openwall.com/lists/oss-security/2024/08/15/1</a></li> 1360 <li><a href="https://www.openwall.com/lists/oss-security/2024/06/27/1">https://www.openwall.com/lists/oss-security/2024/06/27/1</a></li> 1361 <li><a href="https://www.openwall.com/lists/oss-security/2024/06/28/4">https://www.openwall.com/lists/oss-security/2024/06/28/4</a></li> 1362 <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li> 1363 <li><a href="https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37">https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37</a></li> 1364 <li><a href="https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e">https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e</a></li> 1365 <li><a href="https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c">https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c</a></li> 1366 <li><a href="https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c">https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c</a></li> 1367 <li><a href="https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c">https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c</a></li> 1368 <li><a
href="https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87">https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87</a></li> 1369 <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li> 1370 </ul> 1371 1372 <hr/> 1373 1374 <div class="cta card__cta"> 1375 <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-7413532">More about this vulnerability</a></p> 1376 </div> 1377 1378 </div><!-- .card --> 1379 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1380 <h2 class="card__title">CVE-2024-9143</h2> 1381 <div class="card__section"> 1382 1383 <div class="card__labels"> 1384 <div class="label label--low"> 1385 <span class="label__text">low severity</span> 1386 </div> 1387 </div> 1388 1389 <hr/> 1390 1391 <ul class="card__meta"> 1392 <li class="card__meta__item"> 1393 Package Manager: alpine:3.20 1394 </li> 1395 <li class="card__meta__item"> 1396 Vulnerable module: 1397 1398 openssl/libcrypto3 1399 </li> 1400 1401 <li class="card__meta__item">Introduced through: 1402 1403 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and openssl/libcrypto3@3.3.0-r2 1404 1405 </li> 1406 </ul> 1407 1408 <hr/> 1409 1410 1411 <h3 class="card__section__title">Detailed paths</h3> 1412 1413 <ul class="card__meta__paths"> 1414 <li> 1415 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1416 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1417 <span class="list-paths__item__arrow">›</span> 1418 openssl/libcrypto3@3.3.0-r2 1419 1420 </span> 1421 1422 </li> 1423 <li> 1424 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1425 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1426 <span class="list-paths__item__arrow">›</span> 1427 .haproxy-rundeps@20240524.005458 1428 <span 
class="list-paths__item__arrow">›</span> 1429 openssl/libcrypto3@3.3.0-r2 1430 1431 </span> 1432 1433 </li> 1434 <li> 1435 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1436 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1437 <span class="list-paths__item__arrow">›</span> 1438 apk-tools/apk-tools@2.14.4-r0 1439 <span class="list-paths__item__arrow">›</span> 1440 openssl/libcrypto3@3.3.0-r2 1441 1442 </span> 1443 1444 </li> 1445 <li> 1446 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1447 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1448 <span class="list-paths__item__arrow">›</span> 1449 busybox/ssl_client@1.36.1-r28 1450 <span class="list-paths__item__arrow">›</span> 1451 openssl/libcrypto3@3.3.0-r2 1452 1453 </span> 1454 1455 </li> 1456 <li> 1457 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1458 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1459 <span class="list-paths__item__arrow">›</span> 1460 ca-certificates/ca-certificates@20240226-r0 1461 <span class="list-paths__item__arrow">›</span> 1462 openssl/libcrypto3@3.3.0-r2 1463 1464 </span> 1465 1466 </li> 1467 <li> 1468 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1469 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1470 <span class="list-paths__item__arrow">›</span> 1471 .haproxy-rundeps@20240524.005458 1472 <span class="list-paths__item__arrow">›</span> 1473 openssl/libssl3@3.3.0-r2 1474 <span class="list-paths__item__arrow">›</span> 1475 openssl/libcrypto3@3.3.0-r2 1476 1477 </span> 1478 1479 </li> 1480 <li> 1481 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1482 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1483 <span class="list-paths__item__arrow">›</span> 1484 openssl/libssl3@3.3.0-r2 1485 1486 </span> 1487 1488 </li> 1489 <li> 1490 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 1491 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1492 <span class="list-paths__item__arrow">›</span> 1493 .haproxy-rundeps@20240524.005458 1494 <span class="list-paths__item__arrow">›</span> 1495 openssl/libssl3@3.3.0-r2 1496 1497 </span> 1498 1499 </li> 1500 <li> 1501 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1502 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1503 <span class="list-paths__item__arrow">›</span> 1504 apk-tools/apk-tools@2.14.4-r0 1505 <span class="list-paths__item__arrow">›</span> 1506 openssl/libssl3@3.3.0-r2 1507 1508 </span> 1509 1510 </li> 1511 <li> 1512 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1513 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1514 <span class="list-paths__item__arrow">›</span> 1515 busybox/ssl_client@1.36.1-r28 1516 <span class="list-paths__item__arrow">›</span> 1517 openssl/libssl3@3.3.0-r2 1518 1519 </span> 1520 1521 </li> 1522 </ul><!-- .list-paths --> 1523 1524 </div><!-- .card__section --> 1525 1526 <hr/> 1527 <!-- Overview --> 1528 <h2 id="nvd-description">NVD Description</h2> 1529 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em> 1530 <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p> 1531 <p>Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted 1532 explicit values for the field polynomial can lead to out-of-bounds memory reads 1533 or writes.</p> 1534 <p>Impact summary: Out of bound memory writes can lead to an application crash or 1535 even a possibility of a remote code execution, however, in all the protocols 1536 involving Elliptic Curve Cryptography that we're aware of, either only 
"named 1537 curves" are supported, or, if explicit curve parameters are supported, they 1538 specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent 1539 problematic input values. Thus the likelihood of existence of a vulnerable 1540 application is low.</p> 1541 <p>In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, 1542 so problematic inputs cannot occur in the context of processing X.509 1543 certificates. Any problematic use-cases would have to be using an "exotic" 1544 curve encoding.</p> 1545 <p>The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), 1546 and various supporting BN_GF2m_*() functions.</p> 1547 <p>Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, 1548 that make it possible to represent invalid field polynomials with a zero 1549 constant term, via the above or similar APIs, may terminate abruptly as a 1550 result of reading or writing outside of array bounds. Remote code execution 1551 cannot easily be ruled out.</p> 1552 <p>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p> 1553 <h2 id="remediation">Remediation</h2> 1554 <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.2-r3 or higher.</p> 1555 <h2 id="references">References</h2> 1556 <ul> 1557 <li><a href="https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712">https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712</a></li> 1558 <li><a href="https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700">https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700</a></li> 1559 <li><a href="https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4">https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4</a></li> 1560 <li><a 
href="https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154">https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154</a></li> 1561 <li><a href="https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a">https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a</a></li> 1562 <li><a href="https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41">https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41</a></li> 1563 <li><a href="https://openssl-library.org/news/secadv/20241016.txt">https://openssl-library.org/news/secadv/20241016.txt</a></li> 1564 <li><a href="http://www.openwall.com/lists/oss-security/2024/10/16/1">http://www.openwall.com/lists/oss-security/2024/10/16/1</a></li> 1565 <li><a href="http://www.openwall.com/lists/oss-security/2024/10/23/1">http://www.openwall.com/lists/oss-security/2024/10/23/1</a></li> 1566 <li><a href="http://www.openwall.com/lists/oss-security/2024/10/24/1">http://www.openwall.com/lists/oss-security/2024/10/24/1</a></li> 1567 <li><a href="https://security.netapp.com/advisory/ntap-20241101-0001/">https://security.netapp.com/advisory/ntap-20241101-0001/</a></li> 1568 </ul> 1569 1570 <hr/> 1571 1572 <div class="cta card__cta"> 1573 <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8235201">More about this vulnerability</a></p> 1574 </div> 1575 1576 </div><!-- .card --> 1577 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1578 <h2 class="card__title">CVE-2024-13176</h2> 1579 <div class="card__section"> 1580 1581 <div class="card__labels"> 1582 <div class="label label--low"> 1583 <span class="label__text">low severity</span> 1584 </div> 1585 </div> 1586 1587 <hr/> 1588 1589 <ul class="card__meta"> 1590 <li class="card__meta__item"> 1591 Package Manager: alpine:3.20 1592 
</li> 1593 <li class="card__meta__item"> 1594 Vulnerable module: 1595 1596 openssl/libcrypto3 1597 </li> 1598 1599 <li class="card__meta__item">Introduced through: 1600 1601 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and openssl/libcrypto3@3.3.0-r2 1602 1603 </li> 1604 </ul> 1605 1606 <hr/> 1607 1608 1609 <h3 class="card__section__title">Detailed paths</h3> 1610 1611 <ul class="card__meta__paths"> 1612 <li> 1613 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1614 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1615 <span class="list-paths__item__arrow">›</span> 1616 openssl/libcrypto3@3.3.0-r2 1617 1618 </span> 1619 1620 </li> 1621 <li> 1622 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1623 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1624 <span class="list-paths__item__arrow">›</span> 1625 .haproxy-rundeps@20240524.005458 1626 <span class="list-paths__item__arrow">›</span> 1627 openssl/libcrypto3@3.3.0-r2 1628 1629 </span> 1630 1631 </li> 1632 <li> 1633 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1634 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1635 <span class="list-paths__item__arrow">›</span> 1636 apk-tools/apk-tools@2.14.4-r0 1637 <span class="list-paths__item__arrow">›</span> 1638 openssl/libcrypto3@3.3.0-r2 1639 1640 </span> 1641 1642 </li> 1643 <li> 1644 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1645 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1646 <span class="list-paths__item__arrow">›</span> 1647 busybox/ssl_client@1.36.1-r28 1648 <span class="list-paths__item__arrow">›</span> 1649 openssl/libcrypto3@3.3.0-r2 1650 1651 </span> 1652 1653 </li> 1654 <li> 1655 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1656 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1657 <span class="list-paths__item__arrow">›</span> 
1658 ca-certificates/ca-certificates@20240226-r0 1659 <span class="list-paths__item__arrow">›</span> 1660 openssl/libcrypto3@3.3.0-r2 1661 1662 </span> 1663 1664 </li> 1665 <li> 1666 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1667 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1668 <span class="list-paths__item__arrow">›</span> 1669 .haproxy-rundeps@20240524.005458 1670 <span class="list-paths__item__arrow">›</span> 1671 openssl/libssl3@3.3.0-r2 1672 <span class="list-paths__item__arrow">›</span> 1673 openssl/libcrypto3@3.3.0-r2 1674 1675 </span> 1676 1677 </li> 1678 <li> 1679 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1680 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1681 <span class="list-paths__item__arrow">›</span> 1682 openssl/libssl3@3.3.0-r2 1683 1684 </span> 1685 1686 </li> 1687 <li> 1688 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1689 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1690 <span class="list-paths__item__arrow">›</span> 1691 .haproxy-rundeps@20240524.005458 1692 <span class="list-paths__item__arrow">›</span> 1693 openssl/libssl3@3.3.0-r2 1694 1695 </span> 1696 1697 </li> 1698 <li> 1699 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1700 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1701 <span class="list-paths__item__arrow">›</span> 1702 apk-tools/apk-tools@2.14.4-r0 1703 <span class="list-paths__item__arrow">›</span> 1704 openssl/libssl3@3.3.0-r2 1705 1706 </span> 1707 1708 </li> 1709 <li> 1710 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1711 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1712 <span class="list-paths__item__arrow">›</span> 1713 busybox/ssl_client@1.36.1-r28 1714 <span class="list-paths__item__arrow">›</span> 1715 openssl/libssl3@3.3.0-r2 1716 1717 </span> 1718 1719 </li> 1720 </ul><!-- .list-paths 
--> 1721 1722 </div><!-- .card__section --> 1723 1724 <hr/> 1725 <!-- Overview --> 1726 <h2 id="nvd-description">NVD Description</h2> 1727 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em> 1728 <em>See <code>Remediation</code> below for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p> 1729 <p>Issue summary: A timing side-channel which could potentially allow recovering 1730 the private key exists in the ECDSA signature computation.</p> 1731 <p>Impact summary: A timing side-channel in ECDSA signature computations 1732 could allow recovering the private key by an attacker. However, measuring 1733 the timing would require either local access to the signing application or 1734 a very fast network connection with low latency.</p> 1735 <p>There is a timing signal of around 300 nanoseconds when the top word of 1736 the inverted ECDSA nonce value is zero. This can happen with significant 1737 probability only for some of the supported elliptic curves. In particular 1738 the NIST P-521 curve is affected. To be able to measure this leak, the attacker 1739 process must either be located in the same physical computer or must 1740 have a very fast network connection with low latency.
For that reason 1741 the severity of this vulnerability is Low.</p> <p><em>Reviewer note:</em> The key at risk is whatever ECDSA private key this image signs with; if HAProxy terminates TLS with an ECDSA certificate on an affected curve (P-521 per the advisory), that server key is the target. Co-tenant workloads on the same host satisfy the "same physical computer" condition, so on shared nodes do not rely on the Low rating alone. Unlike the other OpenSSL findings in this report, the FIPS modules are also affected here; the package upgrade below removes the leak.</p> 1742 <p>The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.</p> 1743 <h2 id="remediation">Remediation</h2> 1744 <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.2-r2 or higher.</p> 1745 <h2 id="references">References</h2> 1746 <ul> 1747 <li><a href="https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844">https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844</a></li> 1748 <li><a href="https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467">https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467</a></li> 1749 <li><a href="https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902">https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902</a></li> 1750 <li><a href="https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65">https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65</a></li> 1751 <li><a href="https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f">https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f</a></li> 1752 <li><a href="https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded">https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded</a></li> 1753 <li><a href="https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86">https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86</a></li> 1754 <li><a href="https://openssl-library.org/news/secadv/20250120.txt">https://openssl-library.org/news/secadv/20250120.txt</a></li> 1755 <li><a
href="http://www.openwall.com/lists/oss-security/2025/01/20/2">http://www.openwall.com/lists/oss-security/2025/01/20/2</a></li> 1756 <li><a href="https://security.netapp.com/advisory/ntap-20250124-0005/">https://security.netapp.com/advisory/ntap-20250124-0005/</a></li> 1757 <li><a href="https://security.netapp.com/advisory/ntap-20250418-0010/">https://security.netapp.com/advisory/ntap-20250418-0010/</a></li> 1758 <li><a href="https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html">https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html</a></li> 1759 </ul> 1760 1761 <hr/> 1762 1763 <div class="cta card__cta"> 1764 <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8690013">More about this vulnerability</a></p> 1765 </div> 1766 1767 </div><!-- .card --> 1768 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1769 <h2 class="card__title">CVE-2024-12797</h2> 1770 <div class="card__section"> 1771 1772 <div class="card__labels"> 1773 <div class="label label--low"> 1774 <span class="label__text">low severity</span> 1775 </div> 1776 </div> 1777 1778 <hr/> 1779 1780 <ul class="card__meta"> 1781 <li class="card__meta__item"> 1782 Package Manager: alpine:3.20 1783 </li> 1784 <li class="card__meta__item"> 1785 Vulnerable module: 1786 1787 openssl/libcrypto3 1788 </li> 1789 1790 <li class="card__meta__item">Introduced through: 1791 1792 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and openssl/libcrypto3@3.3.0-r2 1793 1794 </li> 1795 </ul> 1796 1797 <hr/> 1798 1799 1800 <h3 class="card__section__title">Detailed paths</h3> 1801 1802 <ul class="card__meta__paths"> 1803 <li> 1804 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1805 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1806 <span class="list-paths__item__arrow">›</span> 1807 openssl/libcrypto3@3.3.0-r2 1808 1809 </span> 1810 1811 </li> 1812 <li> 1813 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 1814 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1815 <span class="list-paths__item__arrow">›</span> 1816 .haproxy-rundeps@20240524.005458 1817 <span class="list-paths__item__arrow">›</span> 1818 openssl/libcrypto3@3.3.0-r2 1819 1820 </span> 1821 1822 </li> 1823 <li> 1824 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1825 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1826 <span class="list-paths__item__arrow">›</span> 1827 apk-tools/apk-tools@2.14.4-r0 1828 <span class="list-paths__item__arrow">›</span> 1829 openssl/libcrypto3@3.3.0-r2 1830 1831 </span> 1832 1833 </li> 1834 <li> 1835 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1836 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1837 <span class="list-paths__item__arrow">›</span> 1838 busybox/ssl_client@1.36.1-r28 1839 <span class="list-paths__item__arrow">›</span> 1840 openssl/libcrypto3@3.3.0-r2 1841 1842 </span> 1843 1844 </li> 1845 <li> 1846 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1847 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1848 <span class="list-paths__item__arrow">›</span> 1849 ca-certificates/ca-certificates@20240226-r0 1850 <span class="list-paths__item__arrow">›</span> 1851 openssl/libcrypto3@3.3.0-r2 1852 1853 </span> 1854 1855 </li> 1856 <li> 1857 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1858 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1859 <span class="list-paths__item__arrow">›</span> 1860 .haproxy-rundeps@20240524.005458 1861 <span class="list-paths__item__arrow">›</span> 1862 openssl/libssl3@3.3.0-r2 1863 <span class="list-paths__item__arrow">›</span> 1864 openssl/libcrypto3@3.3.0-r2 1865 1866 </span> 1867 1868 </li> 1869 <li> 1870 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1871 
docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1872 <span class="list-paths__item__arrow">›</span> 1873 openssl/libssl3@3.3.0-r2 1874 1875 </span> 1876 1877 </li> 1878 <li> 1879 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1880 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1881 <span class="list-paths__item__arrow">›</span> 1882 .haproxy-rundeps@20240524.005458 1883 <span class="list-paths__item__arrow">›</span> 1884 openssl/libssl3@3.3.0-r2 1885 1886 </span> 1887 1888 </li> 1889 <li> 1890 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1891 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1892 <span class="list-paths__item__arrow">›</span> 1893 apk-tools/apk-tools@2.14.4-r0 1894 <span class="list-paths__item__arrow">›</span> 1895 openssl/libssl3@3.3.0-r2 1896 1897 </span> 1898 1899 </li> 1900 <li> 1901 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1902 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1903 <span class="list-paths__item__arrow">›</span> 1904 busybox/ssl_client@1.36.1-r28 1905 <span class="list-paths__item__arrow">›</span> 1906 openssl/libssl3@3.3.0-r2 1907 1908 </span> 1909 1910 </li> 1911 </ul><!-- .list-paths --> 1912 1913 </div><!-- .card__section --> 1914 1915 <hr/> 1916 <!-- Overview --> 1917 <h2 id="nvd-description">NVD Description</h2> 1918 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em> 1919 <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p> 1920 <p>Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a 1921 server may fail to notice that the server was not authenticated, because 1922 handshakes don't abort as expected when the SSL_VERIFY_PEER 
verification mode 1923 is set.</p> 1924 <p>Impact summary: TLS and DTLS connections using raw public keys may be 1925 vulnerable to man-in-the-middle attacks when server authentication failure is not 1926 detected by clients.</p> 1927 <p>RPKs are disabled by default in both TLS clients and TLS servers. The issue 1928 only arises when TLS clients explicitly enable RPK use by the server, and the 1929 server, likewise, enables sending of an RPK instead of an X.509 certificate 1930 chain. The affected clients are those that then rely on the handshake to 1931 fail when the server's RPK fails to match one of the expected public keys, 1932 by setting the verification mode to SSL_VERIFY_PEER.</p> 1933 <p>Clients that enable server-side raw public keys can still find out that raw 1934 public key verification failed by calling SSL_get_verify_result(), and those 1935 that do, and take appropriate action, are not affected. This issue was 1936 introduced in the initial implementation of RPK support in OpenSSL 3.2.</p> 1937 <p>The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p> 1938 <h2 id="remediation">Remediation</h2> 1939 <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.3-r0 or higher.</p> 1940 <h2 id="references">References</h2> 1941 <ul> 1942 <li><a href="https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9">https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9</a></li> 1943 <li><a href="https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7">https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7</a></li> 1944 <li><a href="https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699">https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699</a></li> 1945 <li><a 
href="https://openssl-library.org/news/secadv/20250211.txt">https://openssl-library.org/news/secadv/20250211.txt</a></li> 1946 <li><a href="http://www.openwall.com/lists/oss-security/2025/02/11/3">http://www.openwall.com/lists/oss-security/2025/02/11/3</a></li> 1947 <li><a href="http://www.openwall.com/lists/oss-security/2025/02/11/4">http://www.openwall.com/lists/oss-security/2025/02/11/4</a></li> 1948 <li><a href="https://security.netapp.com/advisory/ntap-20250214-0001/">https://security.netapp.com/advisory/ntap-20250214-0001/</a></li> 1949 </ul> 1950 1951 <hr/> 1952 1953 <div class="cta card__cta"> 1954 <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8710359">More about this vulnerability</a></p> 1955 </div> 1956 1957 </div><!-- .card --> 1958 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1959 <h2 class="card__title">CVE-2025-26519</h2> 1960 <div class="card__section"> 1961 1962 <div class="card__labels"> 1963 <div class="label label--low"> 1964 <span class="label__text">low severity</span> 1965 </div> 1966 </div> 1967 1968 <hr/> 1969 1970 <ul class="card__meta"> 1971 <li class="card__meta__item"> 1972 Package Manager: alpine:3.20 1973 </li> 1974 <li class="card__meta__item"> 1975 Vulnerable module: 1976 1977 musl/musl 1978 </li> 1979 1980 <li class="card__meta__item">Introduced through: 1981 1982 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and musl/musl@1.2.5-r0 1983 1984 </li> 1985 </ul> 1986 1987 <hr/> 1988 1989 1990 <h3 class="card__section__title">Detailed paths</h3> 1991 1992 <ul class="card__meta__paths"> 1993 <li> 1994 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1995 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 1996 <span class="list-paths__item__arrow">›</span> 1997 musl/musl@1.2.5-r0 1998 1999 </span> 2000 2001 </li> 2002 <li> 2003 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2004 
docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2005 <span class="list-paths__item__arrow">›</span> 2006 .haproxy-rundeps@20240524.005458 2007 <span class="list-paths__item__arrow">›</span> 2008 musl/musl@1.2.5-r0 2009 2010 </span> 2011 2012 </li> 2013 <li> 2014 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2015 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2016 <span class="list-paths__item__arrow">›</span> 2017 apk-tools/apk-tools@2.14.4-r0 2018 <span class="list-paths__item__arrow">›</span> 2019 musl/musl@1.2.5-r0 2020 2021 </span> 2022 2023 </li> 2024 <li> 2025 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2026 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2027 <span class="list-paths__item__arrow">›</span> 2028 busybox/ssl_client@1.36.1-r28 2029 <span class="list-paths__item__arrow">›</span> 2030 musl/musl@1.2.5-r0 2031 2032 </span> 2033 2034 </li> 2035 <li> 2036 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2037 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2038 <span class="list-paths__item__arrow">›</span> 2039 ca-certificates/ca-certificates@20240226-r0 2040 <span class="list-paths__item__arrow">›</span> 2041 musl/musl@1.2.5-r0 2042 2043 </span> 2044 2045 </li> 2046 <li> 2047 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2048 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2049 <span class="list-paths__item__arrow">›</span> 2050 musl/musl-utils@1.2.5-r0 2051 <span class="list-paths__item__arrow">›</span> 2052 musl/musl@1.2.5-r0 2053 2054 </span> 2055 2056 </li> 2057 <li> 2058 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2059 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2060 <span class="list-paths__item__arrow">›</span> 2061 .haproxy-rundeps@20240524.005458 2062 <span class="list-paths__item__arrow">›</span> 2063 
lua5.3/lua5.3-libs@5.3.6-r6 2064 <span class="list-paths__item__arrow">›</span> 2065 musl/musl@1.2.5-r0 2066 2067 </span> 2068 2069 </li> 2070 <li> 2071 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2072 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2073 <span class="list-paths__item__arrow">›</span> 2074 .haproxy-rundeps@20240524.005458 2075 <span class="list-paths__item__arrow">›</span> 2076 openssl/libcrypto3@3.3.0-r2 2077 <span class="list-paths__item__arrow">›</span> 2078 musl/musl@1.2.5-r0 2079 2080 </span> 2081 2082 </li> 2083 <li> 2084 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2085 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2086 <span class="list-paths__item__arrow">›</span> 2087 .haproxy-rundeps@20240524.005458 2088 <span class="list-paths__item__arrow">›</span> 2089 openssl/libssl3@3.3.0-r2 2090 <span class="list-paths__item__arrow">›</span> 2091 musl/musl@1.2.5-r0 2092 2093 </span> 2094 2095 </li> 2096 <li> 2097 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2098 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2099 <span class="list-paths__item__arrow">›</span> 2100 .haproxy-rundeps@20240524.005458 2101 <span class="list-paths__item__arrow">›</span> 2102 pcre2/pcre2@10.43-r0 2103 <span class="list-paths__item__arrow">›</span> 2104 musl/musl@1.2.5-r0 2105 2106 </span> 2107 2108 </li> 2109 <li> 2110 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2111 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2112 <span class="list-paths__item__arrow">›</span> 2113 apk-tools/apk-tools@2.14.4-r0 2114 <span class="list-paths__item__arrow">›</span> 2115 zlib/zlib@1.3.1-r1 2116 <span class="list-paths__item__arrow">›</span> 2117 musl/musl@1.2.5-r0 2118 2119 </span> 2120 2121 </li> 2122 <li> 2123 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2124 
docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2125 <span class="list-paths__item__arrow">›</span> 2126 musl/musl-utils@1.2.5-r0 2127 <span class="list-paths__item__arrow">›</span> 2128 pax-utils/scanelf@1.3.7-r2 2129 <span class="list-paths__item__arrow">›</span> 2130 musl/musl@1.2.5-r0 2131 2132 </span> 2133 2134 </li> 2135 <li> 2136 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2137 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2138 <span class="list-paths__item__arrow">›</span> 2139 alpine-baselayout/alpine-baselayout@3.6.5-r0 2140 <span class="list-paths__item__arrow">›</span> 2141 busybox/busybox-binsh@1.36.1-r28 2142 <span class="list-paths__item__arrow">›</span> 2143 busybox/busybox@1.36.1-r28 2144 <span class="list-paths__item__arrow">›</span> 2145 musl/musl@1.2.5-r0 2146 2147 </span> 2148 2149 </li> 2150 <li> 2151 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2152 docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine 2153 <span class="list-paths__item__arrow">›</span> 2154 musl/musl-utils@1.2.5-r0 2155 2156 </span> 2157 2158 </li> 2159 </ul><!-- .list-paths --> 2160 2161 </div><!-- .card__section --> 2162 2163 <hr/> 2164 <!-- Overview --> 2165 <h2 id="nvd-description">NVD Description</h2> 2166 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>musl</code> package and not the <code>musl</code> package as distributed by <code>Alpine</code>.</em> 2167 <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p> 2168 <p>musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.</p> 2169 <h2 id="remediation">Remediation</h2> 2170 <p>Upgrade <code>Alpine:3.20</code> <code>musl</code> to version 1.2.5-r1 or higher.</p> 2171 <h2 
id="references">References</h2> 2172 <ul> 2173 <li><a href="https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da">https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da</a></li> 2174 <li><a href="https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659">https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659</a></li> 2175 <li><a href="https://www.openwall.com/lists/oss-security/2025/02/13/2">https://www.openwall.com/lists/oss-security/2025/02/13/2</a></li> 2176 <li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/2">http://www.openwall.com/lists/oss-security/2025/02/13/2</a></li> 2177 <li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/3">http://www.openwall.com/lists/oss-security/2025/02/13/3</a></li> 2178 <li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/4">http://www.openwall.com/lists/oss-security/2025/02/13/4</a></li> 2179 <li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/5">http://www.openwall.com/lists/oss-security/2025/02/13/5</a></li> 2180 <li><a href="http://www.openwall.com/lists/oss-security/2025/02/14/5">http://www.openwall.com/lists/oss-security/2025/02/14/5</a></li> 2181 <li><a href="http://www.openwall.com/lists/oss-security/2025/02/14/6">http://www.openwall.com/lists/oss-security/2025/02/14/6</a></li> 2182 </ul> 2183 2184 <hr/> 2185 2186 <div class="cta card__cta"> 2187 <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-MUSL-8720638">More about this vulnerability</a></p> 2188 </div> 2189 2190 </div><!-- .card --> 2191 </div><!-- cards --> 2192 </div> 2193 </main><!-- .layout-stacked__content --> 2194 </body> 2195 2196 </html>