
Deps: Bump github/codeql-action from 3.29.4 to 3.29.8 in the github-actions group #1241

Merged
greenbonebot merged 1 commit into main from dependabot/github_actions/github-actions-4729627fe5 on Aug 12, 2025

Conversation

@dependabot dependabot bot (Contributor) commented on behalf of github Aug 11, 2025

Bumps the github-actions group with 1 update: github/codeql-action.

Updates github/codeql-action from 3.29.4 to 3.29.8

Release notes

Sourced from github/codeql-action's releases.

v3.29.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.8 - 08 Aug 2025

  • Fix an issue where the Action would autodetect unsupported languages such as HTML. #3015

See the full CHANGELOG.md for more information.

v3.29.7

This is a re-release of v3.29.5 to mitigate an issue that was discovered with v3.29.6.

v3.29.6

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.6 - 07 Aug 2025

  • The cleanup-level input to the analyze Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. #2999
  • Update default CodeQL bundle version to 2.22.3. #3000

See the full CHANGELOG.md for more information.

v3.29.5

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.5 - 29 Jul 2025

  • Update default CodeQL bundle version to 2.22.2. #2986

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.29.8 - 08 Aug 2025

  • Fix an issue where the Action would autodetect unsupported languages such as HTML. #3015

3.29.7 - 07 Aug 2025

This release rolls back 3.29.6 to address issues with language autodetection. It is identical to 3.29.5.

3.29.6 - 07 Aug 2025

  • The cleanup-level input to the analyze Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. #2999
  • Update default CodeQL bundle version to 2.22.3. #3000

3.29.5 - 29 Jul 2025

  • Update default CodeQL bundle version to 2.22.2. #2986

3.29.4 - 23 Jul 2025

No user facing changes.

3.29.3 - 21 Jul 2025

No user facing changes.

3.29.2 - 30 Jun 2025

  • Experimental: When the quality-queries input for the init action is provided with an argument, separate .quality.sarif files are produced and uploaded for each language with the results of the specified queries. Do not use this in production as it is part of an internal experiment and subject to change at any time. #2935

3.29.1 - 27 Jun 2025

  • Fix bug in PR analysis where user-provided include query filter fails to exclude non-included queries. #2938
  • Update default CodeQL bundle version to 2.22.1. #2950

3.29.0 - 11 Jun 2025

  • Update default CodeQL bundle version to 2.22.0. #2925
  • Bump minimum CodeQL bundle version to 2.16.6. #2912

3.28.21 - 28 July 2025

No user facing changes.

... (truncated)

Commits
  • 76621b6 Merge pull request #3019 from github/update-v3.29.8-679a40d33
  • 29ac3ce Add release notes for 3.29.7
  • 737cfde Update changelog for v3.29.8
  • 679a40d Merge pull request #3014 from github/henrymercer/rebuild-dispatch
  • 6fe50b2 Merge pull request #3015 from github/henrymercer/language-autodetection-worka...
  • 6bc91d6 Add changelog note
  • 6b4fedc Bump Action patch version
  • 5794ffc Fix auto-detection of extractors that aren't languages
  • bd62bf4 Finish in-progress merges
  • 2afb4e6 Avoid specifying branch unnecessarily
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added labels: dependencies (Pull requests that update a dependency file), github_actions (Pull requests that update GitHub Actions code) Aug 11, 2025
@dependabot dependabot bot requested review from a team as code owners August 11, 2025 14:56
@github-actions github-actions bot commented Aug 11, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package | Version | Score | Details
actions/github/codeql-action/analyze | 76621b61decf072c1cee8dd1ce2d2a82d33c17ed | Unknown | Unknown
actions/github/codeql-action/init | 76621b61decf072c1cee8dd1ce2d2a82d33c17ed | Unknown | Unknown

Scanned Files

  • .github/workflows/codeql-analysis-python.yml

@greenbonebot greenbonebot enabled auto-merge (rebase) August 11, 2025 14:56
@github-actions

Conventional Commits Report

Type | Number
Dependencies | 1

🚀 Conventional commits found.

Bumps the github-actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 3.29.4 to 3.29.8
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@4e828ff...76621b6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.29.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@bjoernricks bjoernricks force-pushed the dependabot/github_actions/github-actions-4729627fe5 branch from 53845d9 to 4a166d1 Compare August 12, 2025 07:06
@greenbonebot greenbonebot merged commit c365020 into main Aug 12, 2025
21 checks passed
@greenbonebot greenbonebot deleted the dependabot/github_actions/github-actions-4729627fe5 branch August 12, 2025 07:07
@github-actions

🔍 Vulnerabilities of harbor-os.greenbone.net/community/gvm-tools:1241-merge-amd64

📦 Image Reference: harbor-os.greenbone.net/community/gvm-tools:1241-merge-amd64
digest: sha256:24823f836e1ac2b25d2c437e71ad8a3092915de9d6170f6f9c6df443010cd3d3
vulnerabilities: critical: 1 high: 9 medium: 18 low: 23
size: 83 MB
packages: 180
📦 Base Image: debian:stable-20250721-slim
also known as
  • stable-slim
digest: sha256:3249eafa46d713ba80c92f750b222ba4bfb8a7a71f52ad9925cedbc2f11aa208
vulnerabilities: critical: 0 high: 1 medium: 1 low: 24
critical: 1 high: 0 medium: 0 low: 0 zlib 1:1.2.13.dfsg-1 (deb)

pkg:deb/debian/zlib@1:1.2.13.dfsg-1?os_distro=trixie&os_name=debian&os_version=13

critical: CVE-2023-45853

Affected range: <1:1.3.dfsg-2
Fixed version: 1:1.3.dfsg-2
EPSS Score: 0.51%
EPSS Percentile: 65th percentile
Description

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.


critical: 0 high: 2 medium: 7 low: 1 gnutls28 3.7.9-2+deb12u5 (deb)

pkg:deb/debian/gnutls28@3.7.9-2%2Bdeb12u5?os_distro=trixie&os_name=debian&os_version=13

high: CVE-2024-0567

Affected range: <3.8.3-1
Fixed version: 3.8.3-1
EPSS Score: 1.01%
EPSS Percentile: 76th percentile
Description

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.


high: CVE-2024-0553

Affected range: <3.8.3-1
Fixed version: 3.8.3-1
EPSS Score: 1.03%
EPSS Percentile: 76th percentile
Description

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.


medium: CVE-2025-6395

Affected range: <3.8.9-3
Fixed version: 3.8.9-3
EPSS Score: 0.05%
EPSS Percentile: 16th percentile
Description

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().


medium: CVE-2025-32990

Affected range: <3.8.9-3
Fixed version: 3.8.9-3
EPSS Score: 0.06%
EPSS Percentile: 18th percentile
Description

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.


medium: CVE-2025-32988

Affected range: <3.8.9-3
Fixed version: 3.8.9-3
EPSS Score: 0.05%
EPSS Percentile: 16th percentile
Description

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.


medium: CVE-2023-5981

Affected range: <3.8.2-1
Fixed version: 3.8.2-1
EPSS Score: 0.56%
EPSS Percentile: 67th percentile
Description

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.


medium: CVE-2024-28834

Affected range: <3.8.4-2
Fixed version: 3.8.4-2
EPSS Score: 1.54%
EPSS Percentile: 81st percentile
Description

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.


[experimental] - gnutls28 3.8.4-1

medium: CVE-2024-12243

Affected range: <3.8.9-2
Fixed version: 3.8.9-2
EPSS Score: 0.75%
EPSS Percentile: 72nd percentile
Description

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.


[experimental] - gnutls28 3.8.9-1

medium: CVE-2024-28835

Affected range: <3.8.4-2
Fixed version: 3.8.4-2
EPSS Score: 0.01%
EPSS Percentile: 2nd percentile
Description

A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.


[experimental] - gnutls28 3.8.4-1

low: CVE-2025-32989

Affected range: <3.8.9-3
Fixed version: 3.8.9-3
EPSS Score: 0.02%
EPSS Percentile: 4th percentile
Description

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.


critical: 0 high: 2 medium: 2 low: 0 systemd 252.38-1~deb12u1 (deb)

pkg:deb/debian/systemd@252.38-1~deb12u1?os_distro=trixie&os_name=debian&os_version=13

high: CVE-2023-50868

Affected range: <255.4-1
Fixed version: 255.4-1
EPSS Score: 47.86%
EPSS Percentile: 98th percentile
Description

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.


high: CVE-2023-50387

Affected range: <255.4-1
Fixed version: 255.4-1
EPSS Score: 37.71%
EPSS Percentile: 97th percentile
Description

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.


medium: CVE-2023-7008

Affected range: <255.1-3
Fixed version: 255.1-3
EPSS Score: 0.30%
EPSS Percentile: 52nd percentile
Description

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.


medium: CVE-2025-4598

Affected range: <257.6-1
Fixed version: 257.6-1
EPSS Score: 0.01%
EPSS Percentile: 1st percentile
Description

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.


critical: 0 high: 2 medium: 1 low: 2 perl 5.36.0-7+deb12u2 (deb)

pkg:deb/debian/perl@5.36.0-7%2Bdeb12u2?os_distro=trixie&os_name=debian&os_version=13

high: CVE-2023-31484

Affected range: <5.38.2-2
Fixed version: 5.38.2-2
EPSS Score: 0.91%
EPSS Percentile: 75th percentile
Description

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.


[experimental] - perl 5.38.0~rc2-1

high: CVE-2023-47038

Affected range: <5.36.0-10
Fixed version: 5.36.0-10
EPSS Score: 0.14%
EPSS Percentile: 35th percentile
Description

A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.


medium: CVE-2025-40909

Affected range: <5.40.1-5
Fixed version: 5.40.1-5
EPSS Score: 0.01%
EPSS Percentile: 0th percentile
Description

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6


[experimental] - perl 5.40.1-4

low: CVE-2024-56406

Affected range: <5.40.1-3
Fixed version: 5.40.1-3
EPSS Score: 0.05%
EPSS Percentile: 15th percentile
Description

A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.


low: CVE-2023-31486

Affected range: <5.38.2-2
Fixed version: 5.38.2-2
EPSS Score: 0.45%
EPSS Percentile: 63rd percentile
Description

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.


critical: 0 high: 1 medium: 2 low: 1 pam 1.5.2-6+deb12u1 (deb)

pkg:deb/debian/pam@1.5.2-6%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

high: CVE-2025-6020

Affected range: <1.7.0-5
Fixed version: 1.7.0-5
EPSS Score: 0.02%
EPSS Percentile: 3rd percentile
Description

A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.


[experimental] - pam 1.7.0-4

medium: CVE-2024-22365

Affected range: <1.5.3-4
Fixed version: 1.5.3-4
EPSS Score: 0.08%
EPSS Percentile: 24th percentile
Description

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.


[experimental] - pam 1.5.3-2

medium: CVE-2024-10041

Affected range: <1.7.0-2
Fixed version: 1.7.0-2
EPSS Score: 0.03%
EPSS Percentile: 7th percentile
Description

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.


[experimental] - pam 1.7.0-1

low: CVE-2024-10963

Affected range: <1.7.0-5
Fixed version: 1.7.0-5
EPSS Score: 0.22%
EPSS Percentile: 44th percentile
Description

A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.


critical: 0 high: 1 medium: 1 low: 0 python3.13 3.13.5-2 (deb)

pkg:deb/debian/python3.13@3.13.5-2?os_distro=trixie&os_name=debian&os_version=13

high: CVE-2025-8194

Affected range: >=3.13.5-2
Fixed version: Not Fixed
EPSS Score: 0.09%
EPSS Percentile: 26th percentile
Description

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1


medium: CVE-2025-6069

Affected range: >=3.13.5-2
Fixed version: Not Fixed
EPSS Score: 0.08%
EPSS Percentile: 24th percentile
Description

The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial-of-service.


critical: 0 high: 1 medium: 0 low: 0 dpkg 1.21.22 (deb)

pkg:deb/debian/dpkg@1.21.22?os_distro=trixie&os_name=debian&os_version=13

high: CVE-2025-6297

Affected range: <1.22.21
Fixed version: 1.22.21
EPSS Score: 0.08%
EPSS Percentile: 25th percentile
Description

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.


critical: 0 high: 0 medium: 1 low: 1 tar 1.34+dfsg-1.2+deb12u1 (deb)

pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

medium: CVE-2023-39804

Affected range: <1.34+dfsg-1.3
Fixed version: 1.34+dfsg-1.3
EPSS Score: 0.04%
EPSS Percentile: 10th percentile
Description

In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.


low: CVE-2022-48303

Affected range: <1.34+dfsg-1.4
Fixed version: 1.34+dfsg-1.4
EPSS Score: 0.03%
EPSS Percentile: 7th percentile
Description

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.


critical: 0 high: 0 medium: 1 low: 1 shadow 1:4.13+dfsg1-1+deb12u1 (deb)

pkg:deb/debian/shadow@1:4.13%2Bdfsg1-1%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

medium: CVE-2023-4641

Affected range: <1:4.13+dfsg1-2
Fixed version: 1:4.13+dfsg1-2
EPSS Score: 0.02%
EPSS Percentile: 2nd percentile
Description

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.


low: CVE-2023-29383

Affected range: <1:4.13+dfsg1-2
Fixed version: 1:4.13+dfsg1-2
EPSS Score: 0.03%
EPSS Percentile: 7th percentile
Description

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.


critical: 0 high: 0 medium: 1 low: 0 libcap2 1:2.66-4+deb12u1 (deb)

pkg:deb/debian/libcap2@1:2.66-4%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

medium: CVE-2025-1390

Affected range: <1:2.73-4
Fixed version: 1:2.73-4
EPSS Score: 0.03%
EPSS Percentile: 6th percentile
Description

The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.


critical: 0 high: 0 medium: 1 low: 0 ncurses 6.5+20250216-2 (deb)

pkg:deb/debian/ncurses@6.5%2B20250216-2?os_distro=trixie&os_name=debian&os_version=13

medium: CVE-2025-6141

Affected range: >=6.5+20250216-2
Fixed version: Not Fixed
EPSS Score: 0.02%
EPSS Percentile: 2nd percentile
Description

A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.


critical: 0 high: 0 medium: 1 low: 0 libtasn1-6 4.19.0-2+deb12u1 (deb)

pkg:deb/debian/libtasn1-6@4.19.0-2%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

medium: CVE-2024-12133

Affected range: <4.20.0-1
Fixed version: 4.20.0-1
EPSS Score: 0.32%
EPSS Percentile: 55th percentile
Description

A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.


critical: 0 high: 0 medium: 0 low: 7 glibc 2.41-12 (deb)

pkg:deb/debian/glibc@2.41-12?os_distro=trixie&os_name=debian&os_version=13

low: CVE-2019-9192

Affected range: >=2.41-12
Fixed version: Not Fixed
EPSS Score: 0.16%
EPSS Percentile: 38th percentile
Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern


low: CVE-2019-1010025

Affected range: >=2.41-12
Fixed version: Not Fixed
EPSS Score: 0.23%
EPSS Percentile: 46th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."


low: CVE-2019-1010024

Affected range: >=2.41-12
Fixed version: Not Fixed
EPSS Score: 0.38%
EPSS Percentile: 58th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."


low: CVE-2019-1010023

Affected range: >=2.41-12
Fixed version: Not Fixed
EPSS Score: 0.70%
EPSS Percentile: 71st percentile
Description

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."


low: CVE-2019-1010022

Affected range: >=2.41-12
Fixed version: Not Fixed
EPSS Score: 0.14%
EPSS Percentile: 36th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."


low: CVE-2018-20796

Affected range: >=2.41-12
Fixed version: Not Fixed
EPSS Score: 2.00%
EPSS Percentile: 83rd percentile
Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.


low: CVE-2010-4756

Affected range: >=2.41-12
Fixed version: Not Fixed
EPSS Score: 0.37%
EPSS Percentile: 58th percentile
Description

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.


  • glibc (unimportant)
  • eglibc (unimportant)
    That's standard POSIX behaviour implemented by (e)glibc. Applications using
    glob need to impose limits for themselves
critical: 0 high: 0 medium: 0 low: 2 xz-utils 5.4.1-1 (deb)

pkg:deb/debian/xz-utils@5.4.1-1?os_distro=trixie&os_name=debian&os_version=13

low: CVE-2025-31115

Affected range: <5.8.1-1
Fixed version: 5.8.1-1
EPSS Score: 0.12%
EPSS Percentile: 32nd percentile
Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.


low : CVE-2024-3094

Affected range: <5.6.1+really5.4.5-1
Fixed version: 5.6.1+really5.4.5-1
EPSS Score: 83.74%
EPSS Percentile: 99th percentile
Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.


critical: 0 high: 0 medium: 0 low: 2 coreutils 9.1-1 (deb)

pkg:deb/debian/coreutils@9.1-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2024-0684

Affected range: <9.5-1
Fixed version: 9.5-1
EPSS Score: 0.07%
EPSS Percentile: 22nd percentile
Description

A flaw was found in the GNU coreutils "split" program. A heap overflow with user-controlled data several hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.


low : CVE-2016-2781

Affected range: <9.4-1
Fixed version: 9.4-1
EPSS Score: 0.07%
EPSS Percentile: 22nd percentile
Description

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.


  • coreutils 9.4-1 (low; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816320)
    [bookworm] - coreutils (Minor issue)
    [bullseye] - coreutils (Minor issue)
    [buster] - coreutils (Minor issue)
    [stretch] - coreutils (Minor issue)
    [jessie] - coreutils (Minor issue)
    [wheezy] - coreutils (Minor issue)
    Restricting ioctl on the kernel side seems the better approach, but was rejected by Linux upstream.
    Fixing this issue via setsid() would introduce regressions:
    https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes
    Since Linux 6.4.4-1 (uploaded on 23 Jul 2023), TIOCSTI is disabled on the
    kernel side, marking the first coreutils upload after that date (9.4-1) as the
    fixed version.
critical: 0 high: 0 medium: 0 low: 1 gcc-12 12.2.0-14+deb12u1 (deb)

pkg:deb/debian/gcc-12@12.2.0-14%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2023-4039

Affected range: <12.3.0-9
Fixed version: 12.3.0-9
EPSS Score: 0.15%
EPSS Percentile: 36th percentile
Description

DISPUTED: A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.


critical: 0 high: 0 medium: 0 low: 1 python-pip 25.1.1+dfsg-1 (deb)

pkg:deb/debian/python-pip@25.1.1%2Bdfsg-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2018-20225

Affected range: >=25.1.1+dfsg-1
Fixed version: Not Fixed
EPSS Score: 2.54%
EPSS Percentile: 85th percentile
Description

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.


critical: 0 high: 0 medium: 0 low: 1 sqlite3 3.46.1-7 (deb)

pkg:deb/debian/sqlite3@3.46.1-7?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2021-45346

Affected range: >=3.46.1-7
Fixed version: Not Fixed
EPSS Score: 0.20%
EPSS Percentile: 43rd percentile
Description

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File); it is possible to query a record and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability, stating that "If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect."


critical: 0 high: 0 medium: 0 low: 1 openssl 3.5.1-1 (deb)

pkg:deb/debian/openssl@3.5.1-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2010-0928

Affected range: >=3.2.1-3
Fixed version: Not Fixed
EPSS Score: 0.11%
EPSS Percentile: 30th percentile
Description

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."


http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
openssl/openssl#24540
Fault injection based attacks are not within OpenSSL's threat model according
to the security policy: https://www.openssl.org/policies/general/security-policy.html

critical: 0 high: 0 medium: 0 low: 1 gnupg2 2.2.40-1.1 (deb)

pkg:deb/debian/gnupg2@2.2.40-1.1?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2025-30258

Affected range: <2.2.46-5
Fixed version: 2.2.46-5
EPSS Score: 0.02%
EPSS Percentile: 3rd percentile
Description

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."


critical: 0 high: 0 medium: 0 low: 1 util-linux 2.38.1-5+deb12u3 (deb)

pkg:deb/debian/util-linux@2.38.1-5%2Bdeb12u3?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2024-28085

Affected range: <2.39.3-11
Fixed version: 2.39.3-11
EPSS Score: 11.73%
EPSS Percentile: 93rd percentile
Description

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.


Labels: dependencies (Pull requests that update a dependency file), github_actions (Pull requests that update GitHub Actions code)
