Update access token for flowfuse dockerhub #282

Merged
merged 1 commit into from
Jan 18, 2024

Update access token for flowfuse dockerhub

5f9df0a
GitHub Actions / file-server:main-linux-arm64 scan results succeeded Jan 18, 2024 in 0s

4 fail in 0s

4 tests, 2 suites, 1 file: 0 passed ✅, 0 skipped 💤, 4 failed ❌ (0s ⏱️)

Results for commit 5f9df0a.

Annotations

[MEDIUM] CVE-2023-6129 (libcrypto3-3.1.4-r2) failed

trivy-junit-results.xml
openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC
Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications running
on PowerPC CPU based platforms if the CPU provides vector instructions.

Impact summary: If an attacker can influence whether the POLY1305 MAC
algorithm is used, the application state might be corrupted with various
application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs restores the contents of vector registers in a different order
than they are saved. Thus the contents of some of these vector registers
are corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.

The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However unless the compiler uses the vector registers for storing
pointers, the most likely consequence, if any, would be an incorrect result
of some application dependent calculations or a crash leading to a denial of
service.

The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3. If this cipher is enabled on the server a malicious
client can influence whether this AEAD cipher is used. This implies that
TLS server applications using OpenSSL can be potentially impacted. However
we are currently not aware of any concrete application that would be affected
by this issue therefore we consider this a Low severity security issue.

[MEDIUM] CVE-2023-6237 (libcrypto3-3.1.4-r2) failed

trivy-junit-results.xml
openssl: Excessive time spent checking invalid RSA public keys
A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.

[MEDIUM] CVE-2023-6129 (libssl3-3.1.4-r2) failed

trivy-junit-results.xml
openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC
(Description identical to the CVE-2023-6129 entry for libcrypto3-3.1.4-r2 above.)

[MEDIUM] CVE-2023-6237 (libssl3-3.1.4-r2) failed

trivy-junit-results.xml
openssl: Excessive time spent checking invalid RSA public keys
(Description identical to the CVE-2023-6237 entry for libcrypto3-3.1.4-r2 above.)