diff --git a/.github/workflows/bigquery-ingestion.yaml b/.github/workflows/bigquery-ingestion.yaml
index 4049e2581..66613b46d 100644
--- a/.github/workflows/bigquery-ingestion.yaml
+++ b/.github/workflows/bigquery-ingestion.yaml
@@ -36,7 +36,7 @@ jobs:
 gcloud run jobs execute --region us-central1 cve-advisory-cron
 - name: Post failure notice to Slack
- uses: rtCamp/action-slack-notify@b24d75fe0e728a4bf9fc42ee217caa686d141ee8 # ratchet:rtCamp/action-slack-notify@v2.2.1
+ uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # ratchet:rtCamp/action-slack-notify@v2.3.0
 if: ${{ failure() }}
 env:
 SLACK_ICON: http://github.com/chainguard-dev.png?size=48
diff --git a/.github/workflows/build-and-publish-osv.yaml b/.github/workflows/build-and-publish-osv.yaml
new file mode 100644
index 000000000..9bcb24049
--- /dev/null
+++ b/.github/workflows/build-and-publish-osv.yaml
@@ -0,0 +1,43 @@
+name: Build and publish OSV
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ build-publish:
+ name: Build and publish OSV
+ runs-on: ubuntu-latest
+ if: github.repository == 'wolfi-dev/advisories'
+
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: wolfi-dev/actions/build-and-publish-osv@main
+ with:
+ workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
+ service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com"
+ gcp_project_id: prod-images-c6e5
+ wolfictl_args: "--ecosystem wolfi --advisories-repo-dir ."
+ gcs_apk_bucket_name: wolfi-production-registry-destination
+ gcs_apk_directory_name: os
+
+ - name: Post failure notice to Slack
+ uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # ratchet:rtCamp/action-slack-notify@v2.3.0
+ if: ${{ failure() }}
+ env:
+ SLACK_ICON: http://github.com/chainguard-dev.png?size=48
+ SLACK_USERNAME: guardian
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+ SLACK_CHANNEL: 'eng-squad-lifecycle-alerts'
+ SLACK_COLOR: '#8E1600'
+ MSG_MINIMAL: 'true'
+ SLACK_TITLE: Build/Publish YAML for ${{ github.repository }} failed!
+ SLACK_MESSAGE: |
+ For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
diff --git a/.github/workflows/build-and-publish-secdb.yaml b/.github/workflows/build-and-publish-secdb.yaml
index ec461a3cc..4cdd5925b 100644
--- a/.github/workflows/build-and-publish-secdb.yaml
+++ b/.github/workflows/build-and-publish-secdb.yaml
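Review bot: The two actions this job hands its OIDC token to are pinned to mutable refs — `- uses: actions/checkout@v4` and `- uses: wolfi-dev/actions/build-and-publish-osv@main` — while the Slack step in the very same file is pinned to a commit SHA with a ratchet comment. Because the job grants `id-token: write` and authenticates to `prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com` through the workload identity provider, anyone who can push to `main` of `wolfi-dev/actions` (or move the `v4` tag) gets arbitrary code running with production GCP credentials, and the `if: github.repository == 'wolfi-dev/advisories'` guard does nothing against that; even if that repo is in the same org, a SHA pin makes the trust boundary explicit and reviewable. Pin both the way the Slack step is pinned, e.g. `- uses: actions/checkout@<sha> # ratchet:actions/checkout@v4` and `- uses: wolfi-dev/actions/build-and-publish-osv@<sha> # ratchet:wolfi-dev/actions/build-and-publish-osv@main`, and let ratchet carry the updates. Separately, `SLACK_ICON` is fetched over plain `http://`; prefer `https://`.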
@@ -29,7 +29,7 @@ jobs:
 gcs_apk_directory_name: os
 - name: Post failure notice to Slack
- uses: rtCamp/action-slack-notify@b24d75fe0e728a4bf9fc42ee217caa686d141ee8 # ratchet:rtCamp/action-slack-notify@v2.2.1
+ uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # ratchet:rtCamp/action-slack-notify@v2.3.0
 if: ${{ failure() }}
 env:
 SLACK_ICON: http://github.com/chainguard-dev.png?size=48
diff --git a/.github/workflows/build-and-publish-yaml.yaml b/.github/workflows/build-and-publish-yaml.yaml
index 4e1516ec9..694ec3ca6 100644
--- a/.github/workflows/build-and-publish-yaml.yaml
+++ b/.github/workflows/build-and-publish-yaml.yaml
@@ -29,7 +29,7 @@ jobs:
 gcs_apk_directory_name: os
 - name: Post failure notice to Slack
- uses: rtCamp/action-slack-notify@b24d75fe0e728a4bf9fc42ee217caa686d141ee8 # ratchet:rtCamp/action-slack-notify@v2.2.1
+ uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # ratchet:rtCamp/action-slack-notify@v2.3.0
 if: ${{ failure() }}
 env:
 SLACK_ICON: http://github.com/chainguard-dev.png?size=48
diff --git a/aactl.advisories.yaml b/aactl.advisories.yaml
index c20dcac47..b3f4136da 100644
--- a/aactl.advisories.yaml
+++ b/aactl.advisories.yaml
@@ -231,6 +231,15 @@ advisories:
 data:
 fixed-version: 0.4.12-r7
+ - id: CVE-2024-24557
+ aliases:
+ - GHSA-xw73-rw38-6vjc
+ events:
+ - timestamp: 2024-03-21T11:17:04Z
+ type: fixed
+ data:
+ fixed-version: 0.4.12-r8
+
 - id: CVE-2024-24786
 aliases:
 - GHSA-8r3f-844c-mc37
@@ -247,6 +256,10 @@ advisories:
 componentType: go-module
 componentLocation: /usr/bin/aactl
 scanner: grype
+ - timestamp: 2024-03-21T11:17:02Z
+ type: fixed
+ data:
+ fixed-version: 0.4.12-r8
 - id: CVE-2024-28180
 aliases:
@@ -269,6 +282,15 @@ advisories:
 data:
 fixed-version: 0.4.12-r7
+ - id: CVE-2024-29018
+ aliases:
+ - GHSA-mq39-4gv4-mvpx
+ events:
+ - timestamp: 2024-03-21T07:33:49Z
+ type: fixed
+ data:
+ fixed-version: 0.4.12-r7
+
 - id: GHSA-2c7c-3mj9-8fqh
 events:
 - timestamp: 2024-02-14T10:35:34Z
diff --git a/argo-cd-2.10.advisories.yaml b/argo-cd-2.10.advisories.yaml index a253fe748..78818a56f 100644 --- a/argo-cd-2.10.advisories.yaml +++ b/argo-cd-2.10.advisories.yaml @@ -4,6 +4,15 @@ package: name: argo-cd-2.10 advisories: + - id: CVE-2024-21652 + aliases: + - GHSA-x32m-mvfj-52xv + events: + - timestamp: 2024-03-19T10:19:27Z + type: fixed + data: + fixed-version: 2.10.4-r0 + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 diff --git a/argo-cd-2.7.advisories.yaml b/argo-cd-2.7.advisories.yaml index c126eff8c..1d7fee1c2 100644 --- a/argo-cd-2.7.advisories.yaml +++ b/argo-cd-2.7.advisories.yaml @@ -249,6 +249,21 @@ advisories: componentLocation: /usr/bin/argocd scanner: grype + - id: GHSA-2vgg-9h6w-m454 + events: + - timestamp: 2024-03-23T07:06:33Z + type: detection + data: + type: scan/v1 + data: + subpackageName: argo-cd-2.7 + componentID: 017ef98c4182ad84 + componentName: github.com/argoproj/argo-cd/v2 + componentVersion: v2.7.17 + componentType: go-module + componentLocation: /usr/bin/argocd + scanner: grype + - id: GHSA-6xv5-86q9-7xr8 events: - timestamp: 2023-09-09T15:17:59Z diff --git a/argo-workflows.advisories.yaml b/argo-workflows.advisories.yaml index e2f740af3..e329b970a 100644 --- a/argo-workflows.advisories.yaml +++ b/argo-workflows.advisories.yaml @@ -42,6 +42,15 @@ advisories: data: fixed-version: 3.5.2-r3 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-22T09:21:48Z + type: fixed + data: + fixed-version: 3.5.5-r4 + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 @@ -58,6 +67,10 @@ advisories: componentType: go-module componentLocation: /usr/bin/workflow-controller scanner: grype + - timestamp: 2024-03-21T13:30:59Z + type: fixed + data: + fixed-version: 3.5.5-r4 - id: CVE-2024-27289 aliases: diff --git a/aws-cli-v2.advisories.yaml b/aws-cli-v2.advisories.yaml new file mode 100644 index 000000000..ecdb5cebb --- /dev/null +++ b/aws-cli-v2.advisories.yaml 
@@ -0,0 +1,39 @@ +schema-version: 2.0.2 + +package: + name: aws-cli-v2 + +advisories: + - id: CVE-2023-6597 + aliases: + - GHSA-797f-63wg-8chv + events: + - timestamp: 2024-03-25T18:52:05Z + type: detection + data: + type: scan/v1 + data: + subpackageName: aws-cli-v2 + componentID: d308222d66b99a12 + componentName: python + componentVersion: 3.11.8 + componentType: binary + componentLocation: /usr/lib/aws-cli/libpython3.11.so.1.0 + scanner: grype + + - id: CVE-2024-0450 + aliases: + - GHSA-jm46-725r-hh9v + events: + - timestamp: 2024-03-25T18:52:06Z + type: detection + data: + type: scan/v1 + data: + subpackageName: aws-cli-v2 + componentID: d308222d66b99a12 + componentName: python + componentVersion: 3.11.8 + componentType: binary + componentLocation: /usr/lib/aws-cli/libpython3.11.so.1.0 + scanner: grype diff --git a/bind.advisories.yaml b/bind.advisories.yaml index fc7712535..57e7471be 100644 --- a/bind.advisories.yaml +++ b/bind.advisories.yaml @@ -488,6 +488,10 @@ advisories: componentType: apk componentLocation: /.PKGINFO scanner: grype + - timestamp: 2024-03-20T15:41:12Z + type: fixed + data: + fixed-version: 9.18.25-r0 - id: CVE-2023-6516 aliases: diff --git a/bom.advisories.yaml b/bom.advisories.yaml index 5f79ac54a..a6eff8f9b 100644 --- a/bom.advisories.yaml +++ b/bom.advisories.yaml @@ -132,6 +132,23 @@ advisories: data: fixed-version: 0.6.0-r0 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T10:30:53Z + type: detection + data: + type: scan/v1 + data: + subpackageName: bom + componentID: 032b3d6a67d55c61 + componentName: github.com/docker/docker + componentVersion: v24.0.0+incompatible + componentType: go-module + componentLocation: /usr/bin/bom + scanner: grype + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/buf.advisories.yaml b/buf.advisories.yaml index 1d024aed0..f77ac3a82 100644 --- a/buf.advisories.yaml +++ b/buf.advisories.yaml 
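Review bot: Both new aws-cli-v2 records stop at a `detection` event with no analysis or plan, even though the finding is `componentType: binary` at `/usr/lib/aws-cli/libpython3.11.so.1.0` — a Python 3.11.8 runtime that appears to be bundled inside the aws-cli-v2 package rather than supplied by a separate python package. If that reading is right, no upgrade of another package will close these; only a rebuild of aws-cli-v2 against a patched Python will, and the record should say so with a follow-up event — `fixed` with the rebuilt `fixed-version`, or `pending-upstream-fix` with a `note:` naming the Python release that carries the fix — instead of sitting as open detections. These files are presumably what the secdb/OSV jobs in this same change publish to consumers, so an unexplained open detection is what downstream users will see.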
@@ -41,3 +41,20 @@ advisories: type: fixed data: fixed-version: 1.30.0-r0 + + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-22T07:06:18Z + type: detection + data: + type: scan/v1 + data: + subpackageName: buf + componentID: 092d335917925f4e + componentName: github.com/docker/docker + componentVersion: v25.0.4+incompatible + componentType: go-module + componentLocation: /usr/bin/buf + scanner: grype diff --git a/buildkitd.advisories.yaml b/buildkitd.advisories.yaml index 747542ec2..521c77b6b 100644 --- a/buildkitd.advisories.yaml +++ b/buildkitd.advisories.yaml @@ -224,6 +224,27 @@ advisories: data: fixed-version: 0.13.0-r1 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T07:34:43Z + type: detection + data: + type: scan/v1 + data: + subpackageName: buildkitd + componentID: 19cd3c2af876f2e9 + componentName: github.com/docker/docker + componentVersion: v25.0.3+incompatible + componentType: go-module + componentLocation: /usr/bin/buildkitd + scanner: grype + - timestamp: 2024-03-21T11:43:47Z + type: fixed + data: + fixed-version: 0.13.1-r1 + - id: GHSA-7ww5-4wqc-m92c events: - timestamp: 2024-01-30T15:54:13Z diff --git a/cadvisor.advisories.yaml b/cadvisor.advisories.yaml index b5842b738..a66c75551 100644 --- a/cadvisor.advisories.yaml +++ b/cadvisor.advisories.yaml @@ -82,6 +82,27 @@ advisories: data: fixed-version: 0.48.1-r4 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T09:30:53Z + type: detection + data: + type: scan/v1 + data: + subpackageName: cadvisor + componentID: 5fd69375a57c4040 + componentName: github.com/docker/docker + componentVersion: v20.10.27+incompatible + componentType: go-module + componentLocation: /usr/bin/cadvisor + scanner: grype + - timestamp: 2024-03-21T11:23:06Z + type: fixed + data: + fixed-version: 0.49.1-r4 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp 
@@ -154,6 +175,27 @@ advisories: data: fixed-version: 0.49.1-r3 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T09:30:51Z + type: detection + data: + type: scan/v1 + data: + subpackageName: cadvisor + componentID: 5fd69375a57c4040 + componentName: github.com/docker/docker + componentVersion: v20.10.27+incompatible + componentType: go-module + componentLocation: /usr/bin/cadvisor + scanner: grype + - timestamp: 2024-03-21T11:23:06Z + type: fixed + data: + fixed-version: 0.49.1-r4 + - id: GHSA-6xv5-86q9-7xr8 events: - timestamp: 2023-09-09T15:18:01Z diff --git a/cert-manager-1.12.advisories.yaml b/cert-manager-1.12.advisories.yaml index 629fce1d4..bb193ad30 100644 --- a/cert-manager-1.12.advisories.yaml +++ b/cert-manager-1.12.advisories.yaml @@ -78,6 +78,23 @@ advisories: data: fixed-version: 1.12.7-r2 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-25T10:04:27Z + type: detection + data: + type: scan/v1 + data: + subpackageName: cmctl-1.12 + componentID: 69719a35eed06ed4 + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/cmctl + scanner: grype + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 diff --git a/cert-manager-1.14.advisories.yaml b/cert-manager-1.14.advisories.yaml index 437701c8a..4139e179a 100644 --- a/cert-manager-1.14.advisories.yaml +++ b/cert-manager-1.14.advisories.yaml @@ -26,6 +26,15 @@ advisories: type: vulnerability-record-analysis-contested note: 'This is not a vulnerability. Learn more about the response from Helm: https://helm.sh/blog/response-cve-2019-25210' + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T12:47:16Z + type: fixed + data: + fixed-version: 1.14.4-r2 + - id: CVE-2024-25620 aliases: - GHSA-v53g-5gjp-272r 
@@ -68,7 +77,9 @@ advisories: data: fixed-version: 1.14.2-r2 - - id: GHSA-c5q2-7r4c-mv6g + - id: CVE-2024-28180 + aliases: + - GHSA-c5q2-7r4c-mv6g events: - timestamp: 2024-03-08T07:11:22Z type: detection diff --git a/chartmuseum.advisories.yaml b/chartmuseum.advisories.yaml index 51ddd8432..7dacc3584 100644 --- a/chartmuseum.advisories.yaml +++ b/chartmuseum.advisories.yaml @@ -82,6 +82,23 @@ advisories: data: fixed-version: 0.16.1-r4 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-22T07:18:34Z + type: detection + data: + type: scan/v1 + data: + subpackageName: chartmuseum + componentID: e8713d467cb089c5 + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/chartmuseum + scanner: grype + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp @@ -109,6 +126,27 @@ advisories: data: fixed-version: 0.16.1-r4 + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 + events: + - timestamp: 2024-03-14T07:08:26Z + type: detection + data: + type: scan/v1 + data: + subpackageName: chartmuseum + componentID: 03eb8e87cf063a9d + componentName: google.golang.org/protobuf + componentVersion: v1.31.0 + componentType: go-module + componentLocation: /usr/bin/chartmuseum + scanner: grype + - timestamp: 2024-03-14T15:22:59Z + type: fixed + data: + fixed-version: 0.16.1-r5 + - id: CVE-2024-25620 aliases: - GHSA-v53g-5gjp-272r 
@@ -151,25 +189,6 @@ advisories: data: fixed-version: 0.16.1-r3 - - id: GHSA-8r3f-844c-mc37 - events: - - timestamp: 2024-03-14T07:08:26Z - type: detection - data: - type: scan/v1 - data: - subpackageName: chartmuseum - componentID: 03eb8e87cf063a9d - componentName: google.golang.org/protobuf - componentVersion: v1.31.0 - componentType: go-module - componentLocation: /usr/bin/chartmuseum - scanner: grype - - timestamp: 2024-03-14T15:22:59Z - type: fixed - data: - fixed-version: 0.16.1-r5 - - id: GHSA-jq35-85cj-fj4p events: - timestamp: 2023-12-27T14:29:46Z diff --git a/cilium-1.14.advisories.yaml b/cilium-1.14.advisories.yaml index 87b258325..a05e64ec6 100644 --- a/cilium-1.14.advisories.yaml +++ b/cilium-1.14.advisories.yaml @@ -29,3 +29,54 @@ advisories: type: fixed data: fixed-version: 1.14.7-r0 + + - id: CVE-2024-28248 + aliases: + - GHSA-68mj-9pjq-mc85 + events: + - timestamp: 2024-03-20T10:04:09Z + type: detection + data: + type: scan/v1 + data: + subpackageName: cilium-1.14 + componentID: 1810fb8fac7342e0 + componentName: cilium-1.14 + componentVersion: 1.14.7-r0 + componentType: apk + componentLocation: /.PKGINFO + scanner: grype + + - id: CVE-2024-28249 + aliases: + - GHSA-j89h-qrvr-xc36 + events: + - timestamp: 2024-03-20T10:04:10Z + type: detection + data: + type: scan/v1 + data: + subpackageName: cilium-1.14 + componentID: 1810fb8fac7342e0 + componentName: cilium-1.14 + componentVersion: 1.14.7-r0 + componentType: apk + componentLocation: /.PKGINFO + scanner: grype + + - id: CVE-2024-28250 + aliases: + - GHSA-v6q2-4qr3-5cw6 + events: + - timestamp: 2024-03-20T10:04:10Z + type: detection + data: + type: scan/v1 + data: + subpackageName: cilium-1.14 + componentID: 1810fb8fac7342e0 + componentName: cilium-1.14 + componentVersion: 1.14.7-r0 + componentType: apk + componentLocation: /.PKGINFO + scanner: grype diff --git a/cilium-cli.advisories.yaml b/cilium-cli.advisories.yaml index 1a100eec6..7b2c8b086 100644 --- a/cilium-cli.advisories.yaml 
+++ b/cilium-cli.advisories.yaml @@ -105,6 +105,23 @@ advisories: data: fixed-version: 0.15.23-r2 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-25T09:22:18Z + type: detection + data: + type: scan/v1 + data: + subpackageName: cilium-cli + componentID: 8758da7de28199e7 + componentName: github.com/docker/docker + componentVersion: v25.0.3+incompatible + componentType: go-module + componentLocation: /usr/bin/cilium + scanner: grype + - id: GHSA-7ww5-4wqc-m92c events: - timestamp: 2024-01-25T07:12:56Z diff --git a/confluent-common-docker.advisories.yaml b/confluent-common-docker.advisories.yaml new file mode 100644 index 000000000..e41ffc7e8 --- /dev/null +++ b/confluent-common-docker.advisories.yaml 
@@ -0,0 +1,47 @@ +schema-version: 2.0.2 + +package: + name: confluent-common-docker + +advisories: + - id: CVE-2023-51775 + aliases: + - GHSA-6qvw-249j-h44c + events: + - timestamp: 2024-03-19T16:20:01Z + type: detection + data: + type: scan/v1 + data: + subpackageName: confluent-common-docker + componentID: bc7e78f5849d3b9b + componentName: jose4j + componentVersion: 0.9.3 + componentType: java-archive + componentLocation: /usr/share/java/cp-base-new/docker-utils-jar-with-dependencies.jar + scanner: grype + - timestamp: 2024-03-20T07:06:26Z + type: pending-upstream-fix + data: + note: Confluent should publish the latest version of common package to their maven repository. They do not have any jars/poms past 7.6.x but they have 7.7.x tags in their GitHub repository. + + - id: CVE-2024-23944 + aliases: + - GHSA-r978-9m6m-6gm6 + events: + - timestamp: 2024-03-19T16:20:02Z + type: detection + data: + type: scan/v1 + data: + subpackageName: confluent-common-docker + componentID: 3b6ce91dccc68f33 + componentName: zookeeper + componentVersion: 3.8.3 + componentType: java-archive + componentLocation: /usr/share/java/cp-base-new/docker-utils-jar-with-dependencies.jar + scanner: grype + - timestamp: 2024-03-20T07:06:26Z + type: pending-upstream-fix + data: + note: Confluent should publish the latest version of common package to their maven repository. They do not have any jars/poms past 7.6.x but they have 7.7.x tags in their GitHub repository. diff --git a/confluent-kafka.advisories.yaml b/confluent-kafka.advisories.yaml new file mode 100644 index 000000000..f63b2da4a --- /dev/null +++ b/confluent-kafka.advisories.yaml 
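Review bot: The `pending-upstream-fix` note on both records (`Confluent should publish the latest version of common package to their maven repository...`) states a wish rather than something a later triager can re-check: it names no tracking issue and no concrete artifact version that is expected to carry the patched jose4j / zookeeper. Add a `note:` that ends with the thing to poll, e.g. `...; blocked until a 7.7.x common artifact appears on their Maven repository (see <upstream issue link>).`. Both findings are located in the same fat jar, `/usr/share/java/cp-base-new/docker-utils-jar-with-dependencies.jar`, so — assuming that jar is consumed as-is from upstream — a rebuild of that artifact, not a separate library bump, is what will eventually resolve them; worth stating in the note so the fix is verified against the right thing.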
@@ -0,0 +1,23 @@ +schema-version: 2.0.2 + +package: + name: confluent-kafka + +advisories: + - id: CVE-2023-51775 + aliases: + - GHSA-6qvw-249j-h44c + events: + - timestamp: 2024-03-25T18:13:26Z + type: pending-upstream-fix + data: + note: Confluent should publish the latest version of common package to their maven repository. They do not have any jars/poms past 7.6.x but they have 7.7.x tags in their GitHub repository. + + - id: CVE-2024-23944 + aliases: + - GHSA-r978-9m6m-6gm6 + events: + - timestamp: 2024-03-25T18:14:57Z + type: pending-upstream-fix + data: + note: Confluent should publish the latest version of common package to their maven repository. They do not have any jars/poms past 7.6.x but they have 7.7.x tags in their GitHub repository. diff --git a/conftest.advisories.yaml b/conftest.advisories.yaml index e292f533b..8e8a25f16 100644 --- a/conftest.advisories.yaml +++ b/conftest.advisories.yaml @@ -88,6 +88,15 @@ advisories: data: fixed-version: 0.50.0-r1 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T11:16:31Z + type: fixed + data: + fixed-version: 0.50.0-r2 + - id: GHSA-jq35-85cj-fj4p events: - timestamp: 2023-10-31T20:03:41Z diff --git a/coredns.advisories.yaml b/coredns.advisories.yaml index ec6b764b3..427fdae28 100644 --- a/coredns.advisories.yaml +++ b/coredns.advisories.yaml @@ -166,3 +166,20 @@ advisories: componentType: go-module componentLocation: /usr/bin/coredns scanner: grype + + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 + events: + - timestamp: 2024-03-20T09:04:10Z + type: detection + data: + type: scan/v1 + data: + subpackageName: coredns + componentID: fe1ad1ac5d63ddd3 + componentName: google.golang.org/protobuf + componentVersion: v1.31.0 + componentType: go-module + componentLocation: /usr/bin/coredns + scanner: grype diff --git a/cosign.advisories.yaml b/cosign.advisories.yaml index 830e9e21d..3fbf59e96 100644 --- a/cosign.advisories.yaml +++ b/cosign.advisories.yaml 
@@ -80,6 +80,15 @@ advisories: data: fixed-version: 2.2.2-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:16:41Z + type: fixed + data: + fixed-version: 2.2.3-r4 + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 diff --git a/crane.advisories.yaml b/crane.advisories.yaml index 937259152..ee98da54c 100644 --- a/crane.advisories.yaml +++ b/crane.advisories.yaml @@ -1,4 +1,4 @@ -schema-version: 2.0.1 +schema-version: 2.0.2 package: name: crane @@ -23,3 +23,12 @@ advisories: data: type: vulnerable-code-not-included-in-package note: Only affects Windows + + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:44:21Z + type: fixed + data: + fixed-version: 0.19.1-r1 diff --git a/cri-tools.advisories.yaml b/cri-tools.advisories.yaml index 3b7dd3f6a..45951b12e 100644 --- a/cri-tools.advisories.yaml +++ b/cri-tools.advisories.yaml @@ -73,6 +73,27 @@ advisories: data: fixed-version: 1.29.0-r2 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T09:31:05Z + type: detection + data: + type: scan/v1 + data: + subpackageName: crictl + componentID: 35ba693bbd3d51a6 + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/crictl + scanner: grype + - timestamp: 2024-03-21T11:41:55Z + type: fixed + data: + fixed-version: 1.29.0-r6 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/crossplane.advisories.yaml b/crossplane.advisories.yaml index 12ab03c2f..64c9d2aca 100644 --- a/crossplane.advisories.yaml +++ b/crossplane.advisories.yaml 
@@ -117,3 +117,22 @@ advisories: type: fixed data: fixed-version: 1.14.5-r2 + + - id: GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T07:07:48Z + type: detection + data: + type: scan/v1 + data: + subpackageName: crossplane + componentID: c50fd69f50f2a147 + componentName: github.com/docker/docker + componentVersion: v25.0.2+incompatible + componentType: go-module + componentLocation: /usr/bin/crossplane + scanner: grype + - timestamp: 2024-03-21T11:42:22Z + type: fixed + data: + fixed-version: 1.15.1-r1 diff --git a/dagger.advisories.yaml b/dagger.advisories.yaml index 6b6612d7e..7e2327a39 100644 --- a/dagger.advisories.yaml +++ b/dagger.advisories.yaml @@ -22,6 +22,15 @@ advisories: data: fixed-version: 0.10.1-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:44:14Z + type: fixed + data: + fixed-version: 0.10.2-r1 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp @@ -48,3 +57,21 @@ advisories: type: fixed data: fixed-version: 0.10.1-r1 + + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 + events: + - timestamp: 2024-03-21T11:43:58Z + type: fixed + data: + fixed-version: 0.10.2-r1 + + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T11:44:07Z + type: fixed + data: + fixed-version: 0.10.2-r1 diff --git a/datadog-agent.advisories.yaml b/datadog-agent.advisories.yaml index d9b133573..e3dd58da2 100644 --- a/datadog-agent.advisories.yaml +++ b/datadog-agent.advisories.yaml @@ -127,6 +127,15 @@ advisories: data: fixed-version: 7.50.3-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T07:34:46Z + type: fixed + data: + fixed-version: 7.51.1-r3 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp 
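Review bot: The new crossplane advisory is keyed `- id: GHSA-mq39-4gv4-mvpx` with no `aliases`, while every other file in this change records the same docker/docker finding as `CVE-2024-29018` with the GHSA under `aliases` (aactl, buf, buildkitd, cadvisor, cilium-cli, conftest, dagger, datadog-agent, grype), and cert-manager-1.14 and chartmuseum are explicitly migrated in this diff from a GHSA key to the CVE key. A GHSA-only key means the `fixed` event for `1.15.1-r1` is not found by a consumer that looks crossplane up by CVE, so the package keeps showing as vulnerable there. Change the three lines to `- id: CVE-2024-29018` / `aliases:` / `- GHSA-mq39-4gv4-mvpx` as the sibling files do.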
@@ -174,3 +183,12 @@ advisories: type: fixed data: fixed-version: 7.51.1-r2 + + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T14:49:35Z + type: fixed + data: + fixed-version: 7.52.0-r0 diff --git a/docker-compose.advisories.yaml b/docker-compose.advisories.yaml index 7302d5f59..a324a4edf 100644 --- a/docker-compose.advisories.yaml +++ b/docker-compose.advisories.yaml @@ -41,3 +41,26 @@ advisories: componentType: go-module componentLocation: /usr/bin/docker-compose scanner: grype + - timestamp: 2024-03-19T12:28:56Z + type: fixed + data: + fixed-version: 2.25.0-r1 + + - id: GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T07:07:17Z + type: detection + data: + type: scan/v1 + data: + subpackageName: docker-compose + componentID: 0b3ad6c647777761 + componentName: github.com/docker/docker + componentVersion: v25.0.4-0.20240301160236-51e876cd964c+incompatible + componentType: go-module + componentLocation: /usr/bin/docker-compose + scanner: grype + - timestamp: 2024-03-21T11:44:19Z + type: fixed + data: + fixed-version: 2.25.0-r2 diff --git a/docker-credential-gcr.advisories.yaml b/docker-credential-gcr.advisories.yaml index 1a4374c24..a43a0dcf1 100644 --- a/docker-credential-gcr.advisories.yaml +++ b/docker-credential-gcr.advisories.yaml @@ -42,6 +42,15 @@ advisories: data: fixed-version: 2.1.22-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:17:00Z + type: fixed + data: + fixed-version: 2.1.22-r2 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/eksctl.advisories.yaml b/eksctl.advisories.yaml index ac0dc3b07..02c767405 100644 --- a/eksctl.advisories.yaml +++ b/eksctl.advisories.yaml @@ -80,6 +80,15 @@ advisories: data: fixed-version: 0.167.0-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:17:05Z + type: fixed + data: + fixed-version: 0.174.0-r1 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp 
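Review bot: docker-compose's new record `- id: GHSA-mq39-4gv4-mvpx` should be keyed by its CVE, `CVE-2024-29018`, with the GHSA moved under `aliases:` (`- GHSA-mq39-4gv4-mvpx`), matching how the identical docker/docker finding is filed in buf, buildkitd, dagger and datadog-agent in this same change; otherwise the `fixed` event at `2.25.0-r2` is invisible to a CVE-based lookup. The first added block of the hunk (the `fixed` event at `2.25.0-r1`) attaches to an advisory whose `id` line is above the hunk boundary, so which finding it closes cannot be checked from here.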
diff --git a/falcoctl.advisories.yaml b/falcoctl.advisories.yaml index 6dca519bf..0c333ee3d 100644 --- a/falcoctl.advisories.yaml +++ b/falcoctl.advisories.yaml @@ -93,6 +93,15 @@ advisories: data: fixed-version: 0.7.1-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-22T12:18:18Z + type: fixed + data: + fixed-version: 0.7.3-r5 + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 diff --git a/flux-helm-controller.advisories.yaml b/flux-helm-controller.advisories.yaml index 283429d45..5bcf793b7 100644 --- a/flux-helm-controller.advisories.yaml +++ b/flux-helm-controller.advisories.yaml @@ -106,6 +106,15 @@ advisories: data: fixed-version: 0.37.1-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-22T15:42:09Z + type: fixed + data: + fixed-version: 0.37.4-r5 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/flux-image-reflector-controller.advisories.yaml b/flux-image-reflector-controller.advisories.yaml index 6ba2ba579..c15553f9b 100644 --- a/flux-image-reflector-controller.advisories.yaml +++ b/flux-image-reflector-controller.advisories.yaml @@ -69,6 +69,15 @@ advisories: data: fixed-version: 0.31.1-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:44:18Z + type: fixed + data: + fixed-version: 0.31.2-r3 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/flux.advisories.yaml b/flux.advisories.yaml index d6de7b1cc..c33132cad 100644 --- a/flux.advisories.yaml +++ b/flux.advisories.yaml 
@@ -69,6 +69,23 @@ advisories: data: fixed-version: 2.2.1-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T07:06:31Z + type: detection + data: + type: scan/v1 + data: + subpackageName: flux + componentID: cd013f1471b1a4f7 + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/flux + scanner: grype + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/gh.advisories.yaml b/gh.advisories.yaml index e22574b85..1a63cecb4 100644 --- a/gh.advisories.yaml +++ b/gh.advisories.yaml @@ -65,3 +65,12 @@ advisories: type: fixed data: fixed-version: 2.45.0-r1 + + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 + events: + - timestamp: 2024-03-20T18:43:44Z + type: fixed + data: + fixed-version: 2.46.0-r0 diff --git a/gitlab-runner.advisories.yaml b/gitlab-runner.advisories.yaml index ae71b059d..d99dc825c 100644 --- a/gitlab-runner.advisories.yaml +++ b/gitlab-runner.advisories.yaml @@ -125,3 +125,18 @@ advisories: type: fixed data: fixed-version: 16.8.0-r2 + + - id: GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T07:07:44Z + type: detection + data: + type: scan/v1 + data: + subpackageName: gitlab-runner-helper + componentID: b930cee192b4cfa8 + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/gitlab-runner-helper + scanner: grype diff --git a/gitleaks.advisories.yaml b/gitleaks.advisories.yaml new file mode 100644 index 000000000..5092e0e5e --- /dev/null +++ b/gitleaks.advisories.yaml 
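Review bot: gitlab-runner's new record is `- id: GHSA-xw73-rw38-6vjc` without a CVE, whereas the same docker/docker v24.0.7 finding is filed as `CVE-2024-24557` with `GHSA-xw73-rw38-6vjc` as an alias in flux, gitsign, cert-manager-1.12 and many other files in this change. Use `- id: CVE-2024-24557` plus `aliases:` / `- GHSA-xw73-rw38-6vjc` so the detection in `gitlab-runner-helper` resolves under either identifier. It is also detection-only: no `fixed` or triage event follows it, unlike gitsign in the same diff which already carries a `fixed` at `0.8.1-r5` for the same module version, so this one should be tracked to a rebuild or given a reason it is not.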
@@ -0,0 +1,23 @@ +schema-version: 2.0.2 + +package: + name: gitleaks + +advisories: + - id: CVE-2021-38561 + aliases: + - GHSA-ppp9-7jff-5vj2 + events: + - timestamp: 2024-03-22T13:58:58Z + type: fixed + data: + fixed-version: 8.18.2-r1 + + - id: CVE-2022-32149 + aliases: + - GHSA-69ch-w2m2-3vjp + events: + - timestamp: 2024-03-22T13:58:57Z + type: fixed + data: + fixed-version: 8.18.2-r1 diff --git a/gitsign.advisories.yaml b/gitsign.advisories.yaml index 56b101e82..cca618c24 100644 --- a/gitsign.advisories.yaml +++ b/gitsign.advisories.yaml @@ -129,6 +129,27 @@ advisories: data: fixed-version: 0.8.1-r0 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T07:31:48Z + type: detection + data: + type: scan/v1 + data: + subpackageName: gitsign + componentID: 924476b050dcaea8 + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/gitsign + scanner: grype + - timestamp: 2024-03-22T13:58:00Z + type: fixed + data: + fixed-version: 0.8.1-r5 + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 diff --git a/go-1.19.advisories.yaml b/go-1.19.advisories.yaml index 8bd61577e..f87b1da69 100644 --- a/go-1.19.advisories.yaml +++ b/go-1.19.advisories.yaml @@ -259,6 +259,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.19 is no longer supported upstream. - id: CVE-2023-45290 aliases: @@ -276,6 +280,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.19 is no longer supported upstream. - id: CVE-2024-24783 aliases: 
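Review bot: The `fix-not-planned` events added to go-1.19 (and to go-1.20 / go-fips-1.20 further down) close out CVE-2023-45290, CVE-2024-24783, CVE-2024-24784 and CVE-2024-24785 with only `note: Go 1.19 is no longer supported upstream.`, which tells a consumer why nothing will ship but not what to do. If the package is still being published, the note should say the toolchain is EOL and point at the remedy, e.g. `note: Go 1.19 is no longer supported upstream and will not receive fixes; build with a currently supported Go toolchain instead.`. The id of the advisory that the first `fix-not-planned` in this file attaches to lies above the hunk boundary and is not visible here.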
@@ -293,6 +301,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.19 is no longer supported upstream. - id: CVE-2024-24784 aliases: @@ -310,6 +322,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.19 is no longer supported upstream. - id: CVE-2024-24785 aliases: @@ -327,3 +343,7 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.19 is no longer supported upstream. diff --git a/go-1.20.advisories.yaml b/go-1.20.advisories.yaml index b254158d2..0cca9384c 100644 --- a/go-1.20.advisories.yaml +++ b/go-1.20.advisories.yaml @@ -163,6 +163,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.20 is no longer supported upstream. - id: CVE-2023-45290 aliases: @@ -180,6 +184,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.20 is no longer supported upstream. - id: CVE-2024-24783 aliases: @@ -197,6 +205,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.20 is no longer supported upstream. - id: CVE-2024-24784 aliases: @@ -214,6 +226,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.20 is no longer supported upstream. - id: CVE-2024-24785 aliases: 
@@ -231,3 +247,7 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.20 is no longer supported upstream. diff --git a/go-fips-1.20.advisories.yaml b/go-fips-1.20.advisories.yaml index 37d357a9a..7b2af1ba0 100644 --- a/go-fips-1.20.advisories.yaml +++ b/go-fips-1.20.advisories.yaml @@ -127,6 +127,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.20 is no longer supported upstream. - id: CVE-2023-45290 aliases: @@ -144,6 +148,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.20 is no longer supported upstream. - id: CVE-2024-24783 aliases: @@ -161,6 +169,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.20 is no longer supported upstream. - id: CVE-2024-24784 aliases: @@ -178,6 +190,10 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.20 is no longer supported upstream. - id: CVE-2024-24785 aliases: @@ -195,3 +211,7 @@ advisories: componentType: binary componentLocation: /usr/lib/go/bin/go scanner: grype + - timestamp: 2024-03-20T23:17:34Z + type: fix-not-planned + data: + note: Go 1.20 is no longer supported upstream. diff --git a/golangci-lint.advisories.yaml b/golangci-lint.advisories.yaml index dbe6a3d54..e6c0d89eb 100644 --- a/golangci-lint.advisories.yaml +++ b/golangci-lint.advisories.yaml 
@@ -85,3 +85,7 @@ advisories: componentType: go-module componentLocation: /usr/bin/golangci-lint scanner: grype + - timestamp: 2024-03-20T00:45:09Z + type: fixed + data: + fixed-version: 1.57.0-r0 diff --git a/grype.advisories.yaml b/grype.advisories.yaml index 9880b616f..29194a435 100644 --- a/grype.advisories.yaml +++ b/grype.advisories.yaml @@ -127,6 +127,15 @@ advisories: data: fixed-version: 0.74.7-r2 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T11:17:05Z + type: fixed + data: + fixed-version: 0.74.7-r3 + - id: GHSA-7ww5-4wqc-m92c events: - timestamp: 2023-12-20T16:19:08Z diff --git a/guac.advisories.yaml b/guac.advisories.yaml index f462c2ec9..8382d415f 100644 --- a/guac.advisories.yaml +++ b/guac.advisories.yaml @@ -60,6 +60,15 @@ advisories: data: fixed-version: 0.4.0-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:44:16Z + type: fixed + data: + fixed-version: 0.5.1-r4 + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 diff --git a/helm-operator.advisories.yaml b/helm-operator.advisories.yaml index 24443166b..d0f246a4d 100644 --- a/helm-operator.advisories.yaml +++ b/helm-operator.advisories.yaml @@ -39,6 +39,15 @@ advisories: data: fixed-version: 1.34.1-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-23T15:15:55Z + type: fixed + data: + fixed-version: 1.34.1-r2 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp @@ -66,6 +75,15 @@ advisories: data: fixed-version: 1.34.1-r1 + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 + events: + - timestamp: 2024-03-23T15:15:54Z + type: fixed + data: + fixed-version: 1.34.1-r2 + - id: CVE-2024-25620 aliases: - GHSA-v53g-5gjp-272r diff --git a/helm.advisories.yaml b/helm.advisories.yaml index 1be904f64..e3f31cc2b 100644 --- a/helm.advisories.yaml +++ b/helm.advisories.yaml 
@@ -151,6 +151,23 @@ advisories: data: fixed-version: 3.13.3-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-22T09:16:45Z + type: detection + data: + type: scan/v1 + data: + subpackageName: helm + componentID: 7a48b19dca54b4bd + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/helm + scanner: grype + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/hubble-ui.advisories.yaml b/hubble-ui.advisories.yaml index a959d0098..70fc97967 100644 --- a/hubble-ui.advisories.yaml +++ b/hubble-ui.advisories.yaml @@ -82,6 +82,18 @@ advisories: aliases: - GHSA-68mj-9pjq-mc85 events: + - timestamp: 2024-03-19T09:09:02Z + type: detection + data: + type: scan/v1 + data: + subpackageName: hubble-ui-backend + componentID: 5c42cb480883a6b5 + componentName: github.com/cilium/cilium + componentVersion: v1.15.0 + componentType: go-module + componentLocation: /usr/bin/backend + scanner: grype - timestamp: 2024-03-19T14:43:23Z type: fixed data: @@ -91,6 +103,18 @@ advisories: aliases: - GHSA-j89h-qrvr-xc36 events: + - timestamp: 2024-03-19T09:09:05Z + type: detection + data: + type: scan/v1 + data: + subpackageName: hubble-ui-backend + componentID: 5c42cb480883a6b5 + componentName: github.com/cilium/cilium + componentVersion: v1.15.0 + componentType: go-module + componentLocation: /usr/bin/backend + scanner: grype - timestamp: 2024-03-19T14:43:19Z type: fixed data: @@ -100,6 +124,18 @@ advisories: aliases: - GHSA-v6q2-4qr3-5cw6 events: + - timestamp: 2024-03-19T09:09:06Z + type: detection + data: + type: scan/v1 + data: + subpackageName: hubble-ui-backend + componentID: 5c42cb480883a6b5 + componentName: github.com/cilium/cilium + componentVersion: v1.15.0 + componentType: go-module + componentLocation: /usr/bin/backend + scanner: grype - timestamp: 2024-03-19T14:43:21Z type: fixed data: 
diff --git a/istio-pilot-discovery-1.20.advisories.yaml b/istio-pilot-discovery-1.20.advisories.yaml index b9a026336..48ca67e6a 100644 --- a/istio-pilot-discovery-1.20.advisories.yaml +++ b/istio-pilot-discovery-1.20.advisories.yaml @@ -53,6 +53,23 @@ advisories: data: fixed-version: 1.20.2-r3 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-23T08:01:43Z + type: detection + data: + type: scan/v1 + data: + subpackageName: istio-pilot-discovery-1.20 + componentID: 121f21f662b2e868 + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/pilot-discovery + scanner: grype + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 diff --git a/istio-pilot-discovery-1.21.advisories.yaml b/istio-pilot-discovery-1.21.advisories.yaml new file mode 100644 index 000000000..9e9a581ad --- /dev/null +++ b/istio-pilot-discovery-1.21.advisories.yaml @@ -0,0 +1,14 @@ +schema-version: 2.0.2 + +package: + name: istio-pilot-discovery-1.21 + +advisories: + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:43:36Z + type: fixed + data: + fixed-version: 1.21.0-r2 diff --git a/jenkins.advisories.yaml b/jenkins.advisories.yaml index a84e5e835..148f81e41 100644 --- a/jenkins.advisories.yaml +++ b/jenkins.advisories.yaml @@ -142,6 +142,24 @@ advisories: data: fixed-version: 2.446-r0 + - id: CVE-2024-22257 + aliases: + - GHSA-f3jh-qvm4-mg39 + events: + - timestamp: 2024-03-19T18:01:55Z + type: fixed + data: + fixed-version: 2.450-r0 + + - id: CVE-2024-22259 + aliases: + - GHSA-hgjh-9rj2-g67j + events: + - timestamp: 2024-03-19T18:01:59Z + type: fixed + data: + fixed-version: 2.450-r0 + - id: CVE-2024-23897 aliases: - GHSA-6f9g-cxwr-q5jr diff --git a/k3d.advisories.yaml b/k3d.advisories.yaml index 1451e274f..241336167 100644 --- a/k3d.advisories.yaml +++ b/k3d.advisories.yaml 
@@ -998,6 +998,23 @@ advisories: data: fixed-version: 5.6.0-r6 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-22T07:06:05Z + type: detection + data: + type: scan/v1 + data: + subpackageName: k3d + componentID: 22f44d686d875f84 + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/k3d + scanner: grype + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp @@ -1025,6 +1042,27 @@ advisories: data: fixed-version: 5.6.0-r7 + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 + events: + - timestamp: 2024-03-14T07:08:28Z + type: detection + data: + type: scan/v1 + data: + subpackageName: k3d + componentID: 6ae545edc2d9ee4a + componentName: google.golang.org/protobuf + componentVersion: v1.31.0 + componentType: go-module + componentLocation: /usr/bin/k3d + scanner: grype + - timestamp: 2024-03-16T20:28:53Z + type: fixed + data: + fixed-version: 5.6.0-r8 + - id: GHSA-76wf-9vgp-pj7w events: - timestamp: 2024-02-17T17:00:05Z @@ -1059,25 +1097,6 @@ advisories: data: fixed-version: 5.6.0-r6 - - id: GHSA-8r3f-844c-mc37 - events: - - timestamp: 2024-03-14T07:08:28Z - type: detection - data: - type: scan/v1 - data: - subpackageName: k3d - componentID: 6ae545edc2d9ee4a - componentName: google.golang.org/protobuf - componentVersion: v1.31.0 - componentType: go-module - componentLocation: /usr/bin/k3d - scanner: grype - - timestamp: 2024-03-16T20:28:53Z - type: fixed - data: - fixed-version: 5.6.0-r8 - - id: GHSA-jq35-85cj-fj4p events: - timestamp: 2024-02-14T12:26:39Z diff --git a/k3s.advisories.yaml b/k3s.advisories.yaml index 96b490e78..385a071ed 100644 --- a/k3s.advisories.yaml +++ b/k3s.advisories.yaml 
@@ -106,6 +106,15 @@ advisories: data: fixed-version: 1.29.0-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T13:31:10Z + type: fixed + data: + fixed-version: 1.29.2-r5 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/k8sgpt.advisories.yaml b/k8sgpt.advisories.yaml index 2b8b13330..fbd6b70a0 100644 --- a/k8sgpt.advisories.yaml +++ b/k8sgpt.advisories.yaml @@ -113,6 +113,15 @@ advisories: data: fixed-version: 0.3.24-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:17:02Z + type: fixed + data: + fixed-version: 0.3.28-r2 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/k9s.advisories.yaml b/k9s.advisories.yaml index 2a5fbaa1c..be86de485 100644 --- a/k9s.advisories.yaml +++ b/k9s.advisories.yaml @@ -20,6 +20,10 @@ advisories: componentType: go-module componentLocation: /usr/bin/k9s scanner: grype + - timestamp: 2024-03-20T22:07:03Z + type: fixed + data: + fixed-version: 0.32.4-r0 - id: CVE-2024-21626 aliases: diff --git a/kaniko.advisories.yaml b/kaniko.advisories.yaml index dd3717899..c7b7e821b 100644 --- a/kaniko.advisories.yaml +++ b/kaniko.advisories.yaml @@ -145,6 +145,19 @@ advisories: componentType: go-module componentLocation: /usr/bin/executor scanner: grype + - timestamp: 2024-03-21T11:16:31Z + type: fixed + data: + fixed-version: 1.21.1-r1 + + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T11:16:35Z + type: fixed + data: + fixed-version: 1.21.1-r1 - id: GHSA-7ww5-4wqc-m92c events: diff --git a/kargo.advisories.yaml b/kargo.advisories.yaml index 07181e46c..bfdbaf3a2 100644 --- a/kargo.advisories.yaml +++ b/kargo.advisories.yaml 
@@ -34,6 +34,15 @@ advisories: type: vulnerable-code-not-included-in-package note: Only affects Windows + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:17:07Z + type: fixed + data: + fixed-version: 0.4.4-r2 + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 @@ -63,3 +72,12 @@ advisories: type: fixed data: fixed-version: 0.4.3-r2 + + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T11:17:05Z + type: fixed + data: + fixed-version: 0.4.4-r2 diff --git a/ko.advisories.yaml b/ko.advisories.yaml index b75eeade0..17f9bce64 100644 --- a/ko.advisories.yaml +++ b/ko.advisories.yaml @@ -97,7 +97,9 @@ advisories: data: fixed-version: 0.15.1-r2 - - id: GHSA-c5q2-7r4c-mv6g + - id: CVE-2024-28180 + aliases: + - GHSA-c5q2-7r4c-mv6g events: - timestamp: 2024-03-08T07:16:44Z type: detection @@ -116,6 +118,15 @@ advisories: data: fixed-version: 0.15.2-r3 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T11:42:16Z + type: fixed + data: + fixed-version: 0.15.2-r4 + - id: GHSA-jq35-85cj-fj4p events: - timestamp: 2023-10-31T20:03:54Z diff --git a/kots.advisories.yaml b/kots.advisories.yaml index dfa92290f..6d6cd3a3e 100644 --- a/kots.advisories.yaml +++ b/kots.advisories.yaml @@ -159,6 +159,24 @@ advisories: data: fixed-version: 1.107.0-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-25T16:41:27Z + type: fixed + data: + fixed-version: 1.108.2-r0 + + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 + events: + - timestamp: 2024-03-19T22:48:46Z + type: fixed + data: + fixed-version: 1.108.1-r0 + - id: CVE-2024-25620 aliases: - GHSA-v53g-5gjp-272r 
@@ -217,6 +235,19 @@ advisories: componentType: go-module componentLocation: /usr/bin/kotsadm scanner: grype + - timestamp: 2024-03-19T22:48:57Z + type: fixed + data: + fixed-version: 1.108.1-r0 + + - id: CVE-2024-27304 + aliases: + - GHSA-mrww-27vc-gghv + events: + - timestamp: 2024-03-19T22:48:38Z + type: fixed + data: + fixed-version: 1.108.1-r0 - id: CVE-2024-28180 aliases: @@ -254,6 +285,13 @@ advisories: type: vulnerable-code-version-not-used note: Vulnerability exists only on Windows. + - id: GHSA-7jwh-3vrq-q3m8 + events: + - timestamp: 2024-03-19T22:48:52Z + type: fixed + data: + fixed-version: 1.108.1-r0 + - id: GHSA-7ww5-4wqc-m92c events: - timestamp: 2023-12-20T11:25:16Z diff --git a/kubeflow-katib.advisories.yaml b/kubeflow-katib.advisories.yaml index 44dd8dfae..d8854e526 100644 --- a/kubeflow-katib.advisories.yaml +++ b/kubeflow-katib.advisories.yaml @@ -79,6 +79,27 @@ advisories: data: fixed-version: 0.16.0-r2 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T09:31:40Z + type: detection + data: + type: scan/v1 + data: + subpackageName: katib-controller + componentID: 72f9aeb2d9b4291a + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/katib-controller + scanner: grype + - timestamp: 2024-03-22T16:08:07Z + type: fixed + data: + fixed-version: 0.16.0-r7 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/kubeflow-pipelines.advisories.yaml b/kubeflow-pipelines.advisories.yaml index 03391a2b1..5fd90f634 100644 --- a/kubeflow-pipelines.advisories.yaml +++ b/kubeflow-pipelines.advisories.yaml 
@@ -441,6 +441,23 @@ advisories: data: fixed-version: 2.0.5-r5 + - id: CVE-2024-29041 + aliases: + - GHSA-rv95-896h-c2vc + events: + - timestamp: 2024-03-26T07:38:45Z + type: detection + data: + type: scan/v1 + data: + subpackageName: kubeflow-pipelines-frontend + componentID: 867d448592ecd82c + componentName: express + componentVersion: 4.17.3 + componentType: npm + componentLocation: /server/node_modules/express/package.json + scanner: grype + - id: GHSA-2jcg-qqmg-46q6 events: - timestamp: 2023-11-01T07:13:06Z diff --git a/kubescape.advisories.yaml b/kubescape.advisories.yaml index 0af8496a0..a3b378b75 100644 --- a/kubescape.advisories.yaml +++ b/kubescape.advisories.yaml @@ -269,6 +269,15 @@ advisories: data: fixed-version: 3.0.3-r7 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:52:49Z + type: fixed + data: + fixed-version: 3.0.7-r1 + - id: CVE-2024-24579 aliases: - GHSA-hpxr-w9w7-g4gv @@ -374,6 +383,15 @@ advisories: data: fixed-version: 3.0.4-r2 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T11:52:52Z + type: fixed + data: + fixed-version: 3.0.7-r1 + - id: GHSA-2c7c-3mj9-8fqh events: - timestamp: 2024-01-08T11:54:42Z diff --git a/kyverno.advisories.yaml b/kyverno.advisories.yaml index e10525b40..fd557d5d8 100644 --- a/kyverno.advisories.yaml +++ b/kyverno.advisories.yaml 
@@ -134,6 +134,27 @@ advisories: data: fixed-version: 1.11.4-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T09:31:37Z + type: detection + data: + type: scan/v1 + data: + subpackageName: kyverno-reports-controller + componentID: ce2e520604ff454a + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/reports-controller + scanner: grype + - timestamp: 2024-03-21T11:42:15Z + type: fixed + data: + fixed-version: 1.11.4-r8 + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 diff --git a/loki.advisories.yaml b/loki.advisories.yaml index 98cc405f4..6926564e4 100644 --- a/loki.advisories.yaml +++ b/loki.advisories.yaml @@ -70,6 +70,15 @@ advisories: data: fixed-version: 2.9.3-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:42:22Z + type: fixed + data: + fixed-version: 2.9.5-r3 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/melange.advisories.yaml b/melange.advisories.yaml index 7b2df8261..61edd80e5 100644 --- a/melange.advisories.yaml +++ b/melange.advisories.yaml @@ -108,6 +108,15 @@ advisories: data: fixed-version: 0.6.9-r2 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-22T13:58:15Z + type: fixed + data: + fixed-version: 0.6.9-r4 + - id: GHSA-7ww5-4wqc-m92c events: - timestamp: 2023-12-21T10:58:30Z diff --git a/neo4j.advisories.yaml b/neo4j.advisories.yaml index 7e3dafc9b..51777719f 100644 --- a/neo4j.advisories.yaml +++ b/neo4j.advisories.yaml 
@@ -83,3 +83,37 @@ advisories: type: fixed data: fixed-version: 5.18.0-r0 + + - id: CVE-2024-29131 + aliases: + - GHSA-xjp4-hw94-mvp5 + events: + - timestamp: 2024-03-23T13:02:02Z + type: detection + data: + type: scan/v1 + data: + subpackageName: neo4j + componentID: fd212276536299ae + componentName: commons-configuration2 + componentVersion: 2.9.0 + componentType: java-archive + componentLocation: /usr/share/java/neo4j/lib/commons-configuration2-2.9.0.jar + scanner: grype + + - id: CVE-2024-29133 + aliases: + - GHSA-9w38-p64v-xpmv + events: + - timestamp: 2024-03-23T13:02:01Z + type: detection + data: + type: scan/v1 + data: + subpackageName: neo4j + componentID: fd212276536299ae + componentName: commons-configuration2 + componentVersion: 2.9.0 + componentType: java-archive + componentLocation: /usr/share/java/neo4j/lib/commons-configuration2-2.9.0.jar + scanner: grype diff --git a/newrelic-infrastructure-agent.advisories.yaml b/newrelic-infrastructure-agent.advisories.yaml index 4b316545b..403a68923 100644 --- a/newrelic-infrastructure-agent.advisories.yaml +++ b/newrelic-infrastructure-agent.advisories.yaml @@ -78,6 +78,15 @@ advisories: data: fixed-version: 1.48.4-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:23:08Z + type: fixed + data: + fixed-version: 1.50.0-r3 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp @@ -105,14 +114,9 @@ advisories: data: fixed-version: 1.50.0-r1 - - id: GHSA-7ww5-4wqc-m92c - events: - - timestamp: 2023-12-26T04:05:25Z - type: fixed - data: - fixed-version: 1.48.1-r2 - - - id: GHSA-8r3f-844c-mc37 + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 events: - timestamp: 2024-03-14T13:21:41Z type: detection @@ -131,6 +135,13 @@ advisories: data: fixed-version: 1.50.0-r2 + - id: GHSA-7ww5-4wqc-m92c + events: + - timestamp: 2023-12-26T04:05:25Z + type: fixed + data: + fixed-version: 1.48.1-r2 + - id: GHSA-jq35-85cj-fj4p events: - timestamp: 2023-10-31T20:03:59Z 
diff --git a/newrelic-nri-kube-events.advisories.yaml b/newrelic-nri-kube-events.advisories.yaml index 4a8ead352..f1b2f4761 100644 --- a/newrelic-nri-kube-events.advisories.yaml +++ b/newrelic-nri-kube-events.advisories.yaml @@ -40,3 +40,7 @@ advisories: componentType: go-module componentLocation: /usr/bin/nri-kube-events scanner: grype + - timestamp: 2024-03-25T16:41:26Z + type: fixed + data: + fixed-version: 2.9.3-r0 diff --git a/node-gyp.advisories.yaml b/node-gyp.advisories.yaml index 96c6cb209..6dc85789f 100644 --- a/node-gyp.advisories.yaml +++ b/node-gyp.advisories.yaml @@ -20,3 +20,7 @@ advisories: componentType: npm componentLocation: /usr/lib/node_modules/node-gyp/node_modules/ip/package.json scanner: grype + - timestamp: 2024-03-26T12:38:12Z + type: fixed + data: + fixed-version: 10.1.0-r0 diff --git a/opensearch-2.advisories.yaml b/opensearch-2.advisories.yaml index 8829a20bb..76104aad3 100644 --- a/opensearch-2.advisories.yaml +++ b/opensearch-2.advisories.yaml @@ -90,3 +90,20 @@ advisories: type: fixed data: fixed-version: 2.12.0-r1 + + - id: CVE-2024-28752 + aliases: + - GHSA-qmgx-j96g-4428 + events: + - timestamp: 2024-03-19T09:08:06Z + type: detection + data: + type: scan/v1 + data: + subpackageName: opensearch-2-security + componentID: 52a961a22760ca4d + componentName: cxf-core + componentVersion: 4.0.3 + componentType: java-archive + componentLocation: /usr/share/opensearch/plugins/opensearch-security/cxf-core-4.0.3.jar + scanner: grype diff --git a/policy-controller.advisories.yaml b/policy-controller.advisories.yaml index 585754dca..05b37e42c 100644 --- a/policy-controller.advisories.yaml +++ b/policy-controller.advisories.yaml 
@@ -69,6 +69,23 @@ advisories: data: fixed-version: 0.8.3-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-22T13:34:03Z + type: detection + data: + type: scan/v1 + data: + subpackageName: policy-controller-tester + componentID: 7da93f5585435b62 + componentName: github.com/docker/docker + componentVersion: v24.0.7+incompatible + componentType: go-module + componentLocation: /usr/bin/policy-tester + scanner: grype + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 diff --git a/prometheus-2.50.advisories.yaml b/prometheus-2.50.advisories.yaml index 2f7852979..506ef0c21 100644 --- a/prometheus-2.50.advisories.yaml +++ b/prometheus-2.50.advisories.yaml @@ -4,6 +4,23 @@ package: name: prometheus-2.50 advisories: + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-22T13:18:26Z + type: detection + data: + type: scan/v1 + data: + subpackageName: prometheus-2.50-bitnami-compat + componentID: c38a4ddb2ec79614 + componentName: github.com/docker/docker + componentVersion: v25.0.0+incompatible + componentType: go-module + componentLocation: /opt/bitnami/prometheus/bin/prometheus + scanner: grype + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 @@ -24,3 +41,20 @@ advisories: type: fixed data: fixed-version: 2.50.1-r2 + + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-22T13:18:25Z + type: detection + data: + type: scan/v1 + data: + subpackageName: prometheus-2.50-bitnami-compat + componentID: c38a4ddb2ec79614 + componentName: github.com/docker/docker + componentVersion: v25.0.0+incompatible + componentType: go-module + componentLocation: /opt/bitnami/prometheus/bin/prometheus + scanner: grype diff --git a/prometheus-2.51.advisories.yaml b/prometheus-2.51.advisories.yaml new file mode 100644 index 000000000..1daf11e3b --- /dev/null +++ b/prometheus-2.51.advisories.yaml 
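Review bot: The two detection events for the prometheus-2.50-bitnami-compat subpackage (CVE-2024-24557 and CVE-2024-29018, both in github.com/docker/docker v25.0.0+incompatible) have no follow-up event, so the 2.50 stream's status stays open while prometheus.advisories.yaml on the next line records both as fixed in 2.51.0-r1. If the 2.50 stream will not receive the docker/docker bump, a `fix-not-planned` event with a short note (or `pending-upstream-fix` if one is expected) would make that explicit in the generated secdb rather than leaving the detection as the last word. If a fix is simply still in flight, this is fine as-is.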
@@ -0,0 +1,14 @@ +schema-version: 2.0.2 + +package: + name: prometheus-2.51 + +advisories: + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-22T13:57:44Z + type: fixed + data: + fixed-version: 2.51.0-r1 diff --git a/prometheus.advisories.yaml b/prometheus.advisories.yaml index 0a420fb33..ddcc3df25 100644 --- a/prometheus.advisories.yaml +++ b/prometheus.advisories.yaml @@ -115,6 +115,15 @@ advisories: data: fixed-version: 2.48.1-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:42:58Z + type: fixed + data: + fixed-version: 2.51.0-r1 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp @@ -151,6 +160,15 @@ advisories: data: fixed-version: 2.50.1-r3 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T11:43:15Z + type: fixed + data: + fixed-version: 2.51.0-r1 + - id: GHSA-jq35-85cj-fj4p events: - timestamp: 2023-10-31T20:04:00Z diff --git a/py3-oauthenticator.advisories.yaml b/py3-oauthenticator.advisories.yaml new file mode 100644 index 000000000..f67382ec0 --- /dev/null +++ b/py3-oauthenticator.advisories.yaml @@ -0,0 +1,14 @@ +schema-version: 2.0.2 + +package: + name: py3-oauthenticator + +advisories: + - id: CVE-2024-29033 + aliases: + - GHSA-55m3-44xf-hg4h + events: + - timestamp: 2024-03-23T11:02:16Z + type: fixed + data: + fixed-version: 16.3.0-r0 diff --git a/python-3.10.advisories.yaml b/python-3.10.advisories.yaml index 88c96aa31..c24060f57 100644 --- a/python-3.10.advisories.yaml +++ b/python-3.10.advisories.yaml 
@@ -64,3 +64,21 @@ advisories: data: type: vulnerability-record-analysis-contested note: The vendor's perspective is that this is neither a vulnerability nor a bug. + + - id: CVE-2023-6597 + aliases: + - GHSA-797f-63wg-8chv + events: + - timestamp: 2024-03-26T12:39:08Z + type: fixed + data: + fixed-version: 3.10.14-r0 + + - id: CVE-2024-0450 + aliases: + - GHSA-jm46-725r-hh9v + events: + - timestamp: 2024-03-26T12:39:09Z + type: fixed + data: + fixed-version: 3.10.14-r0 diff --git a/python-3.12.advisories.yaml b/python-3.12.advisories.yaml index dd1596ddd..8a1aa63a1 100644 --- a/python-3.12.advisories.yaml +++ b/python-3.12.advisories.yaml @@ -1,4 +1,4 @@ -schema-version: "2" +schema-version: 2.0.2 package: name: python-3.12 @@ -52,3 +52,37 @@ advisories: data: type: vulnerability-record-analysis-contested note: The vendor's perspective is that this is neither a vulnerability nor a bug. + + - id: CVE-2023-6597 + aliases: + - GHSA-797f-63wg-8chv + events: + - timestamp: 2024-03-26T08:39:21Z + type: detection + data: + type: scan/v1 + data: + subpackageName: python-3.12-base + componentID: 0a3425e789d2fa2a + componentName: python + componentVersion: 3.12.2 + componentType: binary + componentLocation: /usr/bin/python3.12, /usr/lib/libpython3.12.so.1.0 + scanner: grype + + - id: CVE-2024-0450 + aliases: + - GHSA-jm46-725r-hh9v + events: + - timestamp: 2024-03-26T08:39:22Z + type: detection + data: + type: scan/v1 + data: + subpackageName: python-3.12-base + componentID: 0a3425e789d2fa2a + componentName: python + componentVersion: 3.12.2 + componentType: binary + componentLocation: /usr/bin/python3.12, /usr/lib/libpython3.12.so.1.0 + scanner: grype diff --git a/scorecard.advisories.yaml b/scorecard.advisories.yaml index d31c8d2ba..93026cc80 100644 --- a/scorecard.advisories.yaml +++ b/scorecard.advisories.yaml 
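Review bot: The python-3.12 header hunk replaces the quoted `schema-version: "2"` with an unquoted `2.0.2`; that parses as a string only because it has two dots, whereas a future two-component value such as `2.1` would be read as a float by a generic YAML loader. The new files in this commit write it unquoted too, so this appears to be the repository convention rather than a defect of this hunk; if the schema is ever bumped to a `major.minor` form, quoting (`schema-version: "2.0.2"`) avoids the retyping. The CVE-2023-6597 / CVE-2024-0450 entries here are detection-only while python-3.10 in the preceding hunk records a fix in 3.10.14-r0, so the 3.12 line is presumably awaiting an upstream release — a `pending-upstream-fix` event would document that expectation.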
@@ -196,6 +196,23 @@ advisories: componentLocation: /usr/bin/scorecard scanner: grype + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-22T13:33:30Z + type: detection + data: + type: scan/v1 + data: + subpackageName: scorecard + componentID: 8fd9f63738b717a6 + componentName: github.com/docker/docker + componentVersion: v24.0.4+incompatible + componentType: go-module + componentLocation: /usr/bin/scorecard + scanner: grype + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp @@ -223,7 +240,9 @@ advisories: data: fixed-version: 4.13.1-r2 - - id: GHSA-8r3f-844c-mc37 + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 events: - timestamp: 2024-03-14T13:19:32Z type: detection diff --git a/skaffold.advisories.yaml b/skaffold.advisories.yaml index adfb4c6ca..2de8e69c8 100644 --- a/skaffold.advisories.yaml +++ b/skaffold.advisories.yaml @@ -208,6 +208,15 @@ advisories: data: note: Upgrading buildkit to a non-vulnerable version requires to bump github.com/docker/docker to v25.0.3 (currently using v24.0.7) and as a consequence needs multiple code changes to adapt the source code to this new version. + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-25T14:36:15Z + type: fixed + data: + fixed-version: 2.10.1-r3 + - id: CVE-2024-24783 aliases: - GHSA-3q2c-pvp5-3cqp diff --git a/skopeo.advisories.yaml b/skopeo.advisories.yaml index eef866e7a..8a341bd10 100644 --- a/skopeo.advisories.yaml +++ b/skopeo.advisories.yaml @@ -66,6 +66,15 @@ advisories: data: fixed-version: 1.14.2-r1 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:43:28Z + type: fixed + data: + fixed-version: 1.15.0-r1 + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 diff --git a/spark-3.5.advisories.yaml b/spark-3.5.advisories.yaml new file mode 100644 index 000000000..da1ab93eb --- /dev/null +++ b/spark-3.5.advisories.yaml 
@@ -0,0 +1,379 @@ +schema-version: 2.0.2 + +package: + name: spark-3.5 + +advisories: + - id: CVE-2018-1330 + aliases: + - GHSA-95q3-pppp-r683 + events: + - timestamp: 2024-03-22T15:35:57Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: cb7372e7b41a1d4d + componentName: mesos + componentVersion: 1.4.3 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/mesos-1.4.3-shaded-protobuf.jar + scanner: grype + + - id: CVE-2019-0205 + aliases: + - GHSA-rj7p-rfgp-852x + events: + - timestamp: 2024-03-22T15:36:20Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 0954fe60f11d2db6 + componentName: libthrift + componentVersion: 0.12.0 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/libthrift-0.12.0.jar + scanner: grype + + - id: CVE-2019-10172 + aliases: + - GHSA-r6j9-8759-g62w + events: + - timestamp: 2024-03-22T15:36:10Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 5dd330a31e13299a + componentName: jackson-mapper-asl + componentVersion: 1.9.13 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/jackson-mapper-asl-1.9.13.jar + scanner: grype + + - id: CVE-2019-10202 + aliases: + - GHSA-c27h-mcmw-48hv + events: + - timestamp: 2024-03-22T15:35:59Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 5dd330a31e13299a + componentName: jackson-mapper-asl + componentVersion: 1.9.13 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/jackson-mapper-asl-1.9.13.jar + scanner: grype + + - id: CVE-2020-13949 + aliases: + - GHSA-g2fg-mr77-6vrm + events: + - timestamp: 2024-03-22T15:36:03Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 0954fe60f11d2db6 + componentName: libthrift + componentVersion: 0.12.0 + componentType: java-archive + componentLocation: 
/usr/lib/spark/jars/libthrift-0.12.0.jar + scanner: grype + + - id: CVE-2020-8908 + aliases: + - GHSA-5mg8-w23w-74h3 + events: + - timestamp: 2024-03-22T15:35:53Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 62e0331d1b6a85ab + componentName: guava + componentVersion: 30.1.1-jre + componentType: java-archive + componentLocation: /usr/lib/spark/jars/hadoop-shaded-guava-1.1.1.jar + scanner: grype + + - id: CVE-2021-22569 + aliases: + - GHSA-wrvw-hg22-4m67 + events: + - timestamp: 2024-03-22T15:36:22Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 05d65a777f236575 + componentName: protobuf-java + componentVersion: 3.3.0 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/mesos-1.4.3-shaded-protobuf.jar + scanner: grype + + - id: CVE-2021-22570 + aliases: + - GHSA-77rm-9x9h-xj3g + events: + - timestamp: 2024-03-22T15:35:54Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 05d65a777f236575 + componentName: protobuf-java + componentVersion: 3.3.0 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/mesos-1.4.3-shaded-protobuf.jar + scanner: grype + + - id: CVE-2021-31684 + aliases: + - GHSA-fg2v-w576-w4v3 + events: + - timestamp: 2024-03-22T15:36:01Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: dcd614a72a6218e3 + componentName: json-smart + componentVersion: 1.3.2 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/hadoop-client-runtime-3.3.6.jar + scanner: grype + + - id: CVE-2022-3171 + aliases: + - GHSA-h4h5-3hr4-j3g2 + events: + - timestamp: 2024-03-22T15:36:08Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 05d65a777f236575 + componentName: protobuf-java + componentVersion: 3.3.0 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/mesos-1.4.3-shaded-protobuf.jar + 
scanner: grype + + - id: CVE-2022-3509 + aliases: + - GHSA-g5ww-5jh7-63cx + events: + - timestamp: 2024-03-22T15:36:04Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 05d65a777f236575 + componentName: protobuf-java + componentVersion: 3.3.0 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/mesos-1.4.3-shaded-protobuf.jar + scanner: grype + + - id: CVE-2022-3510 + aliases: + - GHSA-4gg5-vx3j-xwc7 + events: + - timestamp: 2024-03-22T15:35:52Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 05d65a777f236575 + componentName: protobuf-java + componentVersion: 3.3.0 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/mesos-1.4.3-shaded-protobuf.jar + scanner: grype + + - id: CVE-2022-46337 + aliases: + - GHSA-rcjc-c4pj-xxrp + events: + - timestamp: 2024-03-22T15:36:15Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 4059c3ac557e290c + componentName: derby + componentVersion: 10.14.2.0 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/derby-10.14.2.0.jar + scanner: grype + + - id: CVE-2023-1370 + aliases: + - GHSA-493p-pfq6-5258 + events: + - timestamp: 2024-03-22T15:35:50Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: dcd614a72a6218e3 + componentName: json-smart + componentVersion: 1.3.2 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/hadoop-client-runtime-3.3.6.jar + scanner: grype + + - id: CVE-2023-2976 + aliases: + - GHSA-7g45-4rm6-3mm3 + events: + - timestamp: 2024-03-22T15:35:55Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 62e0331d1b6a85ab + componentName: guava + componentVersion: 30.1.1-jre + componentType: java-archive + componentLocation: /usr/lib/spark/jars/hadoop-shaded-guava-1.1.1.jar + scanner: grype + + - id: CVE-2023-39410 + aliases: + - 
GHSA-rhrv-645h-fjfh + events: + - timestamp: 2024-03-22T15:36:17Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 777252f11bc4cb19 + componentName: avro + componentVersion: 1.7.7 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/hadoop-client-runtime-3.3.6.jar + scanner: grype + + - id: CVE-2023-52428 + aliases: + - GHSA-gvpg-vgmx-xg6w + events: + - timestamp: 2024-03-22T15:36:06Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: f9e3959f7fa07432 + componentName: nimbus-jose-jwt + componentVersion: 9.8.1 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/hadoop-client-runtime-3.3.6.jar + scanner: grype + + - id: CVE-2024-23944 + aliases: + - GHSA-r978-9m6m-6gm6 + events: + - timestamp: 2024-03-22T15:36:13Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 443de83060a0cff6 + componentName: zookeeper + componentVersion: 3.7.2 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/zookeeper-3.7.2.jar + scanner: grype + + - id: CVE-2024-25710 + aliases: + - GHSA-4g9r-vxhx-9pgx + events: + - timestamp: 2024-03-22T15:35:51Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: f411c933c542e09c + componentName: commons-compress + componentVersion: "1.21" + componentType: java-archive + componentLocation: /usr/lib/spark/jars/hadoop-client-runtime-3.3.6.jar + scanner: grype + + - id: CVE-2024-26308 + aliases: + - GHSA-4265-ccf5-phj5 + events: + - timestamp: 2024-03-22T15:35:50Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: f411c933c542e09c + componentName: commons-compress + componentVersion: "1.21" + componentType: java-archive + componentLocation: /usr/lib/spark/jars/hadoop-client-runtime-3.3.6.jar + scanner: grype + + - id: CVE-2024-29131 + aliases: + - GHSA-xjp4-hw94-mvp5 + events: + - timestamp: 
2024-03-22T15:36:25Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 79d9edf4e5ff5bf6 + componentName: commons-configuration2 + componentVersion: 2.8.0 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/hadoop-client-runtime-3.3.6.jar + scanner: grype + + - id: CVE-2024-29133 + aliases: + - GHSA-9w38-p64v-xpmv + events: + - timestamp: 2024-03-22T15:35:58Z + type: detection + data: + type: scan/v1 + data: + subpackageName: spark-3.5 + componentID: 79d9edf4e5ff5bf6 + componentName: commons-configuration2 + componentVersion: 2.8.0 + componentType: java-archive + componentLocation: /usr/lib/spark/jars/hadoop-client-runtime-3.3.6.jar + scanner: grype diff --git a/spicedb.advisories.yaml b/spicedb.advisories.yaml index a9bd07df8..293130997 100644 --- a/spicedb.advisories.yaml +++ b/spicedb.advisories.yaml @@ -32,3 +32,19 @@ advisories: type: fixed data: fixed-version: 1.29.5-r0 + + - id: CVE-2024-27304 + aliases: + - GHSA-mrww-27vc-gghv + events: + - timestamp: 2024-03-19T15:46:32Z + type: fixed + data: + fixed-version: 1.30.0-r0 + + - id: GHSA-7jwh-3vrq-q3m8 + events: + - timestamp: 2024-03-19T15:46:30Z + type: fixed + data: + fixed-version: 1.30.0-r0 diff --git a/spire-server.advisories.yaml b/spire-server.advisories.yaml index 0bdaa1f3c..c04f37da6 100644 --- a/spire-server.advisories.yaml +++ b/spire-server.advisories.yaml @@ -126,6 +126,15 @@ advisories: data: fixed-version: 1.9.1-r1 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T11:42:18Z + type: fixed + data: + fixed-version: 1.9.1-r4 + - id: GHSA-2c7c-3mj9-8fqh events: - timestamp: 2023-11-22T16:41:27Z diff --git a/syft.advisories.yaml b/syft.advisories.yaml index 9ee567438..d92694bba 100644 --- a/syft.advisories.yaml +++ b/syft.advisories.yaml 
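Review bot: Every one of the 22 advisories in the new spark-3.5.advisories.yaml stops at a `detection` event, and by my count 15 of them point at vendored copies inside hadoop-client-runtime-3.3.6.jar, hadoop-shaded-guava-1.1.1.jar or mesos-1.4.3-shaded-protobuf.jar rather than at a top-level dependency, so bumping the named component (protobuf-java, guava, json-smart, avro, nimbus-jose-jwt, commons-compress, commons-configuration2) on its own will not clear them. For those entries a follow-up event recording the triage outcome, in the `type: vulnerability-record-analysis-contested` + `note:` form visible in the python-3.10 and python-3.12 hunks of this same diff, would tell the next reader whether a hadoop/mesos upgrade is pending or the finding is a false positive for Spark. On quoting: `componentVersion: "1.21"` is correctly quoted (an unquoted 1.21 loads as a float), and the remaining plain versions are safe only because they carry two dots or a suffix; keep the quoted form for any future one-dot version.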
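Review bot: In the spicedb hunk `GHSA-7jwh-3vrq-q3m8` is added with no `aliases:` list, while the CVE-2024-27304 entry directly above carries its GHSA alias; the temporal-server hunk later in this diff adds the same advisory the same way. This commit's convention elsewhere (tekton-chains, tkn and wolfictl hunks) is to key an entry by its CVE and list the GHSA under `aliases:`, so if a CVE has been assigned to this advisory the entry should follow that form and be re-sorted into the CVE block; if none exists yet, the entry is fine as written.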
@@ -71,6 +71,15 @@ advisories: componentLocation: /usr/bin/syft scanner: grype + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-25T21:45:34Z + type: fixed + data: + fixed-version: 1.1.0-r0 + - id: GHSA-9763-4f94-gfch events: - timestamp: 2024-01-12T07:21:43Z diff --git a/tekton-chains.advisories.yaml b/tekton-chains.advisories.yaml index 43827426d..ad176aafd 100644 --- a/tekton-chains.advisories.yaml +++ b/tekton-chains.advisories.yaml @@ -79,21 +79,39 @@ advisories: data: fixed-version: 0.19.0-r6 - - id: GHSA-2c7c-3mj9-8fqh + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc events: - - timestamp: 2023-12-14T09:33:13Z + - timestamp: 2024-03-21T11:44:15Z type: fixed data: - fixed-version: 0.19.0-r3 + fixed-version: 0.20.1-r1 - - id: GHSA-9763-4f94-gfch + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 events: - - timestamp: 2024-01-24T07:48:56Z + - timestamp: 2024-03-20T22:06:53Z + type: detection + data: + type: scan/v1 + data: + subpackageName: tekton-chains + componentID: 775e84de213e32a7 + componentName: google.golang.org/protobuf + componentVersion: v1.32.0 + componentType: go-module + componentLocation: /usr/bin/tekton-chains + scanner: grype + - timestamp: 2024-03-21T11:44:11Z type: fixed data: - fixed-version: 0.19.0-r6 + fixed-version: 0.20.1-r1 - - id: GHSA-c5q2-7r4c-mv6g + - id: CVE-2024-28180 + aliases: + - GHSA-c5q2-7r4c-mv6g events: - timestamp: 2024-03-08T07:18:57Z type: detection @@ -112,6 +130,20 @@ advisories: data: fixed-version: 0.20.0-r3 + - id: GHSA-2c7c-3mj9-8fqh + events: + - timestamp: 2023-12-14T09:33:13Z + type: fixed + data: + fixed-version: 0.19.0-r3 + + - id: GHSA-9763-4f94-gfch + events: + - timestamp: 2024-01-24T07:48:56Z + type: fixed + data: + fixed-version: 0.19.0-r6 + - id: GHSA-jq35-85cj-fj4p events: - timestamp: 2023-12-14T09:33:02Z diff --git a/tekton-pipelines.advisories.yaml b/tekton-pipelines.advisories.yaml index 50d47ca1c..a18a7deb3 100644 
--- a/tekton-pipelines.advisories.yaml +++ b/tekton-pipelines.advisories.yaml @@ -52,6 +52,36 @@ advisories: data: fixed-version: 0.55.0-r2 + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:42:19Z + type: fixed + data: + fixed-version: 0.58.0-r1 + + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 + events: + - timestamp: 2024-03-14T08:20:49Z + type: detection + data: + type: scan/v1 + data: + subpackageName: tekton-pipelines-webhook + componentID: 0ab968ec0130e453 + componentName: google.golang.org/protobuf + componentVersion: v1.32.0 + componentType: go-module + componentLocation: /usr/bin/tekton-pipelines-webhook + scanner: grype + - timestamp: 2024-03-14T15:19:43Z + type: fixed + data: + fixed-version: 0.57.0-r1 + - id: CVE-2024-28110 aliases: - GHSA-5pf6-2qwx-pxm2 @@ -108,27 +138,6 @@ advisories: data: fixed-version: 0.54.2-r1 - - id: CVE-2024-24786 - aliases: - - GHSA-8r3f-844c-mc37 - events: - - timestamp: 2024-03-14T08:20:49Z - type: detection - data: - type: scan/v1 - data: - subpackageName: tekton-pipelines-webhook - componentID: 0ab968ec0130e453 - componentName: google.golang.org/protobuf - componentVersion: v1.32.0 - componentType: go-module - componentLocation: /usr/bin/tekton-pipelines-webhook - scanner: grype - - timestamp: 2024-03-14T15:19:43Z - type: fixed - data: - fixed-version: 0.57.0-r1 - - id: GHSA-9763-4f94-gfch events: - timestamp: 2024-01-12T07:28:53Z diff --git a/telegraf-1.30.advisories.yaml b/telegraf-1.30.advisories.yaml index 5109ceb5f..fa55da803 100644 --- a/telegraf-1.30.advisories.yaml +++ b/telegraf-1.30.advisories.yaml @@ -4,6 +4,15 @@ package: name: telegraf-1.30 advisories: + - id: CVE-2024-24557 + aliases: + - GHSA-xw73-rw38-6vjc + events: + - timestamp: 2024-03-21T11:17:05Z + type: fixed + data: + fixed-version: 1.30.0-r4 + - id: CVE-2024-24786 aliases: - GHSA-8r3f-844c-mc37 
@@ -55,6 +64,15 @@ advisories: data: fixed-version: 1.30.0-r2 + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx + events: + - timestamp: 2024-03-21T11:17:03Z + type: fixed + data: + fixed-version: 1.30.0-r4 + - id: GHSA-7jwh-3vrq-q3m8 events: - timestamp: 2024-03-15T09:07:57Z diff --git a/temporal-server.advisories.yaml b/temporal-server.advisories.yaml index cec1c1084..339fb3605 100644 --- a/temporal-server.advisories.yaml +++ b/temporal-server.advisories.yaml @@ -55,6 +55,10 @@ advisories: data: note: | We faced issues with "otlpmetricgrpc@v0.44.0/internal/transform/metricdata.go:108:18:undefined: metricdata.ExponentialHistogram" when upgrading otlpmetricgrpc to v0.46.0. It has some strict dependencies in the source code common/telemetry using an old version and thus this fix will require some code changes in upstream. + - timestamp: 2024-03-22T18:37:56Z + type: fixed + data: + fixed-version: 1.23.0-r0 - id: CVE-2023-48795 aliases: @@ -112,3 +116,43 @@ advisories: type: fixed data: fixed-version: 1.22.6-r2 + + - id: CVE-2024-27304 + aliases: + - GHSA-mrww-27vc-gghv + events: + - timestamp: 2024-03-22T18:37:58Z + type: detection + data: + type: scan/v1 + data: + subpackageName: temporal-server + componentID: b4b041513ae9fdd7 + componentName: github.com/jackc/pgx/v5 + componentVersion: v5.4.3 + componentType: go-module + componentLocation: /usr/bin/temporal-server + scanner: grype + - timestamp: 2024-03-26T07:41:41Z + type: fixed + data: + fixed-version: 1.23.0-r1 + + - id: GHSA-7jwh-3vrq-q3m8 + events: + - timestamp: 2024-03-22T18:37:55Z + type: detection + data: + type: scan/v1 + data: + subpackageName: temporal-server + componentID: b4b041513ae9fdd7 + componentName: github.com/jackc/pgx/v5 + componentVersion: v5.4.3 + componentType: go-module + componentLocation: /usr/bin/temporal-server + scanner: grype + - timestamp: 2024-03-26T07:41:40Z + type: fixed + data: + fixed-version: 1.23.0-r1 
diff --git a/timoni.advisories.yaml b/timoni.advisories.yaml
index c21c67bcf..e7f877af3 100644
--- a/timoni.advisories.yaml
+++ b/timoni.advisories.yaml
@@ -60,6 +60,15 @@ advisories:
 data:
 fixed-version: 0.20.0-r1
+ - id: CVE-2024-24557
+ aliases:
+ - GHSA-xw73-rw38-6vjc
+ events:
+ - timestamp: 2024-03-21T11:42:22Z
+ type: fixed
+ data:
+ fixed-version: 0.20.0-r3
+
 - id: CVE-2024-24783
 aliases:
 - GHSA-3q2c-pvp5-3cqp
diff --git a/tkn.advisories.yaml b/tkn.advisories.yaml
index 557d370de..5cffa6d6b 100644
--- a/tkn.advisories.yaml
+++ b/tkn.advisories.yaml
@@ -90,47 +90,58 @@ advisories: data: fixed-version: 0.33.0-r3 - - id: GHSA-2c7c-3mj9-8fqh + - id: CVE-2024-24786 + aliases: + - GHSA-8r3f-844c-mc37 events: - - timestamp: 2023-12-16T00:06:20Z + - timestamp: 2024-03-20T15:31:45Z type: fixed data: - fixed-version: 0.33.0-r2 + fixed-version: 0.36.0-r0 - - id: GHSA-9763-4f94-gfch + - id: CVE-2024-28180 + aliases: + - GHSA-c5q2-7r4c-mv6g events: - - timestamp: 2024-01-11T07:20:04Z + - timestamp: 2024-03-08T07:32:23Z type: detection data: type: scan/v1 data: subpackageName: tkn - componentID: 6d101837d2732305 - componentName: github.com/cloudflare/circl - componentVersion: v1.3.5 + componentID: ce15493f84f159f4 + componentName: github.com/go-jose/go-jose/v3 + componentVersion: v3.0.1 componentType: go-module componentLocation: /usr/bin/tkn scanner: grype - - timestamp: 2024-01-24T07:11:50Z + - timestamp: 2024-03-08T15:57:40Z type: fixed data: - fixed-version: 0.34.0-r0 + fixed-version: 0.35.1-r2 + + - id: GHSA-2c7c-3mj9-8fqh + events: + - timestamp: 2023-12-16T00:06:20Z + type: fixed + data: + fixed-version: 0.33.0-r2 - - id: GHSA-c5q2-7r4c-mv6g + - id: GHSA-9763-4f94-gfch events: - - timestamp: 2024-03-08T07:32:23Z + - timestamp: 2024-01-11T07:20:04Z type: detection data: type: scan/v1 data: subpackageName: tkn - componentID: ce15493f84f159f4 - componentName: github.com/go-jose/go-jose/v3 - componentVersion: v3.0.1 + componentID: 6d101837d2732305 + componentName: github.com/cloudflare/circl + componentVersion: v1.3.5 componentType: go-module componentLocation: /usr/bin/tkn scanner: grype - - timestamp: 2024-03-08T15:57:40Z + - timestamp: 2024-01-24T07:11:50Z type: fixed data: - fixed-version: 0.35.1-r2 + fixed-version: 0.34.0-r0 diff --git a/traefik.advisories.yaml b/traefik.advisories.yaml index 477c147b2..377a06e26 100644 --- a/traefik.advisories.yaml +++ b/traefik.advisories.yaml 
@@ -123,6 +123,15 @@ advisories:
 data:
 fixed-version: 2.10.7-r3
+ - id: CVE-2024-24557
+ aliases:
+ - GHSA-xw73-rw38-6vjc
+ events:
+ - timestamp: 2024-03-21T11:44:20Z
+ type: fixed
+ data:
+ fixed-version: 2.11.0-r4
+
 - id: CVE-2024-24786
 aliases:
 - GHSA-8r3f-844c-mc37
diff --git a/trino.advisories.yaml b/trino.advisories.yaml
index 51e5902e7..c4fbf8586 100644
--- a/trino.advisories.yaml
+++ b/trino.advisories.yaml
@@ -442,6 +442,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/lib/trino/lib/zookeeper-3.9.1.jar
 scanner: grype
+ - timestamp: 2024-03-22T05:52:12Z
+ type: fixed
+ data:
+ fixed-version: 443-r0
 - id: CVE-2024-25710
 aliases:
@@ -485,6 +489,40 @@ advisories:
 data:
 fixed-version: 439-r2
+ - id: CVE-2024-29131
+ aliases:
+ - GHSA-xjp4-hw94-mvp5
+ events:
+ - timestamp: 2024-03-22T05:51:34Z
+ type: detection
+ data:
+ type: scan/v1
+ data:
+ subpackageName: trino-plugin-accumulo
+ componentID: 42bba93ce57c3963
+ componentName: commons-configuration2
+ componentVersion: 2.9.0
+ componentType: java-archive
+ componentLocation: /usr/lib/trino/lib/commons-configuration2-2.9.0.jar
+ scanner: grype
+
+ - id: CVE-2024-29133
+ aliases:
+ - GHSA-9w38-p64v-xpmv
+ events:
+ - timestamp: 2024-03-22T05:51:30Z
+ type: detection
+ data:
+ type: scan/v1
+ data:
+ subpackageName: trino-plugin-accumulo
+ componentID: 42bba93ce57c3963
+ componentName: commons-configuration2
+ componentVersion: 2.9.0
+ componentType: java-archive
+ componentLocation: /usr/lib/trino/lib/commons-configuration2-2.9.0.jar
+ scanner: grype
+
 - id: GHSA-xpw8-rcwv-8f8p
 events:
 - timestamp: 2024-02-16T01:44:04Z
diff --git a/trivy.advisories.yaml b/trivy.advisories.yaml
index 9f87d5b0b..ecbe9c7b1 100644
--- a/trivy.advisories.yaml
+++ b/trivy.advisories.yaml
@@ -155,6 +155,15 @@ advisories:
 data:
 fixed-version: 0.49.0-r1
+ - id: CVE-2024-24557
+ aliases:
+ - GHSA-xw73-rw38-6vjc
+ events:
+ - timestamp: 2024-03-21T12:46:40Z
+ type: fixed
+ data:
+ fixed-version: 0.50.0-r1
+
 - id: CVE-2024-24786
 aliases:
 - GHSA-8r3f-844c-mc37
@@ -206,6 +215,15 @@ advisories:
 data:
 fixed-version: 0.49.1-r2
+ - id: CVE-2024-29018
+ aliases:
+ - GHSA-mq39-4gv4-mvpx
+ events:
+ - timestamp: 2024-03-21T12:46:38Z
+ type: fixed
+ data:
+ fixed-version: 0.50.0-r1
+
 - id: GHSA-7ww5-4wqc-m92c
 events:
 - timestamp: 2023-12-20T09:42:19Z
diff --git a/up.advisories.yaml b/up.advisories.yaml
index fcfa1a10f..6b9e3a52d 100644
--- a/up.advisories.yaml
+++ b/up.advisories.yaml
@@ -206,6 +206,15 @@ advisories:
 data:
 fixed-version: 0.24.0-r1
+ - id: CVE-2024-24557
+ aliases:
+ - GHSA-xw73-rw38-6vjc
+ events:
+ - timestamp: 2024-03-21T12:13:39Z
+ type: fixed
+ data:
+ fixed-version: 0.26.0-r1
+
 - id: CVE-2024-24783
 aliases:
 - GHSA-3q2c-pvp5-3cqp
@@ -249,6 +258,10 @@ advisories:
 componentType: go-module
 componentLocation: /usr/bin/up
 scanner: grype
+ - timestamp: 2024-03-21T12:13:42Z
+ type: fixed
+ data:
+ fixed-version: 0.26.0-r1
 - id: CVE-2024-25620
 aliases:
@@ -292,6 +305,15 @@ advisories:
 data:
 fixed-version: 0.24.1-r3
+ - id: CVE-2024-29018
+ aliases:
+ - GHSA-mq39-4gv4-mvpx
+ events:
+ - timestamp: 2024-03-21T12:13:42Z
+ type: fixed
+ data:
+ fixed-version: 0.26.0-r1
+
 - id: GHSA-6xv5-86q9-7xr8
 events:
 - timestamp: 2024-01-31T03:18:02Z
diff --git a/vite.advisories.yaml b/vite.advisories.yaml
index cc1afa87a..f76abbe76 100644
--- a/vite.advisories.yaml
+++ b/vite.advisories.yaml
@@ -20,6 +20,10 @@ advisories:
 componentType: go-module
 componentLocation: /usr/lib/node_modules/vite/node_modules/@esbuild/linux-x64/bin/esbuild
 scanner: grype
+ - timestamp: 2024-03-20T22:06:56Z
+ type: fixed
+ data:
+ fixed-version: 5.2.2-r0
 - id: CVE-2023-45290
 aliases:
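Review bot: The vite `fixed` event added here (and the four matching ones in the next line's hunks, all `fixed-version: 5.2.2-r0`) closes a detection made on the prebuilt esbuild binary under node_modules (`componentType: go-module`, location `.../@esbuild/linux-x64/bin/esbuild`), not on vite's own code. A vite package rebuild only clears such a finding if the esbuild binary shipped in 5.2.2-r0 was itself rebuilt against a patched Go toolchain, so the fixed events should be backed by a re-scan of the 5.2.2-r0 package rather than inferred from the vite version bump. The advisory ids these events belong to start outside the hunks, so I cannot tell from here whether any of the five is a vite-level rather than an esbuild-level finding.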
@@ -37,6 +41,10 @@ advisories:
 componentType: go-module
 componentLocation: /usr/lib/node_modules/vite/node_modules/@esbuild/linux-x64/bin/esbuild
 scanner: grype
+ - timestamp: 2024-03-20T22:06:53Z
+ type: fixed
+ data:
+ fixed-version: 5.2.2-r0
 - id: CVE-2024-23331
 aliases:
@@ -63,6 +71,10 @@ advisories:
 componentType: go-module
 componentLocation: /usr/lib/node_modules/vite/node_modules/@esbuild/linux-x64/bin/esbuild
 scanner: grype
+ - timestamp: 2024-03-20T22:06:47Z
+ type: fixed
+ data:
+ fixed-version: 5.2.2-r0
 - id: CVE-2024-24784
 aliases:
@@ -80,6 +92,10 @@ advisories:
 componentType: go-module
 componentLocation: /usr/lib/node_modules/vite/node_modules/@esbuild/linux-x64/bin/esbuild
 scanner: grype
+ - timestamp: 2024-03-20T22:06:51Z
+ type: fixed
+ data:
+ fixed-version: 5.2.2-r0
 - id: CVE-2024-24785
 aliases:
@@ -97,3 +113,7 @@ advisories:
 componentType: go-module
 componentLocation: /usr/lib/node_modules/vite/node_modules/@esbuild/linux-x64/bin/esbuild
 scanner: grype
+ - timestamp: 2024-03-20T22:06:55Z
+ type: fixed
+ data:
+ fixed-version: 5.2.2-r0
diff --git a/wolfictl.advisories.yaml b/wolfictl.advisories.yaml
index 5302be18f..15ad240a9 100644
--- a/wolfictl.advisories.yaml
+++ b/wolfictl.advisories.yaml
@@ -42,40 +42,63 @@ advisories: data: fixed-version: 0.14.13-r0 - - id: GHSA-9763-4f94-gfch + - id: CVE-2024-28180 + aliases: + - GHSA-c5q2-7r4c-mv6g events: - - timestamp: 2024-01-11T07:20:11Z + - timestamp: 2024-03-08T07:35:09Z type: detection data: type: scan/v1 data: subpackageName: wolfictl - componentID: 1e68f4c9d36f367e - componentName: github.com/cloudflare/circl - componentVersion: v1.3.6 + componentID: 4f29ea779dca2fc0 + componentName: gopkg.in/go-jose/go-jose.v2 + componentVersion: v2.6.2 componentType: go-module componentLocation: /usr/bin/wolfictl scanner: grype - - timestamp: 2024-01-23T15:32:12Z + - timestamp: 2024-03-08T10:56:39Z type: fixed data: - fixed-version: 0.14.1-r0 + fixed-version: 0.15.3-r3 - - id: GHSA-c5q2-7r4c-mv6g + - id: CVE-2024-29018 + aliases: + - GHSA-mq39-4gv4-mvpx events: - - timestamp: 2024-03-08T07:35:09Z + - timestamp: 2024-03-21T09:31:30Z type: detection data: type: scan/v1 data: subpackageName: wolfictl - componentID: 4f29ea779dca2fc0 - componentName: gopkg.in/go-jose/go-jose.v2 - componentVersion: v2.6.2 + componentID: bc897b5baae4b79e + componentName: github.com/docker/docker + componentVersion: v25.0.4+incompatible componentType: go-module componentLocation: /usr/bin/wolfictl scanner: grype - - timestamp: 2024-03-08T10:56:39Z + - timestamp: 2024-03-22T13:57:56Z type: fixed data: - fixed-version: 0.15.3-r3 + fixed-version: 0.15.7-r1 + + - id: GHSA-9763-4f94-gfch + events: + - timestamp: 2024-01-11T07:20:11Z + type: detection + data: + type: scan/v1 + data: + subpackageName: wolfictl + componentID: 1e68f4c9d36f367e + componentName: github.com/cloudflare/circl + componentVersion: v1.3.6 + componentType: go-module + componentLocation: /usr/bin/wolfictl + scanner: grype + - timestamp: 2024-01-23T15:32:12Z + type: fixed + data: + fixed-version: 0.14.1-r0 diff --git a/zot.advisories.yaml b/zot.advisories.yaml index 0288803c3..20af34310 100644 --- a/zot.advisories.yaml +++ b/zot.advisories.yaml 
@@ -185,6 +185,15 @@ advisories:
 data:
 fixed-version: 2.0.1-r2
+ - id: CVE-2024-24557
+ aliases:
+ - GHSA-xw73-rw38-6vjc
+ events:
+ - timestamp: 2024-03-22T07:17:51Z
+ type: fixed
+ data:
+ fixed-version: 2.0.2-r0
+
 - id: CVE-2024-24786
 aliases:
 - GHSA-8r3f-844c-mc37
@@ -290,3 +299,18 @@ advisories:
 type: fixed
 data:
 fixed-version: 2.0.0-r2
+
+ - id: GHSA-mq39-4gv4-mvpx
+ events:
+ - timestamp: 2024-03-22T09:26:00Z
+ type: detection
+ data:
+ type: scan/v1
+ data:
+ subpackageName: zot
+ componentID: e0f4f9fab9f873bf
+ componentName: github.com/docker/docker
+ componentVersion: v25.0.3+incompatible
+ componentType: go-module
+ componentLocation: /usr/bin/zli
+ scanner: grype
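Review bot: The new zot entry in the second hunk is keyed by `GHSA-mq39-4gv4-mvpx` with no `aliases:`, while this same commit records that advisory as `CVE-2024-29018` with the GHSA as its alias in spire-server, syft, telegraf-1.30, trivy, up and wolfictl, and elsewhere renames GHSA-keyed entries to their CVE (tekton-chains, tkn, wolfictl). For consistency, and so that a query by CVE across the repo finds the zot finding, key it as `- id: CVE-2024-29018` / `aliases:` / `- GHSA-mq39-4gv4-mvpx` and move it into the CVE-sorted part of the list instead of appending it after the GHSA-* entries at the end of the file. The detection is on github.com/docker/docker v25.0.3+incompatible in /usr/bin/zli; the wolfictl hunk in this diff shows v25.0.4+incompatible still being flagged for the same advisory, so the eventual fixed event should be driven by a re-scan rather than by the docker version alone.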