
Security updates #419

Merged
thalassemia merged 1 commit into master from security-updates on May 12, 2026

Conversation

@github-actions
Contributor

Security Vulnerability Report

Generated on: 2026-05-12 00:52:41

Summary

Found vulnerabilities in 2 packages requiring updates.

Package Upgrades Overview

Package     Current Version   Recommended Version   Vulnerabilities
biopython   1.85              Unknown               1
urllib3     2.6.3             2.7.0                 2

Detailed Vulnerability Information

biopython (v1.85)

Vulnerability ID   Fix Versions   Aliases
CVE-2025-68463     (none)         GHSA-x3vf-39hj-gxr4

urllib3 (v2.6.3)

Vulnerability ID   Fix Versions   Aliases
CVE-2026-44431     2.7.0          GHSA-qccp-gfcp-xxvc
CVE-2026-44432     2.7.0          GHSA-mf9v-mfxr-j63j

Recommended Actions

  1. Review the vulnerability details above.
  2. Close and reopen this PR to trigger CI/CD tests.
  3. Approve and merge the PR if everything looks good.

This report was generated automatically. Please verify all upgrades before applying.

@thalassemia thalassemia reopened this May 12, 2026
@thalassemia thalassemia added the "long ci" label (PR nearly ready to merge so run longer CI tests) May 12, 2026
@github-actions
Contributor Author

🔍 Vulnerabilities of vecoli:latest

📦 Image Reference: vecoli:latest
  digest: sha256:43b12e5ea8fe6423f12be622e19bb2d906db43fa72306643bbda9aa15bec2e2a
  vulnerabilities: critical: 0 high: 6 medium: 9 low: 95 unspecified: 8
  platform: linux/amd64
  size: 959 MB
  packages: 905

📦 Base Image: debian:13-slim
  also known as:
  • 13.4-slim
  • trixie-20260421-slim
  • trixie-slim
  digest: sha256:e18da95f66066b7c5fa31491b524e83121271eca59a3d140f4906c8d0a090367
  vulnerabilities: critical: 0 high: 0 medium: 0 low: 0

gnutls28 3.8.9-3+deb13u2 (deb): critical: 0 high: 4 medium: 1 low: 2 unspecified: 7

pkg:deb/debian/gnutls28@3.8.9-3%2Bdeb13u2?os_distro=trixie&os_name=debian&os_version=13

high : CVE-2026-33846
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.075% (22nd percentile)
Description

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.


high : CVE-2026-33845
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.046% (14th percentile)
Description

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.


high : CVE-2026-42011
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.021% (6th percentile)
Description

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.


high : CVE-2026-42010
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.150% (35th percentile)
Description

A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.


medium : CVE-2026-3833
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.086% (25th percentile)
Description

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName (DNS) or rfc822Name (email) constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.


low : CVE-2026-3832
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.030% (9th percentile)
Description

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.


low : CVE-2011-3389
Affected range: >0
Fixed version: Not Fixed
EPSS score: 3.832% (88th percentile)
Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.


unspecified : CVE-2026-5419
unspecified : CVE-2026-5260
unspecified : CVE-2026-42015
unspecified : CVE-2026-42014
unspecified : CVE-2026-42013
unspecified : CVE-2026-42012
unspecified : CVE-2026-42009

Each of the seven unspecified entries above carries the same fields: Affected range: >0, Fixed version: Not Fixed, and no description.

nghttp2 1.64.0-1.1 (deb): critical: 0 high: 1 medium: 0 low: 0

pkg:deb/debian/nghttp2@1.64.0-1.1?os_distro=trixie&os_name=debian&os_version=13

high : CVE-2026-27135
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.024% (7th percentile)
Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API nghttp2_session_terminate_session or nghttp2_session_terminate_session2 is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.


rustls-webpki 0.103.12 (cargo): critical: 0 high: 1 medium: 0 low: 0

pkg:cargo/rustls-webpki@0.103.12

high 7.5: GHSA-82j2-j2ch-gfr8 - Out-of-bounds Read
Affected range: <0.103.13
Fixed version: 0.103.13
CVSS score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Summary

bit_string_flags() in src/der.rs panics with an index-out-of-bounds when given a BIT STRING whose content is exactly [0x00] (one byte: zero padding bits, zero data bytes). This is reachable through the public API BorrowedCertRevocationList::from_der() via the issuingDistributionPoint CRL extension.

Precondition: CRL checking is opt-in in rustls-webpki. This vulnerability affects only applications that explicitly pass RevocationOptions to verify_for_usage() and load CRL bytes from a source the attacker can influence. The default rustls configuration (no RevocationOptions) is not affected.

AI disclosure: This report was prepared with AI assistance (Claude). The vulnerability was discovered by differential fuzzing against a formally-verified Rust oracle. All technical claims have been independently verified against the live source code before submission.

Details

bit_string_flags() in src/der.rs reads the content of named-bit BIT STRINGs (KeyUsage, ReasonFlags, etc.). Its input guard:

if padding_bits > 7 || (raw_bits.is_empty() && padding_bits != 0) {
    return Err(Error::BadDer);
}
let last_byte = raw_bits[raw_bits.len() - 1];  // ← crash

misses the case padding_bits == 0 && raw_bits.is_empty().
When a BIT STRING has content [0x00] (one padding-bits byte set to zero, no data bytes):

  • padding_bits = 0x00 — passes the > 7 check ✓
  • raw_bits = [] — passes is_empty() && != 0 check ✓ (because 0 != 0 is false)
  • raw_bits.len() - 1 = 0usize - 1 = underflow → usize::MAX
  • raw_bits[usize::MAX] → panic

Debug:   thread 'main' panicked: attempt to subtract with overflow
Release: thread 'main' panicked: index out of bounds: the len is 0 but the index is 18446744073709551615

PoC

Cargo.toml:

[dependencies]
rustls-webpki = "0.102.8"   # also reproduces on 0.103.12

src/main.rs:

fn main() {
    let crl: &[u8] = &[
        0x30, 0x65, 0x30, 0x50, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09,
        0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
        0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55, 0x04, 0x03,
        0x13, 0x01, 0x41, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x31, 0x30, 0x31,
        0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x31,
        0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a,
        0xa0, 0x10, 0x30, 0x0e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x1c,
        0x04, 0x05, 0x30, 0x03, 0x83, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09,
        0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
        0x03, 0x02, 0x00, 0x00,
    ];
    // Panics — never returns
    let _ = webpki::BorrowedCertRevocationList::from_der(crl);
}

output:

thread 'main' panicked at src/der.rs:...
index out of bounds: the len is 0 but the index is 18446744073709551615

Trigger

a0 10            -- cRLExtensions [0] EXPLICIT
  30 0e          -- SEQUENCE OF Extension
    30 0c        -- Extension SEQUENCE
      06 03 55 1d 1c   -- OID 2.5.29.28 (id-ce-issuingDistributionPoint)
      04 05            -- OCTET STRING (extnValue)
        30 03          -- IssuingDistributionPoint SEQUENCE
          83 01 00     -- [3] onlySomeReasons: BIT STRING, len=1, content=0x00
                       --   padding_bits=0, data=[]  ← TRIGGER

Impact

  • Who is affected: applications that (1) use rustls-webpki with CRL revocation checking explicitly enabled via RevocationOptions, and (2) load CRL bytes from a source an attacker can influence.
  • Attack paths:
    • mTLS server (most realistic): An attacker obtains any certificate from a CA that permits custom CDP URLs — common in enterprise PKI. They set the CDP to a server they control, serve the 103-byte crafted CRL, and connect to the target. The server fetches the attacker's CRL during the handshake and panics. No MITM required.
    • TLS client with server-cert CRL checking: An attacker who can MITM an HTTP CRL distribution point (ARP/DNS poisoning on a local network) serves the crafted CRL in place of the legitimate one.

krb5 1.21.3-5 (deb): critical: 0 high: 0 medium: 2 low: 3

pkg:deb/debian/krb5@1.21.3-5?os_distro=trixie&os_name=debian&os_version=13

medium : CVE-2026-40356
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.099% (27th percentile)
Description

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.


medium : CVE-2026-40355
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.099% (27th percentile)
Description

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.


low : CVE-2024-26461
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.062% (19th percentile)
Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.


low : CVE-2024-26458
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.250% (48th percentile)
Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.


low : CVE-2018-5709
Affected range: >0
Fixed version: Not Fixed
EPSS score: 1.504% (81st percentile)
Description

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.


pip 26.0.1 (pypi): critical: 0 high: 0 medium: 2 low: 0

pkg:pypi/pip@26.0.1

medium 5.3: CVE-2026-6357 - Inclusion of Functionality from Untrusted Control Sphere
Affected range: <26.1
Fixed version: 26.1
CVSS score: 5.3
CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS score: 0.016% (4th percentile)
Description

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

medium 4.6: CVE-2026-3219 - Unrestricted Upload of File with Dangerous Type
Affected range: <=26.0.1
Fixed version: Not Fixed
CVSS score: 4.6
CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS score: 0.017% (4th percentile)
Description

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

tar 1.35+dfsg-3.1 (deb): critical: 0 high: 0 medium: 1 low: 1

pkg:deb/debian/tar@1.35%2Bdfsg-3.1?os_distro=trixie&os_name=debian&os_version=13

medium : CVE-2025-45582
Affected range: >=1.35+dfsg-3.1
Fixed version: Not Fixed
EPSS score: 0.130% (32nd percentile)
Description

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).


Disputed tar issue, works as documented per upstream:
https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md

low : CVE-2005-2541
Affected range: >0
Fixed version: Not Fixed
EPSS score: 3.763% (88th percentile)
Description

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.


This is intended behaviour; after all, tar is an archiving tool and you need to give -p as a command-line flag.

astral-tokio-tar 0.6.0 (cargo): critical: 0 high: 0 medium: 1 low: 1

pkg:cargo/astral-tokio-tar@0.6.0

medium 6.6: GHSA-fp55-jw48-c537 - Improper Input Validation
Affected range: <=0.6.0
Fixed version: 0.6.1
CVSS score: 6.6
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Description

Impact

Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.

See GHSA-j5gw-2vrg-8fgx for a similar desynchronization bug in astral-tokio-tar.

Patches

Versions 0.6.1 and newer of astral-tokio-tar address this differential.

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

There is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.

Resources

  • GHSA-j5gw-2vrg-8fgx is a similar PAX desynchronization bug

low 2.7: GHSA-xx64-wwv2-hcqq - UNIX Symbolic Link (Symlink) Following
Affected range: <=0.6.0
Fixed version: 0.6.1
CVSS score: 2.7
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Description

Impact

In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could inadvertently modify the permissions of external (i.e. non-archive) directories outside of the archive. An attacker could use this to contrive a tar archive that maliciously changes directory permissions outside of its intended hierarchy. This flaw only affects directories; individual file permissions cannot be modified via it.

See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.

Patches

Versions 0.6.1 and newer of astral-tokio-tar use fs::symlink_metadata rather than fs::metadata, avoiding the traversal.

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

Users should experience no breaking changes as a result of the patch above.

Resources

  • GHSA-j4xf-2g29-59ph for the original tar vulnerability

rsa 0.9.10 (cargo): critical: 0 high: 0 medium: 1 low: 0

pkg:cargo/rsa@0.9.10

medium 5.9: CVE-2023-49092
Affected range: >=0.0.0-0
Fixed version: Not Fixed
CVSS score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS score: 0.734% (73rd percentile)
Description

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

biopython 1.85 (pypi): critical: 0 high: 0 medium: 1 low: 0

pkg:pypi/biopython@1.85

medium 4.9: CVE-2025-68463 - Improper Restriction of XML External Entity Reference
Affected range: <=1.86
Fixed version: Not Fixed
CVSS score: 4.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L
EPSS score: 0.074% (22nd percentile)
Description

Bio.Entrez in Biopython through 1.86 allows doctype XXE.

binutils 2.44-3 (deb): critical: 0 high: 0 medium: 0 low: 54

pkg:deb/debian/binutils@2.44-3?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2026-6846
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.020% (6th percentile)
Description

A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.


low : CVE-2026-6845
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.005% (0th percentile)
Description

A flaw was found in binutils, specifically within the readelf utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.


low : CVE-2026-6844
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.019% (5th percentile)
Description

A flaw was found in the readelf utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. Both issues can result in the readelf utility becoming unresponsive or crashing, leading to a denial of service.


low : CVE-2026-4647
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.004% (0th percentile)
Description

A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.


low : CVE-2026-3442
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.006% (0th percentile)
Description

A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.


low : CVE-2026-3441
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.006% (0th percentile)
Description

A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.


low : CVE-2025-8225
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.033% (10th percentile)
Description

A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. It is recommended to apply a patch to fix this issue.


low : CVE-2025-7546
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.064% (20th percentile)
Description

A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.


low : CVE-2025-7545
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.069% (21st percentile)
Description

A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.


low : CVE-2025-69652
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.022% (6th percentile)
Description

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.


low : CVE-2025-69651
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.007% (1st percentile)
Description

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.


low : CVE-2025-69650
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.149% (35th percentile)
Description

GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.


low : CVE-2025-69649
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.045% (14th percentile)
Description

GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.


low : CVE-2025-69648
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.022% (6th percentile)
Description

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.


low : CVE-2025-69647
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.024% (7th percentile)
Description

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.


low : CVE-2025-69646
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.005% (0th percentile)
Description

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.


low : CVE-2025-69645
Affected range: >0
Fixed version: Not Fixed
EPSS score: 0.006% (0th percentile)
Description

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file.


low : CVE-2025-69644

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.006%
EPSS Percentile: 0th percentile
Description

An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.


low : CVE-2025-66866

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.035%
EPSS Percentile: 10th percentile
Description

An issue was discovered in function d_abi_tags in file cp-demangle.c in GNU Binutils 2.26 that allows attackers to cause a denial of service via a crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE-2025-66865

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.174%
EPSS Percentile: 38th percentile
Description

An issue was discovered in function d_print_comp_inner in file cp-demangle.c in GNU Binutils 2.26 that allows attackers to cause a denial of service via a crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE-2025-66864

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.122%
EPSS Percentile: 31st percentile
Description

An issue was discovered in function d_print_comp_inner in file cp-demangle.c in GNU Binutils 2.26 that allows attackers to cause a denial of service via a crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE-2025-66863

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.174%
EPSS Percentile: 38th percentile
Description

An issue was discovered in function d_discriminator in file cp-demangle.c in GNU Binutils 2.26 that allows attackers to cause a denial of service via a crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE-2025-66862

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.128%
EPSS Percentile: 32nd percentile
Description

A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in GNU Binutils 2.26 allows attackers to cause a denial of service via a crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE-2025-66861

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.042%
EPSS Percentile: 13th percentile
Description

An issue was discovered in function d_unqualified_name in file cp-demangle.c in GNU Binutils 2.26 that allows attackers to cause a denial of service via a crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE-2025-5245

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.084%
EPSS Percentile: 24th percentile
Description

A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.


low : CVE-2025-5244

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.081%
EPSS Percentile: 24th percentile
Description

A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.


low : CVE-2025-3198

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.068%
EPSS Percentile: 21st percentile
Description

A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.


low : CVE-2025-11840

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.028%
EPSS Percentile: 8th percentile
Description

A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.


low : CVE-2025-11839

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.023%
EPSS Percentile: 6th percentile
Description

A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.


low : CVE-2025-1182

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.104%
EPSS Percentile: 28th percentile
Description

A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.


low : CVE-2025-1181

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.117%
EPSS Percentile: 30th percentile
Description

A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.


low : CVE-2025-1180

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.082%
EPSS Percentile: 24th percentile
Description

A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.


low : CVE-2025-1178

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.120%
EPSS Percentile: 30th percentile
Description

A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.


low : CVE-2025-1176

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.213%
EPSS Percentile: 44th percentile
Description

A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.


low : CVE-2025-1153

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.083%
EPSS Percentile: 24th percentile
Description

A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.


low : CVE-2025-1152

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.048%
EPSS Percentile: 15th percentile
Description

A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."


low : CVE-2025-1151

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.048%
EPSS Percentile: 15th percentile
Description

A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."


low : CVE-2025-1150

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.048%
EPSS Percentile: 15th percentile
Description

A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."


low : CVE-2025-11495

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.030%
EPSS Percentile: 9th percentile
Description

A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.


low : CVE-2025-11494

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.039%
EPSS Percentile: 12th percentile
Description

A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.


low : CVE-2025-1149

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.048%
EPSS Percentile: 15th percentile
Description

A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."


low : CVE-2025-1148

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.072%
EPSS Percentile: 22nd percentile
Description

A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."


low : CVE-2025-1147

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.067%
EPSS Percentile: 21st percentile
Description

A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.


low : CVE-2025-11414

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.030%
EPSS Percentile: 9th percentile
Description

A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.


low : CVE-2025-11413

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.028%
EPSS Percentile: 8th percentile
Description

A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.


low : CVE-2025-11412

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.030%
EPSS Percentile: 9th percentile
Description

A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.


low : CVE-2025-11083

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.027%
EPSS Percentile: 8th percentile
Description

A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with "[f]ixed for 2.46".


low : CVE-2025-11082

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.023%
EPSS Percentile: 7th percentile
Description

A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with "[f]ixed for 2.46".


low : CVE-2025-11081

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.030%
EPSS Percentile: 9th percentile
Description

A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.


low : CVE-2021-32256

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.124%
EPSS Percentile: 31st percentile
Description

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.


low : CVE-2018-9996

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.385%
EPSS Percentile: 60th percentile
Description

An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.


low : CVE-2018-20712

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.673%
EPSS Percentile: 71st percentile
Description

A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.


low : CVE-2018-20673

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.093%
EPSS Percentile: 26th percentile
Description

The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for "Create an array for saving the template argument values") that can trigger a heap-based buffer overflow, as demonstrated by nm.


low : CVE-2017-13716

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.237%
EPSS Percentile: 47th percentile
Description

The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).


critical: 0 high: 0 medium: 0 low: 7 glibc 2.41-12+deb13u2 (deb)

pkg:deb/debian/glibc@2.41-12%2Bdeb13u2?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2019-9192

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.790%
EPSS Percentile: 74th percentile
Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern


low : CVE-2019-1010025

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.840%
EPSS Percentile: 75th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."


low : CVE-2019-1010024

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.634%
EPSS Percentile: 70th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."


low : CVE-2019-1010023

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.307%
EPSS Percentile: 54th percentile
Description

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."


low : CVE-2019-1010022

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.129%
EPSS Percentile: 32nd percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."


low : CVE-2018-20796

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 1.492%
EPSS Percentile: 81st percentile
Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.


low : CVE-2010-4756

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.394%
EPSS Percentile: 60th percentile
Description

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.


  • glibc (unimportant)
  • eglibc (unimportant)
    That's standard POSIX behaviour implemented by (e)glibc. Applications using
    glob need to impose limits for themselves

critical: 0 high: 0 medium: 0 low: 5 openldap 2.6.10+dfsg-1 (deb)

pkg:deb/debian/openldap@2.6.10%2Bdfsg-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2026-22185

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.027%
EPSS Percentile: 8th percentile
Description

OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.


low : CVE-2020-15719

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.216%
EPSS Percentile: 44th percentile
Description

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.


low : CVE-2017-17740

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 6.138%
EPSS Percentile: 91st percentile
Description

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.


low : CVE-2017-14159

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.111%
EPSS Percentile: 29th percentile
Description

slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript.


low : CVE-2015-3276

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 2.575%
EPSS Percentile: 86th percentile
Description

The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.


  • openldap (unimportant)
    Debian builds with GNUTLS, not NSS

critical: 0 high: 0 medium: 0 low: 4 curl 8.14.1-2+deb13u2 (deb)

pkg:deb/debian/curl@8.14.1-2%2Bdeb13u2?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2025-15224

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.098%
EPSS Percentile: 27th percentile
Description

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.


low : CVE-2025-15079

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.047%
EPSS Percentile: 14th percentile
Description

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.


low : CVE-2025-14017

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.010%
EPSS Percentile: 1st percentile
Description

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.


low : CVE-2025-10966

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.026%
EPSS Percentile: 7th percentile
Description

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.


critical: 0 high: 0 medium: 0 low: 4 systemd 257.9-1~deb13u1 (deb)

pkg:deb/debian/systemd@257.9-1~deb13u1?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2023-31439

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.125%
EPSS Percentile: 31st percentile
Description

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."


low : CVE-2023-31438

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.134%
EPSS Percentile: 32nd percentile
Description

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."


low : CVE-2023-31437

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.170%
EPSS Percentile: 38th percentile
Description

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."


low : CVE-2013-4392

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.042%
EPSS Percentile: 13th percentile
Description

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.


critical: 0 high: 0 medium: 0 low: 2 coreutils 9.7-3 (deb)

pkg:deb/debian/coreutils@9.7-3?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2025-5278

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.130%
EPSS Percentile: 32nd percentile
Description

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.


low : CVE-2017-18018

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.056%
EPSS Percentile: 17th percentile
Description

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.


critical: 0 high: 0 medium: 0 low: 2 sqlite3 3.46.1-7+deb13u1 (deb)

pkg:deb/debian/sqlite3@3.46.1-7%2Bdeb13u1?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2025-70873

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.050%
EPSS Percentile: 15th percentile
Description

An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.


low : CVE-2021-45346

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.271%
EPSS Percentile: 50th percentile
Description

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability, stating that if you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.


critical: 0 high: 0 medium: 0 low: 2 util-linux 2.41-5 (deb)

pkg:deb/debian/util-linux@2.41-5?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2025-14104

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.006%
EPSS Percentile: 0th percentile
Description

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.


low : CVE-2022-0563

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.025%
EPSS Percentile: 7th percentile
Description

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.


critical: 0 high: 0 medium: 0 low: 1 bash-completion 1:2.16.0-7 (deb)

pkg:deb/debian/bash-completion@1%3A2.16.0-7?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2018-7738

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.070%
EPSS Percentile: 21st percentile
Description

In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.


critical: 0 high: 0 medium: 0 low: 1 unzip 6.0-29 (deb)

pkg:deb/debian/unzip@6.0-29?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2021-4217

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.195%
EPSS Percentile: 41st percentile
Description

A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.


critical: 0 high: 0 medium: 0 low: 1 perl 5.40.1-6 (deb)

pkg:deb/debian/perl@5.40.1-6?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2011-4116

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.189%
EPSS Percentile: 40th percentile
Description

_is_safe in the File::Temp module for Perl does not properly handle symlinks.


critical: 0 high: 0 medium: 0 low: 1 apt 3.0.3 (deb)

pkg:deb/debian/apt@3.0.3?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2011-3374

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 1.509%
EPSS Percentile: 81st percentile
Description

It was found that apt-key in apt, all versions, does not correctly validate gpg keys against the master keyring, leading to a potential man-in-the-middle attack.


critical: 0 high: 0 medium: 0 low: 1 jansson 2.14-2 (deb)

pkg:deb/debian/jansson@2.14-2?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2020-36325

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.659%
EPSS Percentile: 71st percentile
Description

An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there is an out-of-bounds read-access bug. NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification.


critical: 0 high: 0 medium: 0 low: 1 rand 0.9.2 (cargo)

pkg:cargo/rand@0.9.2

low : GHSA-cq8v-f236-94qc Improper Input Validation

Affected range: >=0.9.0, <0.9.3
Fixed version: 0.9.3
Description

It has been reported (by @lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

  • The log and thread_rng features are enabled
  • A custom logger is defined
  • The custom logger accesses rand::rng() (previously rand::thread_rng()) and calls any TryRng (previously RngCore) methods on ThreadRng
  • The ThreadRng (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
  • Trace-level logging is enabled or warn-level logging is enabled and the random source (the getrandom crate) is unable to provide a new seed

TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.

critical: 0 high: 0 medium: 0 low: 1 shadow 1:4.17.4-2 (deb)

pkg:deb/debian/shadow@1%3A4.17.4-2?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2007-5686

Affected range: >0
Fixed version: Not Fixed
EPSS Score: 0.322%
EPSS Percentile: 55th percentile
Description

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.


Debian security tracker note:
  • shadow (unimportant)
    See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so
    unknown usernames are not recorded on login failures

critical: 0 high: 0 medium: 0 low: 1 openssl 3.5.5-1~deb13u2 (deb)

pkg:deb/debian/openssl@3.5.5-1~deb13u2?os_distro=trixie&os_name=debian&os_version=13

low : CVE-2010-0928

Affected range: >=3.2.1-3
Fixed version: Not Fixed
EPSS Score: 0.094%
EPSS Percentile: 26th percentile
Description

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."


Debian security tracker references and note:
http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
openssl/openssl#24540
Fault injection based attacks are not within OpenSSL's threat model according
to the security policy: https://www.openssl.org/policies/general/security-policy.html

critical: 0 high: 0 medium: 0 low: 0 unspecified: 1 rkyv 0.8.15 (cargo)

pkg:cargo/rkyv@0.8.15

unspecified : RUSTSEC-2026-0122

Affected range: >=0.8.0, <0.8.16
Fixed version: 0.8.16
Description

InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe.
Both functions iterate over their elements and call drop_in_place on each,
updating self.len only after the loop. If an element's Drop implementation
panics during the loop, self.len is left at its original value.

A subsequent invocation of clear() on the same container then re-visits the
already-freed elements:

  • InlineVec::clear() is called again from InlineVec's own Drop
    implementation when the value is later dropped.
  • SerVec::clear() is called again by SerVec::with_capacity() after the
    user closure returns.

Impact

  • CWE-415 (Double Free): heap corruption when the element type is one that
    owns memory, such as Box<T> or Vec<T>
  • CWE-416 (Use-After-Free): memory corruption when an element is accessed
    following a caught panic

Both types of undefined behavior can be invoked in safe Rust, but only if
unwinding panics are enabled and std::panic::catch_unwind is used.
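The clear() failure mode described in the rkyv advisory above, as an added example in Rust that is not rkyv's code: a hypothetical fixed-capacity `InlineVec` over a `MaybeUninit` buffer carries both the unsound pattern (drop every slot in place, update `len` only after the loop) and a panic-safe variant that shrinks `len` before each drop. A constructed element type whose `Drop` panics on demand, plus a constructed drop counter, make the difference observable: after a caught panic the unsound version still reports `len == 3` although two of those slots have already been dropped, which is exactly the state in which a second clear() (here, the container's own `Drop`) would double-free; the sound version reports only the one element still live, and every element is dropped exactly once. The names `Elem`, `InlineVec`, `clear_unsound`, `clear_sound` and `run` are illustration-only.

```rust
use std::array;
use std::cell::Cell;
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;

thread_local! {
    // Constructed instrumentation: counts how many times Elem::drop has run.
    static DROPS: Cell<usize> = Cell::new(0);
}

/// Constructed element type whose Drop can be made to panic on demand.
struct Elem {
    panic_on_drop: bool,
}

impl Drop for Elem {
    fn drop(&mut self) {
        DROPS.with(|d| d.set(d.get() + 1));
        if self.panic_on_drop {
            panic!("Elem::drop panicked");
        }
    }
}

/// Hypothetical fixed-capacity vector in the style the advisory describes
/// (not rkyv's InlineVec): a MaybeUninit buffer plus a live-element count.
struct InlineVec<T, const N: usize> {
    buf: [MaybeUninit<T>; N],
    len: usize,
}

impl<T, const N: usize> InlineVec<T, N> {
    fn new() -> Self {
        Self { buf: array::from_fn(|_| MaybeUninit::uninit()), len: 0 }
    }

    fn push(&mut self, v: T) {
        assert!(self.len < N, "capacity exceeded");
        self.buf[self.len].write(v);
        self.len += 1;
    }

    /// The pattern RUSTSEC-2026-0122 describes: each element is dropped in
    /// place and `len` is updated only after the loop. If one Drop panics,
    /// `len` still counts the already-dropped slots, so the next clear() (or
    /// this type's own Drop) would run drop_in_place on them a second time.
    fn clear_unsound(&mut self) {
        for i in 0..self.len {
            // SAFETY: slots 0..len were initialised by push(). This version is
            // unsound precisely because that invariant breaks on a panic.
            unsafe { ptr::drop_in_place(self.buf[i].as_mut_ptr()) };
        }
        self.len = 0;
    }

    /// Panic-safe variant: shrink `len` before dropping each element, so the
    /// slot is already outside the live range when its Drop runs. A panic
    /// leaves the remaining elements owned and still to be dropped once.
    fn clear_sound(&mut self) {
        while self.len > 0 {
            self.len -= 1;
            // SAFETY: slot `len` was initialised and is no longer counted as
            // live, so nothing can drop it again even if this Drop panics.
            unsafe { ptr::drop_in_place(self.buf[self.len].as_mut_ptr()) };
        }
    }
}

impl<T, const N: usize> Drop for InlineVec<T, N> {
    fn drop(&mut self) {
        // Mirrors the advisory: the container's own Drop calls clear().
        self.clear_sound();
    }
}

/// Runs one scenario: three elements, the middle one panics on drop.
/// Returns (len observed after the caught panic, total Elem drops observed).
fn run(sound: bool) -> (usize, usize) {
    DROPS.with(|d| d.set(0));
    let mut v: InlineVec<Elem, 4> = InlineVec::new();
    v.push(Elem { panic_on_drop: false });
    v.push(Elem { panic_on_drop: true });
    v.push(Elem { panic_on_drop: false });

    let outcome = catch_unwind(AssertUnwindSafe(|| {
        if sound { v.clear_sound() } else { v.clear_unsound() }
    }));
    assert!(outcome.is_err(), "the middle element's Drop should have panicked");
    let len_after_panic = v.len;

    if sound {
        // Dropping the container clears the single element that is still live.
        drop(v);
    } else {
        // `len` is stale: it counts two slots whose contents were already
        // dropped. Letting Drop run here would be the double free from the
        // advisory, so leak the container instead of corrupting memory.
        std::mem::forget(v);
    }
    (len_after_panic, DROPS.with(|d| d.get()))
}

fn main() {
    println!("unsound clear: (len after panic, drops) = {:?}", run(false));
    println!("sound clear:   (len after panic, drops) = {:?}", run(true));
}
```

The unsound run yields `(3, 2)`: one element remains live but `len` claims three, so any later clear() would revisit two freed slots. The sound run yields `(1, 3)`: the count excludes dropped slots at every point, and the container's Drop finishes the job without touching anything twice. Leaking on panic (as `clear_sound` effectively does for the remaining elements until the next clear) is the usual price of panic safety in unsafe collection code: a leak is safe, a double drop is not.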

@github-actions
Contributor Author

Recommended fixes for image vecoli:latest

Base image is debian:13-slim

Name: 13.4-slim
Digest: sha256:e18da95f66066b7c5fa31491b524e83121271eca59a3d140f4906c8d0a090367
Vulnerabilities: critical: 0 high: 0 medium: 0 low: 0
Pushed: 3 weeks ago
Size: 30 MB
Packages: 111
OS: 13.4
The base image is also available under the supported tag(s): 13.4-slim, trixie-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.
Tag: 13-slim
Details: Newer image for same tag
Also known as:
  • 13.4-slim
  • trixie-slim
  • trixie-20260505-slim
Benefits:
  • Same OS detected
  • Newer image for same tag
  • Minor OS version update
  • Tag was pushed more recently
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • Tag is using slim variant
Image details:
  • Size: 30 MB
  • OS: 13.4
Pushed: 1 week ago



Change base image

Tag: stable-slim
Details: Tag is preferred tag
Also known as:
  • stable-20260505-slim
Benefits:
  • Same OS detected
  • Tag is preferred tag
  • Tag was pushed more recently
  • Image has similar size
  • Image contains equal number of packages
  • Tag is using slim variant
  • stable-slim was pulled 46K times last month
Image details:
  • Size: 30 MB
  • Flavor: debian
  • OS: 12
  • Slim: ✅
Pushed: 1 week ago



Tag: 13
Details: Tag is latest
Also known as:
  • 13.4
  • latest
  • trixie
  • trixie-20260505
Benefits:
  • Same OS detected
  • Minor OS version update
  • Tag was pushed more recently
  • Tag is latest
  • Image contains equal number of packages
Image details:
  • Size: 49 MB
  • OS: 13.4
Pushed: 1 week ago



@thalassemia thalassemia merged commit b237873 into master May 12, 2026
12 of 14 checks passed
@thalassemia thalassemia deleted the security-updates branch May 12, 2026 20:49