Clair v4 creates duplicate CVEs in database
Description of Problem / Feature Request
In the ubuntu:bionic image, Clair v4 finds duplicate CVEs for the package libzstd1:
$ ./clairctl report ubuntu:bionic
ubuntu:bionic found passwd 1:4.5-1ubuntu2 CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found passwd 1:4.5-1ubuntu2 CVE-2018-7169 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found ncurses-base 6.1-1ubuntu1.18.04 CVE-2018-19211 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found ncurses-base 6.1-1ubuntu1.18.04 CVE-2019-17594 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found ncurses-base 6.1-1ubuntu1.18.04 CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2009-5155 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2015-8985 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2016-10228 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2016-10739 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-25013 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2020-27618 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2020-6096 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2021-3326 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2018-20796 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-1010022 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-1010023 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-1010024 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-6488 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2019-7309 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2021-27645 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libc-bin 2.27-3ubuntu1.4 CVE-2020-27618 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found gcc-8-base 8.4.0-1ubuntu1~18.04 CVE-2018-12886 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found gcc-8-base 8.4.0-1ubuntu1~18.04 CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found gcc-8-base 8.4.0-1ubuntu1~18.04 CVE-2020-13844 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libtinfo5 6.1-1ubuntu1.18.04 CVE-2018-19211 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libtinfo5 6.1-1ubuntu1.18.04 CVE-2019-17594 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libtinfo5 6.1-1ubuntu1.18.04 CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libstdc++6 8.4.0-1ubuntu1~18.04 CVE-2018-12886 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libstdc++6 8.4.0-1ubuntu1~18.04 CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libstdc++6 8.4.0-1ubuntu1~18.04 CVE-2020-13844 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found gpgv 2.2.4-1ubuntu1.4 CVE-2019-13050 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found login 1:4.5-1ubuntu2 CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found login 1:4.5-1ubuntu2 CVE-2018-7169 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found ncurses-bin 6.1-1ubuntu1.18.04 CVE-2018-19211 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found ncurses-bin 6.1-1ubuntu1.18.04 CVE-2019-17594 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found ncurses-bin 6.1-1ubuntu1.18.04 CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libgcc1 1:8.4.0-1ubuntu1~18.04 CVE-2018-12886 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libgcc1 1:8.4.0-1ubuntu1~18.04 CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libgcc1 1:8.4.0-1ubuntu1~18.04 CVE-2020-13844 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libudev1 237-3ubuntu10.44 CVE-2018-20839 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libudev1 237-3ubuntu10.44 CVE-2019-9619 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libudev1 237-3ubuntu10.44 CVE-2020-13776 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libnettle6 3.4-1 CVE-2018-16869 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found liblz4-1 0.0~r131-2ubuntu3 CVE-2019-17543 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libgcrypt20 1.8.1-4ubuntu1.2 CVE-2019-12904 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libncursesw5 6.1-1ubuntu1.18.04 CVE-2018-19211 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libncursesw5 6.1-1ubuntu1.18.04 CVE-2019-17594 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libncursesw5 6.1-1ubuntu1.18.04 CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found bash 4.4.18-2ubuntu1.2 CVE-2019-18276 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libncurses5 6.1-1ubuntu1.18.04 CVE-2018-19211 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libncurses5 6.1-1ubuntu1.18.04 CVE-2019-17594 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libncurses5 6.1-1ubuntu1.18.04 CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libgnutls30 3.5.18-1ubuntu1.4 CVE-2018-16868 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libgnutls30 3.5.18-1ubuntu1.4 CVE-2021-20231 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libgnutls30 3.5.18-1ubuntu1.4 CVE-2021-20232 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libsystemd0 237-3ubuntu10.44 CVE-2018-20839 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libsystemd0 237-3ubuntu10.44 CVE-2019-9619 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libsystemd0 237-3ubuntu10.44 CVE-2020-13776 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24032 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24032 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libzstd1 1.3.3+dfsg-2ubuntu1.1 CVE-2021-24032 on Ubuntu 18.04 LTS (bionic) - medium. (fixed: 0:1.3.3+dfsg-2ubuntu1.2)
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2009-5155 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2015-8985 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2016-10228 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2016-10739 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-25013 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2020-27618 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2020-6096 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2021-3326 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2018-20796 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-1010022 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-1010023 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-1010024 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-6488 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2019-7309 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2021-27645 on Ubuntu 18.04 LTS (bionic) - medium.
ubuntu:bionic found libc6 2.27-3ubuntu1.4 CVE-2020-27618 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libpcre3 2:8.39-9 CVE-2017-11164 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libpcre3 2:8.39-9 CVE-2019-20838 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libpcre3 2:8.39-9 CVE-2020-14155 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found coreutils 8.28-1ubuntu1 CVE-2016-2781 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found coreutils 8.28-1ubuntu1 CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found tar 1.29b-2ubuntu0.2 CVE-2021-20193 on Ubuntu 18.04 LTS (bionic) - low.
ubuntu:bionic found libtasn1-6 4.13-2 CVE-2018-1000654 on Ubuntu 18.04 LTS (bionic) - negligible.
ubuntu:bionic found libhogweed4 3.4-1 CVE-2018-16869 on Ubuntu 18.04 LTS (bionic) - low.
These duplicate CVEs are present in the database with different IDs and differ in the fields fixed_in_version and description:
-[ RECORD 3 ]----------+----------------------------------------------------------------------------------------------------------------------------------
id | 168079564
hash_kind | md5
hash | \x12c86ca1844458d93764b733beb604d6
updater | ubuntu-bionic-updater
name | CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.
description | zstd adds read permissions to files while being compressed or uncompressed
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031 http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-24031.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 https://github.com/facebook/zstd/issues/1630
severity |
normalized_severity | Medium
package_name | libzstd1
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | ubuntu
dist_name | Ubuntu
dist_version | 18.04.3 LTS (Bionic Beaver)
dist_version_code_name | bionic
dist_version_id | 18.04
dist_arch |
dist_cpe |
dist_pretty_name | Ubuntu 18.04.3 LTS
repo_name |
repo_key |
repo_uri |
fixed_in_version |
arch_operation | invalid
vulnerable_range | empty
version_kind |
-[ RECORD 11 ]---------+----------------------------------------------------------------------------------------------------------------------------------
id | 229026487
hash_kind | md5
hash | \x483176d55a10232efd722a7a3bd1523b
updater | ubuntu-bionic-updater
name | CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.
description | zstd adds read permissions to files while being compressed or uncompressed
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031 http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-24031.html https://usn.ubuntu.com/usn/usn-4760-1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 https://github.com/facebook/zstd/issues/1630
severity |
normalized_severity | Medium
package_name | libzstd1
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | ubuntu
dist_name | Ubuntu
dist_version | 18.04.3 LTS (Bionic Beaver)
dist_version_code_name | bionic
dist_version_id | 18.04
dist_arch |
dist_cpe |
dist_pretty_name | Ubuntu 18.04.3 LTS
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:1.3.3+dfsg-2ubuntu1.2
arch_operation | invalid
vulnerable_range | empty
version_kind |
-[ RECORD 17 ]---------+----------------------------------------------------------------------------------------------------------------------------------
id | 244074097
hash_kind | md5
hash | \x6e56deaf1e258356e6d52a18e7f4e58f
updater | ubuntu-bionic-updater
name | CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.
description | In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031 http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-24031.html https://usn.ubuntu.com/usn/usn-4760-1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 https://github.com/facebook/zstd/issues/1630
severity |
normalized_severity | Medium
package_name | libzstd1
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | ubuntu
dist_name | Ubuntu
dist_version | 18.04.3 LTS (Bionic Beaver)
dist_version_code_name | bionic
dist_version_id | 18.04
dist_arch |
dist_cpe |
dist_pretty_name | Ubuntu 18.04.3 LTS
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:1.3.3+dfsg-2ubuntu1.2
arch_operation | invalid
vulnerable_range | empty
version_kind |
Environment
Clair version/image: v4.0
Clair client name/version:
Host OS: ubuntu:bionic
Kernel (e.g. uname -a):
Kubernetes version (use kubectl version):
Network/Firewall setup:
Hey @SofyaTavrovskaya
Clair will parse the upstream data source (in this case Ubuntu) and hash the contents of vulnerabilities to understand whether they are duplicates or not.
Your evidence here suggests the upstream data source is providing similar vulns that differ slightly. Are you able to determine whether the upstream data source is providing these duplicates, or whether Clair is manufacturing them?
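To make the hashing rule in this reply concrete, here is an added Go sketch (not claircore's own code; the hashed column set, the separator and the Identity key are assumptions) fed with the three CVE-2021-24031 rows quoted above: one extra link or a rewritten description yields a new content hash and therefore a new row, while a group-by on the advisory identity and a column diff surface what actually changed.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// VulnRecord carries the vuln columns quoted in this thread that matter for the hash.
type VulnRecord struct {
	Updater, Name, Description, Links, PackageName, DistCodeName, FixedInVersion string
}

// columnNames and columns expose the hashed columns in one fixed order.
var columnNames = []string{"updater", "name", "description", "links", "package_name", "dist_version_code_name", "fixed_in_version"}

func columns(v VulnRecord) []string {
	return []string{v.Updater, v.Name, v.Description, v.Links, v.PackageName, v.DistCodeName, v.FixedInVersion}
}

// ContentHash stands in for Clair's content hash (assumption: claircore's real field set and encoding differ).
func ContentHash(v VulnRecord) string {
	h := md5.New()
	for _, c := range columns(v) {
		h.Write([]byte(c))
		h.Write([]byte{0}) // separator keeps "ab"+"c" distinct from "a"+"bc"
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Identity is what an operator means by "the same vulnerability" (assumed key): updater, advisory name, package, distribution.
func Identity(v VulnRecord) string {
	return strings.Join([]string{v.Updater, v.Name, v.PackageName, v.DistCodeName}, "|")
}

// DuplicatesByIdentity first collapses records by content hash (the table's only dedup
// rule, so an identical re-fetch adds nothing) and then reports identities holding >1 row.
func DuplicatesByIdentity(records []VulnRecord) map[string]int {
	rows := map[string]VulnRecord{}
	for _, r := range records {
		rows[ContentHash(r)] = r
	}
	counts, dups := map[string]int{}, map[string]int{}
	for _, v := range rows {
		id := Identity(v)
		counts[id]++
		if counts[id] > 1 {
			dups[id] = counts[id]
		}
	}
	return dups
}

// DiffFields names the columns on which two rows differ, in column order.
func DiffFields(a, b VulnRecord) []string {
	out, ca, cb := []string{}, columns(a), columns(b)
	for i, name := range columnNames {
		if ca[i] != cb[i] {
			out = append(out, name)
		}
	}
	return out
}

// SampleRecords reproduces RECORD 3, 11 and 17 from the report (links and text abbreviated).
func SampleRecords() []VulnRecord {
	r3 := VulnRecord{Updater: "ubuntu-bionic-updater", PackageName: "libzstd1", DistCodeName: "bionic",
		Name:        "CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.",
		Description: "zstd adds read permissions to files while being compressed or uncompressed",
		Links:       "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031"}
	r11 := r3 // re-fetched after the USN link and fix version appeared upstream
	r11.Links += " https://usn.ubuntu.com/usn/usn-4760-1"
	r11.FixedInVersion = "0:1.3.3+dfsg-2ubuntu1.2"
	r17 := r11 // re-fetched again after the description was rewritten
	r17.Description = "In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions."
	return []VulnRecord{r3, r11, r17}
}

func main() {
	recs := SampleRecords()
	fmt.Println("identities with >1 row:", DuplicatesByIdentity(append(recs, recs[0])))
	fmt.Println("3 vs 11:", DiffFields(recs[0], recs[1]), "11 vs 17:", DiffFields(recs[1], recs[2]))
}
```

The same group-by run against the real table (on updater, name, package_name and dist_version_code_name) is the check that tells upstream duplicates apart from rows that drifted between updater runs.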
@ldelossa No, the upstream data source isn't providing these duplicates, I found only one record regarding CVE-2021-24031 and one regarding CVE-2021-24032 in https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml.bz2.
</definition>
<definition class="vulnerability" id="oval:com.ubuntu.bionic:def:2021240310000000" version="1">
<metadata>
<title>CVE-2021-24031 on Ubuntu 18.04 LTS (bionic) - medium.</title>
<description>In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.</description>
<affected family="unix">
<platform>Ubuntu 18.04 LTS</platform>
</affected>
<reference source="CVE" ref_id="CVE-2021-24031" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031" />
<advisory>
<severity>Medium</severity>
<rights>Copyright (C) 2021 Canonical Ltd.</rights>
<public_date>2021-03-04 21:15:00 UTC</public_date>
<public_date_at_usn>2021-02-10 00:00:00 UTC</public_date_at_usn>
<assigned_to>mdeslaur</assigned_to>
<bug>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404</bug>
<bug>https://github.com/facebook/zstd/issues/1630</bug>
<ref>http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-24031.html</ref>
<ref>https://usn.ubuntu.com/usn/usn-4760-1</ref>
</advisory>
</metadata>
<criteria>
<extend_definition definition_ref="oval:com.ubuntu.bionic:def:100" comment="Ubuntu 18.04 LTS (bionic) is installed." applicability_check="true" />
<criterion test_ref="oval:com.ubuntu.bionic:tst:2021240310000000" comment="libzstd package in bionic was vulnerable but has been fixed (note: '1.3.3+dfsg-2ubuntu1.2')." />
</criteria>
</definition>
<definition class="vulnerability" id="oval:com.ubuntu.bionic:def:2021240320000000" version="1">
<metadata>
<title>CVE-2021-24032 on Ubuntu 18.04 LTS (bionic) - medium.</title>
<description>Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.</description>
<affected family="unix">
<platform>Ubuntu 18.04 LTS</platform>
</affected>
<reference source="CVE" ref_id="CVE-2021-24032" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24032" />
<advisory>
<severity>Medium</severity>
<rights>Copyright (C) 2021 Canonical Ltd.</rights>
<public_date>2021-03-04 21:15:00 UTC</public_date>
<public_date_at_usn>2021-02-20 00:00:00 UTC</public_date_at_usn>
<assigned_to>mdeslaur</assigned_to>
<bug>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519</bug>
<bug>https://github.com/facebook/zstd/issues/2491</bug>
<ref>http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-24032.html</ref>
<ref>https://usn.ubuntu.com/usn/usn-4760-1</ref>
</advisory>
</metadata>
<criteria>
<extend_definition definition_ref="oval:com.ubuntu.bionic:def:100" comment="Ubuntu 18.04 LTS (bionic) is installed." applicability_check="true" />
<criterion test_ref="oval:com.ubuntu.bionic:tst:2021240310000000" comment="libzstd package in bionic was vulnerable but has been fixed (note: '1.3.3+dfsg-2ubuntu1.2')." />
</criteria>
</definition>
I don't see the same problem with a freshly installed Clair v4, only with the Clair that we installed about a month ago.
@SofyaTavrovskaya it's possible the parsing issue was fixed in newer versions of Clair. Can you be specific about which version produces this issue and whether it's reproducible?
@ldelossa We definitely saw this problem before. When we were installing Clair on another server, we noticed that there were differences between the old Clair's report and the newly installed Clair's report. We found duplicated CVEs, but we had several outages on the cloud and thought that was the root cause.
I even found this in correspondence with our engineer: the same vulnerability with different IDs:
{'id': '24561971', 'updater': 'ubuntu-bionic-updater', 'name': 'CVE-2021-20193 on Ubuntu 18.04 LTS (bionic) - low.', 'description': '[Memory leak in read_header() in list.c]', 'issued': '0001-01-01T00:00:00Z', 'links': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20193 http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20193.html https://savannah.gnu.org/bugs/?59897 https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980525', 'severity': '', 'normalized_severity': 'Low', 'package': {'id': '', 'name': 'tar', 'version': '', 'kind': 'binary', 'normalized_version': '', 'cpe': ''}, 'distribution': {'id': '', 'did': 'ubuntu', 'name': 'Ubuntu', 'version': '18.04.3 LTS (Bionic Beaver)', 'version_code_name': 'bionic', 'version_id': '18.04', 'arch': '', 'cpe': '', 'pretty_name': 'Ubuntu 18.04.3 LTS'}, 'repository': {'cpe': ''}, 'fixed_in_version': ''}
(Pdb) vulnerability_report['vulnerabilities']['29602683']
{'id': '29602683', 'updater': 'ubuntu-bionic-updater', 'name': 'CVE-2021-20193 on Ubuntu 18.04 LTS (bionic) - low.', 'description': '[Memory leak in read_header() in list.c]', 'issued': '0001-01-01T00:00:00Z', 'links': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20193 http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20193.html https://savannah.gnu.org/bugs/?59897 https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980525 https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1912091', 'severity': '', 'normalized_severity': 'Low', 'package': {'id': '', 'name': 'tar', 'version': '', 'kind': 'binary', 'normalized_version': '', 'cpe': ''}, 'distribution': {'id': '', 'did': 'ubuntu', 'name': 'Ubuntu', 'version': '18.04.3 LTS (Bionic Beaver)', 'version_code_name': 'bionic', 'version_id': '18.04', 'arch': '', 'cpe': '', 'pretty_name': 'Ubuntu 18.04.3 LTS'}, 'repository': {'cpe': ''}, 'fixed_in_version': ''}
Now we are using Clair v4.0.1.
Should we use a newer version: 4.0.3?
@SofyaTavrovskaya does 4.0.3 solve the issue?
@ldelossa I deployed Clair v4.0.3 today; I'll check it this week. I think we need some time to see changes.
Thanks a lot. I'll watch for your report back.
On Mon, Mar 29, 2021 at 10:41 AM SofyaTavrovskaya @.***> wrote:
@ldelossa I deployed Clair v4.0.3 today, I'll check it this week. I think we need some time to see changes
@ldelossa I've checked Clair version 4.0.3 today, and also found duplicates in the DB. For example, for CVE-2021-28957 in the lxml package:
-[ RECORD 1 ]----------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
id | 22425415
hash_kind | md5
hash | \x04277dd27fcf272fd4d256f1ed89d246
updater | debian-stretch-updater
name | CVE-2021-28957
description | An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
severity |
normalized_severity | Unknown
package_name | lxml
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | debian
dist_name | Debian GNU/Linux
dist_version | 9 (stretch)
dist_version_code_name | stretch
dist_version_id | 9
dist_arch |
dist_cpe |
dist_pretty_name | Debian GNU/Linux 9 (stretch)
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:3.7.1-1+deb9u4
arch_operation | invalid
vulnerable_range | empty
version_kind |
-[ RECORD 2 ]----------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
id | 2674835
hash_kind | md5
hash | \x7bf4b959325b7fbfe8ce43e5db133417
updater | debian-stretch-updater
name | CVE-2021-28957
description | lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
severity |
normalized_severity | Unknown
package_name | lxml
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | debian
dist_name | Debian GNU/Linux
dist_version | 9 (stretch)
dist_version_code_name | stretch
dist_version_id | 9
dist_arch |
dist_cpe |
dist_pretty_name | Debian GNU/Linux 9 (stretch)
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:3.7.1-1+deb9u4
arch_operation | invalid
vulnerable_range | empty
version_kind |
-[ RECORD 3 ]----------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
id | 8531269
hash_kind | md5
hash | \x764076ca3100e31b3589f63fe05b4dae
updater | debian-buster-updater
name | CVE-2021-28957
description | lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
severity |
normalized_severity | Unknown
package_name | lxml
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | debian
dist_name | Debian GNU/Linux
dist_version | 10 (buster)
dist_version_code_name | buster
dist_version_id | 10
dist_arch |
dist_cpe |
dist_pretty_name | Debian GNU/Linux 10 (buster)
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:4.3.2-1+deb10u3
arch_operation | invalid
vulnerable_range | empty
version_kind |
-[ RECORD 4 ]----------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
id | 22424105
hash_kind | md5
hash | \x6e086f7cd69d0538751b4efb55e4879e
updater | debian-buster-updater
name | CVE-2021-28957
description | An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
severity |
normalized_severity | Unknown
package_name | lxml
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | debian
dist_name | Debian GNU/Linux
dist_version | 10 (buster)
dist_version_code_name | buster
dist_version_id | 10
dist_arch |
dist_cpe |
dist_pretty_name | Debian GNU/Linux 10 (buster)
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:4.3.2-1+deb10u3
arch_operation | invalid
vulnerable_range | empty
version_kind |
-[ RECORD 5 ]----------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
id | 2634267
hash_kind | md5
hash | \x339307fa0c11fa0adee32d12552700a6
updater | debian-buster-updater
name | CVE-2021-28957
description | lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.
issued | 0001-01-01 00:00:00+00
links | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
severity |
normalized_severity | Unknown
package_name | lxml
package_version |
package_module |
package_arch |
package_kind | binary
dist_id | debian
dist_name | Debian GNU/Linux
dist_version | 10 (buster)
dist_version_code_name | buster
dist_version_id | 10
dist_arch |
dist_cpe |
dist_pretty_name | Debian GNU/Linux 10 (buster)
repo_name |
repo_key |
repo_uri |
fixed_in_version | 0:0
arch_operation | invalid
vulnerable_range | empty
version_kind |