Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.AL2_ALAS-2022-1830.NASL
HistoryAug 08, 2022 - 12:00 a.m.

Amazon Linux 2 : golang (ALAS-2022-1830)

2022-08-0800:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
10

9.5 High

AI Score

Confidence

High

JSON

The version of golang installed on the remote host is prior to 1.18.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1830 advisory.

  • A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. (CVE-2020-29652)

  • encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. (CVE-2021-27918)

  • archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which …/ occurs at the beginning of any filename. (CVE-2021-27919)

  • Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. (CVE-2021-33195)

  • In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  • In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  • Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

  • Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. (CVE-2021-38297)

  • In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. (CVE-2021-39293)

  • Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. (CVE-2022-23772)

  • cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. (CVE-2022-23773)

  • Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  • encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data. (CVE-2022-24675)

  • regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. (CVE-2022-24921)

  • The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input. (CVE-2022-28327)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2022-1830.
##

include('compat.inc');

if (description)
{
  script_id(163918);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/08");

  script_cve_id(
    "CVE-2020-29652",
    "CVE-2021-27918",
    "CVE-2021-27919",
    "CVE-2021-33195",
    "CVE-2021-33197",
    "CVE-2021-33198",
    "CVE-2021-36221",
    "CVE-2021-38297",
    "CVE-2021-39293",
    "CVE-2022-23772",
    "CVE-2022-23773",
    "CVE-2022-23806",
    "CVE-2022-24675",
    "CVE-2022-24921",
    "CVE-2022-28327"
  );
  script_xref(name:"IAVB", value:"2021-B-0040-S");
  script_xref(name:"IAVB", value:"2022-B-0008-S");
  script_xref(name:"IAVB", value:"2022-B-0011-S");
  script_xref(name:"IAVB", value:"2021-B-0069-S");
  script_xref(name:"IAVB", value:"2023-B-0080-S");

  script_name(english:"Amazon Linux 2 : golang (ALAS-2022-1830)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of golang installed on the remote host is prior to 1.18.3-1. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2022-1830 advisory.

  - A nil pointer dereference in the golang.org/x/crypto/ssh component through
    v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH
    servers. (CVE-2020-29652)

  - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader
    (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode,
    DecodeElement, or Skip method. (CVE-2021-27918)

  - archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon
    attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any
    filename. (CVE-2021-27919)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from
    DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to
    the RFC1035 format. (CVE-2021-33195)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from
    net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the
    math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil
    ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

  - Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function
    invocation from a WASM module, when GOARCH=wasm GOOS=js is used. (CVE-2021-38297)

  - In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating
    that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of
    an incomplete fix for CVE-2021-33196. (CVE-2021-39293)

  - Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to
    Uncontrolled Memory Consumption. (CVE-2022-23772)

  - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to
    be version tags. This can lead to incorrect access control if an actor is supposed to be able to create
    branches but not tags. (CVE-2022-23773)

  - Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return
    true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  - encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount
    of PEM data. (CVE-2022-24675)

  - regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested
    expression. (CVE-2022-24921)

  - The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic
    via long scalar input. (CVE-2022-28327)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2022-1830.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-29652.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-27918.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-27919.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-33195.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-33197.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-33198.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-36221.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-38297.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-39293.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-23772.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-23773.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-23806.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-24675.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-24921.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-28327.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update golang' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-38297");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/12/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/07/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/08/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-misc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-race");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-shared");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-src");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-tests");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
var os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'golang-1.18.3-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'golang-1.18.3-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'golang-bin-1.18.3-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'golang-bin-1.18.3-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'golang-docs-1.18.3-1.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'golang-misc-1.18.3-1.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'golang-race-1.18.3-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'golang-shared-1.18.3-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'golang-shared-1.18.3-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'golang-src-1.18.3-1.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'golang-tests-1.18.3-1.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var release = NULL;
  var sp = NULL;
  var cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {
    if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang / golang-bin / golang-docs / etc");
}
VendorProductVersionCPE
amazonlinuxgolangp-cpe:/a:amazon:linux:golang
amazonlinuxgolang-binp-cpe:/a:amazon:linux:golang-bin
amazonlinuxgolang-docsp-cpe:/a:amazon:linux:golang-docs
amazonlinuxgolang-miscp-cpe:/a:amazon:linux:golang-misc
amazonlinuxgolang-racep-cpe:/a:amazon:linux:golang-race
amazonlinuxgolang-sharedp-cpe:/a:amazon:linux:golang-shared
amazonlinuxgolang-srcp-cpe:/a:amazon:linux:golang-src
amazonlinuxgolang-testsp-cpe:/a:amazon:linux:golang-tests
amazonlinux2cpe:/o:amazon:linux:2

References

Related

amazon 6
nessus 81
archlinux 1
freebsd 3
osv 13
altlinux 5
suse 6
oraclelinux 4
redhat 27
rocky 3
almalinux 3
ibm 18
photon 8
mageia 4
debian 5
redhatcve 1
cve 1
fedora 5
ubuntucve 1
prion 1
alpinelinux 1
debiancve 1
gentoo 1
amazon
amazon
Important: golang
2022-07-28 21:55:00
Medium: golang
2023-02-15 00:23:00
Important: golang
2022-07-06 03:11:00
nessus
nessus
EulerOS 2.0 SP5 : golang (EulerOS-SA-2022-1534)
2022-04-25 00:00:00
Rocky Linux 8 : go-toolset:rhel8 (RLSA-2021:4156)
2023-11-06 00:00:00
EulerOS 2.0 SP8 : golang (EulerOS-SA-2022-1566)
2022-04-25 00:00:00
archlinux
archlinux
[ASA-202106-42] go: multiple issues
2021-06-15 00:00:00
freebsd
freebsd
go -- multiple vulnerabilities
2021-05-01 00:00:00
go -- multiple vulnerabilities
2022-02-10 00:00:00
go -- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader; archive/zip: panic when calling Reader.Open
2021-03-05 00:00:00
osv
osv
Moderate: go-toolset:rhel8 security, bug fix, and enhancement update
2021-11-09 08:25:49
Moderate: go-toolset:rhel8 security and bug fix update
2022-05-10 06:29:31
Moderate: go-toolset:rhel8 security, bug fix, and enhancement update
2021-11-09 08:25:49
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.16.5-alt1
2021-06-05 00:00:00
Security fix for the ALT Linux 9 package golang version 1.15.13-alt1
2021-06-07 00:00:00
Security fix for the ALT Linux 10 package golang version 1.17.7-alt1
2022-02-11 00:00:00
suse
suse
Security update for go1.15 (important)
2021-07-01 00:00:00
Security update for go1.15 (important)
2021-06-30 00:00:00
Security update for go1.16 (important)
2021-06-28 00:00:00
oraclelinux
oraclelinux
go-toolset:ol8addon security update
2022-06-08 00:00:00
go-toolset:ol8 security and bug fix update
2022-05-17 00:00:00
go-toolset:ol8addon security update
2022-06-08 00:00:00
redhat
redhat
(RHSA-2022:1819) Moderate: go-toolset:rhel8 security and bug fix update
2022-05-10 06:29:31
(RHSA-2021:4156) Moderate: go-toolset:rhel8 security, bug fix, and enhancement update
2021-11-09 08:25:49
(RHSA-2022:5729) Moderate: OpenShift Container Platform 4.10.25 security update
2022-08-01 11:00:16
rocky
rocky
go-toolset:rhel8 security, bug fix, and enhancement update
2021-11-09 08:25:49
go-toolset:rhel8 security and bug fix update
2022-05-10 06:29:31
go-toolset:rhel8 security and bug fix update
2022-06-28 10:54:21
almalinux
almalinux
Moderate: go-toolset:rhel8 security, bug fix, and enhancement update
2021-11-09 08:25:49
Moderate: go-toolset:rhel8 security and bug fix update
2022-05-10 06:29:31
Moderate: buildah security and bug fix update
2022-11-15 00:00:00
ibm
ibm
Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in Golang
2021-12-21 17:45:34
Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager
2022-03-15 17:37:28
Security Bulletin: Security Vulnerabilities affect IBM Cloud Private - Golang (CVE-2022-23772, CVE-2022-23773, CVE-2022-23806)
2022-04-22 21:06:28
photon
photon
Important Photon OS Security Update - PHSA-2021-0294
2021-09-02 00:00:00
Important Photon OS Security Update - PHSA-2021-3.0-0294
2021-09-02 00:00:00
Critical Photon OS Security Update - PHSA-2022-0159
2022-03-02 00:00:00
mageia
mageia
Updated golang packages fix security vulnerability
2021-10-13 22:39:52
Updated golang packages fix security vulnerabilities
2021-07-25 11:34:17
Updated golang packages fix security vulnerability
2022-03-08 02:10:22
debian
debian
[SECURITY] [DLA 2986-1] golang-1.8 security update
2022-04-28 09:57:43
[SECURITY] [DLA 2985-1] golang-1.7 security update
2022-04-28 09:57:28
[SECURITY] [DLA 3395-1] golang-1.11 security update
2023-04-19 21:42:48
redhatcve
redhatcve
CVE-2021-39293
2021-09-20 19:13:18
cve
cve
CVE-2021-39293
2022-01-24 01:15:00
fedora
fedora
[SECURITY] Fedora 34 Update: golang-1.16.8-1.fc34
2021-09-22 16:30:52
[SECURITY] Fedora 35 Update: golang-1.16.8-2.fc35
2021-09-24 20:54:01
[SECURITY] Fedora 35 Update: golang-1.16.15-2.fc35
2022-07-01 01:17:14
ubuntucve
ubuntucve
CVE-2021-39293
2022-01-24 00:00:00
prion
prion
Design/Logic Flaw
2022-01-24 01:15:00
alpinelinux
alpinelinux
CVE-2021-39293
2022-01-24 01:15:00
debiancve
debiancve
CVE-2021-39293
2022-01-24 01:15:00
gentoo
gentoo
Go: Multiple Vulnerabilities
2022-08-04 00:00:00

9.5 High

AI Score

Confidence

High

JSON
Related for AL2_ALAS-2022-1830.NASL
amazon6nessus81archlinux1freebsd3osv13altlinux5suse6oraclelinux4redhat27rocky3almalinux3ibm18photon8mageia4debian5redhatcve1cve1fedora5ubuntucve1prion1alpinelinux1debiancve1gentoo1