CVE-2023-45288 affecting package docker-buildx for versions less than 0.14.0-1
CVE-2023-45288 affecting package docker-buildx for versions less than 0.14.0-1. An upgraded version of the package is available that resolves this issue...
AZL-38260 CVE-2023-45288 affecting package docker-buildx for versions less than 0.14.0-1
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...
AZL-35641 CVE-2024-24786 affecting package docker-buildx for versions less than 0.14.0-1
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set...
AZL-35582 CVE-2024-24786 affecting package moby-buildx for versions less than 0.7.1-24
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set...
CVE-2024-23653 affecting package moby-buildx for versions less than 0.7.1-18
CVE-2024-23653 affecting package moby-buildx for versions less than 0.7.1-18. A patched version of the package is available...
CVE-2021-44716 affecting package moby-buildx for versions less than 0.7.1-18
CVE-2021-44716 affecting package moby-buildx for versions less than 0.7.1-18. A patched version of the package is available...
CVE-2022-21698 affecting package moby-buildx for versions less than 0.7.1-16
CVE-2022-21698 affecting package moby-buildx for versions less than 0.7.1-16. A patched version of the package is available...
AZL-34078 CVE-2024-23653 affecting package moby-buildx for versions less than 0.7.1-18
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask...
AZL-35433 CVE-2024-23653 affecting package docker-buildx for versions less than 0.14.0-1
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask...
AZL-35432 CVE-2024-23650 affecting package docker-buildx for versions less than 0.14.0-1
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoi...
AZL-35435 CVE-2023-48795 affecting package docker-buildx for versions less than 0.14.0-1
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted from the extension negotiation message, and a client and server may consequently end up with a connecti...
AZL-35434 CVE-2023-47108 affecting package docker-buildx for versions less than 0.14.0-1
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the...
CVE-2023-44487 affecting package moby-buildx for versions less than 0.7.1-14
CVE-2023-44487 affecting package moby-buildx for versions less than 0.7.1-14. A patched version of the package is available...
AZL-35437 CVE-2023-45142 affecting package docker-buildx for versions less than 0.14.0-1
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.useragent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...
AZL-31325 CVE-2023-44487 affecting package moby-buildx for versions less than 0.7.1-14
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-35436 CVE-2023-44487 affecting package docker-buildx for versions less than 0.14.0-1
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
SUSE-SU-2023:3536-1 Security update for docker
This update for docker fixes the following issues: - Update to Docker 24.0.5-ce. See upstream changelog online at bsc1213229 - Update to Docker 24.0.4-ce. See upstream changelog online at . bsc1213500 - Update to Docker 24.0.3-ce. See upstream changelog online at . bsc1213120 - Recommend...
GHSA-GC89-7GCR-JXQC Buildkit credentials inlined to Git URLs could end up in provenance attestation
When the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1 Invoking build directly from a URL...
AZL-43344 CVE-2021-43565 affecting package moby-buildx for versions less than 0.7.1-20
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server...