Msrc Cbl Mariner 1.0 X64 vulnerabilities

CVE-2019-6488 [HIGH] CWE-404 The string component in the GNU C Library (aka glibc or libc6) through 2.28 when running on the x32 architecture incorrectly attempts to use a 64-bit register for size_t in assembly codes which can le The string component in the GNU C Library (aka glibc or libc6) through 2.28 when running on the x32 architecture incorrectly attempts to use a 64-bit register for size_t in assembly codes which can lead to a segmentation fault or possibly unspecified other impact as dem

CVE-2019-6461 [MEDIUM] CWE-617 An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c. An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who cho

CVE-2019-6462 [MEDIUM] CWE-835 An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c related to _arc_max_angle_for_tolerance_normalized. An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c related to _arc_max_angle_for_tolerance_normalized. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore pot

CVE-2019-6293 [MEDIUM] CWE-674 An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to i An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote

CVE-2016-10739 [MEDIUM] CWE-20 In the GNU C Library (aka glibc or libc6) through 2.28 the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters which c In the GNU C Library (aka glibc or libc6) through 2.28 the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters which could lead applications to incorrectly assume that it had parsed a va

CVE-2018-16866 [LOW] CWE-125 An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable. FAQ: Is Azure Linux the only Micro

CVE-2018-19591 [HIGH] CWE-20 In the GNU C Library (aka glibc or libc6) through 2.28 attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to In the GNU C Library (aka glibc or libc6) through 2.28 attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function. FAQ: Is Azure Linux the only Microsoft

CVE-2018-19665 [MEDIUM] CWE-190 The Bluetooth subsystem in QEMU mishandles negative values for length variables leading to memory corruption. The Bluetooth subsystem in QEMU mishandles negative values for length variables leading to memory corruption. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment

CVE-2018-19787 [MEDIUM] CWE-79 An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping allowing a remote attacker to conduct XSS attacks as d An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping allowing a remote attacker to conduct XSS attacks as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is

CVE-2018-19876 [MEDIUM] CWE-416 cairo 1.16.0 in cairo_ft_apply_variations() in cairo-ft-font.c would free memory using a free function incompatible with WebKit's fastMalloc leading to an application crash with a "free(): invalid poi cairo 1.16.0 in cairo_ft_apply_variations() in cairo-ft-font.c would free memory using a free function incompatible with WebKit's fastMalloc leading to an application crash with a "free(): invalid pointer" error. FAQ: Is Azure Linux the only Microsoft product that i

CVE-2018-16395 [CRITICAL] An issue was discovered in the OpenSSL library in Ruby before 2.3.8 2.4.x before 2.4.5 2.5.x before 2.5.2 and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using == de An issue was discovered in the OpenSSL library in Ruby before 2.3.8 2.4.x before 2.4.5 2.5.x before 2.5.2 and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using == depending on the ordering non-equal objects may return true. When the first

CVE-2018-19662 [HIGH] CWE-125 An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2alaw_array in alaw.c that will lead to a denial of service. An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2alaw_array in alaw.c that will lead to a denial of service. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main be

CVE-2018-19758 [MEDIUM] CWE-125 There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azur

CVE-2018-19432 [MEDIUM] CWE-476 An issue was discovered in libsndfile 1.0.28. There is a NULL pointer dereference in the function sf_write_int in sndfile.c which will lead to a denial of service. An issue was discovered in libsndfile 1.0.28. There is a NULL pointer dereference in the function sf_write_int in sndfile.c which will lead to a denial of service. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnera

CVE-2018-19661 [MEDIUM] CWE-125 An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2ulaw_array in ulaw.c that will lead to a denial of service. An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2ulaw_array in ulaw.c that will lead to a denial of service. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main

CVE-2018-15686 [HIGH] CWE-502 systemd: reexec state injection: fgets() on overlong lines leads to line splitting systemd: reexec state injection: fgets() on overlong lines leads to line splitting FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most sec

CVE-2018-15687 [HIGH] CWE-362 systemd: chown_one() can dereference symlinks systemd: chown_one() can dereference symlinks FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is compose

CVE-2018-15688 [HIGH] CWE-120 Out-of-Bounds write in systemd-networkd dhcpv6 option handling Out-of-Bounds write in systemd-networkd dhcpv6 option handling FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source librarie

CVE-2018-18384 [MEDIUM] CWE-119 Info-ZIP UnZip 6.0 has a buffer overflow in list.c when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value because a buffer size is 10 and is su Info-ZIP UnZip 6.0 has a buffer overflow in list.c when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value because a buffer size is 10 and is supposed to be 12. FAQ: Is Azure Linux the only Microsoft product th

CVE-2018-10896 [HIGH] CWE-321 The default cloud-init configuration in cloud-init 0.6.2 and newer included "ssh_deletekeys: 0" disabling cloud-init's deletion of ssh host keys. In some environments this could lead to instances crea The default cloud-init configuration in cloud-init 0.6.2 and newer included "ssh_deletekeys: 0" disabling cloud-init's deletion of ssh host keys. In some environments this could lead to instances created by cloning a golden master or template system sharing ssh host ke