What happened:

Scanning an image that has libqpdf26-9.0.2-150200.3.3.1.x86_64 installed generates the following vulnerabilities:

```text
NAME       INSTALLED           FIXED-IN              TYPE  VULNERABILITY   SEVERITY
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11627  High
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11625  High
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11624  High
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-9210   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-9209   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-9208   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-12595  Low
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11626  Low
```
What you expected to happen:

According to the SUSE advisories for CVE-2017-11624, CVE-2017-11625 and CVE-2017-11627, the patches for these CVEs are applied from version libqpdf26-9.0.2-150200.3.3.1.x86_64 onwards. See this link: https://www.suse.com/security/cve/CVE-2017-11624.html

```text
SUSE Linux Enterprise Server 15 SP6
libqpdf26 >= 9.0.2-150200.3.3.1
qpdf >= 10.3.1-150600.11.2
qpdf-devel >= 10.3.1-150600.11.2
```

Note: Grype's FIXED-IN seems to confuse libqpdf26 with qpdf (version 0:10.3.1-150600.11.2), since the recommended qpdf version in the SUSE advisory is 10.3.1-150600.11.2. That could be what triggered these CVE matches.
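To make the mismatch described in the note concrete, the following added example (not code from Grype or from SUSE) checks an installed RPM EVR against the per-package fixed-in versions from the advisory excerpt above. It uses a simplified reimplementation of rpm's version comparison (no `~`/`^` handling), so the result depends only on which package name the installed version is compared under.

```python
import re
from itertools import zip_longest

# Fixed-in versions for SLES 15 SP6 as listed in the SUSE advisory quoted in this issue.
ADVISORY_FIXED_IN = {
    "libqpdf26": "9.0.2-150200.3.3.1",
    "qpdf": "10.3.1-150600.11.2",
    "qpdf-devel": "10.3.1-150600.11.2",
}

def split_evr(evr):
    """Split an RPM EVR such as '0:10.3.1-150600.11.2' into (epoch, version, release); no epoch means 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release

def rpmvercmp(a, b):
    """Simplified rpm label comparison (assumption: no '~'/'^' handling): numeric segments compare
    as integers, alphabetic ones lexically, numeric beats alphabetic, leftover segments mean newer."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip_longest(sa, sb):
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return 0

def evrcmp(installed, fixed):
    """-1, 0 or 1 as installed is older than, equal to or newer than fixed (epoch, then version, then release)."""
    ie, iv, ir = split_evr(installed)
    fe, fv, fr = split_evr(fixed)
    if ie != fe:
        return 1 if ie > fe else -1
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def is_vulnerable(pkg_name, installed_evr, advisory=ADVISORY_FIXED_IN):
    """True only if the advisory covers pkg_name and the installed EVR is below its fixed-in EVR."""
    fixed = advisory.get(pkg_name)
    return fixed is not None and evrcmp(installed_evr, fixed) < 0
```

With the installed EVR from the scan, `is_vulnerable("libqpdf26", "9.0.2-150200.3.3.1")` returns False, while comparing the same version under the name `qpdf` returns True, which is exactly the FIXED-IN the scanner reported.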
How to reproduce it (as minimally and precisely as possible):

Create the Dockerfile with this content:

```dockerfile
FROM registry.suse.com/suse/sle15:15.6
RUN zypper in -y --no-recommends libqpdf26=9.0.2-150200.3.3.1
ENTRYPOINT [""]
CMD ["bash"]
```
```console
$ docker build -t "suse15.6_libqpdf26:v1" .
$ grype --distro sles:15.6 suse15.6_libqpdf26:v1 | grep libqpdf
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11627  High    (Problem reproduced)
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11625  High    (Problem reproduced)
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11624  High    (Problem reproduced)
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-9210   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-9209   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-9208   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-12595  Low
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11626  Low

$ docker run -it suse15.6_libqpdf26:v1 rpm -qa | grep libqpdf26
libqpdf26-9.0.2-150200.3.3.1.x86_64
$ syft suse15.6_libqpdf26:v1 | grep libqpdf
libqpdf26  9.0.2-150200.3.3.1  rpm
```
Environment:

Output of `grype version`: grype 0.86.1

OS (e.g. `cat /etc/os-release` or similar):

```console
$ docker run -it suse15.6_libqpdf26:v1 cat /etc/release
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
```