1.79.0

@cf-buildpacks-eng cf-buildpacks-eng released this 28 Feb 21:09
· 95 commits to main since this release

Notably, this release addresses:

USN-6666-1 libuv vulnerability:

  • CVE-2024-24806:
    libuv is a multi-platform support library with a focus on asynchronous I/O.
    The uv_getaddrinfo function in src/unix/getaddrinfo.c (and its Windows
    counterpart src/win/getaddrinfo.c) truncates hostnames to 256 characters
    before calling getaddrinfo. This behavior can be exploited to create
    addresses like 0x00007f000001, which are considered valid by
    getaddrinfo and could allow an attacker to craft payloads that resolve to
    unintended IP addresses, bypassing developer checks. The vulnerability
    arises from how the hostname_ascii variable (with a length of 256
    bytes) is handled in uv_getaddrinfo and subsequently in
    uv__idna_toascii. When the hostname exceeds 256 characters, it gets
    truncated without a terminating null byte. As a result, attackers may be
    able to access internal APIs; for websites (similar to MySpace) that
    allow users to have username.example.com pages, internal services that
    crawl or cache these user pages can be exposed to SSRF attacks if a
    malicious user chooses a long, vulnerable username. This issue has been
    addressed in release version 1.48.0. Users are advised to upgrade. There
    are no known workarounds for this vulnerability.
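
The check an application can put in front of the resolver, as an added example that is not libuv or buildpack code; the function names hostname_is_safe and long_username_rejected, the RFC 1035 length limits and the constructed 300-byte sample name are this example's own assumptions:

```c
/* Added example, not libuv or buildpack code: an application-side check on a
 * user-controlled name (e.g. "<username>.example.com") before it reaches a
 * resolver such as uv_getaddrinfo. The truncation described above needs a name
 * longer than 256 bytes, so enforcing the DNS limit of 253 characters and plain
 * DNS syntax keeps the ".example.com" suffix intact on any libuv build. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME  253   /* RFC 1035: 255 octets on the wire, 253 in text */
#define DNS_MAX_LABEL 63

/* Returns 1 when h is a syntactically valid, length-bounded hostname, else 0. */
int hostname_is_safe(const char *h)
{
    size_t len = strlen(h);
    size_t label = 0;                                /* chars in current label */
    if (len == 0 || len > DNS_MAX_NAME) return 0;    /* too long: would be truncated */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-') return 0;   /* "..", leading '.' or "-." */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-') return 0;       /* spaces, slashes, etc. */
        if (label == 0 && c == '-') return 0;        /* label may not start with '-' */
        if (++label > DNS_MAX_LABEL) return 0;
    }
    return label > 0 && h[len - 1] != '-';           /* no trailing '.' or '-' */
}

/* Constructed input: a 300-byte username, longer than libuv's 256-byte
 * hostname_ascii buffer. Returns 1 if the check rejects the full name. */
int long_username_rejected(void)
{
    char name[320];
    memset(name, 'a', 300);
    memcpy(name + 300, ".example.com", 13);          /* 13 includes the NUL */
    return hostname_is_safe(name) == 0;
}

int main(void)
{
    printf("alice.example.com accepted: %d\n", hostname_is_safe("alice.example.com"));
    printf("300-byte username rejected: %d\n", long_username_rejected());
    return 0;
}
```

The check is a complement to the patched package, not a substitute for it: it only guarantees the suffix is never chopped off before resolution.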

USN-6665-1 Unbound vulnerabilities:

  • CVE-2023-50868:
    The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC
    9276 guidance is skipped) allows remote attackers to cause a denial of
    service (CPU consumption for SHA-1 computations) via DNSSEC responses in a
    random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification
    implies that an algorithm must perform thousands of iterations of a hash
    function in certain situations.
  • CVE-2023-50387:
    Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840,
    and related RFCs) allow remote attackers to cause a denial of service (CPU
    consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One
    of the concerns is that, when there is a zone with many DNSKEY and RRSIG
    records, the protocol specification implies that an algorithm must evaluate
    all combinations of DNSKEY and RRSIG records.
```diff
-ii  libunbound8:amd64 1.13.1-1ubuntu5.3 amd64 library implementing DNS resolution and validation
+ii  libunbound8:amd64 1.13.1-1ubuntu5.4 amd64 library implementing DNS resolution and validation
-ii  libuv1:amd64      1.43.0-1          amd64 asynchronous event notification library - runtime library
+ii  libuv1:amd64      1.43.0-1ubuntu0.1 amd64 asynchronous event notification library - runtime library
```
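Review bot: the libuv1 line moves from 1.43.0-1 to 1.43.0-1ubuntu0.1, an Ubuntu security backport, while the CVE-2024-24806 text above says the issue was addressed in libuv release 1.48.0; the notes should state that the fix arrives through the USN-6666-1 patched 1.43.0 package rather than an upstream upgrade, otherwise a reader comparing the version string against 1.48.0 will conclude the image is still vulnerable. The same applies to libunbound8 (1.13.1-1ubuntu5.4 via USN-6665-1), where no upstream fixed version is quoted at all.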