Bump the github-actions group with 3 updates

[dependabot]

Bumps the github-actions group with 3 updates: github/codeql-action, docker/login-action and anchore/scan-action.

Updates github/codeql-action from 4.31.11 to 4.32.0

Release notes

Sourced from github/codeql-action's releases.

v4.32.0

• Update default CodeQL bundle version to 2.24.0. #3425

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.32.0 - 26 Jan 2026

• Update default CodeQL bundle version to 2.24.0. #3425

4.31.11 - 23 Jan 2026

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
• Improved error handling throughout the CodeQL Action. #3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

4.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #3393

4.31.9 - 16 Dec 2025

No user facing changes.

4.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #3354

4.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #3343

4.31.6 - 01 Dec 2025

No user facing changes.

4.31.5 - 24 Nov 2025

• Update default CodeQL bundle version to 2.23.6. #3321

4.31.4 - 18 Nov 2025

No user facing changes.

4.31.3 - 13 Nov 2025

• CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see Upcoming deprecation of CodeQL Action v3.

... (truncated)

Commits

• b20883b Merge pull request #3428 from github/update-v4.32.0-e3b8227a2
• c9aa45d Update changelog for v4.32.0
• e3b8227 Merge pull request #3427 from github/henrymercer/bump-for-new-minor-series
• 8a01181 Compare minor version number
• 80e1425 Bump minor version for CLI v2.24.0
• b748848 Bump the Action minor version number on new CodeQL minor version series
• 5e767ef Merge pull request #3425 from github/update-bundle/codeql-bundle-v2.24.0
• 9752869 Add changelog note
• c62c214 Update default bundle to codeql-bundle-v2.24.0
• 25a224b Merge pull request #3423 from github/mbg/ci/yq-windows
• Additional commits viewable in compare view

Updates docker/login-action from 3.6.0 to 3.7.0

Release notes

Sourced from docker/login-action's releases.

v3.7.0

• Add scope input to set scopes for the authentication token by @​crazy-max in docker/login-action#912
• Add support for AWS European Sovereign Cloud ECR by @​dphi in docker/login-action#914
• Ensure passwords are redacted with registry-auth input by @​crazy-max in docker/login-action#911
• build(deps): bump lodash from 4.17.21 to 4.17.23 in docker/login-action#915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

Commits

• c94ce9f Merge pull request #915 from docker/dependabot/npm_and_yarn/lodash-4.17.23
• 8339c95 Merge pull request #912 from docker/scope
• c83e932 build(deps): bump lodash from 4.17.21 to 4.17.23
• b268aa5 chore: update generated content
• a603229 documentation for scope input
• 7567f92 Add scope input to set scopes for the authentication token
• 0567fa5 Merge pull request #914 from dphi/add-support-for-amazonaws.eu
• f6ef577 feat: add support for AWS European Sovereign Cloud ECR registries
• 916386b Merge pull request #911 from crazy-max/ensure-redact
• 5b3f94a chore: update generated content
• Additional commits viewable in compare view

Updates anchore/scan-action from 7.3.0 to 7.3.1

Release notes

Sourced from anchore/scan-action's releases.

v7.3.1

⬆️ Dependencies

• chore(deps): update Grype to v0.106.0 (#583) [@anchore-actions-token-generator[bot]]
• chore(deps): bump lodash from 4.17.21 to 4.17.23 (#580) [@dependabot[bot]]

Commits

• 8d2fce0 chore(deps): update Grype to v0.106.0 (#583)
• 5610d55 chore(deps): bump zizmorcore/zizmor-action from 0.3.0 to 0.4.1 (#582)
• 2b21785 chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#581)
• 7212629 chore(deps): bump lodash from 4.17.21 to 4.17.23 (#580)
• 4cabd70 chore: tweak release drafter author and husky (#579)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

🔍 Vulnerabilities of harbor-os.greenbone.net/opensight/opensight-postgres:16

📦 Image Reference harbor-os.greenbone.net/opensight/opensight-postgres:16

digest	sha256:27f722fb2e547db3c58309ddb91894f49c0c44816f23cb8a4e37c10b6f5817e9
vulnerabilities
platform	linux/amd64
size	160 MB
packages	204

📦 Base Image postgres:16

also known as	16-trixie 16.10 16.10-trixie
digest	sha256:3084fa1fadd59e7633ec56d318f1e4de01be744f446c5c35df7cd801fbc34894
vulnerabilities

stdlib 1.18.2 (golang) pkg:golang/stdlib@1.18.2 # Dockerfile (6:6) FROM postgres:${POSTGRES_VERSION} Affected range <1.21.11 Fixed version 1.21.11 EPSS Score 0.082% EPSS Percentile 24th percentile Description The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Affected range <1.19.9 Fixed version 1.19.9 EPSS Score 0.243% EPSS Percentile 47th percentile Description Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. Affected range <1.19.8 Fixed version 1.19.8 EPSS Score 0.646% EPSS Percentile 70th percentile Description Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. Affected range <1.23.8 Fixed version 1.23.8 EPSS Score 0.047% EPSS Percentile 14th percentile Description The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. Affected range <1.19.10 Fixed version 1.19.10 EPSS Score 0.009% EPSS Percentile 1st percentile Description On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. Affected range >=1.18.0-0 <1.18.3 Fixed version 1.18.3 EPSS Score 0.026% EPSS Percentile 7th percentile Description On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe". Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.023% EPSS Percentile 5th percentile Description The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.031% EPSS Percentile 8th percentile Description The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.038% EPSS Percentile 11th percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.018% EPSS Percentile 4th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.018% EPSS Percentile 4th percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.163% EPSS Percentile 37th percentile Description Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.298% EPSS Percentile 53rd percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range <1.21.12 Fixed version 1.21.12 EPSS Score 0.635% EPSS Percentile 70th percentile Description The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. Affected range <1.21.8 Fixed version 1.21.8 EPSS Score 1.498% EPSS Percentile 81st percentile Description The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. Affected range <1.21.9 Fixed version 1.21.9 EPSS Score 66.635% EPSS Percentile 98th percentile Description An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. Affected range <1.20.0 Fixed version 1.20.0 EPSS Score 0.185% EPSS Percentile 40th percentile Description Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels. Affected range <1.20.11 Fixed version 1.20.11 EPSS Score 0.083% EPSS Percentile 24th percentile Description The filepath package does not recognize paths with a ??\ prefix as special. On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a..??\b into the root local device path ??\b. Clean will now convert this to .??\b. Similarly, Join(, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path ??\b. Join will now convert this to .??\b. In addition, with fix, IsAbs now correctly reports paths beginning with ??\ as absolute, and VolumeName correctly reports the ??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with ?, resulting in filepath.Clean(?\c:) returning ?\c: rather than ?\c:\ (among other effects). The previous behavior has been restored. Affected range <1.20.10 Fixed version 1.20.10 EPSS Score 94.394% EPSS Percentile 100th percentile Description A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. Affected range <1.20.10 Fixed version 1.20.10 EPSS Score 0.150% EPSS Percentile 36th percentile Description A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. Affected range <1.19.8 Fixed version 1.19.8 EPSS Score 0.013% EPSS Percentile 2nd percentile Description Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. Affected range <1.19.8 Fixed version 1.19.8 EPSS Score 0.070% EPSS Percentile 22nd percentile Description Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=. Affected range <1.19.8 Fixed version 1.19.8 EPSS Score 0.048% EPSS Percentile 15th percentile Description HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers. Affected range <1.19.6 Fixed version 1.19.6 EPSS Score 0.055% EPSS Percentile 17th percentile Description A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader. Affected range <1.19.6 Fixed version 1.19.6 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert). Affected range <1.19.6 Fixed version 1.19.6 EPSS Score 0.229% EPSS Percentile 45th percentile Description A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. Affected range <1.19.6 Fixed version 1.19.6 EPSS Score 0.175% EPSS Percentile 39th percentile Description A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b". Affected range <1.18.9 Fixed version 1.18.9 EPSS Score 0.035% EPSS Percentile 10th percentile Description On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. Affected range <1.18.8 Fixed version 1.18.8 EPSS Score 0.013% EPSS Percentile 2nd percentile Description Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D". Affected range <1.18.7 Fixed version 1.18.7 EPSS Score 0.016% EPSS Percentile 3rd percentile Description Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. Affected range >=1.18.0-0 <1.18.5 Fixed version 1.18.5 EPSS Score 0.113% EPSS Percentile 30th percentile Description Decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service. Affected range >=1.18.0-0 <1.18.4 Fixed version 1.18.4 EPSS Score 0.096% EPSS Percentile 27th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. Affected range >=1.18.0-0 <1.18.3 Fixed version 1.18.3 EPSS Score 0.024% EPSS Percentile 6th percentile Description On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes. Affected range >=1.18.0-0 <1.18.4 Fixed version 1.18.4 EPSS Score 0.096% EPSS Percentile 27th percentile Description Unmarshaling an XML document into a Go struct which has a nested field that uses the 'any' field tag can panic due to stack exhaustion. Affected range >=1.18.0-0 <1.18.4 Fixed version 1.18.4 EPSS Score 0.096% EPSS Percentile 27th percentile Description Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. Affected range >=1.18.0-0 <1.18.4 Fixed version 1.18.4 EPSS Score 0.041% EPSS Percentile 12th percentile Description Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. Affected range >=1.18.0-0 <1.18.4 Fixed version 1.18.4 EPSS Score 0.038% EPSS Percentile 11th percentile Description Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. Affected range >=1.18.0-0 <1.18.3 Fixed version 1.18.3 EPSS Score 0.082% EPSS Percentile 24th percentile Description On Windows, the filepath.Clean function can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack. For example, Clean(".\c:") returns "c:". Affected range <1.18.7 Fixed version 1.18.7 EPSS Score 0.031% EPSS Percentile 9th percentile Description Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. Affected range <1.18.7 Fixed version 1.18.7 EPSS Score 0.016% EPSS Percentile 3rd percentile Description Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. Affected range >=1.18.0-0 <1.18.4 Fixed version 1.18.4 EPSS Score 0.014% EPSS Percentile 2nd percentile Description Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. Affected range <1.18.6 Fixed version 1.18.6 EPSS Score 0.096% EPSS Percentile 27th percentile Description HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service. Affected range <1.19.9 Fixed version 1.19.9 EPSS Score 0.048% EPSS Percentile 15th percentile Description Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. Affected range <1.19.9 Fixed version 1.19.9 EPSS Score 0.065% EPSS Percentile 20th percentile Description Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. Affected range <1.23.10 Fixed version 1.23.10 EPSS Score 0.011% EPSS Percentile 1st percentile Description Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.015% EPSS Percentile 2nd percentile Description archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.010% EPSS Percentile 1st percentile Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. Affected range <1.23.12 Fixed version 1.23.12 EPSS Score 0.020% EPSS Percentile 4th percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Affected range <1.21.8 Fixed version 1.21.8 EPSS Score 0.362% EPSS Percentile 58th percentile Description When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. Affected range <1.19.11 Fixed version 1.19.11 EPSS Score 0.258% EPSS Percentile 49th percentile Description The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. Affected range >=1.18.0-0 <1.18.4 Fixed version 1.18.4 EPSS Score 0.056% EPSS Percentile 17th percentile Description Client IP adresses may be unintentionally exposed via X-Forwarded-For headers. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function sets the X-Forwarded-For header value to nil, ReverseProxy leaves the header unmodified as expected. Affected range >=1.18.0-0 <1.18.4 Fixed version 1.18.4 EPSS Score 0.053% EPSS Percentile 17th percentile Description The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.008% EPSS Percentile 1st percentile Description During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Affected range <1.22.11 Fixed version 1.22.11 EPSS Score 0.048% EPSS Percentile 15th percentile Description A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs. Affected range <1.22.11 Fixed version 1.22.11 EPSS Score 0.078% EPSS Percentile 23rd percentile Description The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2. Affected range <1.20.8 Fixed version 1.20.8 EPSS Score 0.085% EPSS Percentile 25th percentile Description The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Affected range <1.20.8 Fixed version 1.20.8 EPSS Score 0.085% EPSS Percentile 25th percentile Description The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. Affected range <1.21.8 Fixed version 1.21.8 EPSS Score 0.445% EPSS Percentile 63rd percentile Description Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. Affected range <1.23.10 Fixed version 1.23.10 EPSS Score 0.009% EPSS Percentile 1st percentile Description os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink. Affected range <1.21.11 Fixed version 1.21.11 EPSS Score 0.007% EPSS Percentile 0th percentile Description The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Affected range >=1.18.0-0 <1.18.4 Fixed version 1.18.4 EPSS Score 0.005% EPSS Percentile 0th percentile Description Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. Affected range <1.21.8 Fixed version 1.21.8 EPSS Score 0.273% EPSS Percentile 50th percentile Description If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.022% EPSS Percentile 5th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.014% EPSS Percentile 2nd percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.030% EPSS Percentile 8th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.032% EPSS Percentile 9th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.032% EPSS Percentile 9th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.20.11 Fixed version 1.20.11 EPSS Score 0.040% EPSS Percentile 12th percentile Description On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local. Affected range <1.20.12 Fixed version 1.20.12 EPSS Score 0.064% EPSS Percentile 20th percentile Description A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. Affected range <1.19.12 Fixed version 1.19.12 EPSS Score 0.125% EPSS Percentile 32nd percentile Description Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. Affected range <1.19.7 Fixed version 1.19.7 EPSS Score 0.025% EPSS Percentile 6th percentile Description The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh. Affected range <1.18.9 Fixed version 1.18.9 EPSS Score 0.714% EPSS Percentile 72nd percentile Description An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.081% EPSS Percentile 24th percentile Description Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. Affected range <1.21.8 Fixed version 1.21.8 EPSS Score 0.454% EPSS Percentile 63rd percentile Description When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. Affected range <1.22.12 Fixed version 1.22.12 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.

openssl 3.5.1-1 (deb) pkg:deb/debian/openssl@3.5.1-1?os_distro=trixie&os_name=debian&os_version=13 # Dockerfile (6:6) FROM postgres:${POSTGRES_VERSION} Affected range <3.5.1-1+deb13u1 Fixed version 3.5.1-1+deb13u1 EPSS Score 0.031% EPSS Percentile 9th percentile Description Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. openssl 3.5.4-1 https://openssl-library.org/news/secadv/20250930.txt Fixed by: openssl/openssl@5965ea5 (openssl-3.3.5) Fixed by: openssl/openssl@9e91358 (openssl-3.4.3) Fixed by: openssl/openssl@b5282d6 (openssl-3.2.6) Fixed by: openssl/openssl@a79c4ce (openssl-3.0.18) Affected range <3.5.4-1~deb13u2 Fixed version 3.5.4-1~deb13u2 EPSS Score 0.065% EPSS Percentile 20th percentile Description Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. openssl 3.5.5-1 https://openssl-library.org/news/secadv/20260127.txt Fixed by: openssl/openssl@564fd9c (openssl-3.5.5) Fixed by: openssl/openssl@4e254b4 (openssl-3.0.19) Affected range <3.5.4-1~deb13u2 Fixed version 3.5.4-1~deb13u2 EPSS Score 0.043% EPSS Percentile 13th percentile Description Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. openssl 3.5.5-1 https://openssl-library.org/news/secadv/20260127.txt Fixed by: openssl/openssl@ff62893 (openssl-3.5.5) Fixed by: openssl/openssl@41be0f2 (openssl-3.0.19) Affected range <3.5.4-1~deb13u2 Fixed version 3.5.4-1~deb13u2 EPSS Score 0.012% EPSS Percentile 1st percentile Description Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. openssl 3.5.5-1 https://openssl-library.org/news/secadv/20260127.txt Fixed by: openssl/openssl@2502e7b (openssl-3.5.5) Fixed by: openssl/openssl@572844b (openssl-3.0.19) Affected range <3.5.4-1~deb13u2 Fixed version 3.5.4-1~deb13u2 EPSS Score 0.066% EPSS Percentile 21st percentile Description Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. openssl 3.5.5-1 https://openssl-library.org/news/secadv/20260127.txt Fixed by: openssl/openssl@2502e7b (openssl-3.5.5) Fixed by: openssl/openssl@572844b (openssl-3.0.19) Affected range <3.5.4-1~deb13u2 Fixed version 3.5.4-1~deb13u2 EPSS Score 0.012% EPSS Percentile 1st percentile Description Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. openssl 3.5.5-1 https://openssl-library.org/news/secadv/20260127.txt Fixed by: openssl/openssl@6845c3b (openssl-3.5.5) Fixed by: openssl/openssl@475c466 (openssl-3.0.19) Affected range <3.5.4-1~deb13u2 Fixed version 3.5.4-1~deb13u2 EPSS Score 0.007% EPSS Percentile 0th percentile Description Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection. The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes. However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. openssl 3.5.5-1 https://openssl-library.org/news/secadv/20260127.txt Fixed by: openssl/openssl@4016975 (openssl-3.5.5) Fixed by: openssl/openssl@52d23c8 (openssl-3.0.19)

gnupg2 2.4.7-21 (deb) pkg:deb/debian/gnupg2@2.4.7-21?os_distro=trixie&os_name=debian&os_version=13 # Dockerfile (6:6) FROM postgres:${POSTGRES_VERSION} Affected range <=2.4.7-21+deb13u1 Fixed version Not Fixed EPSS Score 0.005% EPSS Percentile 0th percentile Description In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. gnupg2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126631) https://dev.gnupg.org/T8045 Affected range <2.4.7-21+deb13u1 Fixed version 2.4.7-21+deb13u1 EPSS Score 0.019% EPSS Percentile 4th percentile Description In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.) gnupg2 2.4.8-5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124221) [trixie] - gnupg2 2.4.7-21+deb13u1 [bookworm] - gnupg2 2.2.40-1.1+deb12u2 https://gpg.fail/memcpy https://dev.gnupg.org/T7906 https://www.openwall.com/lists/oss-security/2025/12/28/5 gpg/gnupg@115d138 (gnupg-2.5.14) gpg/gnupg@4ecc512 (gnupg-2.4.9) gpg/gnupg@1e929ab (gnupg-2.2.51)

libxslt 1.1.35-1.2 (deb) pkg:deb/debian/libxslt@1.1.35-1.2?os_distro=trixie&os_name=debian&os_version=13 # Dockerfile (6:6) FROM postgres:${POSTGRES_VERSION} Affected range <1.1.35-1.2+deb13u1 Fixed version 1.1.35-1.2+deb13u1 EPSS Score 0.336% EPSS Percentile 56th percentile Description A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior. libxslt 1.1.35-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109123) https://bugzilla.redhat.com/show_bug.cgi?id=2379228 https://gitlab.gnome.org/GNOME/libxslt/-/issues/139

libxml2 2.12.7+dfsg+really2.9.14-2.1 (deb) pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1?os_distro=trixie&os_name=debian&os_version=13 # Dockerfile (6:6) FROM postgres:${POSTGRES_VERSION} Affected range <2.12.7+dfsg+really2.9.14-2.1+deb13u2 Fixed version 2.12.7+dfsg+really2.9.14-2.1+deb13u2 EPSS Score 0.008% EPSS Percentile 1st percentile Description Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions xmlXPathRunEval, xmlXPathCtxtCompile, and xmlXPathEvalExpr were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled. libxml2 2.14.5+dfsg-0.1 [trixie] - libxml2 2.12.7+dfsg+really2.9.14-2.1+deb13u2 [bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u5 https://bugzilla.redhat.com/show_bug.cgi?id=2392605 https://gitlab.gnome.org/GNOME/libxslt/-/issues/148 Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21 (v2.10.0) Test fixes in libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/commit/b7994c3b7ab83b502f4298ab4abb10fb183f7ed4 (v1.1.36) libxml2/2.14.5+dfsg-0.1 is actually not the earliest version in unstable with the fix, but later on the version got reverted to 2.9.14 based one.

postgresql-17 17.6-1.pgdg13+1 (deb) pkg:deb/debian/postgresql-17@17.6-1.pgdg13%2B1?os_distro=trixie&os_name=debian&os_version=13 # Dockerfile (6:6) FROM postgres:${POSTGRES_VERSION} Affected range <17.7-0+deb13u1 Fixed version 17.7-0+deb13u1 EPSS Score 0.074% EPSS Percentile 23rd percentile Description Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected. postgresql-18 18.1-1 postgresql-17 [trixie] - postgresql-17 17.7-0+deb13u1 postgresql-15 [bookworm] - postgresql-15 15.15-0+deb12u1 postgresql-13 https://www.postgresql.org/about/news/postgresql-181-177-1611-1515-1420-and-1323-released-3171/ Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=600086f471a3bb57ff4953accf1d3f8d2efe0201 (master) Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=7eb8fcad860e9a0548191dab7a87a5bead5f8e91 (REL_18_1) Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=f5999f01815969dfe8df33bac9c0f1aa38dd6cd5 (REL_17_7) Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=91421565febbf99c1ea2341070878dc50ab0afef (REL_15_15) Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=d6f0c0d6d6d3f14177848e4a00df988fa2f0a09a (REL_13_23)

gnutls28 3.8.9-3 (deb) pkg:deb/debian/gnutls28@3.8.9-3?os_distro=trixie&os_name=debian&os_version=13 # Dockerfile (6:6) FROM postgres:${POSTGRES_VERSION} Affected range <3.8.9-3+deb13u1 Fixed version 3.8.9-3+deb13u1 EPSS Score 0.008% EPSS Percentile 1st percentile Description A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks. [experimental] - gnutls28 3.8.11-1 gnutls28 3.8.11-3 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121146) [trixie] - gnutls28 3.8.9-3+deb13u1 [bookworm] - gnutls28 (Minor issue) [bullseye] - gnutls28 (Minor issue; can be fixed in next update) https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18 https://gitlab.com/gnutls/gnutls/-/issues/1732 Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5 (3.8.11)

tar 1.35+dfsg-3.1 (deb) pkg:deb/debian/tar@1.35%2Bdfsg-3.1?os_distro=trixie&os_name=debian&os_version=13 # Dockerfile (6:6) FROM postgres:${POSTGRES_VERSION} Affected range >=1.35+dfsg-3.1 Fixed version Not Fixed EPSS Score 0.060% EPSS Percentile 19th percentile Description GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). Disputed tar issue, works as documented per upstream: https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md