
rhel9 binaries #4086

Merged
merged 21 commits into from
Jul 16, 2024

Conversation

@HugoCasa HugoCasa commented Jul 16, 2024

  • feat: rhel9 img test
  • fix: action
  • fix: action
  • fix: build
  • don't use rustup
  • fix: rustfmt
  • fix: second apt-get
  • fix
  • fix: try xmlsec1 no-dev
  • fix: remove scache
  • fix: 1.75 rust support
  • fix: rust 1.75
  • fix: xmlsec1
  • fix: nit
  • fix: missing async recursion
  • fix: missing dep + unregister from RH
  • fix: add xmlsec1 openssl
  • fix: check binary is running
  • add link
  • feat: clean rhel files

🚀 This description was created by Ellipsis for commit cf34548

Summary:

Added support for building Windmill binaries on Red Hat Linux 9 with necessary dependency updates and documentation.

Key points:

  • Added docker/RHEL9/Dockerfile for building Windmill binaries on Red Hat Linux 9.
  • Updated backend/Cargo.toml to pin specific AWS SDK versions for Rust 1.75 compatibility.
  • Added docker/RHEL9/README.md with instructions for building and running Windmill on RHEL9.
  • Modified .github/workflows/build-staging-image.yml to adjust Docker image tagging.
  • Ensured compatibility with xmlsec1-devel package and CodeReady Builder repository.
  • Handled async recursion in backend/windmill-worker/src/worker_lockfiles.rs for compilation.

Generated with ❤️ by ellipsis.dev

@rubenfiszel rubenfiszel changed the title feat: rhel9 binaries rhel9 binaries Jul 16, 2024

cloudflare-workers-and-pages bot commented Jul 16, 2024

Deploying windmill with Cloudflare Pages

Latest commit: cf34548
Status: ✅  Deploy successful!
Preview URL: https://0432337a.windmill.pages.dev
Branch Preview URL: https://hc-rhel9.windmill.pages.dev


🔍 Vulnerabilities of ghcr.io/windmill-labs/windmill-ee:main

📦 Image Reference: ghcr.io/windmill-labs/windmill-ee:main
digest: sha256:0ec3573bbab970aecc8467c4aede46c475b9d73ebce6241b89f06fc62f007c74
vulnerabilities: critical: 3, high: 21, medium: 0, low: 0
size: 885 MB
packages: 1377

📦 Base Image: python:3.11-slim
also known as
  • 3.11-slim-bookworm
  • 3.11.8-slim
  • 3.11.8-slim-bookworm
digest: sha256:4bcdb5d5bc81caf410bc880ca7d47d6ce3f05dc50f81166eb42827fcdc98cfca
vulnerabilities: critical: 0, high: 6, medium: 4, low: 17, unspecified: 6
critical: 1 high: 2 medium: 0 low: 0 git 1:2.39.2-1.1 (deb)

pkg:deb/debian/git@1:2.39.2-1.1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (92:94)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1  software-properties-common \
    && rm -rf /var/lib/apt/lists/*

critical: CVE-2024-32002

Affected range: >=1:2.39.2-1.1
Fixed version: Not Fixed
EPSS Score: 0.15%
EPSS Percentile: 52nd percentile
Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

high: CVE-2024-32004

Affected range: >=1:2.39.2-1.1
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 11th percentile
Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

high: CVE-2024-32465

Affected range: >=1:2.39.2-1.1
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 11th percentile
Description

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

critical: 1 high: 1 medium: 0 low: 0 stdlib 1.21.7 (golang)

pkg:golang/stdlib@1.21.7

# Dockerfile (110:116)
RUN if [ "$WITH_HELM" = "true" ]; then \
    arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
    wget "https://get.helm.sh/helm-v${HELM_VERSION}-linux-$arch.tar.gz" && \
    tar -zxvf "helm-v${HELM_VERSION}-linux-$arch.tar.gz"  && \
    mv linux-$arch/helm /usr/local/bin/helm &&\
    chmod +x /usr/local/bin/helm; \
    else echo 'Building the image without helm'; fi

critical: CVE-2024-24790

Affected range: <1.21.11
Fixed version: 1.21.11
EPSS Score: 0.06%
EPSS Percentile: 27th percentile
Description

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

high: CVE-2024-24791

Affected range: <1.21.12
Fixed version: 1.21.12
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

critical: 1 high: 1 medium: 0 low: 0 stdlib 1.21.6 (golang)

pkg:golang/stdlib@1.21.6

# Dockerfile (154:154)
COPY --from=builder /frontend/build /static_frontend

critical: CVE-2024-24790

Affected range: <1.21.11
Fixed version: 1.21.11
EPSS Score: 0.06%
EPSS Percentile: 27th percentile
Description

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

high: CVE-2024-24791

Affected range: <1.21.12
Fixed version: 1.21.12
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

critical: 0 high: 4 medium: 0 low: 0 pillow 9.4.0 (pypi)

pkg:pypi/pillow@9.4.0

# Dockerfile (154:154)
COPY --from=builder /frontend/build /static_frontend

high 8.8: CVE-2023-4863 Out-of-bounds Write

Affected range: <10.0.1
Fixed version: 10.0.1
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 60.91%
EPSS Percentile: 98th percentile
Description

Heap buffer overflow in libwebp allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.

high 8.1: CVE-2023-50447 Improper Control of Generation of Code ('Code Injection')

Affected range: <10.2.0
Fixed version: 10.2.0
CVSS Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.07%
EPSS Percentile: 32nd percentile
Description

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

high 7.5: CVE-2023-44271 Uncontrolled Resource Consumption

Affected range: <10.0.0
Fixed version: 10.0.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.05%
EPSS Percentile: 23rd percentile
Description

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

high: GHSA-56pw-mpj4-fxww

Affected range: <10.0.1
Fixed version: 10.0.1
Description

Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.

critical: 0 high: 3 medium: 0 low: 0 cryptography 38.0.4 (pypi)

pkg:pypi/cryptography@38.0.4

# Dockerfile (92:94)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1  software-properties-common \
    && rm -rf /var/lib/apt/lists/*

high 7.5: CVE-2024-26130 NULL Pointer Dereference

Affected range: >=38.0.0, <42.0.4
Fixed version: 42.0.4
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

If pkcs12.serialize_key_and_certificates is called with both:

  1. A certificate whose public key did not match the provided private key
  2. An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...))

Then a NULL pointer dereference would occur, crashing the Python process.

This has been resolved, and now a ValueError is properly raised.

Patched in pyca/cryptography#10423

high 7.5: CVE-2023-50782 Observable Discrepancy

Affected range: <42.0.0
Fixed version: 42.0.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.10%
EPSS Percentile: 41st percentile
Description

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

high 7.4: CVE-2023-0286 Access of Resource Using Incompatible Type ('Type Confusion')

Affected range: >=0.8.1, <39.0.1
Fixed version: 39.0.1
CVSS Score: 7.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score: 0.25%
EPSS Percentile: 66th percentile
Description

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

critical: 0 high: 2 medium: 0 low: 0 nodejs 20.15.1-1nodesource1 (deb)

pkg:deb/debian/nodejs@20.15.1-1nodesource1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (154:154)
COPY --from=builder /frontend/build /static_frontend

high: CVE-2024-27983

Affected range: >=18.19.0+dfsg-6~deb12u2
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

high: CVE-2024-22019

Affected range: >=18.19.0+dfsg-6~deb12u2
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

critical: 0 high: 1 medium: 0 low: 0 pip 24.0 (pypi)

pkg:pypi/pip@24.0

# Dockerfile (79:79)
FROM ${PYTHON_IMAGE}

high 7.8: CVE-2018-20225 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range: >=0
Fixed version: Not Fixed
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.11%
EPSS Percentile: 45th percentile
Description

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number).

critical: 0 high: 1 medium: 0 low: 0 setuptools 66.1.1-1 (deb)

pkg:deb/debian/setuptools@66.1.1-1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (92:94)
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip build-essential unixodbc xmlsec1  software-properties-common \
    && rm -rf /var/lib/apt/lists/*

high: CVE-2024-6345

Affected range: >=66.1.1-1
Fixed version: Not Fixed
EPSS Score: 0.04%
EPSS Percentile: 9th percentile
Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

critical: 0 high: 1 medium: 0 low: 0 stdlib 1.21.11 (golang)

pkg:golang/stdlib@1.21.11

# Dockerfile (165:165)
COPY --from=docker:dind /usr/local/bin/docker /usr/local/bin/

high: CVE-2024-24791

Affected range: <1.21.12
Fixed version: 1.21.12
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

critical: 0 high: 1 medium: 0 low: 0 System.Formats.Asn1 7.0.823.31807 (nuget)

pkg:nuget/System.Formats.Asn1@7.0.823.31807

# Dockerfile (97:108)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi;  \
    else echo 'Building the image without powershell'; fi

high 7.5: CVE-2024-38095 Improper Input Validation

Affected range: >=7.0.0-preview.1.22076.8, <8.0.1
Fixed version: 8.0.1
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.06%
EPSS Percentile: 27th percentile
Description

Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists when System.Formats.Asn1 in .NET parses an X.509 certificate or collection of certificates: a malicious certificate can result in excessive CPU consumption on all platforms, resulting in Denial of Service.

Announcement

Announcement for this issue can be found at dotnet/announcements#312

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

  • Any .NET 6.0 application running on .NET 6.0.31 or earlier.
  • Any .NET 8.0 application running on .NET 8.0.6 or earlier.

Affected Packages

The vulnerability affects any Microsoft .NET Core project if it uses any of the affected package versions listed below.

.NET 6

Package name | Affected version | Patched version
Microsoft.NetCore.App.Runtime.linux-arm | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.linux-arm64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.linux-musl-arm | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.linux-musl-x64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.linux-x64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.osx-arm64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.osx-x64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.win-arm | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.win-arm64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.win-x64 | >=6.0.0, <=6.0.31 | 6.0.32
Microsoft.NetCore.App.Runtime.win-x86 | >=6.0.0, <=6.0.31 | 6.0.32
System.Formats.Asn1 | >=5.0.0-preview.7.20364.11 | 6.0.1

.NET 8

Package name | Affected version | Patched version
Microsoft.NetCore.App.Runtime.linux-arm | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.linux-arm64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.linux-musl-arm | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.linux-musl-x64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.linux-x64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.osx-arm64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.osx-x64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.win-arm | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.win-arm64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.win-x64 | >=8.0.0, <=8.0.6 | 8.0.7
Microsoft.NetCore.App.Runtime.win-x86 | >=8.0.0, <=8.0.6 | 8.0.7
System.Formats.Asn1 | <=6.0.0, >=7.0.0-preview.1.22076.8 | 8.0.1

Advisory FAQ

How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  • To fix the issue, please install the latest version of .NET 8.0, .NET 7.0 or .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following:
.NET Core SDK (reflecting any global.json):


 Version:   8.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 8.0.3
  Commit:  8473146e7d

.NET Core SDKs installed:

  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]


To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 6.0 and .NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 6.0, please email details to [email protected]. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

External Links

CVE-2024-38095

Revisions

V1.0 (July 09, 2024): Advisory published.

Version 1.0

Last Updated 2024-07-09

critical: 0 high: 1 medium: 0 low: 0 System.Data.SqlClient 4.8.5 (nuget)

pkg:nuget/System.Data.SqlClient@4.8.5

# Dockerfile (97:108)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi;  \
    else echo 'Building the image without powershell'; fi

high 8.7: CVE-2024-0056 Cleartext Transmission of Sensitive Information

Affected range: <4.8.6
Fixed version: 4.8.6
CVSS Score: 8.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score: 0.13%
EPSS Percentile: 48th percentile
Description

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

critical: 0 high: 1 medium: 0 low: 0 setuptools 65.5.1 (pypi)

pkg:pypi/setuptools@65.5.1

# Dockerfile (79:79)
FROM ${PYTHON_IMAGE}

high 8.8: CVE-2024-6345 Improper Control of Generation of Code ('Code Injection')

Affected range: <70.0.0
Fixed version: 70.0.0
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.04%
EPSS Percentile: 9th percentile
Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

critical: 0 high: 1 medium: 0 low: 0 System.Text.Json 7.0.823.31807 (nuget)

pkg:nuget/System.Text.Json@7.0.823.31807

# Dockerfile (97:108)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi;  \
    else echo 'Building the image without powershell'; fi

high 7.5: CVE-2024-30105 Uncontrolled Resource Consumption

Affected range: >=7.0.0, <8.0.4
Fixed version: 8.0.4
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.05%
EPSS Percentile: 17th percentile
Description

Microsoft Security Advisory CVE-2024-30105 | .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET where calling the JsonSerializer.DeserializeAsyncEnumerable method against untrusted input using System.Text.Json may result in Denial of Service.

Discussion

Discussion for this issue can be found at dotnet/runtime#104619

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

  • Any .NET 8.0 application running on .NET 8.0.6 or earlier.

Affected Packages

The vulnerability affects any Microsoft .NET Core project if it uses any of the affected package versions listed below.

.NET 8

Package name | Affected version | Patched version
System.Text.Json | >=7.0.0, <=8.0.3 | 8.0.4

Advisory FAQ

How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  • To fix the issue, please install the latest version of .NET 8.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following:
.NET Core SDK (reflecting any global.json):


 Version:   8.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 8.0.3
  Commit:  8473146e7d

.NET Core SDKs installed:

  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]


To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 7.0 or .NET 6.0, please email details to [email protected]. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

External Links

CVE-2024-30105

Revisions

V1.0 (July 09, 2024): Advisory published.

Version 1.0

Last Updated 2024-07-09

critical: 0 high: 1 medium: 0 low: 0 System.Formats.Asn1 7.0.0 (nuget)

pkg:nuget/[email protected]

```dockerfile
# Dockerfile (97:108)
RUN if [ "$WITH_POWERSHELL" = "true" ]; then \
    if [ "$TARGETPLATFORM" = "linux/amd64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O 'pwsh.deb' "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell_${POWERSHELL_DEB_VERSION}.deb_amd64.deb" && \
    dpkg --install 'pwsh.deb' && \
    rm 'pwsh.deb'; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then apt-get update -y && apt install libicu-dev -y && wget -O powershell.tar.gz "https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-arm64.tar.gz" && \
    mkdir -p /opt/microsoft/powershell/7 && \
    tar zxf powershell.tar.gz -C /opt/microsoft/powershell/7 && \
    chmod +x /opt/microsoft/powershell/7/pwsh && \
    ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && \
    rm powershell.tar.gz; \
    else echo 'Could not install pwshell, not on amd64 or arm64'; fi;  \
    else echo 'Building the image without powershell'; fi
```

high 7.5: CVE-2024-38095 Improper Input Validation

Affected range: >=7.0.0-preview.1.22076.8, <8.0.1
Fixed version: 8.0.1
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.06%
EPSS Percentile: 27th percentile
Description

Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists when System.Formats.Asn1 in .NET parses an X.509 certificate or a collection of certificates: a malicious certificate can cause excessive CPU consumption on all platforms, resulting in a denial of service.

Announcement

The announcement for this issue can be found at dotnet/announcements#312.

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

  • Any .NET 6.0 application running on .NET 6.0.31 or earlier.
  • Any .NET 8.0 application running on .NET 8.0.6 or earlier.

Affected Packages

The vulnerability affects any Microsoft .NET Core project if it uses any of the affected package versions listed below.

.NET 6

| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-arm64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.linux-x64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.osx-arm64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.osx-x64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-arm | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-arm64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-x64 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| Microsoft.NetCore.App.Runtime.win-x86 | >=6.0.0, <= 6.0.31 | 6.0.32 |
| System.Formats.Asn1 | >=5.0.0-preview.7.20364.11 | 6.0.1 |

.NET 8

| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-arm64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.linux-x64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.osx-arm64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.osx-x64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-arm | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-arm64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-x64 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| Microsoft.NetCore.App.Runtime.win-x86 | >=8.0.0, <= 8.0.6 | 8.0.7 |
| System.Formats.Asn1 | <=6.0.0, >=7.0.0-preview.1.22076.8 | 8.0.1 |

Advisory FAQ

How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  • To fix the issue please install the latest version of .NET 8.0 or .NET 7.0 or .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following:

.NET Core SDK (reflecting any global.json):


 Version:   8.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 8.0.3
  Commit:  8473146e7d

.NET Core SDKs installed:

  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]


To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 6.0 and .NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 6.0, please email details to [email protected]. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

External Links

CVE-2024-38095

Revisions

V1.0 (July 09, 2024): Advisory published.

Version 1.0

Last Updated 2024-07-09

@HugoCasa HugoCasa marked this pull request as ready for review July 16, 2024 09:31
@HugoCasa HugoCasa requested a review from rubenfiszel as a code owner July 16, 2024 09:31
Contributor

@ellipsis-dev ellipsis-dev bot left a comment

👍 Looks good to me! Reviewed everything up to cf34548 in 1 minute and 37 seconds

More details
  • Looked at 162 lines of code in 6 files
  • Skipped 0 files when reviewing.
  • Skipped posting 3 drafted comments based on config settings.
1. docker/RHEL9/Dockerfile:7
  • Draft comment:
    The PR description specifies not to use rustup, but rust-toolset might include rustup as part of its installation. Please verify and adjust if necessary to align with the PR's intent.
  • Reason this comment was not posted:
    Confidence of 30% on close inspection, compared to threshold of 50%.
2. docker/RHEL9/Dockerfile:61
  • Draft comment:
    The README.md mentions the necessity of xmlsec1-devel for building, but it's not explicitly installed in the Dockerfile. Please ensure all required dependencies are correctly installed as per the project requirements.
  • Reason this comment was not posted:
    Confidence of 0% on close inspection, compared to threshold of 50%.
3. docker/RHEL9/Dockerfile:10
  • Draft comment:
    The PR includes a fix related to rustfmt, but the Dockerfile installs rustfmt without specifying a version. Consider pinning a specific version if needed to ensure consistent formatting across environments.
  • Reason this comment was not posted:
    Confidence of 50% on close inspection, compared to threshold of 50%.

Workflow ID: wflow_r6dretLVXBB0mhCk

@rubenfiszel rubenfiszel merged commit 30a7760 into main Jul 16, 2024
17 checks passed
@rubenfiszel rubenfiszel deleted the hc/rhel9 branch July 16, 2024 14:50
@github-actions github-actions bot locked and limited conversation to collaborators Jul 16, 2024