Skip to content

v0.19.3

Compare
Choose a tag to compare
@MaineK00n MaineK00n released this 09 Feb 01:37
· 350 commits to master since this release
0cdc7a3

What's new in v0.19.3

TL;DR

  • Fedora support #1367
  • trivy v0.23.0 support #1377

How it works

Vulnerable Fedora Environment Setup

Deliberately downgrade the mysql package so that FEDORA-MODULAR-2021-217f84c072 is detected.

  • Dockerfile
FROM fedora:35

RUN dnf -y install openssh-server glibc-langpack-en
RUN mkdir /var/run/sshd

RUN sed -i 's/#\?PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed -i 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' /etc/pam.d/sshd

ENV NOTVISIBLE "in users profile"
RUN echo "export VISIBLE=now" >> /etc/profile

COPY .ssh/id_rsa.pub /root/authorized_keys
RUN mkdir ~/.ssh && \
    mv ~/authorized_keys ~/.ssh/authorized_keys && \
    chmod 0600 ~/.ssh/authorized_keys

RUN ssh-keygen -A
RUN rm -rf /run/nologin

EXPOSE 22

# Vuls Setting
RUN dnf -y install dnf-utils which lsof iproute

# FEDORA-MODULAR-2021-217f84c072
RUN dnf module install -y mysql && dnf downgrade -y mysql

CMD ["/usr/sbin/sshd", "-D"]

check community-mysql package version

$ docker build -t vuls-target -f Dockerfile .
$ docker run --rm -itd -p 2222:22 vuls-target
$ ssh -i ~/.ssh/id_rsa -p 2222 [email protected]
[root@615d6b9247ec /]# cat /etc/fedora-release 
Fedora release 35 (Thirty Five)
[root@615d6b9247ec /]# rpm -qa | grep community-mysql
community-mysql-common-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-errmsg-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-server-8.0.26-1.module_f35+12627+b26747dd.x86_64

Vulnerability Detection (dnf updateinfo --security vs vuls report)

dnf updateinfo --security

The mysql package we just installed is a modular package, so the advisory starting with FEDORA-MODULAR- should be presented.
However, the actual advisory provided relates to a non-modular package of the same name.

[root@615d6b9247ec /]# dnf updateinfo --security --info
Last metadata expiration check: 0:02:24 ago on Thu Feb  3 04:47:52 2022.
===============================================================================
  community-mysql-8.0.27-1.fc35
===============================================================================
  Update ID: FEDORA-2021-46dc82116b
       Type: security
    Updated: 2021-11-10 02:52:52
       Bugs: 2015421 - community-mysql-8.0.27 is available
           : 2016141 - CVE-2021-2478 CVE-2021-2479 CVE-2021-2481 CVE-2021-35546 CVE-2021-35575 CVE-2021-35577 CVE-2021-35591 CVE-2021-35596 CVE-2021-35597 CVE-2021-35602 CVE-2021-35604 CVE-2021-35607 CVE-2021-35608 CVE-2021-35610 ... community-mysql: various flaws [fedora-all]
Description: **MySQL 8.0.27**
           : 
           : Release notes:
           : 
           :     https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html
   Severity: Moderate

vuls

vuls report

FixedIn is displayed correctly as module to module!

$ vuls report --format-full-text
...
+----------------+----------------------------------------------------------------------------------+
| CVE-2021-35610 | FIXED                                                                            |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 7.1 MODERATE (redhat_api)                                                        |
| redhat_api     | 7.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H MODERATE                        |
| nvd            | 7.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H HIGH                            |
| jvn            | 7.1/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H HIGH                            |
| Vendor         | 4.0-6.9 MODERATE                                                                 |
| nvd            | 5.5/AV:N/AC:L/Au:S/C:N/I:P/A:P MEDIUM                                            |
| jvn            | 5.5/AV:N/AC:L/Au:S/C:N/I:P/A:P MEDIUM                                            |
| Summary        | **MySQL 8.0.27**  Release notes:                                                 |
|                | https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html                 |
| Primary Src    | https://www.oracle.com/security-alerts/cpuoct2021.html                           |
| Primary Src    | https://nvd.nist.gov/vuln/detail/CVE-2021-35610                                  |
| Primary Src    | https://bodhi.fedoraproject.org/updates/FEDORA-MODULAR-2021-217f84c072           |
| Patch          | https://www.oracle.com/security-alerts/cpuoct2021.html                           |
| Affected Pkg   | community-mysql-8.0.26-1.module_f35+12627+b26747dd                               |
|                | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn:                                  |
|                | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular)                          |
| Affected Pkg   | community-mysql-common-8.0.26-1.module_f35+12627+b26747dd                        |
|                | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn:                                  |
|                | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular)                          |
| Affected Pkg   | community-mysql-errmsg-8.0.26-1.module_f35+12627+b26747dd                        |
|                | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn:                                  |
|                | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular)                          |
| Affected Pkg   | community-mysql-server-8.0.26-1.module_f35+12627+b26747dd                        |
|                | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn:                                  |
|                | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular)                          |
| Confidence     | 100 / OvalMatch                                                                  |
| CWE            | NVD-CWE-noinfo:  (nvd)                                                           |
| CWE            | https://cwe.mitre.org/data/definitions/NVD-CWE-noinfo.html                       |
+----------------+----------------------------------------------------------------------------------+
...

vuls tui

Looking at the TUI, we have succeeded in getting the advisory we really want: FEDORA-MODULAR-2021-217f84c072!

vuls tui


What's Changed

New Contributors

Full Changelog: v0.19.2...v0.19.3