Security Vulnerabilities detected!! #34
We do install the very latest versions in the daily release: https://github.com/rstudio/tinytex-releases/releases/tag/daily The installation script https://yihui.org/tinytex/install-bin-unix.sh installs the daily version by default. So I'm not sure why you still got the problems. Thanks for the report anyway!
Thanks for the reply! So it's using https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh and not https://yihui.org/tinytex/install-bin-unix.sh. As this is transitive to us, we are not able to make any changes. Can you make similar changes to https://github.com/yihui/tinytex/raw/master/tools/install-unx.sh, so that it also starts installing the daily version by default? Appreciate the help. Regards,
Sorry, I still don't understand. Both
Hi Team,
In our recent vulnerability scans we observed multiple vulnerabilities.
Usage:

```dockerfile
RUN PACKAGES="wget perl-switch" \
  && apk --no-cache add tzdata \
  && wget -qO- \
    "https://yihui.org/tinytex/install-bin-unix.sh" | \
    sh -s - --admin --no-path \
  && mv ~/.TinyTeX /opt/TinyTeX \
  && /opt/TinyTeX/bin/*/tlmgr path add \
  && tlmgr path add \
  && chown -R root:adm /opt/TinyTeX \
  && chmod -R g+w /opt/TinyTeX \
  && chmod -R g+wx /opt/TinyTeX/bin \
  && tlmgr install epstopdf-pkg \
```
Vulnerabilities List:
libpng | 1.6.37 | sourceforge | libpng/v1.6.37 | v1.6.37 | BDSA-2019-5322
lua | 5.3.6 | unknown | | v5.3.6 | CVE-2020-15888 (BDSA-2020-1807)
lua | 5.3.6 | unknown | | v5.3.6 | CVE-2020-15945 (BDSA-2020-1850)
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2058
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2093
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2094
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2099
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2021-3384
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-0057
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-0976
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-1825
lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | CVE-2019-17543 (BDSA-2019-3383)
lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | CVE-2021-3520 (BDSA-2021-1549)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | CVE-2022-27404 (BDSA-2022-1122)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | CVE-2022-27405 (BDSA-2022-1123)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | CVE-2022-27406 (BDSA-2022-1124)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | BDSA-2022-1494
Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | CVE-2019-5953 (BDSA-2019-0984)
Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | CVE-2021-31879 (BDSA-2021-1176)
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2019-4611
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2020-2283
Xpdf | 4.03 | unknown | | 4.03 | CVE-2021-30860
Xpdf | 4.03 | unknown | | 4.03 | CVE-2022-27135
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2022-1301
Xpdf | 4.03 | unknown | | 4.03 | CVE-2021-27548
Xpdf | 4.03 | unknown | | 4.03 | CVE-2022-38334
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2022-3104
Xpdf | 4.03 | unknown | | 4.03 | CVE-2021-36493
XZ Utils | 5.2.4 | unknown | | 5.2.4 | BDSA-2022-0958
zlib | 1.2.11 | unknown | | 1.2.11 | CVE-2018-25032 (BDSA-2018-5271)
zlib | 1.2.11 | unknown | | 1.2.11 | CVE-2022-37434 (BDSA-2022-2183)
I see that the packages are installed using https://tinytex.yihui.org/pkgs-custom.txt
Can we get these packages' latest versions installed by https://tinytex.yihui.org/pkgs-custom.txt?
If that's done, we can get over most of these vulnerabilities, or at least we will be at their latest versions.
Regards,
Amber Khare