Hi Team,

In our recent vulnerability scans we observed multiple vulnerabilities.

Usage:

RUN PACKAGES="wget perl-switch" \
    && apk --no-cache add tzdata \
    && wget -qO- "https://yihui.org/tinytex/install-bin-unix.sh" | sh -s - --admin --no-path \
    && mv ~/.TinyTeX /opt/TinyTeX \
    && /opt/TinyTeX/bin/*/tlmgr path add \
    && tlmgr path add \
    && chown -R root:adm /opt/TinyTeX \
    && chmod -R g+w /opt/TinyTeX \
    && chmod -R g+wx /opt/TinyTeX/bin \
    && tlmgr install epstopdf-pkg \

Vulnerabilities List:

libpng | 1.6.37 | sourceforge | libpng/v1.6.37 | v1.6.37 | BDSA-2019-5322
lua | 5.3.6 | unknown | | v5.3.6 | GHSA-4f5v-4r5w-g4x3 (BDSA-2020-1807)
lua | 5.3.6 | unknown | | v5.3.6 | GHSA-4fp8-99qh-27p3 (BDSA-2020-1850)
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2058
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2093
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2094
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2020-2099
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2021-3384
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-0057
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-0976
lua | 5.3.6 | unknown | | v5.3.6 | BDSA-2022-1825
lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | GHSA-fxrv-74g3-w7qr (BDSA-2019-3383)
lz4 | 1.8.3 | github | lz4/lz4:v1.8.3 | v1.8.3 | GHSA-gmc7-pqv9-966m (BDSA-2021-1549)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | GHSA-22wv-f9f6-xwwm (BDSA-2022-1122)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | GHSA-3p63-23m4-gmcp (BDSA-2022-1123)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | GHSA-34wh-7j35-vw3w (BDSA-2022-1124)
The FreeType Project | 2.11.1 | unknown | | 2.11.1 | BDSA-2022-1494
Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | GHSA-fhwx-v7qv-pjh3 (BDSA-2019-0984)
Wget | 1.20.1 | gnu | wget:1.20.1 | 1.20.1 | GHSA-78qj-768g-464g (BDSA-2021-1176)
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2019-4611
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2020-2283
Xpdf | 4.03 | unknown | | 4.03 | CVE-2021-30860
Xpdf | 4.03 | unknown | | 4.03 | GHSA-479v-8jg2-8fgj
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2022-1301
Xpdf | 4.03 | unknown | | 4.03 | GHSA-2gqh-hpcc-jmx2
Xpdf | 4.03 | unknown | | 4.03 | GHSA-fvj4-fm65-5pqm
Xpdf | 4.03 | unknown | | 4.03 | BDSA-2022-3104
Xpdf | 4.03 | unknown | | 4.03 | GHSA-32jj-wp9g-2g8g
XZ Utils | 5.2.4 | unknown | | 5.2.4 | BDSA-2022-0958
zlib | 1.2.11 | unknown | | 1.2.11 | GHSA-jc36-42cf-vqwj (BDSA-2018-5271)
zlib | 1.2.11 | unknown | | 1.2.11 | GHSA-cfmr-vrgj-vqwv (BDSA-2022-2183)

I see that the packages are installed using - https://tinytex.yihui.org/pkgs-custom.txt
Can we get these packages' latest versions installed by https://tinytex.yihui.org/pkgs-custom.txt?
If that's done we can get over most of these vulnerabilities or at least we will be at their latest versions.

Regards,
Amber Khare
Duplicate of rstudio/tinytex-releases#34