ALT Vulnerability
This commit is contained in:
parent
4f62f40e62
commit
c5da272ed8
@ -117,7 +117,7 @@
|
||||
{
|
||||
"ID": "CVE-2015-0310",
|
||||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||||
"CWE": "CWE-264",
|
||||
"CWE": "NVD-CWE-noinfo",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2015-0310",
|
||||
"Impact": "Critical",
|
||||
"Public": "20150123"
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -105,7 +105,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades otrs to version 6.0.36-alt1. \nSecurity Fix(es):\n\n * BDU:2021-04651: Уязвимость системы запроса билетов OTRS, связанная с недостатками в обработке исключительных состояний, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-01681: Уязвимость системы запроса билетов OTRS, связанная с ошибками обработки разрешений, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2022-05546: Уязвимость системы запроса билетов OTRS, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)\n\n * BDU:2022-05547: Уязвимость интерфейса администратора системы запроса билетов OTRS, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)\n\n * CVE-2021-21435: Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions.\n\n * CVE-2021-21439: DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.\n\n * CVE-2021-21443: Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.\n\n * CVE-2021-36091: Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.\n\n * CVE-2021-36092: It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.\n\n * CVE-2022-39049: An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.\n\n * CVE-2022-39050: An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap\n\n * CVE-2022-39051: Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package\n\n * CVE-2022-39052: An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system\n\n * CVE-2022-4427: Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice\nThis issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n\n\n * CVE-2023-1248: Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n\n\n * CVE-2023-1250: Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names\nThis issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n",
|
||||
"Description": "This update upgrades otrs to version 6.0.36-alt1. \nSecurity Fix(es):\n\n * BDU:2021-04651: Уязвимость системы запроса билетов OTRS, связанная с недостатками в обработке исключительных состояний, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-01681: Уязвимость системы запроса билетов OTRS, связанная с ошибками обработки разрешений, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2022-05546: Уязвимость системы запроса билетов OTRS, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)\n\n * BDU:2022-05547: Уязвимость интерфейса администратора системы запроса билетов OTRS, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)\n\n * CVE-2021-21435: Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions.\n\n * CVE-2021-21439: DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.\n\n * CVE-2021-21443: Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.\n\n * CVE-2021-36091: Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.\n\n * CVE-2021-36092: It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.\n\n * CVE-2022-39049: An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.\n\n * CVE-2022-39050: An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap\n\n * CVE-2022-39051: Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package\n\n * CVE-2022-39052: An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system\n\n * CVE-2022-4427: Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice\nThis issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n * CVE-2023-1248: Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n\n\n * CVE-2023-1250: Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names\nThis issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades apache2 to version 2.4.55-alt1. \nSecurity Fix(es):\n\n * BDU:2023-00495: Уязвимость модуля mod_proxy_ajp веб-сервера Apache HTTP Server, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * BDU:2023-00496: Уязвимость модуля mod_proxy веб-сервера Apache HTTP Server, позволяющая нарушителю выполнять атаки с разделением ответов HTTP\n\n * BDU:2023-01105: Уязвимость модуля mod_dav веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2006-20001: A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.\n\nThis issue affects Apache HTTP Server 2.4.54 and earlier.\n\n\n * CVE-2022-36760: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.\n\n * CVE-2022-37436: Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.\n\n * #44044: Отключённый a2dismod модуль отключается даже после a2enmod",
|
||||
"Description": "This update upgrades apache2 to version 2.4.55-alt1. \nSecurity Fix(es):\n\n * BDU:2023-00495: Уязвимость модуля mod_proxy_ajp веб-сервера Apache HTTP Server, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * BDU:2023-00496: Уязвимость модуля mod_proxy веб-сервера Apache HTTP Server, позволяющая нарушителю выполнять атаки с разделением ответов HTTP\n\n * BDU:2023-01105: Уязвимость модуля mod_dav веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2006-20001: A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.\n\nThis issue affects Apache HTTP Server 2.4.54 and earlier.\n\n * CVE-2022-36760: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.\n\n * CVE-2022-37436: Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.\n\n * #44044: Отключённый a2dismod модуль отключается даже после a2enmod",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -50,7 +50,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades php8.1 to version 8.1.16-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02263: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-02264: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность\n\n * CVE-2023-0567: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. \n\n\n\n * CVE-2023-0568: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. \n\n * CVE-2023-0662: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. ",
|
||||
"Description": "This update upgrades php8.1 to version 8.1.16-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02263: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-02264: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность\n\n * CVE-2023-0567: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. \n\n\n\n * CVE-2023-0568: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.\n\n * CVE-2023-0662: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -50,7 +50,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades php8.0 to version 8.0.28-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02263: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-02264: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность\n\n * CVE-2023-0567: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. \n\n\n\n * CVE-2023-0568: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. \n\n * CVE-2023-0662: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. ",
|
||||
"Description": "This update upgrades php8.0 to version 8.0.28-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02263: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-02264: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность\n\n * CVE-2023-0567: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. \n\n\n\n * CVE-2023-0568: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.\n\n * CVE-2023-0662: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kernel-image-un-def to version 5.15.96-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01571: Уязвимость функции tcf_exts_exec() фильтра индексирования системы контроля трафика tcindex ядра операционных систем Linux, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2023-02532: Уязвимость функции _copy_from_user() в модуле lib/usercopy.c ядра операционной системы Linux, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-0459: Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47\n\n * CVE-2023-1281: Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root.\nThis issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.\n\n",
|
||||
"Description": "This update upgrades kernel-image-un-def to version 5.15.96-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01571: Уязвимость функции tcf_exts_exec() фильтра индексирования системы контроля трафика tcindex ядра операционных систем Linux, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2023-02532: Уязвимость функции _copy_from_user() в модуле lib/usercopy.c ядра операционной системы Linux, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-0459: Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47\n\n * CVE-2023-1281: Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root.\nThis issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kernel-image-std-def to version 5.10.170-alt1. \nSecurity Fix(es):\n\n * BDU:2022-07509: Уязвимость подсистемы виртуализации Kernel-based Virtual Machine (KVM) ядра операционной системы Linux, позволяющая нарушителю получить несанкционированный доступ и повысить свои привилегии\n\n * BDU:2023-01571: Уязвимость функции tcf_exts_exec() фильтра индексирования системы контроля трафика tcindex ядра операционных систем Linux, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2023-02532: Уязвимость функции _copy_from_user() в модуле lib/usercopy.c ядра операционной системы Linux, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2022-2196: A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a\n\n\n * CVE-2023-0459: Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47\n\n * CVE-2023-1281: Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root.\nThis issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.\n\n",
|
||||
"Description": "This update upgrades kernel-image-std-def to version 5.10.170-alt1. \nSecurity Fix(es):\n\n * BDU:2022-07509: Уязвимость подсистемы виртуализации Kernel-based Virtual Machine (KVM) ядра операционной системы Linux, позволяющая нарушителю получить несанкционированный доступ и повысить свои привилегии\n\n * BDU:2023-01571: Уязвимость функции tcf_exts_exec() фильтра индексирования системы контроля трафика tcindex ядра операционных систем Linux, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2023-02532: Уязвимость функции _copy_from_user() в модуле lib/usercopy.c ядра операционной системы Linux, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2022-2196: A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a\n\n * CVE-2023-0459: Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47\n\n * CVE-2023-1281: Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root.\nThis issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades apache2 to version 2.4.56-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01738: Уязвимость модуля mod_proxy веб-сервера Apache HTTP Server, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * BDU:2023-02021: Уязвимость компонента mod_proxy_uwsgi веб-сервера Apache HTTP Server связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку \u0026quot;контрабанда HTTP-запросов\u0026quot;\n\n * CVE-2023-25690: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.\n\n\n\n\nConfigurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example, something like:\n\n\n\n\nRewriteEngine on\nRewriteRule \"^/here/(.*)\" \"http://example.com:8080/elsewhere?$1\"; [P]\nProxyPassReverse /here/ http://example.com:8080/\n\n\nRequest splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.\n\n\n\n\n * CVE-2023-27522: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.\n\nSpecial characters in the origin response header can truncate/split the response forwarded to the client.\n\n\n",
|
||||
"Description": "This update upgrades apache2 to version 2.4.56-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01738: Уязвимость модуля mod_proxy веб-сервера Apache HTTP Server, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * BDU:2023-02021: Уязвимость компонента mod_proxy_uwsgi веб-сервера Apache HTTP Server связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку \u0026quot;контрабанда HTTP-запросов\u0026quot;\n\n * CVE-2023-25690: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.\n\n\n\n\nConfigurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example, something like:\n\n\n\n\nRewriteEngine on\nRewriteRule \"^/here/(.*)\" \"http://example.com:8080/elsewhere?$1\"; [P]\nProxyPassReverse /here/ http://example.com:8080/\n\n\nRequest splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.\n\n * CVE-2023-27522: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.\n\nSpecial characters in the origin response header can truncate/split the response forwarded to the client.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kernel-image-rt to version 5.10.175-alt1.rt84. \nSecurity Fix(es):\n\n * BDU:2023-01571: Уязвимость функции tcf_exts_exec() фильтра индексирования системы контроля трафика tcindex ядра операционных систем Linux, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2023-02532: Уязвимость функции _copy_from_user() в модуле lib/usercopy.c ядра операционной системы Linux, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-0459: Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47\n\n * CVE-2023-1281: Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root.\nThis issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.\n\n",
|
||||
"Description": "This update upgrades kernel-image-rt to version 5.10.175-alt1.rt84. \nSecurity Fix(es):\n\n * BDU:2023-01571: Уязвимость функции tcf_exts_exec() фильтра индексирования системы контроля трафика tcindex ядра операционных систем Linux, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2023-02532: Уязвимость функции _copy_from_user() в модуле lib/usercopy.c ядра операционной системы Linux, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-0459: Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47\n\n * CVE-2023-1281: Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root.\nThis issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -50,7 +50,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kubernetes to version 1.26.3-alt1. \nSecurity Fix(es):\n\n * BDU:2022-06756: Уязвимость Kube API-сервера программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю выполнить произвольные запросы\n\n * BDU:2022-06757: Уязвимость программного средства управления кластерами виртуальных машин Kubernetes, связанная с недостатками контроля доступа, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * CVE-2022-3162: Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.\n\n * CVE-2022-3172: A security issue was discovered in kube-apiserver that allows an \naggregated API server to redirect client traffic to any URL. This could\n lead to the client performing unexpected actions as well as forwarding \nthe client's API server credentials to third parties.\n\n\n * CVE-2022-3294: Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.",
|
||||
"Description": "This update upgrades kubernetes to version 1.26.3-alt1. \nSecurity Fix(es):\n\n * BDU:2022-06756: Уязвимость Kube API-сервера программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю выполнить произвольные запросы\n\n * BDU:2022-06757: Уязвимость программного средства управления кластерами виртуальных машин Kubernetes, связанная с недостатками контроля доступа, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * CVE-2022-3162: Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.\n\n * CVE-2022-3172: A security issue was discovered in kube-apiserver that allows an \naggregated API server to redirect client traffic to any URL. This could\n lead to the client performing unexpected actions as well as forwarding \nthe client's API server credentials to third parties.\n\n * CVE-2022-3294: Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -30,7 +30,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades traefik to version 2.9.10-alt1. \nSecurity Fix(es):\n\n * CVE-2023-29013: Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service. This issue has been patched in versions 2.9.10 and 2.10.0-rc2.\n",
|
||||
"Description": "This update upgrades traefik to version 2.9.10-alt1. \nSecurity Fix(es):\n\n * CVE-2023-29013: Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service. This issue has been patched in versions 2.9.10 and 2.10.0-rc2.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
@ -46,6 +46,7 @@
|
||||
{
|
||||
"ID": "CVE-2023-29013",
|
||||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
|
||||
"CWE": "CWE-400",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-29013",
|
||||
"Impact": "High",
|
||||
"Public": "20230414"
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kubernetes to version 1.26.6-alt1. \nSecurity Fix(es):\n\n * BDU:2023-03213: Уязвимость программного средства управления кластерами виртуальных машин Kubernetes, связанная с возможностью обхода политик модуля допуска ImagePolicyWebhook, позволяющая нарушителю обойти существующие ограничения безопасности при запуске контейнеров\n\n * CVE-2023-2431: A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.\n\n * CVE-2023-2727: Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n\n\n * CVE-2023-2728: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.\n\n",
|
||||
"Description": "This update upgrades kubernetes to version 1.26.6-alt1. \nSecurity Fix(es):\n\n * BDU:2023-03213: Уязвимость программного средства управления кластерами виртуальных машин Kubernetes, связанная с возможностью обхода политик модуля допуска ImagePolicyWebhook, позволяющая нарушителю обойти существующие ограничения безопасности при запуске контейнеров\n\n * CVE-2023-2431: A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.\n\n * CVE-2023-2727: Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n * CVE-2023-2728: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
|
||||
@ -90,7 +90,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades c-ares to version 1.19.1-alt1. \nSecurity Fix(es):\n\n * BDU:2018-00106: Уязвимость функции ares_parse_naptr_reply библиотеки асинхронных DNS-запросов c-ares, позволяющая нарушителю выполнить чтение за границами буфера в памяти\n\n * BDU:2021-04594: Уязвимость функций ares_destroy() и ares_getaddrinfo() библиотеки асинхронных DNS-запросов C-ares, связанная с использованием памяти после её освобождения, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-01258: Уязвимость функции ares_set_sortlist библиотеки асинхронных DNS-запросов c-ares, позволяющая нарушителю вызвать отказ в обслуживании или оказать ограниченное влияния на конфиденциальность и целостность\n\n * BDU:2023-05898: Уязвимость функции ares_parse_soa_reply() библиотеки асинхронных DNS-запросов C-ares, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * CVE-2016-5180: Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.\n\n * CVE-2017-1000381: The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.\n\n * CVE-2020-14354: A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.\n\n * CVE-2020-22217: Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.\n\n * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.\n\n * CVE-2023-31124: c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.\n\n\n * CVE-2023-31130: c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n\n\n * CVE-2023-31147: c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.\n\n * CVE-2023-32067: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.",
|
||||
"Description": "This update upgrades c-ares to version 1.19.1-alt1. \nSecurity Fix(es):\n\n * BDU:2018-00106: Уязвимость функции ares_parse_naptr_reply библиотеки асинхронных DNS-запросов c-ares, позволяющая нарушителю выполнить чтение за границами буфера в памяти\n\n * BDU:2021-04594: Уязвимость функций ares_destroy() и ares_getaddrinfo() библиотеки асинхронных DNS-запросов C-ares, связанная с использованием памяти после её освобождения, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-01258: Уязвимость функции ares_set_sortlist библиотеки асинхронных DNS-запросов c-ares, позволяющая нарушителю вызвать отказ в обслуживании или оказать ограниченное влияния на конфиденциальность и целостность\n\n * BDU:2023-05898: Уязвимость функции ares_parse_soa_reply() библиотеки асинхронных DNS-запросов C-ares, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * CVE-2016-5180: Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.\n\n * CVE-2017-1000381: The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.\n\n * CVE-2020-14354: A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.\n\n * CVE-2020-22217: Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.\n\n * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.\n\n * CVE-2023-31124: c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.\n\n * CVE-2023-31130: c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n\n * CVE-2023-31147: c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.\n\n * CVE-2023-32067: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
@ -186,6 +186,7 @@
|
||||
{
|
||||
"ID": "CVE-2023-31124",
|
||||
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
|
||||
"CWE": "CWE-330",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-31124",
|
||||
"Impact": "Low",
|
||||
"Public": "20230525"
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades firefox-esr to version 102.12.0-alt2. \nSecurity Fix(es):\n\n * BDU:2023-03125: Уязвимость браузеров Mozilla Firefox и Firefox ESR, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-03196: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с неверным ограничением визуализируемых слоев пользовательского интерфейса, позволяющая нарушителю провести атаку типа clickjacking («захват клика»)\n\n * CVE-2023-34414: The error page for sites with invalid TLS certificates was missing the\nactivation-delay Firefox uses to protect prompts and permission dialogs\nfrom attacks that exploit human response time delays. If a malicious\npage elicited user clicks in precise locations immediately before\nnavigating to a site with a certificate error and made the renderer\nextremely busy at the same time, it could create a gap between when\nthe error page was loaded and when the display actually refreshed.\nWith the right timing the elicited clicks could land in that gap and \nactivate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR \u003c 102.12, Firefox \u003c 114, and Thunderbird \u003c 102.12.\n\n * CVE-2023-34416: Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR \u003c 102.12, Firefox \u003c 114, and Thunderbird \u003c 102.12.\n\n",
|
||||
"Description": "This update upgrades firefox-esr to version 102.12.0-alt2. \nSecurity Fix(es):\n\n * BDU:2023-03125: Уязвимость браузеров Mozilla Firefox и Firefox ESR, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-03196: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с неверным ограничением визуализируемых слоев пользовательского интерфейса, позволяющая нарушителю провести атаку типа clickjacking («захват клика»)\n\n * CVE-2023-34414: The error page for sites with invalid TLS certificates was missing the\nactivation-delay Firefox uses to protect prompts and permission dialogs\nfrom attacks that exploit human response time delays. If a malicious\npage elicited user clicks in precise locations immediately before\nnavigating to a site with a certificate error and made the renderer\nextremely busy at the same time, it could create a gap between when\nthe error page was loaded and when the display actually refreshed.\nWith the right timing the elicited clicks could land in that gap and \nactivate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR \u003c 102.12, Firefox \u003c 114, and Thunderbird \u003c 102.12.\n\n * CVE-2023-34416: Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR \u003c 102.12, Firefox \u003c 114, and Thunderbird \u003c 102.12.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades salt to version 3005.2-alt0.c10.1. \nSecurity Fix(es):\n\n * CVE-2023-20897: Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.\n\n\n * CVE-2023-20898: Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.\n",
|
||||
"Description": "This update upgrades salt to version 3005.2-alt0.c10.1. \nSecurity Fix(es):\n\n * CVE-2023-20897: Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.\n\n * CVE-2023-20898: Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -65,7 +65,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades wireshark to version 4.0.8-alt1. \nSecurity Fix(es):\n\n * BDU:2023-05022: Уязвимость компонента CP2179 анализатора трафика компьютерных сетей Wireshark, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05711: Уязвимость анализатора трафика компьютерных сетей Wireshark, связанная с выполнением цикла с недоступным условием выхода, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05712: Уязвимость анализатора трафика компьютерных сетей Wireshark , связанная с ошибкой освобождения памяти, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05713: Уязвимость анализатора трафика компьютерных сетей Wireshark, вызванная неконтролируемой рекурсией, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-2906: Due to a failure in validating the length provided by an attacker-crafted CP2179 packet, Wireshark versions 2.0.0 through 4.0.7 is susceptible to a divide by zero allowing for a denial of service attack.\n\n\n * CVE-2023-4511: BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file\n\n * CVE-2023-4512: CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file\n\n * CVE-2023-4513: BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file",
|
||||
"Description": "This update upgrades wireshark to version 4.0.8-alt1. \nSecurity Fix(es):\n\n * BDU:2023-05022: Уязвимость компонента CP2179 анализатора трафика компьютерных сетей Wireshark, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05711: Уязвимость анализатора трафика компьютерных сетей Wireshark, связанная с выполнением цикла с недоступным условием выхода, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05712: Уязвимость анализатора трафика компьютерных сетей Wireshark , связанная с ошибкой освобождения памяти, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05713: Уязвимость анализатора трафика компьютерных сетей Wireshark, вызванная неконтролируемой рекурсией, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-2906: Due to a failure in validating the length provided by an attacker-crafted CP2179 packet, Wireshark versions 2.0.0 through 4.0.7 is susceptible to a divide by zero allowing for a denial of service attack.\n\n * CVE-2023-4511: BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file\n\n * CVE-2023-4512: CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file\n\n * CVE-2023-4513: BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades php8.0 to version 8.0.30-alt1. \nSecurity Fix(es):\n\n * CVE-2023-3823: In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. \n\n\n\n * CVE-2023-3824: In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. \n\n",
|
||||
"Description": "This update upgrades php8.0 to version 8.0.30-alt1. \nSecurity Fix(es):\n\n * CVE-2023-3823: In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.\n\n * CVE-2023-3824: In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
@ -30,7 +30,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades xrdp to version 0.9.23-alt1. \nSecurity Fix(es):\n\n * CVE-2023-40184: xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.",
|
||||
"Description": "This update upgrades xrdp to version 0.9.23-alt1. \nSecurity Fix(es):\n\n * CVE-2023-40184: xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades xrdp to version 0.9.23.1-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06266: Уязвимость компонента xrdp_painter.c сервера XRDP, позволяющая нарушителю получить доступ к защищаемой информации\n\n * CVE-2023-42822: xrdp is an open source remote desktop protocol server. Access to the font glyphs in xrdp_painter.c is not bounds-checked . Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. This issue has been addressed in release 0.9.23.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
|
||||
"Description": "This update upgrades xrdp to version 0.9.23.1-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06266: Уязвимость компонента xrdp_painter.c сервера XRDP, позволяющая нарушителю получить доступ к защищаемой информации\n\n * CVE-2023-42822: xrdp is an open source remote desktop protocol server. Access to the font glyphs in xrdp_painter.c is not bounds-checked . Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. This issue has been addressed in release 0.9.23.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades curl to version 8.4.0-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06576: Уязвимость реализации протокола SOCKS5 утилиты командной строки cURL, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код\n\n * BDU:2023-06579: Уязвимость функции curl_easy_duphandle библиотеки libcurl, позволяющая нарушителю создать или перезаписать файлы cookie\n\n * CVE-2023-38545: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.\n\n\n * CVE-2023-38546: This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course.\n",
|
||||
"Description": "This update upgrades curl to version 8.4.0-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06576: Уязвимость реализации протокола SOCKS5 утилиты командной строки cURL, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код\n\n * BDU:2023-06579: Уязвимость функции curl_easy_duphandle библиотеки libcurl, позволяющая нарушителю создать или перезаписать файлы cookie\n\n * CVE-2023-38545: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.\n\n * CVE-2023-38546: This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades php8.1 to version 8.1.25-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06656: Уязвимость интерпретатора языка программирования PHP, связанная с неверным ограничением XML-ссылок на внешний объект, позволяющая нарушителю вызвать отказ в обслуживании или получить несанкционированный доступ к конфиденциальным данным\n\n * BDU:2023-06657: Уязвимость функции phar_dir_read() интерпретатора PHP, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-3823: In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. \n\n\n\n * CVE-2023-3824: In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. \n\n",
|
||||
"Description": "This update upgrades php8.1 to version 8.1.25-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06656: Уязвимость интерпретатора языка программирования PHP, связанная с неверным ограничением XML-ссылок на внешний объект, позволяющая нарушителю вызвать отказ в обслуживании или получить несанкционированный доступ к конфиденциальным данным\n\n * BDU:2023-06657: Уязвимость функции phar_dir_read() интерпретатора PHP, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-3823: In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.\n\n * CVE-2023-3824: In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades php8.2 to version 8.2.12-alt1. \nSecurity Fix(es):\n\n * BDU:2023-05887: Уязвимость языка программирования PHP, связанная с использованием недостаточно случайных значений, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2023-06656: Уязвимость интерпретатора языка программирования PHP, связанная с неверным ограничением XML-ссылок на внешний объект, позволяющая нарушителю вызвать отказ в обслуживании или получить несанкционированный доступ к конфиденциальным данным\n\n * BDU:2023-06657: Уязвимость функции phar_dir_read() интерпретатора PHP, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-3247: In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. \n\n\n\n * CVE-2023-3823: In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. \n\n\n\n * CVE-2023-3824: In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. \n\n",
|
||||
"Description": "This update upgrades php8.2 to version 8.2.12-alt1. \nSecurity Fix(es):\n\n * BDU:2023-05887: Уязвимость языка программирования PHP, связанная с использованием недостаточно случайных значений, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2023-06656: Уязвимость интерпретатора языка программирования PHP, связанная с неверным ограничением XML-ссылок на внешний объект, позволяющая нарушителю вызвать отказ в обслуживании или получить несанкционированный доступ к конфиденциальным данным\n\n * BDU:2023-06657: Уязвимость функции phar_dir_read() интерпретатора PHP, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-3247: In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. \n\n\n\n * CVE-2023-3823: In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.\n\n * CVE-2023-3824: In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades apache2 to version 2.4.58-alt1. \nSecurity Fix(es):\n\n * BDU:2023-07003: Уязвимость компонента обработчика HTTP2 веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-07124: Уязвимость модуля mod_macro веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-07171: Уязвимость веб-сервера Apache HTTP Server, связанная с блокировкой обработки соединения HTTP/2, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-31122: Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.\n\n\n\n * CVE-2023-43622: An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n\n\n\n * CVE-2023-45802: When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.\n\nThis was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During \"normal\" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.",
|
||||
"Description": "This update upgrades apache2 to version 2.4.58-alt1. \nSecurity Fix(es):\n\n * BDU:2023-07003: Уязвимость компонента обработчика HTTP2 веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-07124: Уязвимость модуля mod_macro веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-07171: Уязвимость веб-сервера Apache HTTP Server, связанная с блокировкой обработки соединения HTTP/2, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-31122: Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.\n\n * CVE-2023-43622: An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n\n * CVE-2023-45802: When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.\n\nThis was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During \"normal\" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades vim to version 9.0.2081-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06596: Уязвимость функции trunc_string() текстового редактора Vim, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-07250: Уязвимость функции ga_grow_inner текстового редактора vim,, вызванная целочисленным переполнением, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-46246: Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.\n\n\n * CVE-2023-5344: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.\n\n * CVE-2023-5441: NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.\n\n * CVE-2023-5535: Use After Free in GitHub repository vim/vim prior to v9.0.2010.",
|
||||
"Description": "This update upgrades vim to version 9.0.2081-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06596: Уязвимость функции trunc_string() текстового редактора Vim, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-07250: Уязвимость функции ga_grow_inner текстового редактора vim,, вызванная целочисленным переполнением, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-46246: Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.\n\n * CVE-2023-5344: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.\n\n * CVE-2023-5441: NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.\n\n * CVE-2023-5535: Use After Free in GitHub repository vim/vim prior to v9.0.2010.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -75,7 +75,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades squid to version 6.5-alt1. \nSecurity Fix(es):\n\n * BDU:2023-07699: Уязвимость прокси-сервера Squid, связанная с ошибками при проверке сертификата SSL/TLS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-07920: Уязвимость обработчика аутентификации HTTP Digest Authentication прокси-сервера Squid, позволяющая нарушителю вызвать отказ в обслуживании или оказать иное воздействие\n\n * BDU:2023-08061: Уязвимость прокси-сервера Squid, связана с неправильным обращением с исключительными условиями и неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-08062: Уязвимость прокси-сервера Squid, связана с неправильным преобразованием между числовыми типами и неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-08063: Уязвимость декодера chunked прокси-сервера Squid, \nпозволяющая нарушителю взаимодействовать с сервером напрямую\n\n * CVE-2023-46724: Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.\n\n * CVE-2023-46846: SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.\n\n * CVE-2023-46847: Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.\n\n * CVE-2023-46848: Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input.\n\n * CVE-2023-5824: A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service.",
|
||||
"Description": "This update upgrades squid to version 6.5-alt1. \nSecurity Fix(es):\n\n * BDU:2023-07699: Уязвимость прокси-сервера Squid, связанная с ошибками при проверке сертификата SSL/TLS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-07920: Уязвимость обработчика аутентификации HTTP Digest Authentication прокси-сервера Squid, позволяющая нарушителю вызвать отказ в обслуживании или оказать иное воздействие\n\n * BDU:2023-08061: Уязвимость прокси-сервера Squid, связана с неправильным обращением с исключительными условиями и неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-08062: Уязвимость прокси-сервера Squid, связана с неправильным преобразованием между числовыми типами и неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-08063: Уязвимость декодера chunked прокси-сервера Squid, \nпозволяющая нарушителю взаимодействовать с сервером напрямую\n\n * CVE-2023-46724: Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.\n\n * CVE-2023-46846: SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.\n\n * CVE-2023-46847: Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.\n\n * CVE-2023-46848: Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input.\n\n * CVE-2023-5824: A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades curl to version 8.5.0-alt1. \nSecurity Fix(es):\n\n * CVE-2023-46218: This flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n\n\n * CVE-2023-46219: When saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n",
|
||||
"Description": "This update upgrades curl to version 8.5.0-alt1. \nSecurity Fix(es):\n\n * CVE-2023-46218: This flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n\n * CVE-2023-46219: When saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades php8.2 to version 8.2.3-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02263: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-02264: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность\n\n * BDU:2024-07326: Уязвимость функции верификации пароля языка программирования PHP, связанная с недостаточным вычислением хеша пароля, позволяющая нарушителю оказать воздействие на целостность данных\n\n * CVE-2023-0567: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. \n\n\n\n * CVE-2023-0568: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. \n\n * CVE-2023-0662: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. ",
|
||||
"Description": "This update upgrades php8.2 to version 8.2.3-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02263: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-02264: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность\n\n * BDU:2024-07326: Уязвимость функции верификации пароля языка программирования PHP, связанная с недостаточным вычислением хеша пароля, позволяющая нарушителю оказать воздействие на целостность данных\n\n * CVE-2023-0567: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. \n\n\n\n * CVE-2023-0568: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.\n\n * CVE-2023-0662: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kernel-image-std-def to version 5.10.174-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01218: Уязвимость функции ene_remove() (drivers/media/rc/ene_ir.c) драйвера инфракрасного приемника\\передатчика ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании или повысить свои привилегии\n\n * BDU:2023-01280: Уязвимость функции _pick_next_task_rt() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-02165: Уязвимость фильтра индексирования системы контроля трафика tcindex (net/sched/cls_tcindex.c) ядра операционной системы Linux, позволяющая нарушителю повысить свои привилегии\n\n * CVE-2023-1077: In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption.\n\n * CVE-2023-1118: A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.\n\n * CVE-2023-1829: A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.\n\n",
|
||||
"Description": "This update upgrades kernel-image-std-def to version 5.10.174-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01218: Уязвимость функции ene_remove() (drivers/media/rc/ene_ir.c) драйвера инфракрасного приемника\\передатчика ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании или повысить свои привилегии\n\n * BDU:2023-01280: Уязвимость функции _pick_next_task_rt() ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-02165: Уязвимость фильтра индексирования системы контроля трафика tcindex (net/sched/cls_tcindex.c) ядра операционной системы Linux, позволяющая нарушителю повысить свои привилегии\n\n * CVE-2023-1077: In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption.\n\n * CVE-2023-1118: A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.\n\n * CVE-2023-1829: A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades uwsgi to version 2.0.23-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02021: Уязвимость компонента mod_proxy_uwsgi веб-сервера Apache HTTP Server связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку \u0026quot;контрабанда HTTP-запросов\u0026quot;\n\n * CVE-2023-27522: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.\n\nSpecial characters in the origin response header can truncate/split the response forwarded to the client.\n\n\n",
|
||||
"Description": "This update upgrades uwsgi to version 2.0.23-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02021: Уязвимость компонента mod_proxy_uwsgi веб-сервера Apache HTTP Server связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку \u0026quot;контрабанда HTTP-запросов\u0026quot;\n\n * CVE-2023-27522: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.\n\nSpecial characters in the origin response header can truncate/split the response forwarded to the client.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -70,7 +70,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades LibreOffice-still to version 7.5.9.2-alt1.p10.1. \nSecurity Fix(es):\n\n * BDU:2023-02967: Уязвимость модуля Spreadsheet пакета офисных программ LibreOffice, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-02968: Уязвимость компонента Floating Frames пакета офисных программ LibreOffice, позволяющая нарушителю выполнить спуфинговую атаку\n\n * BDU:2023-08655: Уязвимость пакета офисных программ LibreOffice, связанная с возможностью внедрения кода или данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-08957: Уязвимость модуля Gstreamer пакета офисных программ LibreOffice, позволяющая нарушителю запускать произвольные плагины Gstreamer\n\n * CVE-2023-0950: Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to 7.5.1.\n\n * CVE-2023-1183: A flaw was found in the Libreoffice package. An attacker can craft an odb containing a \"database/script\" file with a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.\n\n * CVE-2023-2255: Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used \"floating frames\" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.\n\n * CVE-2023-6185: Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins.\n\nIn affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.\n\n\n\n * CVE-2023-6186: Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning.\n\nIn affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user.\n\n\n\n\n * #46320: Обновить стабильную версию LibreOffice-still\n\n * #48841: Сломалась сборка Libreoffice-still",
|
||||
"Description": "This update upgrades LibreOffice-still to version 7.5.9.2-alt1.p10.1. \nSecurity Fix(es):\n\n * BDU:2023-02967: Уязвимость модуля Spreadsheet пакета офисных программ LibreOffice, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-02968: Уязвимость компонента Floating Frames пакета офисных программ LibreOffice, позволяющая нарушителю выполнить спуфинговую атаку\n\n * BDU:2023-08655: Уязвимость пакета офисных программ LibreOffice, связанная с возможностью внедрения кода или данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-08957: Уязвимость модуля Gstreamer пакета офисных программ LibreOffice, позволяющая нарушителю запускать произвольные плагины Gstreamer\n\n * CVE-2023-0950: Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to 7.5.1.\n\n * CVE-2023-1183: A flaw was found in the Libreoffice package. An attacker can craft an odb containing a \"database/script\" file with a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.\n\n * CVE-2023-2255: Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used \"floating frames\" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.\n\n * CVE-2023-6185: Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins.\n\nIn affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.\n\n * CVE-2023-6186: Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning.\n\nIn affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user.\n\n * #46320: Обновить стабильную версию LibreOffice-still\n\n * #48841: Сломалась сборка Libreoffice-still",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades libwebp to version 1.3.2-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02923: Уязвимость функции EncodeAlphaInternal() библиотеки libwebp для кодирования и декодирования изображений в формате WebP браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05510: Уязвимость библиотеки libwebp для кодирования и декодирования изображений в формате WebP, связанная с чтением за границами буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-1999: There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. \n\n\n * CVE-2023-4863: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)",
|
||||
"Description": "This update upgrades libwebp to version 1.3.2-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02923: Уязвимость функции EncodeAlphaInternal() библиотеки libwebp для кодирования и декодирования изображений в формате WebP браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05510: Уязвимость библиотеки libwebp для кодирования и декодирования изображений в формате WebP, связанная с чтением за границами буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-1999: There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.\n\n * CVE-2023-4863: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades sssd to version 2.9.4-alt1. \nSecurity Fix(es):\n\n * BDU:2023-00665: Уязвимость функции GENERAL_NAME_cmp библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-0286: There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n",
|
||||
"Description": "This update upgrades sssd to version 2.9.4-alt1. \nSecurity Fix(es):\n\n * BDU:2023-00665: Уязвимость функции GENERAL_NAME_cmp библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-0286: There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades atril-gtk to version 1.27.0-alt2. \nSecurity Fix(es):\n\n * BDU:2024-00525: Уязвимость программы для просмотра многостраничных документов Atril, связанная с возможностью внедрения команд, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-05041: Уязвимость программы для просмотра многостраничных документов Atril, связанная с возможностью обхода каталога с ограниченным доступом, позволяющая нарушителю записать произвольные файлы\n\n * CVE-2023-51698: Atril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.\n\n\n * CVE-2023-52076: Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.",
|
||||
"Description": "This update upgrades atril-gtk to version 1.27.0-alt2. \nSecurity Fix(es):\n\n * BDU:2024-00525: Уязвимость программы для просмотра многостраничных документов Atril, связанная с возможностью внедрения команд, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-05041: Уязвимость программы для просмотра многостраничных документов Atril, связанная с возможностью обхода каталога с ограниченным доступом, позволяющая нарушителю записать произвольные файлы\n\n * CVE-2023-51698: Atril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.\n\n * CVE-2023-52076: Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades perl-Spreadsheet-ParseExcel to version 0.66-alt1. \nSecurity Fix(es):\n\n * BDU:2024-00130: Уязвимость библиотеки для работы с XLS-файлами Spreadsheet::ParseExcel, связанная с непринятием мер по нейтрализации инструкций в динамически исполняемом коде, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-7101: Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic. \n",
|
||||
"Description": "This update upgrades perl-Spreadsheet-ParseExcel to version 0.66-alt1. \nSecurity Fix(es):\n\n * BDU:2024-00130: Уязвимость библиотеки для работы с XLS-файлами Spreadsheet::ParseExcel, связанная с непринятием мер по нейтрализации инструкций в динамически исполняемом коде, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-7101: Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades python-module-urllib3 to version 1.26.20-alt1.c10f1. \nSecurity Fix(es):\n\n * BDU:2023-06977: Уязвимость модуля urllib3 интерпретатора языка программирования Python, позволяющая нарушителю раскрыть защищаемую информацию\n\n * BDU:2023-08730: Уязвимость модуля urllib3 интерпретатора языка программирования Python, связанная с отсутствием защиты служебных данных, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-43804: urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.\n\n * CVE-2023-45803: urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n",
|
||||
"Description": "This update upgrades python-module-urllib3 to version 1.26.20-alt1.c10f1. \nSecurity Fix(es):\n\n * BDU:2023-06977: Уязвимость модуля urllib3 интерпретатора языка программирования Python, позволяющая нарушителю раскрыть защищаемую информацию\n\n * BDU:2023-08730: Уязвимость модуля urllib3 интерпретатора языка программирования Python, связанная с отсутствием защиты служебных данных, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-43804: urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.\n\n * CVE-2023-45803: urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
@ -88,6 +88,7 @@
|
||||
{
|
||||
"ID": "CVE-2023-45803",
|
||||
"CVSS3": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
|
||||
"CWE": "NVD-CWE-noinfo",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803",
|
||||
"Impact": "Low",
|
||||
"Public": "20231017"
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -40,7 +40,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades guacamole-server to version 1.5.5-alt1. \nSecurity Fix(es):\n\n * CVE-2023-30575: Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole instructions during the handshake through specially-crafted data.\n\n\n\n * CVE-2023-30576: Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Depending on timing, this may allow an attacker to execute arbitrary code with the privileges of the guacd process.\n\n\n\n * CVE-2023-43826: Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. If a user connects to a malicious or compromised VNC server, specially-crafted data could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.\n\nUsers are recommended to upgrade to version 1.5.4, which fixes this issue.\n\n\n\n * #47735: Не работает SSH подключение без Monospace шрифтов (Unable to load font “monospace”)",
|
||||
"Description": "This update upgrades guacamole-server to version 1.5.5-alt1. \nSecurity Fix(es):\n\n * CVE-2023-30575: Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole instructions during the handshake through specially-crafted data.\n\n\n\n * CVE-2023-30576: Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Depending on timing, this may allow an attacker to execute arbitrary code with the privileges of the guacd process.\n\n\n\n * CVE-2023-43826: Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. If a user connects to a malicious or compromised VNC server, specially-crafted data could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.\n\nUsers are recommended to upgrade to version 1.5.4, which fixes this issue.\n\n * #47735: Не работает SSH подключение без Monospace шрифтов (Unable to load font “monospace”)",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades python3-module-requests to version 2.32.3-alt0.p10.1. \nSecurity Fix(es):\n\n * BDU:2023-03874: Уязвимость библиотеки HTTP запросов языка программирования Python Requests, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * CVE-2023-32681: Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n",
|
||||
"Description": "This update upgrades python3-module-requests to version 2.32.3-alt0.p10.1. \nSecurity Fix(es):\n\n * BDU:2023-03874: Уязвимость библиотеки HTTP запросов языка программирования Python Requests, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * CVE-2023-32681: Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
@ -61,6 +61,7 @@
|
||||
{
|
||||
"ID": "CVE-2023-32681",
|
||||
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
|
||||
"CWE": "NVD-CWE-noinfo",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681",
|
||||
"Impact": "Low",
|
||||
"Public": "20230526"
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades freerdp to version 2.11.5-alt1. \nSecurity Fix(es):\n\n * BDU:2024-00706: Уязвимость функции freerdp_bitmap_planar_context_reset() RDP-клиента FreeRDP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2024-22211: FreeRDP is a set of free and open source remote desktop protocol library and clients. In affected versions an integer overflow in `freerdp_bitmap_planar_context_reset` leads to heap-buffer overflow. This affects FreeRDP based clients. FreeRDP based server implementations and proxy are not affected. A malicious server could prepare a `RDPGFX_RESET_GRAPHICS_PDU` to allocate too small buffers, possibly triggering later out of bound read/write. Data extraction over network is not possible, the buffers are used to display an image. This issue has been addressed in version 2.11.5 and 3.2.0. Users are advised to upgrade. there are no know workarounds for this vulnerability.\n",
|
||||
"Description": "This update upgrades freerdp to version 2.11.5-alt1. \nSecurity Fix(es):\n\n * BDU:2024-00706: Уязвимость функции freerdp_bitmap_planar_context_reset() RDP-клиента FreeRDP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2024-22211: FreeRDP is a set of free and open source remote desktop protocol library and clients. In affected versions an integer overflow in `freerdp_bitmap_planar_context_reset` leads to heap-buffer overflow. This affects FreeRDP based clients. FreeRDP based server implementations and proxy are not affected. A malicious server could prepare a `RDPGFX_RESET_GRAPHICS_PDU` to allocate too small buffers, possibly triggering later out of bound read/write. Data extraction over network is not possible, the buffers are used to display an image. This issue has been addressed in version 2.11.5 and 3.2.0. Users are advised to upgrade. there are no know workarounds for this vulnerability.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades vault to version 1.13.12-alt2. \nSecurity Fix(es):\n\n * BDU:2023-08660: Уязвимость компонента max_request_duration платформ для архивирования корпоративной информации HashiCorp Vault и Vault Enterprise, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-3775: A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vault Enterprise 1.15.0, 1.14.4, 1.13.8.\n\n * CVE-2023-4680: HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.\n\n * CVE-2023-6337: HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.\n\nFixed in Vault 1.15.4, 1.14.8, 1.13.12.\n\n",
|
||||
"Description": "This update upgrades vault to version 1.13.12-alt2. \nSecurity Fix(es):\n\n * BDU:2023-08660: Уязвимость компонента max_request_duration платформ для архивирования корпоративной информации HashiCorp Vault и Vault Enterprise, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-3775: A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vault Enterprise 1.15.0, 1.14.4, 1.13.8.\n\n * CVE-2023-4680: HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.\n\n * CVE-2023-6337: HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.\n\nFixed in Vault 1.15.4, 1.14.8, 1.13.12.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades cups to version 2.4.7-alt2. \nSecurity Fix(es):\n\n * BDU:2023-03719: Уязвимость функции httpClose(con-\u0026gt;http) сервера печати CUPS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-03873: Уязвимость функции format_log_line() сервера печати CUPS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06408: Уязвимость функции scan_ps() библиотеки libppd сервера печати CUPS, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код\n\n * CVE-2023-32324: OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication.\n\n * CVE-2023-34241: OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process.\n\nThe exact cause of this issue is the function `httpClose(con-\u003ehttp)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`.\n\nVersion 2.4.6 has a patch for this issue.\n\n * CVE-2023-4504: Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.\n\n\n * #38564: dpkg-architecture: command not found\n\n * #48114: [PATCH] поддержка бездрайверного режима печати на Pantum BM5100ADW",
|
||||
"Description": "This update upgrades cups to version 2.4.7-alt2. \nSecurity Fix(es):\n\n * BDU:2023-03719: Уязвимость функции httpClose(con-\u0026gt;http) сервера печати CUPS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-03873: Уязвимость функции format_log_line() сервера печати CUPS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06408: Уязвимость функции scan_ps() библиотеки libppd сервера печати CUPS, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код\n\n * CVE-2023-32324: OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication.\n\n * CVE-2023-34241: OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process.\n\nThe exact cause of this issue is the function `httpClose(con-\u003ehttp)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`.\n\nVersion 2.4.6 has a patch for this issue.\n\n * CVE-2023-4504: Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.\n\n * #38564: dpkg-architecture: command not found\n\n * #48114: [PATCH] поддержка бездрайверного режима печати на Pantum BM5100ADW",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -70,7 +70,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades python3 to version 3.9.18-alt0.c10f1.1. \nSecurity Fix(es):\n\n * BDU:2022-05975: Уязвимость функций extract и extractall модуля tarfile интерпретатора языка программирования Python, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-00665: Уязвимость функции GENERAL_NAME_cmp библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-04978: Уязвимость компонента urllib.parse интерпретатора языка программирования Python, позволяющая нарушителю обходить блокировки URL-адресов\n\n * BDU:2023-05002: Уязвимость класса SSLSocket интерпретатора языка программирования Python, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.\n\n * CVE-2022-4303: The WP Limit Login Attempts WordPress plugin through 2.6.4 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions on login forms.\n\n * CVE-2023-0286: There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n\n\n * CVE-2023-24329: An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.\n\n * CVE-2023-40217: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)\n\n * #49415: Обновление python3 для закрытия уязвимостей",
|
||||
"Description": "This update upgrades python3 to version 3.9.18-alt0.c10f1.1. \nSecurity Fix(es):\n\n * BDU:2022-05975: Уязвимость функций extract и extractall модуля tarfile интерпретатора языка программирования Python, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-00665: Уязвимость функции GENERAL_NAME_cmp библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-04978: Уязвимость компонента urllib.parse интерпретатора языка программирования Python, позволяющая нарушителю обходить блокировки URL-адресов\n\n * BDU:2023-05002: Уязвимость класса SSLSocket интерпретатора языка программирования Python, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.\n\n * CVE-2022-4303: The WP Limit Login Attempts WordPress plugin through 2.6.4 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions on login forms.\n\n * CVE-2023-0286: There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n * CVE-2023-24329: An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.\n\n * CVE-2023-40217: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)\n\n * #49415: Обновление python3 для закрытия уязвимостей",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -80,7 +80,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades php8.1 to version 8.1.28-alt1. \nSecurity Fix(es):\n\n * BDU:2024-07676: Уязвимость интерпретатора языка программирования PHP, связанная с недостаточной проверкой входных данных, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2024-07677: Уязвимость интерпретатора языка программирования PHP, существующая из-за непринятия мер по нейтрализации специальных элементов, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2024-07679: Уязвимость сценария cgi.force_redirect интерпретатора языка программирования PHP, позволяющая нарушителю обойти существующие ограничения безопасности\n\n * BDU:2024-07680: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю обойти существующие ограничения безопасности\n\n * CVE-2024-1874: In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. \n\n\n\n * CVE-2024-2756: Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications. \n\n\n * CVE-2024-3096: In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\n\n\n\n * CVE-2024-8925: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.\n\n * CVE-2024-8926: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows \"Best Fit\" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.\n\n * CVE-2024-8927: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.\n\n * CVE-2024-9026: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.",
|
||||
"Description": "This update upgrades php8.1 to version 8.1.28-alt1. \nSecurity Fix(es):\n\n * BDU:2024-07676: Уязвимость интерпретатора языка программирования PHP, связанная с недостаточной проверкой входных данных, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2024-07677: Уязвимость интерпретатора языка программирования PHP, существующая из-за непринятия мер по нейтрализации специальных элементов, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2024-07679: Уязвимость сценария cgi.force_redirect интерпретатора языка программирования PHP, позволяющая нарушителю обойти существующие ограничения безопасности\n\n * BDU:2024-07680: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю обойти существующие ограничения безопасности\n\n * CVE-2024-1874: In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.\n\n * CVE-2024-2756: Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.\n\n * CVE-2024-3096: In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\n\n * CVE-2024-8925: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.\n\n * CVE-2024-8926: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows \"Best Fit\" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.\n\n * CVE-2024-8927: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.\n\n * CVE-2024-9026: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
@ -40,7 +40,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades guacamole to version 1.5.4-alt1. \nSecurity Fix(es):\n\n * CVE-2023-30575: Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole instructions during the handshake through specially-crafted data.\n\n\n\n * CVE-2023-30576: Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Depending on timing, this may allow an attacker to execute arbitrary code with the privileges of the guacd process.\n\n\n\n * CVE-2023-43826: Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. If a user connects to a malicious or compromised VNC server, specially-crafted data could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.\n\nUsers are recommended to upgrade to version 1.5.4, which fixes this issue.\n\n",
|
||||
"Description": "This update upgrades guacamole to version 1.5.4-alt1. \nSecurity Fix(es):\n\n * CVE-2023-30575: Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole instructions during the handshake through specially-crafted data.\n\n\n\n * CVE-2023-30576: Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Depending on timing, this may allow an attacker to execute arbitrary code with the privileges of the guacd process.\n\n\n\n * CVE-2023-43826: Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. If a user connects to a malicious or compromised VNC server, specially-crafted data could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.\n\nUsers are recommended to upgrade to version 1.5.4, which fixes this issue.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades glibc to version 2.32-alt5.p10.3. \nSecurity Fix(es):\n\n * BDU:2024-03171: Уязвимость функции iconv() системной библиотеки glibc, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2024-2961: The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n\n\n * CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n\n * CVE-2024-33600: nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n\n\n * CVE-2024-33601: nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n\n\n * CVE-2024-33602: nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n",
|
||||
"Description": "This update upgrades glibc to version 2.32-alt5.p10.3. \nSecurity Fix(es):\n\n * BDU:2024-03171: Уязвимость функции iconv() системной библиотеки glibc, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2024-2961: The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n\n * CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n * CVE-2024-33600: nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n * CVE-2024-33601: nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n * CVE-2024-33602: nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades gem-rails-html-sanitizer to version 1.5.0-alt1. \nSecurity Fix(es):\n\n * BDU:2022-06004: Уязвимость реализации конфигурации инструмента очистки HTML для приложений Rails Rails Html Sanitizer, позволяющая нарушителю проводить межсайтовые сценарные атаки\n\n * CVE-2022-23517: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer \u003c 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4.\n\n * CVE-2022-23518: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions \u003e= 1.0.3, \u003c 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah \u003e= 2.1.0. This issue is patched in version 1.4.4.\n\n * CVE-2022-23519: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both \"math\" and \"style\" elements, or allow both \"svg\" and \"style\" elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version 1.4.4. All users overriding the allowed tags to include \"math\" or \"svg\" and \"style\" should either upgrade or use the following workaround immediately: Remove \"style\" from the overridden allowed tags, or remove \"math\" and \"svg\" from the overridden allowed tags.\n\n\n * CVE-2022-23520: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both \"select\" and \"style\" elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version 1.4.4. All users overriding the allowed tags to include both \"select\" and \"style\" should either upgrade or use this workaround: Remove either \"select\" or \"style\" from the overridden allowed tags. NOTE: Code is _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize.\n\n\n * CVE-2022-32209: # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may be done with a `:tags` option to the Action View helper `sanitize`:```\u003c%= sanitize @comment.body, tags: [\"select\", \"style\"] %\u003e```see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be done with Rails::Html::SafeListSanitizer directly:```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]```or```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])```All users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.## CreditsThis vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).",
|
||||
"Description": "This update upgrades gem-rails-html-sanitizer to version 1.5.0-alt1. \nSecurity Fix(es):\n\n * BDU:2022-06004: Уязвимость реализации конфигурации инструмента очистки HTML для приложений Rails Rails Html Sanitizer, позволяющая нарушителю проводить межсайтовые сценарные атаки\n\n * CVE-2022-23517: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer \u003c 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4.\n\n * CVE-2022-23518: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions \u003e= 1.0.3, \u003c 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah \u003e= 2.1.0. This issue is patched in version 1.4.4.\n\n * CVE-2022-23519: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both \"math\" and \"style\" elements, or allow both \"svg\" and \"style\" elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version 1.4.4. All users overriding the allowed tags to include \"math\" or \"svg\" and \"style\" should either upgrade or use the following workaround immediately: Remove \"style\" from the overridden allowed tags, or remove \"math\" and \"svg\" from the overridden allowed tags.\n\n * CVE-2022-23520: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both \"select\" and \"style\" elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version 1.4.4. All users overriding the allowed tags to include both \"select\" and \"style\" should either upgrade or use this workaround: Remove either \"select\" or \"style\" from the overridden allowed tags. NOTE: Code is _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize.\n\n * CVE-2022-32209: # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may be done with a `:tags` option to the Action View helper `sanitize`:```\u003c%= sanitize @comment.body, tags: [\"select\", \"style\"] %\u003e```see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be done with Rails::Html::SafeListSanitizer directly:```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]```or```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])```All users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.## CreditsThis vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
@ -103,6 +103,7 @@
|
||||
{
|
||||
"ID": "CVE-2022-23520",
|
||||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||||
"CWE": "CWE-79",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-23520",
|
||||
"Impact": "Low",
|
||||
"Public": "20221214"
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades grafana to version 10.2.2-alt1.1. \nSecurity Fix(es):\n\n * BDU:2024-02572: Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с разрешительный список разрешенных входов, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2024-02599: Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с недостатками списка контроля доступом (ACL), позволяющая нарушителю обойти существующие ограничения доступа\n\n * CVE-2023-4399: Grafana is an open-source platform for monitoring and observability. \n\nIn Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts.\n\nHowever, the restriction can be bypassed used punycode encoding of the characters in the request address.\n\n\n\n * CVE-2023-4822: Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations.\n\nIt also allows an Organization Admin to assign or revoke any permissions that they have to any user globally.\n\nThis means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user.\n\nThe vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of.\n\n",
|
||||
"Description": "This update upgrades grafana to version 10.2.2-alt1.1. \nSecurity Fix(es):\n\n * BDU:2024-02572: Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с разрешительный список разрешенных входов, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2024-02599: Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с недостатками списка контроля доступом (ACL), позволяющая нарушителю обойти существующие ограничения доступа\n\n * CVE-2023-4399: Grafana is an open-source platform for monitoring and observability. \n\nIn Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts.\n\nHowever, the restriction can be bypassed used punycode encoding of the characters in the request address.\n\n * CVE-2023-4822: Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations.\n\nIt also allows an Organization Admin to assign or revoke any permissions that they have to any user globally.\n\nThis means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user.\n\nThe vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades mongo4.4 to version 4.4.29-alt0.c10.1. \nSecurity Fix(es):\n\n * BDU:2024-01947: Уязвимость системы управления базами данных MongoDB, связанная с ошибками процедуры подтверждения подлинности TLS сертификата, позволяющая нарушителю установить несанкционированное соединение к серверу MongoDB\n\n * CVE-2024-1351: Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\n\n",
|
||||
"Description": "This update upgrades mongo4.4 to version 4.4.29-alt0.c10.1. \nSecurity Fix(es):\n\n * BDU:2024-01947: Уязвимость системы управления базами данных MongoDB, связанная с ошибками процедуры подтверждения подлинности TLS сертификата, позволяющая нарушителю установить несанкционированное соединение к серверу MongoDB\n\n * CVE-2024-1351: Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades mongo6.0 to version 6.0.14-alt0.c10.1. \nSecurity Fix(es):\n\n * BDU:2024-01947: Уязвимость системы управления базами данных MongoDB, связанная с ошибками процедуры подтверждения подлинности TLS сертификата, позволяющая нарушителю установить несанкционированное соединение к серверу MongoDB\n\n * CVE-2024-1351: Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\n\n\n\n * CVE-2024-3372: Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25.\n\n\n * CVE-2024-3374: An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.\n",
|
||||
"Description": "This update upgrades mongo6.0 to version 6.0.14-alt0.c10.1. \nSecurity Fix(es):\n\n * BDU:2024-01947: Уязвимость системы управления базами данных MongoDB, связанная с ошибками процедуры подтверждения подлинности TLS сертификата, позволяющая нарушителю установить несанкционированное соединение к серверу MongoDB\n\n * CVE-2024-1351: Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\n\n * CVE-2024-3372: Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25.\n\n\n * CVE-2024-3374: An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.\n",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades mongo5.0 to version 5.0.25-alt0.c10.1. \nSecurity Fix(es):\n\n * BDU:2024-01947: Уязвимость системы управления базами данных MongoDB, связанная с ошибками процедуры подтверждения подлинности TLS сертификата, позволяющая нарушителю установить несанкционированное соединение к серверу MongoDB\n\n * CVE-2024-1351: Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\n\n\n\n * CVE-2024-3372: Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25.\n\n\n * CVE-2024-3374: An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.\n",
|
||||
"Description": "This update upgrades mongo5.0 to version 5.0.25-alt0.c10.1. \nSecurity Fix(es):\n\n * BDU:2024-01947: Уязвимость системы управления базами данных MongoDB, связанная с ошибками процедуры подтверждения подлинности TLS сертификата, позволяющая нарушителю установить несанкционированное соединение к серверу MongoDB\n\n * CVE-2024-1351: Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\n\n * CVE-2024-3372: Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25.\n\n\n * CVE-2024-3374: An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.\n",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -60,7 +60,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades mosquitto to version 2.0.20-alt1. \nSecurity Fix(es):\n\n * BDU:2023-05834: Уязвимость брокера сообщений Eclipse Mosquitto, связанная с ошибкой освобождения памяти, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2024-04210: Уязвимость компонента CONNECT брокера сообщений Eclipse Mosquitto, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2024-04213: Уязвимость компонента CONNECT v5 брокера сообщений Eclipse Mosquitto, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-0809: In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.\n\n * CVE-2023-28366: The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.\n\n * CVE-2023-3592: In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.\n\n\n * CVE-2024-8376: In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of \"CONNECT\", \"DISCONNECT\", \"SUBSCRIBE\", \"UNSUBSCRIBE\" and \"PUBLISH\" packets.",
|
||||
"Description": "This update upgrades mosquitto to version 2.0.20-alt1. \nSecurity Fix(es):\n\n * BDU:2023-05834: Уязвимость брокера сообщений Eclipse Mosquitto, связанная с ошибкой освобождения памяти, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2024-04210: Уязвимость компонента CONNECT брокера сообщений Eclipse Mosquitto, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2024-04213: Уязвимость компонента CONNECT v5 брокера сообщений Eclipse Mosquitto, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-0809: In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.\n\n * CVE-2023-28366: The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.\n\n * CVE-2023-3592: In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.\n\n * CVE-2024-8376: In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of \"CONNECT\", \"DISCONNECT\", \"SUBSCRIBE\", \"UNSUBSCRIBE\" and \"PUBLISH\" packets.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -65,7 +65,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades salt to version 3007.1-alt0.p10.1. \nSecurity Fix(es):\n\n * BDU:2023-05935: Уязвимость системы управления конфигурациями и удалённого выполнения операций SaltStack Salt, связанная с отсутствием защиты служебных данных, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2024-04876: Уязвимость системы управления конфигурациями и удалённого выполнения операций Salt, связанная с возможностью обхода каталога, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-04877: Уязвимость системы управления конфигурациями и удалённого выполнения операций Salt, связанная с созданием специальных URL-адресов, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * CVE-2023-20897: Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.\n\n\n * CVE-2023-20898: Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.\n\n\n * CVE-2023-34049: The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script with the privileges of the user running Salt-SSH. Do not make the copy path on the target predictable and ensure we check return codes of the scp command if the copy fails.\n\n * CVE-2024-22231: Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt master.\n\n * CVE-2024-22232: A specially crafted url can be created which leads to a directory traversal in the salt file server.\nA malicious user can read an arbitrary file from a Salt master’s filesystem.",
|
||||
"Description": "This update upgrades salt to version 3007.1-alt0.p10.1. \nSecurity Fix(es):\n\n * BDU:2023-05935: Уязвимость системы управления конфигурациями и удалённого выполнения операций SaltStack Salt, связанная с отсутствием защиты служебных данных, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2024-04876: Уязвимость системы управления конфигурациями и удалённого выполнения операций Salt, связанная с возможностью обхода каталога, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-04877: Уязвимость системы управления конфигурациями и удалённого выполнения операций Salt, связанная с созданием специальных URL-адресов, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * CVE-2023-20897: Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.\n\n * CVE-2023-20898: Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.\n\n * CVE-2023-34049: The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script with the privileges of the user running Salt-SSH. Do not make the copy path on the target predictable and ensure we check return codes of the scp command if the copy fails.\n\n * CVE-2024-22231: Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt master.\n\n * CVE-2024-22232: A specially crafted url can be created which leads to a directory traversal in the salt file server.\nA malicious user can read an arbitrary file from a Salt master’s filesystem.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -80,7 +80,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades roundcube to version 1.6.7-alt1. \nSecurity Fix(es):\n\n * BDU:2021-06259: Уязвимость почтового клиента Roundcube, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный SQL-код\n\n * BDU:2022-05555: Уязвимость почтового клиента Roundcube, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки\n\n * BDU:2023-06297: Уязвимость компонента program/lib/Roundcube/rcube_string_replacer.php почтового клиента RoundCube Webmail, позволяющая нарушителю провести атаку межсайтового скриптинга\n\n * BDU:2023-07143: Уязвимость библиотеки program/lib/Roundcube/rcube_washtml.php почтового клиента RoundCube Webmail, позволяющая нарушителю выполнить произвольный JavaScript-код\n\n * BDU:2024-05163: Уязвимость почтового клиента RoundCube Webmail, связанная с недостаточной защитой структуры веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки\n\n * CVE-2021-44025: Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.\n\n * CVE-2021-44026: Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.\n\n * CVE-2021-46144: Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.\n\n * CVE-2023-43770: Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.\n\n * CVE-2023-5631: \nRoundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker\n\nto load arbitrary JavaScript code.\n\n\n\n\n\n\n\n\n\n * CVE-2024-37383: Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.",
|
||||
"Description": "This update upgrades roundcube to version 1.6.7-alt1. \nSecurity Fix(es):\n\n * BDU:2021-06259: Уязвимость почтового клиента Roundcube, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный SQL-код\n\n * BDU:2022-05555: Уязвимость почтового клиента Roundcube, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки\n\n * BDU:2023-06297: Уязвимость компонента program/lib/Roundcube/rcube_string_replacer.php почтового клиента RoundCube Webmail, позволяющая нарушителю провести атаку межсайтового скриптинга\n\n * BDU:2023-07143: Уязвимость библиотеки program/lib/Roundcube/rcube_washtml.php почтового клиента RoundCube Webmail, позволяющая нарушителю выполнить произвольный JavaScript-код\n\n * BDU:2024-05163: Уязвимость почтового клиента RoundCube Webmail, связанная с недостаточной защитой структуры веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки\n\n * CVE-2021-44025: Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.\n\n * CVE-2021-44026: Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.\n\n * CVE-2021-46144: Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.\n\n * CVE-2023-43770: Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.\n\n * CVE-2023-5631: Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker\n\nto load arbitrary JavaScript code.\n\n * CVE-2024-37383: Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades binwalk to version 2.3.4-alt1. \nSecurity Fix(es):\n\n * CVE-2021-4287: A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2. Affected is an unknown function of the file src/binwalk/modules/extractor.py of the component Archive Extraction Handler. The manipulation leads to symlink following. It is possible to launch the attack remotely. Upgrading to version 2.3.3 is able to address this issue. The name of the patch is fa0c0bd59b8588814756942fe4cb5452e76c1dcd. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216876.\n\n * CVE-2022-4510: \nA path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins.\n This vulnerability is associated with program files src/binwalk/plugins/unpfs.py.\n\nThis issue affects binwalk from 2.1.2b through 2.3.3 included.\n\n",
|
||||
"Description": "This update upgrades binwalk to version 2.3.4-alt1. \nSecurity Fix(es):\n\n * CVE-2021-4287: A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2. Affected is an unknown function of the file src/binwalk/modules/extractor.py of the component Archive Extraction Handler. The manipulation leads to symlink following. It is possible to launch the attack remotely. Upgrading to version 2.3.3 is able to address this issue. The name of the patch is fa0c0bd59b8588814756942fe4cb5452e76c1dcd. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216876.\n\n * CVE-2022-4510: A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins.\n This vulnerability is associated with program files src/binwalk/plugins/unpfs.py.\n\nThis issue affects binwalk from 2.1.2b through 2.3.3 included.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -117,7 +117,7 @@
|
||||
{
|
||||
"ID": "CVE-2015-0310",
|
||||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||||
"CWE": "CWE-264",
|
||||
"CWE": "NVD-CWE-noinfo",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2015-0310",
|
||||
"Impact": "Critical",
|
||||
"Public": "20150123"
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -90,7 +90,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades php8.1 to version 8.1.16-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02263: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-02264: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность\n\n * BDU:2024-07676: Уязвимость интерпретатора языка программирования PHP, связанная с недостаточной проверкой входных данных, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2024-07677: Уязвимость интерпретатора языка программирования PHP, существующая из-за непринятия мер по нейтрализации специальных элементов, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2024-07679: Уязвимость сценария cgi.force_redirect интерпретатора языка программирования PHP, позволяющая нарушителю обойти существующие ограничения безопасности\n\n * BDU:2024-07680: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю обойти существующие ограничения безопасности\n\n * CVE-2023-0567: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. \n\n\n\n * CVE-2023-0568: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. \n\n * CVE-2023-0662: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. \n\n * CVE-2024-8925: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.\n\n * CVE-2024-8926: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows \"Best Fit\" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.\n\n * CVE-2024-8927: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.\n\n * CVE-2024-9026: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.",
|
||||
"Description": "This update upgrades php8.1 to version 8.1.16-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02263: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-02264: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность\n\n * BDU:2024-07676: Уязвимость интерпретатора языка программирования PHP, связанная с недостаточной проверкой входных данных, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2024-07677: Уязвимость интерпретатора языка программирования PHP, существующая из-за непринятия мер по нейтрализации специальных элементов, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2024-07679: Уязвимость сценария cgi.force_redirect интерпретатора языка программирования PHP, позволяющая нарушителю обойти существующие ограничения безопасности\n\n * BDU:2024-07680: Уязвимость интерпретатора языка программирования PHP, позволяющая нарушителю обойти существующие ограничения безопасности\n\n * CVE-2023-0567: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. \n\n\n\n * CVE-2023-0568: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.\n\n * CVE-2023-0662: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.\n\n * CVE-2024-8925: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.\n\n * CVE-2024-8926: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows \"Best Fit\" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.\n\n * CVE-2024-8927: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.\n\n * CVE-2024-9026: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades apache2 to version 2.4.55-alt1. \nSecurity Fix(es):\n\n * BDU:2023-00495: Уязвимость модуля mod_proxy_ajp веб-сервера Apache HTTP Server, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * BDU:2023-00496: Уязвимость модуля mod_proxy веб-сервера Apache HTTP Server, позволяющая нарушителю выполнять атаки с разделением ответов HTTP\n\n * BDU:2023-01105: Уязвимость модуля mod_dav веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2006-20001: A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.\n\nThis issue affects Apache HTTP Server 2.4.54 and earlier.\n\n\n * CVE-2022-36760: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.\n\n * CVE-2022-37436: Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.\n\n * #44044: Отключённый a2dismod модуль отключается даже после a2enmod\n\n * #44078: Заменить /var/lock на /run/lock в tmpfiles.conf",
|
||||
"Description": "This update upgrades apache2 to version 2.4.55-alt1. \nSecurity Fix(es):\n\n * BDU:2023-00495: Уязвимость модуля mod_proxy_ajp веб-сервера Apache HTTP Server, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * BDU:2023-00496: Уязвимость модуля mod_proxy веб-сервера Apache HTTP Server, позволяющая нарушителю выполнять атаки с разделением ответов HTTP\n\n * BDU:2023-01105: Уязвимость модуля mod_dav веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2006-20001: A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.\n\nThis issue affects Apache HTTP Server 2.4.54 and earlier.\n\n * CVE-2022-36760: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.\n\n * CVE-2022-37436: Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.\n\n * #44044: Отключённый a2dismod модуль отключается даже после a2enmod\n\n * #44078: Заменить /var/lock на /run/lock в tmpfiles.conf",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades apache2 to version 2.4.56-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01738: Уязвимость модуля mod_proxy веб-сервера Apache HTTP Server, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * BDU:2023-02021: Уязвимость компонента mod_proxy_uwsgi веб-сервера Apache HTTP Server связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку \u0026quot;контрабанда HTTP-запросов\u0026quot;\n\n * CVE-2023-25690: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.\n\n\n\n\nConfigurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example, something like:\n\n\n\n\nRewriteEngine on\nRewriteRule \"^/here/(.*)\" \"http://example.com:8080/elsewhere?$1\"; [P]\nProxyPassReverse /here/ http://example.com:8080/\n\n\nRequest splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.\n\n\n\n\n * CVE-2023-27522: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.\n\nSpecial characters in the origin response header can truncate/split the response forwarded to the client.\n\n\n",
|
||||
"Description": "This update upgrades apache2 to version 2.4.56-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01738: Уязвимость модуля mod_proxy веб-сервера Apache HTTP Server, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * BDU:2023-02021: Уязвимость компонента mod_proxy_uwsgi веб-сервера Apache HTTP Server связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку \u0026quot;контрабанда HTTP-запросов\u0026quot;\n\n * CVE-2023-25690: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.\n\n\n\n\nConfigurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example, something like:\n\n\n\n\nRewriteEngine on\nRewriteRule \"^/here/(.*)\" \"http://example.com:8080/elsewhere?$1\"; [P]\nProxyPassReverse /here/ http://example.com:8080/\n\n\nRequest splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.\n\n * CVE-2023-27522: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.\n\nSpecial characters in the origin response header can truncate/split the response forwarded to the client.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -50,7 +50,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kernel-image-std-def to version 5.10.185-alt0.c9f.2. \nSecurity Fix(es):\n\n * BDU:2022-07339: Уязвимость драйвера файловой системы NFS ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-01780: Уязвимость функции xirc2ps_detach() драйвера сетевого адаптера Xircom 16-bit PCMCIA (PC-card) операционных систем Linux, позволяющая нарушителю повысить свои привилегии или вызвать отказ в обслуживании\n\n * CVE-2022-4379: A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial\n\n * CVE-2023-1670: A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.\n\n * CVE-2023-3389: A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nRacing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.\n\nWe recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).\n\n",
|
||||
"Description": "This update upgrades kernel-image-std-def to version 5.10.185-alt0.c9f.2. \nSecurity Fix(es):\n\n * BDU:2022-07339: Уязвимость драйвера файловой системы NFS ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-01780: Уязвимость функции xirc2ps_detach() драйвера сетевого адаптера Xircom 16-bit PCMCIA (PC-card) операционных систем Linux, позволяющая нарушителю повысить свои привилегии или вызвать отказ в обслуживании\n\n * CVE-2022-4379: A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial\n\n * CVE-2023-1670: A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.\n\n * CVE-2023-3389: A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nRacing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.\n\nWe recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades firefox-esr to version 102.12.0-alt0.c9.1. \nSecurity Fix(es):\n\n * BDU:2023-03125: Уязвимость браузеров Mozilla Firefox и Firefox ESR, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-03196: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с неверным ограничением визуализируемых слоев пользовательского интерфейса, позволяющая нарушителю провести атаку типа clickjacking («захват клика»)\n\n * CVE-2023-34414: The error page for sites with invalid TLS certificates was missing the\nactivation-delay Firefox uses to protect prompts and permission dialogs\nfrom attacks that exploit human response time delays. If a malicious\npage elicited user clicks in precise locations immediately before\nnavigating to a site with a certificate error and made the renderer\nextremely busy at the same time, it could create a gap between when\nthe error page was loaded and when the display actually refreshed.\nWith the right timing the elicited clicks could land in that gap and \nactivate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR \u003c 102.12, Firefox \u003c 114, and Thunderbird \u003c 102.12.\n\n * CVE-2023-34416: Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR \u003c 102.12, Firefox \u003c 114, and Thunderbird \u003c 102.12.\n\n",
|
||||
"Description": "This update upgrades firefox-esr to version 102.12.0-alt0.c9.1. \nSecurity Fix(es):\n\n * BDU:2023-03125: Уязвимость браузеров Mozilla Firefox и Firefox ESR, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-03196: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с неверным ограничением визуализируемых слоев пользовательского интерфейса, позволяющая нарушителю провести атаку типа clickjacking («захват клика»)\n\n * CVE-2023-34414: The error page for sites with invalid TLS certificates was missing the\nactivation-delay Firefox uses to protect prompts and permission dialogs\nfrom attacks that exploit human response time delays. If a malicious\npage elicited user clicks in precise locations immediately before\nnavigating to a site with a certificate error and made the renderer\nextremely busy at the same time, it could create a gap between when\nthe error page was loaded and when the display actually refreshed.\nWith the right timing the elicited clicks could land in that gap and \nactivate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR \u003c 102.12, Firefox \u003c 114, and Thunderbird \u003c 102.12.\n\n * CVE-2023-34416: Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR \u003c 102.12, Firefox \u003c 114, and Thunderbird \u003c 102.12.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -30,7 +30,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades xrdp to version 0.9.23-alt1. \nSecurity Fix(es):\n\n * CVE-2023-40184: xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.",
|
||||
"Description": "This update upgrades xrdp to version 0.9.23-alt1. \nSecurity Fix(es):\n\n * CVE-2023-40184: xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades libwebp to version 1.3.2-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02923: Уязвимость функции EncodeAlphaInternal() библиотеки libwebp для кодирования и декодирования изображений в формате WebP браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05510: Уязвимость библиотеки libwebp для кодирования и декодирования изображений в формате WebP, связанная с чтением за границами буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-1999: There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. \n\n\n * CVE-2023-4863: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)",
|
||||
"Description": "This update upgrades libwebp to version 1.3.2-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02923: Уязвимость функции EncodeAlphaInternal() библиотеки libwebp для кодирования и декодирования изображений в формате WebP браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-05510: Уязвимость библиотеки libwebp для кодирования и декодирования изображений в формате WebP, связанная с чтением за границами буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2023-1999: There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.\n\n * CVE-2023-4863: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades xrdp to version 0.9.23.1-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06266: Уязвимость компонента xrdp_painter.c сервера XRDP, позволяющая нарушителю получить доступ к защищаемой информации\n\n * CVE-2023-42822: xrdp is an open source remote desktop protocol server. Access to the font glyphs in xrdp_painter.c is not bounds-checked . Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. This issue has been addressed in release 0.9.23.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
|
||||
"Description": "This update upgrades xrdp to version 0.9.23.1-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06266: Уязвимость компонента xrdp_painter.c сервера XRDP, позволяющая нарушителю получить доступ к защищаемой информации\n\n * CVE-2023-42822: xrdp is an open source remote desktop protocol server. Access to the font glyphs in xrdp_painter.c is not bounds-checked . Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. This issue has been addressed in release 0.9.23.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
|
||||
@ -40,7 +40,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades salt to version 3005.2-alt0.c9.2. \nSecurity Fix(es):\n\n * BDU:2023-05935: Уязвимость системы управления конфигурациями и удалённого выполнения операций SaltStack Salt, связанная с отсутствием защиты служебных данных, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * CVE-2023-20897: Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.\n\n\n * CVE-2023-20898: Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.\n",
|
||||
"Description": "This update upgrades salt to version 3005.2-alt0.c9.2. \nSecurity Fix(es):\n\n * BDU:2023-05935: Уязвимость системы управления конфигурациями и удалённого выполнения операций SaltStack Salt, связанная с отсутствием защиты служебных данных, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * CVE-2023-20897: Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.\n\n * CVE-2023-20898: Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -55,7 +55,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades cups to version 2.4.7-alt1. \nSecurity Fix(es):\n\n * BDU:2023-03719: Уязвимость функции httpClose(con-\u0026gt;http) сервера печати CUPS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-03873: Уязвимость функции format_log_line() сервера печати CUPS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06408: Уязвимость функции scan_ps() библиотеки libppd сервера печати CUPS, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код\n\n * CVE-2023-32324: OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication.\n\n * CVE-2023-34241: OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process.\n\nThe exact cause of this issue is the function `httpClose(con-\u003ehttp)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`.\n\nVersion 2.4.6 has a patch for this issue.\n\n * CVE-2023-4504: Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.\n",
|
||||
"Description": "This update upgrades cups to version 2.4.7-alt1. \nSecurity Fix(es):\n\n * BDU:2023-03719: Уязвимость функции httpClose(con-\u0026gt;http) сервера печати CUPS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-03873: Уязвимость функции format_log_line() сервера печати CUPS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06408: Уязвимость функции scan_ps() библиотеки libppd сервера печати CUPS, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код\n\n * CVE-2023-32324: OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication.\n\n * CVE-2023-34241: OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process.\n\nThe exact cause of this issue is the function `httpClose(con-\u003ehttp)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`.\n\nVersion 2.4.6 has a patch for this issue.\n\n * CVE-2023-4504: Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades curl to version 8.4.0-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06576: Уязвимость реализации протокола SOCKS5 утилиты командной строки cURL, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код\n\n * BDU:2023-06579: Уязвимость функции curl_easy_duphandle библиотеки libcurl, позволяющая нарушителю создать или перезаписать файлы cookie\n\n * CVE-2023-38545: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.\n\n\n * CVE-2023-38546: This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course.\n",
|
||||
"Description": "This update upgrades curl to version 8.4.0-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06576: Уязвимость реализации протокола SOCKS5 утилиты командной строки cURL, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код\n\n * BDU:2023-06579: Уязвимость функции curl_easy_duphandle библиотеки libcurl, позволяющая нарушителю создать или перезаписать файлы cookie\n\n * CVE-2023-38545: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.\n\n * CVE-2023-38546: This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Critical",
|
||||
|
||||
File diff suppressed because one or more lines are too long
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user