ALT-BU-2016-2933-1
Branch sisyphus update bulletin.
Closed vulnerabilities
Modified: 2025-04-12
CVE-2016-3958
Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function.
- http://www.openwall.com/lists/oss-security/2016/04/05/1
- http://www.openwall.com/lists/oss-security/2016/04/05/2
- https://github.com/golang/go/issues/14959
- https://go-review.googlesource.com/#/c/21428/
- https://groups.google.com/forum/#%21topic/golang-announce/9eqIHqaWvck
- http://www.openwall.com/lists/oss-security/2016/04/05/1
- http://www.openwall.com/lists/oss-security/2016/04/05/2
- https://github.com/golang/go/issues/14959
- https://go-review.googlesource.com/#/c/21428/
- https://groups.google.com/forum/#%21topic/golang-announce/9eqIHqaWvck
Modified: 2025-04-12
CVE-2016-3959
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182526.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183106.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183137.html
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00077.html
- http://rhn.redhat.com/errata/RHSA-2016-1538.html
- http://www.openwall.com/lists/oss-security/2016/04/05/1
- http://www.openwall.com/lists/oss-security/2016/04/05/2
- https://go-review.googlesource.com/#/c/21533/
- https://groups.google.com/forum/#%21topic/golang-announce/9eqIHqaWvck
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182526.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183106.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183137.html
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00077.html
- http://rhn.redhat.com/errata/RHSA-2016-1538.html
- http://www.openwall.com/lists/oss-security/2016/04/05/1
- http://www.openwall.com/lists/oss-security/2016/04/05/2
- https://go-review.googlesource.com/#/c/21533/
- https://groups.google.com/forum/#%21topic/golang-announce/9eqIHqaWvck
Modified: 2025-04-12
CVE-2016-5386
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
- http://rhn.redhat.com/errata/RHSA-2016-1538.html
- http://www.kb.cert.org/vuls/id/797896
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1353798
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
- https://httpoxy.org/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/
- http://rhn.redhat.com/errata/RHSA-2016-1538.html
- http://www.kb.cert.org/vuls/id/797896
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1353798
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
- https://httpoxy.org/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/
Package util-linux updated to version 2.28.1-alt1 for branch sisyphus in task 168589.
Closed vulnerabilities
Modified: 2025-04-20
CVE-2016-5011
The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.
- http://rhn.redhat.com/errata/RHSA-2016-2605.html
- http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543
- http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801
- http://www.openwall.com/lists/oss-security/2016/07/11/2
- http://www.securityfocus.com/bid/91683
- http://www.securitytracker.com/id/1036272
- https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3
- http://rhn.redhat.com/errata/RHSA-2016-2605.html
- http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543
- http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801
- http://www.openwall.com/lists/oss-security/2016/07/11/2
- http://www.securityfocus.com/bid/91683
- http://www.securitytracker.com/id/1036272
- https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3
Closed bugs
удалите поддержку /lib/udev/devices
Closed bugs
Не работают субтитры в mpv 0.19.0