2016-10-25
ALT-BU-2016-3086-2
Branch sisyphus update bulletin.
Closed vulnerabilities
Published: 2021-04-06
Modified: 2024-09-16
Modified: 2024-09-16
BDU:2021-01890
Уязвимость функции lldp_decode компонента daemon/protocols/lldp.c реализации протокола LLDP под Unix Lldpd, связанная с переполнением буфера в памяти, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
Published: 2020-01-28
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2015-8011
Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors involving large management addresses and TLV boundaries.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://www.openwall.com/lists/oss-security/2015/10/16/2
- http://www.openwall.com/lists/oss-security/2015/10/30/2
- https://cert-portal.siemens.com/productcert/pdf/ssa-941426.pdf
- https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
- https://lists.debian.org/debian-lts-announce/2021/02/msg00032.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UJ4DXFJWMZ325ECZXPZOSK7BOEDJZHPR/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-194-07
- https://www.debian.org/security/2021/dsa-4836
- http://www.openwall.com/lists/oss-security/2015/10/16/2
- http://www.openwall.com/lists/oss-security/2015/10/30/2
- https://cert-portal.siemens.com/productcert/pdf/ssa-941426.pdf
- https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
- https://lists.debian.org/debian-lts-announce/2021/02/msg00032.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UJ4DXFJWMZ325ECZXPZOSK7BOEDJZHPR/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-194-07
- https://www.debian.org/security/2021/dsa-4836
Published: 2020-01-28
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2015-8012
lldpd before 0.8.0 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet.
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- http://www.openwall.com/lists/oss-security/2015/10/18/2
- http://www.openwall.com/lists/oss-security/2015/10/30/2
- https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
- https://github.com/vincentbernat/lldpd/commit/9221b5c249f9e4843f77c7f888d5705348d179c0
- http://www.openwall.com/lists/oss-security/2015/10/18/2
- http://www.openwall.com/lists/oss-security/2015/10/30/2
- https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
- https://github.com/vincentbernat/lldpd/commit/9221b5c249f9e4843f77c7f888d5705348d179c0
Package owncloud-client updated to version 2.2.4-alt1 for branch sisyphus in task 171294.
Closed bugs
Просьба обновить клиента owncloud
Closed bugs
Нет cinnamon-menu-editor
Closed bugs
Не отображаются аватарки пользователей
Package python-module-django updated to version 1.8.15-alt1 for branch sisyphus in task 171331.
Closed vulnerabilities
Published: 2016-04-08
Modified: 2025-04-12
Modified: 2025-04-12
CVE-2016-2512
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: HIGH (7.4)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
References:
- http://rhn.redhat.com/errata/RHSA-2016-0502.html
- http://rhn.redhat.com/errata/RHSA-2016-0504.html
- http://rhn.redhat.com/errata/RHSA-2016-0505.html
- http://rhn.redhat.com/errata/RHSA-2016-0506.html
- http://www.debian.org/security/2016/dsa-3544
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/83879
- http://www.securitytracker.com/id/1035152
- http://www.ubuntu.com/usn/USN-2915-1
- http://www.ubuntu.com/usn/USN-2915-2
- http://www.ubuntu.com/usn/USN-2915-3
- https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0
- https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
- http://rhn.redhat.com/errata/RHSA-2016-0502.html
- http://rhn.redhat.com/errata/RHSA-2016-0504.html
- http://rhn.redhat.com/errata/RHSA-2016-0505.html
- http://rhn.redhat.com/errata/RHSA-2016-0506.html
- http://www.debian.org/security/2016/dsa-3544
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/83879
- http://www.securitytracker.com/id/1035152
- http://www.ubuntu.com/usn/USN-2915-1
- http://www.ubuntu.com/usn/USN-2915-2
- http://www.ubuntu.com/usn/USN-2915-3
- https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0
- https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
Published: 2016-04-08
Modified: 2025-04-12
Modified: 2025-04-12
CVE-2016-2513
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
Severity: LOW (2.6)Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
Severity: LOW (3.1)Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
References:
- http://rhn.redhat.com/errata/RHSA-2016-0502.html
- http://rhn.redhat.com/errata/RHSA-2016-0504.html
- http://rhn.redhat.com/errata/RHSA-2016-0505.html
- http://rhn.redhat.com/errata/RHSA-2016-0506.html
- http://www.debian.org/security/2016/dsa-3544
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/83878
- http://www.securitytracker.com/id/1035152
- http://www.ubuntu.com/usn/USN-2915-1
- http://www.ubuntu.com/usn/USN-2915-2
- http://www.ubuntu.com/usn/USN-2915-3
- https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab
- https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
- http://rhn.redhat.com/errata/RHSA-2016-0502.html
- http://rhn.redhat.com/errata/RHSA-2016-0504.html
- http://rhn.redhat.com/errata/RHSA-2016-0505.html
- http://rhn.redhat.com/errata/RHSA-2016-0506.html
- http://www.debian.org/security/2016/dsa-3544
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/83878
- http://www.securitytracker.com/id/1035152
- http://www.ubuntu.com/usn/USN-2915-1
- http://www.ubuntu.com/usn/USN-2915-2
- http://www.ubuntu.com/usn/USN-2915-3
- https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab
- https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
Published: 2016-08-05
Modified: 2025-04-12
Modified: 2025-04-12
CVE-2016-6186
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: MEDIUM (6.1)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
- http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html
- http://rhn.redhat.com/errata/RHSA-2016-1594.html
- http://rhn.redhat.com/errata/RHSA-2016-1595.html
- http://rhn.redhat.com/errata/RHSA-2016-1596.html
- http://seclists.org/fulldisclosure/2016/Jul/53
- http://www.debian.org/security/2016/dsa-3622
- http://www.securityfocus.com/archive/1/538947/100/0/threaded
- http://www.securityfocus.com/bid/92058
- http://www.securitytracker.com/id/1036338
- http://www.ubuntu.com/usn/USN-3039-1
- http://www.vulnerability-lab.com/get_content.php?id=1869
- https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158
- https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/
- https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
- https://www.exploit-db.com/exploits/40129/
- http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html
- http://rhn.redhat.com/errata/RHSA-2016-1594.html
- http://rhn.redhat.com/errata/RHSA-2016-1595.html
- http://rhn.redhat.com/errata/RHSA-2016-1596.html
- http://seclists.org/fulldisclosure/2016/Jul/53
- http://www.debian.org/security/2016/dsa-3622
- http://www.securityfocus.com/archive/1/538947/100/0/threaded
- http://www.securityfocus.com/bid/92058
- http://www.securitytracker.com/id/1036338
- http://www.ubuntu.com/usn/USN-3039-1
- http://www.vulnerability-lab.com/get_content.php?id=1869
- https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158
- https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/
- https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
- https://www.exploit-db.com/exploits/40129/
Published: 2016-10-03
Modified: 2025-04-12
Modified: 2025-04-12
CVE-2016-7401
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Severity: HIGH (7.5)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- http://rhn.redhat.com/errata/RHSA-2016-2038.html
- http://rhn.redhat.com/errata/RHSA-2016-2039.html
- http://rhn.redhat.com/errata/RHSA-2016-2040.html
- http://rhn.redhat.com/errata/RHSA-2016-2041.html
- http://rhn.redhat.com/errata/RHSA-2016-2042.html
- http://rhn.redhat.com/errata/RHSA-2016-2043.html
- http://www.debian.org/security/2016/dsa-3678
- http://www.securityfocus.com/bid/93182
- http://www.securitytracker.com/id/1036899
- http://www.ubuntu.com/usn/USN-3089-1
- https://www.djangoproject.com/weblog/2016/sep/26/security-releases/
- http://rhn.redhat.com/errata/RHSA-2016-2038.html
- http://rhn.redhat.com/errata/RHSA-2016-2039.html
- http://rhn.redhat.com/errata/RHSA-2016-2040.html
- http://rhn.redhat.com/errata/RHSA-2016-2041.html
- http://rhn.redhat.com/errata/RHSA-2016-2042.html
- http://rhn.redhat.com/errata/RHSA-2016-2043.html
- http://www.debian.org/security/2016/dsa-3678
- http://www.securityfocus.com/bid/93182
- http://www.securitytracker.com/id/1036899
- http://www.ubuntu.com/usn/USN-3089-1
- https://www.djangoproject.com/weblog/2016/sep/26/security-releases/
Published: 2022-05-14
Modified: 2024-09-17
Modified: 2024-09-17
GHSA-c8c8-9472-w52h
Django Cross-site scripting Vulnerability
Severity: MEDIUM (5.3)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.3)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-6186
- https://github.com/django/django/commit/6fa150b2f8b601668083042324c4add534143cb1
- https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158
- https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-2.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW
- https://web.archive.org/web/20201022155237/http://www.securityfocus.com/archive/1/538947/100/0/threaded
- https://web.archive.org/web/20210123154652/http://www.securityfocus.com/bid/92058
- https://web.archive.org/web/20211204042848/http://www.securitytracker.com/id/1036338
- https://www.djangoproject.com/weblog/2016/jul/18/security-releases
- https://www.exploit-db.com/exploits/40129
- http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html
- http://rhn.redhat.com/errata/RHSA-2016-1594.html
- http://rhn.redhat.com/errata/RHSA-2016-1595.html
- http://rhn.redhat.com/errata/RHSA-2016-1596.html
- http://seclists.org/fulldisclosure/2016/Jul/53
- http://www.debian.org/security/2016/dsa-3622
- http://www.ubuntu.com/usn/USN-3039-1
- http://www.vulnerability-lab.com/get_content.php?id=1869
Published: 2022-05-14
Modified: 2024-09-18
Modified: 2024-09-18
GHSA-crhm-qpjc-cm64
Django CSRF Protection Bypass
Severity: HIGH (8.7)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: HIGH (8.7)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-7401
- https://github.com/django/django/commit/6118ab7d0676f0d622278e5be215f14fb5410b6a
- https://github.com/django/django/commit/6fe846a8f08dc959003f298b5407e321c6fe3735
- https://github.com/django/django/commit/d1bc980db1c0fffd6d60677e62f70beadb9fe64a
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-3.yaml
- https://web.archive.org/web/20200227223637/http://www.securityfocus.com/bid/93182
- https://web.archive.org/web/20210927195154/http://www.securitytracker.com/id/1036899
- https://www.djangoproject.com/weblog/2016/sep/26/security-releases
- http://rhn.redhat.com/errata/RHSA-2016-2038.html
- http://rhn.redhat.com/errata/RHSA-2016-2039.html
- http://rhn.redhat.com/errata/RHSA-2016-2040.html
- http://rhn.redhat.com/errata/RHSA-2016-2041.html
- http://rhn.redhat.com/errata/RHSA-2016-2042.html
- http://rhn.redhat.com/errata/RHSA-2016-2043.html
- http://www.debian.org/security/2016/dsa-3678
- http://www.ubuntu.com/usn/USN-3089-1
Published: 2022-05-17
Modified: 2024-09-18
Modified: 2024-09-18
GHSA-fp6p-5xvw-m74f
Django User Enumeration Vulnerability
Severity: LOW (2.3)Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Severity: LOW (2.3)Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-2513
- https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab
- https://github.com/django/django/commit/af7d09b0c5c6ab68e629fd9baf736f9dd203b18e
- https://github.com/django/django/commit/f4e6e02f7713a6924d16540be279909ff4091eb6
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-16.yaml
- https://web.archive.org/web/20160322001143/http://www.securitytracker.com/id/1035152
- https://web.archive.org/web/20200228001222/http://www.securityfocus.com/bid/83878
- https://www.djangoproject.com/weblog/2016/mar/01/security-releases
- http://rhn.redhat.com/errata/RHSA-2016-0502.html
- http://rhn.redhat.com/errata/RHSA-2016-0504.html
- http://rhn.redhat.com/errata/RHSA-2016-0505.html
- http://rhn.redhat.com/errata/RHSA-2016-0506.html
- http://www.debian.org/security/2016/dsa-3544
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.ubuntu.com/usn/USN-2915-1
- http://www.ubuntu.com/usn/USN-2915-2
- http://www.ubuntu.com/usn/USN-2915-3
Published: 2022-05-17
Modified: 2024-09-18
Modified: 2024-09-18
GHSA-pw27-w7w4-9qc7
Django XSS Vulnerability
Severity: MEDIUM (6.3)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Severity: MEDIUM (6.3)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-2512
- https://github.com/django/django/commit/382ab137312961ad62feb8109d70a5a581fe8350
- https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0
- https://github.com/django/django/commit/fc6d147a63f89795dbcdecb0559256470fff4380
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-15.yaml
- https://web.archive.org/web/20210123090815/http://www.securityfocus.com/bid/83879
- https://web.archive.org/web/20210413200202/http://www.securitytracker.com/id/1035152
- https://www.djangoproject.com/weblog/2016/mar/01/security-releases
- http://rhn.redhat.com/errata/RHSA-2016-0502.html
- http://rhn.redhat.com/errata/RHSA-2016-0504.html
- http://rhn.redhat.com/errata/RHSA-2016-0505.html
- http://rhn.redhat.com/errata/RHSA-2016-0506.html
- http://www.debian.org/security/2016/dsa-3544
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.ubuntu.com/usn/USN-2915-1
- http://www.ubuntu.com/usn/USN-2915-2
- http://www.ubuntu.com/usn/USN-2915-3
Package make-initrd-propagator updated to version 0.31-alt1 for branch sisyphus in task 171337.
Closed bugs
вернуть возможность запуска livecd без rw slice на флэшке
Сеансовый livecd может сделать заведомо слишком маленький rw-раздел
Package mate-session updated to version 1.16.0-alt2_1 for branch sisyphus in task 171341.
Closed bugs
Разные поля Exec