ALT-BU-2016-3086-1
Branch sisyphus update bulletin.
Closed vulnerabilities
BDU:2021-01890
Vulnerability in the lldp_decode function (daemon/protocols/lldp.c) of lldpd, an LLDP implementation for Unix, caused by a memory buffer overflow; it allows an attacker to read confidential data, compromise its integrity and cause a denial of service
Modified: 2024-11-21
CVE-2015-8011
Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors involving large management addresses and TLV boundaries.
- http://www.openwall.com/lists/oss-security/2015/10/16/2
- http://www.openwall.com/lists/oss-security/2015/10/30/2
- https://cert-portal.siemens.com/productcert/pdf/ssa-941426.pdf
- https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
- [debian-lts-announce] 20210219 [SECURITY] [DLA 2571-1] openvswitch security update
- FEDORA-2021-fba11d37ee
- https://us-cert.cisa.gov/ics/advisories/icsa-21-194-07
- DSA-4836
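The overflow behind CVE-2015-8011 is a length-trust problem: the Management Address TLV carries its own inner address-string length, and a decoder that copies that many bytes into a fixed buffer without checking the value against both the buffer size and the enclosing TLV's length reads and writes past the boundary. The parser below is an added example written for this bulletin in Python, not lldpd's code; it walks the 802.1AB TLV chain with every length checked before any slice is taken. The sample PDUs are constructed, the 32-byte cap on the address string is an assumption standing in for the fixed buffer, and both malformed cases (inner length running past the TLV, outer length running past the PDU) are rejected instead of being read.

```python
import struct

# TLV types used here (IEEE 802.1AB). Type is 7 bits, length 9 bits.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_MGMT_ADDR = 0, 1, 2, 3, 8
# Cap on the management "address string" (subtype byte + address). Assumed for
# this example; it plays the role of the fixed-size buffer a C decoder fills.
MAX_ADDR_STR_LEN = 32


class MalformedLLDP(ValueError):
    """Raised instead of reading past a TLV or PDU boundary."""


def parse_mgmt_addr(body: bytes) -> dict:
    """Decode a Management Address TLV body, checking every length first."""
    if len(body) < 1:
        raise MalformedLLDP("mgmt addr: missing address string length")
    addr_str_len = body[0]                      # covers subtype byte + address
    if not 1 <= addr_str_len <= MAX_ADDR_STR_LEN:
        raise MalformedLLDP("mgmt addr: address string length %d out of range" % addr_str_len)
    # address string, then interface numbering subtype (1) + interface number (4)
    if len(body) < 1 + addr_str_len + 5:
        raise MalformedLLDP("mgmt addr: address string runs past the TLV")
    subtype, address = body[1], body[2:1 + addr_str_len]
    off = 1 + addr_str_len
    if_subtype = body[off]
    if_number = struct.unpack("!I", body[off + 1:off + 5])[0]
    off += 5
    if len(body) < off + 1:
        raise MalformedLLDP("mgmt addr: missing OID length")
    oid_len = body[off]
    if len(body) < off + 1 + oid_len:
        raise MalformedLLDP("mgmt addr: OID runs past the TLV")
    return {"subtype": subtype, "address": address, "if_subtype": if_subtype,
            "if_number": if_number, "oid": body[off + 1:off + 1 + oid_len]}


def parse_lldpdu(pdu: bytes) -> list:
    """Walk the TLV chain; each TLV length is checked against the bytes left."""
    tlvs, off = [], 0
    while True:
        if len(pdu) - off < 2:
            raise MalformedLLDP("truncated TLV header")
        header = struct.unpack("!H", pdu[off:off + 2])[0]
        tlv_type, tlv_len = header >> 9, header & 0x1FF
        off += 2
        if tlv_len > len(pdu) - off:
            raise MalformedLLDP("TLV type %d: length %d exceeds PDU" % (tlv_type, tlv_len))
        body, off = pdu[off:off + tlv_len], off + tlv_len
        if tlv_type == TLV_END:
            if tlv_len:
                raise MalformedLLDP("End of LLDPDU TLV must be empty")
            return tlvs
        tlvs.append((tlv_type, parse_mgmt_addr(body) if tlv_type == TLV_MGMT_ADDR else body))


def is_well_formed(pdu: bytes) -> bool:
    try:
        parse_lldpdu(pdu)
        return True
    except MalformedLLDP:
        return False


# ---- constructed sample PDUs (built here, not captured traffic) ----

def tlv(tlv_type: int, body: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(body)) + body


def mgmt_addr_tlv(address: bytes, subtype: int = 1, if_subtype: int = 2,
                  if_number: int = 1, oid: bytes = b"") -> bytes:
    body = (bytes([1 + len(address), subtype]) + address + bytes([if_subtype])
            + struct.pack("!I", if_number) + bytes([len(oid)]) + oid)
    return tlv(TLV_MGMT_ADDR, body)


MANDATORY = (tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("001122334455"))  # subtype 4: MAC
             + tlv(TLV_PORT_ID, b"\x05eth0")                               # subtype 5: ifName
             + tlv(TLV_TTL, struct.pack("!H", 120)))
END = tlv(TLV_END, b"")

GOOD_PDU = MANDATORY + mgmt_addr_tlv(bytes([192, 0, 2, 10])) + END

# Inner address string length claims 32 bytes while the TLV carries only 6:
# a decoder trusting the inner length reads past the TLV boundary.
BAD_INNER_LEN_PDU = MANDATORY + tlv(TLV_MGMT_ADDR, b"\x20\x01" + bytes([192, 0, 2, 10])) + END

# Outer TLV length set to the 9-bit maximum, far past the end of the PDU.
BAD_OUTER_LEN_PDU = (MANDATORY + struct.pack("!H", (TLV_MGMT_ADDR << 9) | 0x1FF)
                     + b"\x05\x01" + bytes([192, 0, 2, 10]) + END)

if __name__ == "__main__":
    for name, pdu in [("good", GOOD_PDU), ("bad inner length", BAD_INNER_LEN_PDU),
                      ("bad outer length", BAD_OUTER_LEN_PDU)]:
        print(name, "->", "accepted" if is_well_formed(pdu) else "rejected")
```

The two checks are independent and both are needed: the outer check keeps the TLV walk inside the frame, the inner check keeps the address copy inside the TLV and inside the destination buffer. A fuzzer that flips only the 9-bit TLV length will never hit the second one.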
Modified: 2024-11-21
CVE-2015-8012
lldpd before 0.8.0 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet.
- http://www.openwall.com/lists/oss-security/2015/10/18/2
- http://www.openwall.com/lists/oss-security/2015/10/30/2
- https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
- https://github.com/vincentbernat/lldpd/commit/9221b5c249f9e4843f77c7f888d5705348d179c0
Package owncloud-client updated to version 2.2.4-alt1 for branch sisyphus in task 171294.
Closed bugs
Please update the ownCloud client
Closed bugs
cinnamon-menu-editor is missing
Closed bugs
User avatars are not displayed
Package python-module-django updated to version 1.8.15-alt1 for branch sisyphus in task 171331.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2016-2512
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
- RHSA-2016:0502
- RHSA-2016:0504
- RHSA-2016:0505
- RHSA-2016:0506
- DSA-3544
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- 83879
- 1035152
- USN-2915-1
- USN-2915-2
- USN-2915-3
- https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0
- https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
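CVE-2016-2512 turns on one character. Some browsers read a backslash as a slash, so a redirect check that folds backslashes to slashes before parsing sees http://mysite.example.com/@attacker.com, a same-host path, and accepts it; a browser that does not fold the backslash parses the original string as basic-auth credentials "mysite.example.com\" for host attacker.com and lands on the attacker's site. The referenced fix commit requires the URL to pass both unmodified and with backslashes folded. The checker below is an added example written for this bulletin, not Django's is_safe_url; the host name, the helper names, the sample URLs and the extra rejections of a leading control character and a "///" prefix are this example's own choices.

```python
import unicodedata
from urllib.parse import urlparse


def _same_origin(url: str, host: str) -> bool:
    """True for relative URLs and http(s) URLs whose netloc is exactly host."""
    if url.startswith("///"):               # browsers treat ///host as scheme-relative
        return False
    parts = urlparse(url)
    if parts.scheme and not parts.netloc:   # http:///attacker.com: host lands in the path
        return False
    return ((not parts.netloc or parts.netloc == host)
            and (not parts.scheme or parts.scheme in ("http", "https")))


def is_safe_url_lenient(url: str, host: str) -> bool:
    """The bypassable pattern: fold backslashes to slashes once, then check."""
    url = url.strip()
    if not url:
        return False
    return _same_origin(url.replace("\\", "/"), host)


def is_safe_url(url: str, host: str) -> bool:
    """Hardened: the URL must pass both as given and with backslashes folded."""
    url = url.strip()
    if not url:
        return False
    if unicodedata.category(url[0])[0] == "C":  # leading control character
        return False
    return _same_origin(url, host) and _same_origin(url.replace("\\", "/"), host)


HOST = "mysite.example.com"                                # assumed site host
PAYLOAD = "http://mysite.example.com\\@attacker.com"       # the URL named in the advisory

if __name__ == "__main__":
    for candidate in (PAYLOAD, "/accounts/profile/", "https://mysite.example.com/next",
                      "//attacker.com/", "http:///attacker.com", "\x00//attacker.com"):
        print("%-45r lenient=%-5s hardened=%s" % (candidate,
              is_safe_url_lenient(candidate, HOST), is_safe_url(candidate, HOST)))
```

Checking both forms works because the two parsers disagree only on attacker-controlled input: a normal same-site URL contains no backslash and passes both checks unchanged.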
Modified: 2024-11-21
CVE-2016-2513
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
- RHSA-2016:0502
- RHSA-2016:0504
- RHSA-2016:0505
- RHSA-2016:0506
- DSA-3544
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- 83878
- 1035152
- USN-2915-1
- USN-2915-2
- USN-2915-3
- https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab
- https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
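In CVE-2016-2513 the expensive password hash is computed only when the username exists, so a login attempt against a nonexistent account returns measurably faster than one against a real account with a wrong password, and response time becomes a username oracle. The fix runs the hasher on a dummy password for unknown users so both paths cost the same. The store below is an added example written for this bulletin (PBKDF2 through hashlib, not Django's hasher) showing the leaky and the constant-work variants side by side; the iteration count, the dummy salt and the hash_calls counter used to show the difference are this example's own choices.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000          # modest for the example; production uses more
DUMMY_SALT = os.urandom(16)  # fixed per process; only used to burn equal time


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class UserStore:
    """Minimal credential store; hash_calls counts how often the hasher ran."""

    def __init__(self):
        self.users = {}          # username -> (salt, digest)
        self.hash_calls = 0

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def _hash(self, password: str, salt: bytes) -> bytes:
        self.hash_calls += 1
        return hash_password(password, salt)

    def authenticate_leaky(self, username: str, password: str) -> bool:
        """Unknown users return at once: response time reveals which names exist."""
        record = self.users.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(self._hash(password, salt), digest)

    def authenticate(self, username: str, password: str) -> bool:
        """Unknown users pay the same hashing cost against a dummy salt."""
        record = self.users.get(username)
        if record is None:
            self._hash(password, DUMMY_SALT)   # same work, result discarded
            return False
        salt, digest = record
        return hmac.compare_digest(self._hash(password, salt), digest)


def median_seconds(fn, *args, rounds: int = 5) -> float:
    """Median wall-clock time of fn(*args); used only for the demo below."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[rounds // 2]


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    for label, method in (("leaky", store.authenticate_leaky), ("fixed", store.authenticate)):
        known = median_seconds(method, "alice", "wrong password")
        unknown = median_seconds(method, "nobody", "wrong password")
        print("%s: known user %.4fs, unknown user %.4fs" % (label, known, unknown))
```

hmac.compare_digest keeps the digest comparison itself constant-time; the dummy hash is what removes the much larger gap between "user found" and "user not found". Both are needed, and the dummy work must use the same algorithm and iteration count as real records, otherwise the oracle merely shrinks.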
Modified: 2024-11-21
CVE-2016-6186
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
- http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html
- RHSA-2016:1594
- RHSA-2016:1595
- RHSA-2016:1596
- 20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)
- DSA-3622
- 92058
- 1036338
- USN-3039-1
- http://www.vulnerability-lab.com/get_content.php?id=1869
- https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158
- https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
- FEDORA-2016-b7e31a0b9a
- FEDORA-2016-97ca9d52a4
- https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
- 40129
Modified: 2024-11-21
CVE-2016-7401
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
- RHSA-2016:2038
- RHSA-2016:2039
- RHSA-2016:2040
- RHSA-2016:2041
- RHSA-2016:2042
- RHSA-2016:2043
- DSA-3678
- 93182
- 1036899
- USN-3089-1
- https://www.djangoproject.com/weblog/2016/sep/26/security-releases/
Package make-initrd-propagator updated to version 0.31-alt1 for branch sisyphus in task 171337.
Closed bugs
Restore the ability to boot the livecd without an rw slice on the flash drive
A session livecd may create an rw partition that is clearly too small
Package mate-session updated to version 1.16.0-alt2_1 for branch sisyphus in task 171341.
Closed bugs
Differing Exec fields