ALT-BU-2017-3230-2

Branch sisyphus update bulletin.

Package nginx updated to version 1.12.1-alt1.S1 for branch sisyphus in task 185277.

Уязвимость модуля фильтра диапазона nginx HTTP-сервера nginx, позволяющая нарушителю раскрыть защищаемую информацию

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

References:

CVE-2017-7529

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Package libva-driver-intel updated to version 1.8.3-alt2.S1 for branch sisyphus in task 185275.

wrong package summary

Package ocaml updated to version 4.04.2-alt1.S1 for branch sisyphus in task 185009.

Insufficient sanitisation in the OCaml compiler versions 4.04.0 and 4.04.1 allows external code to be executed with raised privilege in binaries marked as setuid, by setting the CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, or CAML_BYTE_CPLUGINS environment variable.

Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: CRITICAL (9.8)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

OCaml compiler allows attackers to have unspecified impact via unknown vectors, a similar issue to CVE-2017-9772 "but with much less impact."

Severity: HIGH (7.2)Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Severity: HIGH (7.8)Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Version: 2.1.2

Branch sisyphus update on 2017-07-12

ALT-BU-2017-3230-2

ALT-PU-2017-1846-2

Closed vulnerabilities

BDU:2021-03045

CVE-2017-7529

ALT-PU-2017-1847-1

Closed bugs

Bug #33639

ALT-PU-2017-1849-1

Closed vulnerabilities

CVE-2017-9772

CVE-2017-9779