ALT Linux Team

Branch sisyphus update on 2017-10-21

2017-10-21

ALT-BU-2017-3443-1

Branch sisyphus update bulletin.

ALT-PU-2017-2477-1

Package apache2 updated to version 2.4.28-alt1.S1 for branch sisyphus in task 190885.

Closed vulnerabilities

Published: 2017-09-18

BDU:2018-00103

Уязвимость функции ap_limit_section httpd-демона веб-сервера Apache HTTP Server, позволяющая нарушителю получить доступ к данным из памяти процесса

Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Published: 2017-09-18
Modified: 2024-11-21

CVE-2017-9798

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:

Closed bugs

Bug #31062

нестабильно работает service httpd2 restart

Bug #32269

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd2/conf/sites-enabled/ports_all.conf:9

Bug #33978

автоматически не стартует при холодном старте системы

ALT-PU-2017-2478-1

Package libXfont updated to version 1.5.3-alt1 for branch sisyphus in task 191287.

Closed vulnerabilities

Published: 2017-10-11
Modified: 2024-11-21

CVE-2017-13720

In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection can cause a buffer over-read during pattern matching of fonts, leading to information disclosure or a crash (denial of service). This occurs because '\0' characters are incorrectly skipped in situations involving ? characters.

Severity: HIGH (7.1) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
References:
Published: 2017-10-11
Modified: 2024-11-21

CVE-2017-13722

In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used by local attackers authenticated to an Xserver for a buffer over-read, for information disclosure or a crash of the X server.

Severity: HIGH (7.1) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
References:

ALT-PU-2017-2480-1

Package libXfont2 updated to version 2.0.2-alt1 for branch sisyphus in task 191297.

Closed vulnerabilities

Published: 2017-10-11
Modified: 2024-11-21

CVE-2017-13720

In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection can cause a buffer over-read during pattern matching of fonts, leading to information disclosure or a crash (denial of service). This occurs because '\0' characters are incorrectly skipped in situations involving ? characters.

Severity: HIGH (7.1) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
References:
Published: 2017-10-11
Modified: 2024-11-21

CVE-2017-13722

In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used by local attackers authenticated to an Xserver for a buffer over-read, for information disclosure or a crash of the X server.

Severity: HIGH (7.1) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top