ALT-BU-2017-3552-3

Branch sisyphus update bulletin.

Package pinentry updated to version 1.0.0-alt2.S1 for branch sisyphus in task 195934.

typo: s/qt4/qt5/

Package libraw updated to version 0.18.6-alt1 for branch sisyphus in task 195936.

Уязвимость компонента internal/dcraw_common.cpp библиотеки для обработки изображений LibRaw, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Severity: HIGH (7.1)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

References:

CVE-2017-16910

Уязвимость компонента dcraw_common.cpp библиотеки для обработки изображений LibRaw, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Severity: HIGH (8.8)Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: CRITICAL (9.3)Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

References:

CVE-2017-16909

An error related to the "LibRaw::panasonic_load_raw()" function (dcraw_common.cpp) in LibRaw versions prior to 0.18.6 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash via a specially crafted TIFF image.

Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: HIGH (8.8)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

An error within the "LibRaw::xtrans_interpolate()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.6 can be exploited to cause an invalid read memory access and subsequently a Denial of Service condition.

Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Severity: MEDIUM (6.5)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Package redshift updated to version 1.11-alt3 for branch sisyphus in task 195936.

redshift-gtk is broken

Package pve-qemu updated to version 2.9.1-alt4 for branch sisyphus in task 195938.

Уязвимость компонента Virtio Vring эмулятора аппаратного обеспечения QEMU, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5)Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Severity: MEDIUM (4.6)Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C

References:

CVE-2017-17381

The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings.

Severity: LOW (2.1)Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

References:

Package bind updated to version 9.11.2-alt2 for branch sisyphus in task 195945.

Не работает rndc при запуске bind без chroot

Package mariadb updated to version 10.1.29-alt1.S1 for branch sisyphus in task 195960.

Уязвимость компонента Server:Replication системы управления базами данных Oracle MySQL, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным

Severity: MEDIUM (4.1)Vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Severity: MEDIUM (4.4)Vector: AV:L/AC:M/Au:S/C:C/I:N/A:N

References:

CVE-2017-10268

Уязвимость компонента Server:Optimizer системы управления базами данных Oracle MySQL, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: MEDIUM (6.8)Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C

References:

CVE-2017-10378

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).

Severity: LOW (1.5)Vector: AV:L/AC:M/Au:S/C:P/I:N/A:N

Severity: MEDIUM (4.1)Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Package borg updated to version 1.1.3-alt1 for branch sisyphus in task 195957.

Incorrect implementation of access controls allows remote users to override repository restrictions in Borg servers 1.1.x before 1.1.3.

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: HIGH (8.8)Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Borg Improper Access Control vulnerability

Severity: HIGH (8.8)Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Version: 2.1.2

Branch sisyphus update on 2017-12-08

ALT-BU-2017-3552-3

ALT-PU-2017-2754-1

Closed bugs

Bug #34290

ALT-PU-2017-2757-1

Closed vulnerabilities

BDU:2022-05947

BDU:2022-06038

CVE-2017-16909

CVE-2017-16910

ALT-PU-2017-2758-1

Closed bugs

Bug #34289

ALT-PU-2017-2764-1

Closed vulnerabilities

BDU:2019-04122

CVE-2017-17381

ALT-PU-2017-2766-1

Closed bugs

Bug #34292

ALT-PU-2017-2768-1

Closed vulnerabilities

BDU:2020-00675

BDU:2020-00677

CVE-2017-10268

CVE-2017-10378

ALT-PU-2017-3587-2

Closed vulnerabilities

CVE-2017-15914

GHSA-8q8v-28rm-qw4w