ALT-BU-2018-3125-1
Branch p8 update bulletin.
Package firefox-esr updated to version 52.7.0-alt0.M80P.1 for branch p8 in task 201658.
Closed vulnerabilities
BDU:2023-01886
Vulnerability in the Mozilla Firefox ESR browser and the Thunderbird mail client, related to an operation exceeding the bounds of a memory buffer, allowing an attacker to execute arbitrary code
Modified: 2024-11-21
CVE-2018-5144
An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7.
- 103384
- 1040514
- RHSA-2018:0526
- RHSA-2018:0527
- RHSA-2018:0647
- RHSA-2018:0648
- https://bugzilla.mozilla.org/show_bug.cgi?id=1440926
- [debian-lts-announce] 20180315 [SECURITY] [DLA 1308-1] firefox-esr security update
- [debian-lts-announce] 20180329 [SECURITY] [DLA 1327-1] thunderbird security update
- GLSA-201810-01
- GLSA-201811-13
- USN-3545-1
- DSA-4139
- DSA-4155
- https://www.mozilla.org/security/advisories/mfsa2018-07/
- https://www.mozilla.org/security/advisories/mfsa2018-09/
Modified: 2024-11-21
CVE-2018-5145
Memory safety bugs were reported in Firefox ESR 52.6. These bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7.
- 103384
- 1040514
- RHSA-2018:0526
- RHSA-2018:0527
- RHSA-2018:0647
- RHSA-2018:0648
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1261175%2C1348955
- [debian-lts-announce] 20180315 [SECURITY] [DLA 1308-1] firefox-esr security update
- [debian-lts-announce] 20180329 [SECURITY] [DLA 1327-1] thunderbird security update
- GLSA-201811-13
- USN-3545-1
- DSA-4139
- DSA-4155
- https://www.mozilla.org/security/advisories/mfsa2018-07/
- https://www.mozilla.org/security/advisories/mfsa2018-09/
Closed vulnerabilities
BDU:2019-01781
Vulnerability in the BGP protocol implementation of the Quagga software, related to a double free of memory, allowing an attacker to cause a denial of service or execute arbitrary code
BDU:2019-03925
Vulnerability in the bgpd daemon of the Quagga software package, allowing an attacker to cause a denial of service
Modified: 2024-11-21
CVE-2018-5378
The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash.
- http://savannah.nongnu.org/forum/forum.php?forum_id=9095
- VU#940439
- https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-0543.txt
- GLSA-201804-17
- USN-3573-1
- DSA-4115
Modified: 2024-11-21
CVE-2018-5379
The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or potentially allow an attacker to execute arbitrary code.
- http://savannah.nongnu.org/forum/forum.php?forum_id=9095
- VU#940439
- 103105
- RHSA-2018:0377
- https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf
- https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1114.txt
- [debian-lts-announce] 20180216 [SECURITY] [DLA 1286-1] quagga security update
- GLSA-201804-17
- USN-3573-1
- DSA-4115
Modified: 2024-11-21
CVE-2018-5380
The Quagga BGP daemon (bgpd) prior to version 1.2.3 can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input.
- http://savannah.nongnu.org/forum/forum.php?forum_id=9095
- VU#940439
- https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf
- https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1550.txt
- [debian-lts-announce] 20180216 [SECURITY] [DLA 1286-1] quagga security update
- GLSA-201804-17
- USN-3573-1
- DSA-4115
Modified: 2024-11-21
CVE-2018-5381
The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service.
- http://savannah.nongnu.org/forum/forum.php?forum_id=9095
- VU#940439
- https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf
- https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1975.txt
- [debian-lts-announce] 20180216 [SECURITY] [DLA 1286-1] quagga security update
- GLSA-201804-17
- USN-3573-1
- DSA-4115
Closed bugs
LXQt does not start. A rebuild is required.
Package kernel-image-std-def updated to version 4.9.86-alt0.M80P.1 for branch p8 in task 201654.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2018-1000028
Linux kernel version after commit bdcf0a423ea1 - 4.15-rc4+, 4.14.8+, 4.9.76+, 4.4.111+ contains an Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appears to be exploitable when the NFS server exports a filesystem with the "rootsquash" option enabled. This vulnerability appears to have been fixed after commit 1995266727fa.