ALT-BU-2018-3233-1
Branch sisyphus update bulletin.
Closed vulnerabilities
BDU:2019-00438
Уязвимость функции PyString_DecodeEscape интерпретатора языка программирования Python (CPython), позволяющая нарушителю выполнить произвольный код
BDU:2023-01646
Уязвимость компонента Lib/webbrowser.py интерпретатора языка программирования Python, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2017-1000158
CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)
- 1039890
- 1039890
- https://bugs.python.org/issue30657
- https://bugs.python.org/issue30657
- [debian-lts-announce] 20171124 [SECURITY] [DLA 1189-1] python2.7 security update
- [debian-lts-announce] 20171124 [SECURITY] [DLA 1189-1] python2.7 security update
- [debian-lts-announce] 20171124 [SECURITY] [DLA 1190-1] python2.6 security update
- [debian-lts-announce] 20171124 [SECURITY] [DLA 1190-1] python2.6 security update
- [debian-lts-announce] 20180925 [SECURITY] [DLA 1519-1] python2.7 security update
- [debian-lts-announce] 20180925 [SECURITY] [DLA 1519-1] python2.7 security update
- [debian-lts-announce] 20180926 [SECURITY] [DLA 1520-1] python3.4 security update
- [debian-lts-announce] 20180926 [SECURITY] [DLA 1520-1] python3.4 security update
- GLSA-201805-02
- GLSA-201805-02
- https://security.netapp.com/advisory/ntap-20230216-0001/
- https://security.netapp.com/advisory/ntap-20230216-0001/
- DSA-4307
- DSA-4307
Modified: 2024-11-21
CVE-2017-17522
Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting
Closed bugs
spoils buildreq results again (while reading the list of available pkgs)
Closed vulnerabilities
BDU:2018-00493
Уязвимость реализации команды «go get» языка программирования Go, позволяющая нарушителю выполнять произвольные команды
BDU:2019-00903
Уязвимость реализации команды «go get» программного пакета Go, позволяющая нарушителю удаленно выполнить команду «go get»
Modified: 2024-11-21
CVE-2018-6574
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
- RHSA-2018:0878
- RHSA-2018:0878
- RHSA-2018:1304
- RHSA-2018:1304
- https://github.com/golang/go/issues/23672
- https://github.com/golang/go/issues/23672
- https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
- https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
- https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
- https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
- https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
- https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
- DSA-4380
- DSA-4380
Modified: 2024-11-21
CVE-2018-7187
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
- https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc
- https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc
- https://github.com/golang/go/issues/23867
- https://github.com/golang/go/issues/23867
- [debian-lts-announce] 20180225 [SECURITY] [DLA 1294-1] golang security update
- [debian-lts-announce] 20180225 [SECURITY] [DLA 1294-1] golang security update
- GLSA-201804-12
- GLSA-201804-12
- DSA-4379
- DSA-4379
- DSA-4380
- DSA-4380