ALT-BU-2018-3302-3
Branch sisyphus update bulletin.
Closed bugs
Unable to download metadata during automatic installation from disk
Package matrix-synapse updated to version 0.29.1-alt1 for branch sisyphus in task 208138.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2018-10657
Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018.
- https://github.com/matrix-org/synapse/commit/33f469ba19586bbafa0cf2c7d7c35463bdab87eb
- https://matrix.org/blog/2018/05/01/security-update-synapse-0-28-1/
Modified: 2023-10-06
GHSA-vmcc-4p4x-x7wg
Matrix Synapse DoS
- https://nvd.nist.gov/vuln/detail/CVE-2018-10657
- https://github.com/matrix-org/synapse/commit/33f469ba19586bbafa0cf2c7d7c35463bdab87eb
- https://docs.google.com/document/d/1I3fi2S-XnpO45qrpCsowZv8P8dHcNZ4fsBsbOW7KABI/edit#heading=h.fj95ykuss7s1
- https://github.com/matrix-org/synapse
- https://matrix.org/blog/2018/05/01/security-update-synapse-0-28-1
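The depth value in the CVE text, 2^63 - 1, is the largest signed 64-bit integer. The following is an added example (not Synapse's own code) that shows why a single event at that depth is enough to break a room if depths from federation peers are trusted: the usual "one more than the deepest parent" rule produces 2^63, which no longer fits a signed 64-bit column. The assumption that the depth is stored in such a column, and the function and constant names, are this example's own.

```python
# Largest signed 64-bit value; equal to the depth named in CVE-2018-10657.
MAX_DEPTH = 2**63 - 1
INT64_MIN, INT64_MAX = -2**63, 2**63 - 1


def fits_int64(n: int) -> bool:
    """True if n can be stored in a signed 64-bit (e.g. SQL BIGINT) column."""
    return INT64_MIN <= n <= INT64_MAX


def naive_next_depth(prev_depths) -> int:
    """Vulnerable pattern: trust peer-supplied depths and add one.

    A parent at depth 2**63 - 1 yields 2**63 for every child, so (under the
    assumption of a signed 64-bit storage column) each new event in the room
    fails to persist and the room becomes unusable.
    """
    return max(prev_depths, default=0) + 1


def validate_depth(depth) -> None:
    """Reject a federation event whose depth is not an integer in [0, MAX_DEPTH].

    bool is excluded explicitly because it is an int subclass in Python.
    """
    if isinstance(depth, bool) or not isinstance(depth, int):
        raise ValueError(f"depth must be an integer, got {depth!r}")
    if not 0 <= depth <= MAX_DEPTH:
        raise ValueError(f"depth {depth} outside [0, {MAX_DEPTH}]")


def hardened_next_depth(prev_depths) -> int:
    """Validate every parent depth, then cap the result at MAX_DEPTH.

    Capping rather than rejecting keeps the room usable even if a maximal
    depth has already been accepted into the graph.
    """
    for d in prev_depths:
        validate_depth(d)
    return min(max(prev_depths, default=0) + 1, MAX_DEPTH)


if __name__ == "__main__":
    # Constructed parent depths: one ordinary event and one at the maximum.
    poisoned = [41, MAX_DEPTH]
    print("naive   :", naive_next_depth(poisoned), fits_int64(naive_next_depth(poisoned)))
    print("hardened:", hardened_next_depth(poisoned), fits_int64(hardened_next_depth(poisoned)))
```

Two checks are needed, not one: validate depths on the way in from federation so that out-of-range or non-integer values are rejected before they reach the room graph, and cap the derived depth so that a maximal value which is already present cannot push its descendants past the storable range.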
Closed vulnerabilities
Modified: 2025-04-20
CVE-2017-1000229
An integer overflow in the minitiff_read_info() function of OptiPNG 0.7.6 allows a remote attacker to execute code or cause a denial of service.
- https://lists.debian.org/debian-lts-announce/2017/11/msg00030.html
- https://security.gentoo.org/glsa/201801-02
- https://sourceforge.net/p/optipng/bugs/65/
- https://www.debian.org/security/2017/dsa-4058
Modified: 2025-04-20
CVE-2017-16938
A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to cause a denial of service or have other unspecified impact via a maliciously crafted GIF file, related to an uncontrolled loop in the LZWReadByte function of gifread.c.
- https://lists.debian.org/debian-lts-announce/2017/11/msg00042.html
- https://security.gentoo.org/glsa/201801-02
- https://sourceforge.net/p/optipng/bugs/69/
- https://www.debian.org/security/2017/dsa-4058
Package python-module-bleach updated to version 2.1.3-alt1 for branch sisyphus in task 208172.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2018-7753
An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.
- https://bugs.debian.org/892252
- https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef
- https://github.com/mozilla/bleach/releases/tag/v2.1.3
Modified: 2024-09-04
GHSA-m9mq-p2f9-cfqv
Bleach URI Scheme Restriction Bypass
- https://nvd.nist.gov/vuln/detail/CVE-2018-7753
- https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef
- https://bugs.debian.org/892252
- https://github.com/mozilla/bleach
- https://github.com/mozilla/bleach/releases/tag/v2.1.3
- https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2018-51.yaml
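The bypass described for CVE-2018-7753 relies on the sanitizer inspecting the attribute text before HTML character entities are decoded, while the browser decodes them afterwards. The following is an added example, not Bleach's own code: a naive scheme check of that kind next to an entity-aware one. The allowlist, the normalisation steps and the function names are this example's own choices; the probes are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example; not Bleach's default list.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Tab, LF and CR are dropped by browsers when parsing a URL; left in place
# they can hide a scheme from a checker that does not drop them too.
_BROWSER_STRIPPED = re.compile(r"[\t\n\r]")


def naive_uri_allowed(value: str, allowed=ALLOWED_SCHEMES) -> bool:
    """Vulnerable pattern: decide on the raw attribute text.

    A value containing no ':' is taken to be a relative URL and passed through.
    Writing the colon as '&colon;' or '&#58;' therefore slips past this check,
    but the browser decodes the entity and sees 'javascript:alert(1)'.
    """
    if ":" not in value:
        return True
    scheme = value.split(":", 1)[0].strip().lower()
    return scheme in allowed


def hardened_uri_allowed(value: str, allowed=ALLOWED_SCHEMES) -> bool:
    """Decode entities first, normalise the way a browser would, then check.

    This is the class of fix the Bleach 2.1.3 release describes (checking the
    decoded value); the exact normalisation here is this example's own.
    """
    decoded = html.unescape(value)                      # &colon; -> ':' , &#58; -> ':'
    decoded = _BROWSER_STRIPPED.sub("", decoded).strip()
    scheme = urlsplit(decoded).scheme                   # '' for relative URLs, else lower-cased
    if not scheme:
        return True                                     # relative URL, nothing to allowlist
    return scheme in allowed


# Constructed probes, as they would appear inside an href="..." attribute.
SAMPLES = [
    "https://example.org/page",        # benign absolute URL
    "/relative/path?x=a:b",            # relative URL with a colon in the query
    "javascript:alert(1)",             # obvious, both checks reject it
    "javascript&colon;alert(1)",       # the bypass: colon as a named entity
    "javascript&#58;alert(1)",         # the bypass: colon as a numeric entity
    "java&Tab;script:alert(1)",        # tab entity inside the scheme
    "JAVASCRIPT:alert(1)",             # case variation
]


def evaluate(values=SAMPLES):
    """Return {value: (naive_verdict, hardened_verdict)} for each probe."""
    return {v: (naive_uri_allowed(v), hardened_uri_allowed(v)) for v in values}


if __name__ == "__main__":
    for value, (naive, hardened) in evaluate().items():
        print(f"{value!r:36} naive={naive!s:5} hardened={hardened!s:5}")
```

The rule the example enforces is general: any allowlist decision about a URI must be made on the value the consumer will actually interpret, so decode entities and apply the same character stripping the browser does before looking for the scheme separator.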
