2018-06-17
ALT-BU-2018-3311-1
Branch sisyphus update bulletin.
Package devscripts updated to version 2.18.3-alt1_1 for branch sisyphus in task 208523.
Closed vulnerabilities
Published: 2015-04-28
Modified: 2024-07-05
Modified: 2024-07-05
BDU:2015-02662
Уязвимости операционной системы Debian GNU/Linux, позволяющие удаленному злоумышленнику нарушить конфиденциальность, целостность и доступность защищаемой информации
Severity: HIGH (7.5)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Published: 2017-11-03
Modified: 2021-03-23
Modified: 2021-03-23
BDU:2017-02344
Уязвимость пакета сценариев devscripts (scripts/licensecheck.pl) для операционной системы Fedora, позволяющая нарушителю выполнить произвольные shell-команды
Severity: HIGH (7.8)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.2)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2014-01-07
Modified: 2025-04-11
Modified: 2025-04-11
CVE-2013-6888
Uscan in devscripts before 2.13.9 allows remote attackers to execute arbitrary code via a crafted tarball.
Severity: HIGH (7.5)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
- http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git%3Ba=commitdiff%3Bh=02c6850d973e3e1246fde72edab27f03d63acc52
- http://marc.info/?l=oss-security&m=138900586911271&w=2
- http://secunia.com/advisories/56192
- http://secunia.com/advisories/56579
- http://www.debian.org/security/2014/dsa-2836
- http://www.securityfocus.com/bid/64656
- http://www.ubuntu.com/usn/USN-2084-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90107
- http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git%3Ba=commitdiff%3Bh=02c6850d973e3e1246fde72edab27f03d63acc52
- http://marc.info/?l=oss-security&m=138900586911271&w=2
- http://secunia.com/advisories/56192
- http://secunia.com/advisories/56579
- http://www.debian.org/security/2014/dsa-2836
- http://www.securityfocus.com/bid/64656
- http://www.ubuntu.com/usn/USN-2084-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90107
Published: 2013-12-13
Modified: 2025-04-11
Modified: 2025-04-11
CVE-2013-7050
The get_main_source_dir function in scripts/uscan.pl in devscripts before 2.13.8, when using USCAN_EXCLUSION, allows remote attackers to execute arbitrary commands via shell metacharacters in a directory name.
Severity: MEDIUM (6.8)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
- http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git%3Ba=commitdiff%3Bh=91f05b5
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731849
- http://osvdb.org/100855
- http://seclists.org/oss-sec/2013/q4/470
- http://seclists.org/oss-sec/2013/q4/486
- http://www.securityfocus.com/bid/64241
- https://bugzilla.redhat.com/show_bug.cgi?id=1040266
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89666
- http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git%3Ba=commitdiff%3Bh=91f05b5
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731849
- http://osvdb.org/100855
- http://seclists.org/oss-sec/2013/q4/470
- http://seclists.org/oss-sec/2013/q4/486
- http://www.securityfocus.com/bid/64241
- https://bugzilla.redhat.com/show_bug.cgi?id=1040266
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89666
Published: 2019-12-03
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2013-7325
An issue exists in uscan in devscripts before 2.13.19, which could let a remote malicious user execute arbitrary code via a crafted tarball.
Severity: MEDIUM (6.5)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Severity: HIGH (8.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
- http://www.openwall.com/lists/oss-security/2014/02/12/14
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7325
- https://security-tracker.debian.org/tracker/CVE-2013-7325
- http://www.openwall.com/lists/oss-security/2014/02/12/14
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7325
- https://security-tracker.debian.org/tracker/CVE-2013-7325
Published: 2017-09-25
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2015-5704
scripts/licensecheck.pl in devscripts before 2.15.7 allows local users to execute arbitrary shell commands.
Severity: HIGH (7.2)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Severity: HIGH (7.8)
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163705.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163710.html
- http://www.openwall.com/lists/oss-security/2015/08/01/7
- http://www.securityfocus.com/bid/76143
- https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260
- https://bugzilla.redhat.com/show_bug.cgi?id=1249635
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163705.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163710.html
- http://www.openwall.com/lists/oss-security/2015/08/01/7
- http://www.securityfocus.com/bid/76143
- https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260
- https://bugzilla.redhat.com/show_bug.cgi?id=1249635
Published: 2017-09-06
Modified: 2025-04-20
Modified: 2025-04-20
CVE-2015-5705
Argument injection vulnerability in devscripts before 2.15.7 allows remote attackers to write to arbitrary files via a crafted symlink and crafted filename.
Severity: MEDIUM (5.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Severity: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163705.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163710.html
- http://www.openwall.com/lists/oss-security/2015/08/01/7
- https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=d8f8fa1d8e4151fa62997cb74403f97ab0d7e1a2
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260
- https://bugzilla.redhat.com/show_bug.cgi?id=1249645
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163705.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163710.html
- http://www.openwall.com/lists/oss-security/2015/08/01/7
- https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=d8f8fa1d8e4151fa62997cb74403f97ab0d7e1a2
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260
- https://bugzilla.redhat.com/show_bug.cgi?id=1249645
Closed vulnerabilities
Published: 2019-05-16
Modified: 2023-06-28
Modified: 2023-06-28
BDU:2019-01774
Уязвимость библиотеки struct подсистемы Lua системы управления базами данных Redis, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Severity: CRITICAL (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2019-05-16
Modified: 2023-04-20
Modified: 2023-04-20
BDU:2019-01775
Уязвимость библиотеки cmsgpack подсистемы Lua системы управления базами данных Redis, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
Severity: CRITICAL (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2018-06-17
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2018-11218
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.
Severity: HIGH (7.5)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://antirez.com/news/119
- http://www.securityfocus.com/bid/104553
- https://access.redhat.com/errata/RHSA-2019:0052
- https://access.redhat.com/errata/RHSA-2019:0094
- https://access.redhat.com/errata/RHSA-2019:1860
- https://github.com/antirez/redis/commit/52a00201fca331217c3b4b8b634f6a0f57d6b7d3
- https://github.com/antirez/redis/commit/5ccb6f7a791bf3490357b00a898885759d98bab0
- https://github.com/antirez/redis/issues/5017
- https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
- https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
- https://security.gentoo.org/glsa/201908-04
- https://www.debian.org/security/2018/dsa-4230
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- http://antirez.com/news/119
- http://www.securityfocus.com/bid/104553
- https://access.redhat.com/errata/RHSA-2019:0052
- https://access.redhat.com/errata/RHSA-2019:0094
- https://access.redhat.com/errata/RHSA-2019:1860
- https://github.com/antirez/redis/commit/52a00201fca331217c3b4b8b634f6a0f57d6b7d3
- https://github.com/antirez/redis/commit/5ccb6f7a791bf3490357b00a898885759d98bab0
- https://github.com/antirez/redis/issues/5017
- https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
- https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
- https://security.gentoo.org/glsa/201908-04
- https://www.debian.org/security/2018/dsa-4230
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Published: 2018-06-17
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2018-11219
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking.
Severity: HIGH (7.5)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://antirez.com/news/119
- http://www.securityfocus.com/bid/104552
- https://access.redhat.com/errata/RHSA-2019:0052
- https://access.redhat.com/errata/RHSA-2019:0094
- https://access.redhat.com/errata/RHSA-2019:1860
- https://github.com/antirez/redis/commit/1eb08bcd4634ae42ec45e8284923ac048beaa4c3
- https://github.com/antirez/redis/commit/e89086e09a38cc6713bcd4b9c29abf92cf393936
- https://github.com/antirez/redis/issues/5017
- https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
- https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
- https://security.gentoo.org/glsa/201908-04
- https://www.debian.org/security/2018/dsa-4230
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- http://antirez.com/news/119
- http://www.securityfocus.com/bid/104552
- https://access.redhat.com/errata/RHSA-2019:0052
- https://access.redhat.com/errata/RHSA-2019:0094
- https://access.redhat.com/errata/RHSA-2019:1860
- https://github.com/antirez/redis/commit/1eb08bcd4634ae42ec45e8284923ac048beaa4c3
- https://github.com/antirez/redis/commit/e89086e09a38cc6713bcd4b9c29abf92cf393936
- https://github.com/antirez/redis/issues/5017
- https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
- https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
- https://security.gentoo.org/glsa/201908-04
- https://www.debian.org/security/2018/dsa-4230
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Published: 2018-06-17
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2018-12326
Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3 allows an attacker to achieve code execution and escalate to higher privileges via a crafted command line. NOTE: It is unclear whether there are any common situations in which redis-cli is used with, for example, a -h (aka hostname) argument from an untrusted source.
Severity: MEDIUM (4.6)
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Severity: HIGH (8.4)
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://access.redhat.com/errata/RHSA-2019:0052
- https://access.redhat.com/errata/RHSA-2019:0094
- https://access.redhat.com/errata/RHSA-2019:1860
- https://gist.github.com/fakhrizulkifli/f831f40ec6cde4f744c552503d8698f0
- https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50
- https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
- https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
- https://www.exploit-db.com/exploits/44904/
- https://access.redhat.com/errata/RHSA-2019:0052
- https://access.redhat.com/errata/RHSA-2019:0094
- https://access.redhat.com/errata/RHSA-2019:1860
- https://gist.github.com/fakhrizulkifli/f831f40ec6cde4f744c552503d8698f0
- https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50
- https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
- https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
- https://www.exploit-db.com/exploits/44904/
Closed bugs
luatex general protection fault