ALT Linux Team

Branch sisyphus update on 2018-08-18

2018-08-18

ALT-BU-2018-3404-2

Branch sisyphus update bulletin.

ALT-PU-2018-2166-1

Package libldb updated to version 1.3.5-alt1.S1 for branch sisyphus in task 211372.

Closed vulnerabilities

Published: 2020-02-24

BDU:2020-00694

Уязвимость компонента LDAP-сервера программ сетевого взаимодействия Samba, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5)Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: LOW (3.3)Vector: AV:A/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-1140

A missing input sanitization flaw was found in the implementation of LDP database used for the LDAP server. An attacker could use this flaw to cause a denial of service against a samba server, used as a Active Directory Domain Controller. All versions of Samba from 4.8.0 onwards are vulnerable

Severity: LOW (3.3)Vector: AV:A/AC:L/Au:N/C:N/I:N/A:P
Severity: MEDIUM (6.5)Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2018-2167-1

Package samba updated to version 4.8.4-alt1.S1 for branch sisyphus in task 211372.

Closed vulnerabilities

Published: 2019-04-25
Modified: 2024-09-30

BDU:2019-01639

Уязвимость программного обеспечения Samba, связанная c переполнением буфера динамической памяти, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (8.8)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: MEDIUM (6.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
References:
Published: 2020-02-24

BDU:2020-00691

Уязвимость пакета программ для сетевого взаимодействия Samba, связанная с разыменованием нулевого указателя, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
References:
Published: 2020-02-24
Modified: 2024-08-26

BDU:2020-00692

Уязвимость компонента Active Directory LDAP-сервера программ сетевого взаимодействия Samba, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
References:
Published: 2020-02-24

BDU:2020-00693

Уязвимость компонента аутентификации NTLMv1 программ сетевого взаимодействия Samba, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным

Severity: HIGH (8.1)Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Published: 2020-02-24

BDU:2020-00694

Уязвимость компонента LDAP-сервера программ сетевого взаимодействия Samba, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5)Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: LOW (3.3)Vector: AV:A/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-10858

A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Severity: HIGH (8.8)Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-10918

A null pointer dereference flaw was found in the way samba checked database outputs from the LDB database layer. An authenticated attacker could use this flaw to crash a samba server in an Active Directory Domain Controller configuration. Samba versions before 4.7.9 and 4.8.4 are vulnerable.

Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
Severity: MEDIUM (6.5)Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-10919

The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks. An authenticated attacker could use this flaw to extract confidential attribute values using LDAP search expressions. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.

Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Severity: MEDIUM (6.5)Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-1139

A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details passed between the samba server and client.

Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-1140

A missing input sanitization flaw was found in the implementation of LDP database used for the LDAP server. An attacker could use this flaw to cause a denial of service against a samba server, used as a Active Directory Domain Controller. All versions of Samba from 4.8.0 onwards are vulnerable

Severity: LOW (3.3)Vector: AV:A/AC:L/Au:N/C:N/I:N/A:P
Severity: MEDIUM (6.5)Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2018-2168-1

Package samba-DC updated to version 4.8.4-alt1.S1 for branch sisyphus in task 211372.

Closed vulnerabilities

Published: 2019-04-25
Modified: 2024-09-30

BDU:2019-01639

Уязвимость программного обеспечения Samba, связанная c переполнением буфера динамической памяти, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (8.8)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: MEDIUM (6.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
References:
Published: 2020-02-24

BDU:2020-00691

Уязвимость пакета программ для сетевого взаимодействия Samba, связанная с разыменованием нулевого указателя, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
References:
Published: 2020-02-24
Modified: 2024-08-26

BDU:2020-00692

Уязвимость компонента Active Directory LDAP-сервера программ сетевого взаимодействия Samba, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
References:
Published: 2020-02-24

BDU:2020-00693

Уязвимость компонента аутентификации NTLMv1 программ сетевого взаимодействия Samba, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным

Severity: HIGH (8.1)Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
References:
Published: 2020-02-24

BDU:2020-00694

Уязвимость компонента LDAP-сервера программ сетевого взаимодействия Samba, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5)Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: LOW (3.3)Vector: AV:A/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-10858

A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Severity: HIGH (8.8)Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-10918

A null pointer dereference flaw was found in the way samba checked database outputs from the LDB database layer. An authenticated attacker could use this flaw to crash a samba server in an Active Directory Domain Controller configuration. Samba versions before 4.7.9 and 4.8.4 are vulnerable.

Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
Severity: MEDIUM (6.5)Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-10919

The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks. An authenticated attacker could use this flaw to extract confidential attribute values using LDAP search expressions. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.

Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Severity: MEDIUM (6.5)Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-1139

A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details passed between the samba server and client.

Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2018-08-22
Modified: 2024-11-21

CVE-2018-1140

A missing input sanitization flaw was found in the implementation of LDP database used for the LDAP server. An attacker could use this flaw to cause a denial of service against a samba server, used as a Active Directory Domain Controller. All versions of Samba from 4.8.0 onwards are vulnerable

Severity: LOW (3.3)Vector: AV:A/AC:L/Au:N/C:N/I:N/A:P
Severity: MEDIUM (6.5)Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2018-2169-1

Package libgraphite2 updated to version 1.3.12-alt1 for branch sisyphus in task 211568.

Closed vulnerabilities

Published: 2018-03-09
Modified: 2024-11-21

CVE-2018-7999

In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference vulnerability was found in Segment.cpp during a dumbRendering operation, which may allow attackers to cause a denial of service or possibly have unspecified other impact via a crafted .ttf file.

Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (8.8)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:

ALT-PU-2018-2170-1

Package glib2 updated to version 2.56.2-alt1 for branch sisyphus in task 211567.

Closed vulnerabilities

Published: 2019-07-11
Modified: 2021-03-23

BDU:2019-02446

Уязвимость функции g_markup_parse_context_end_parse библиотеки Glib, позволяющая нарушителю вызвать отказ в обслуживании

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.5)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Published: 2019-07-11
Modified: 2023-11-21

BDU:2019-02447

Уязвимость функции g_markup_parse_context_parse библиотеки Glib, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2018-09-04
Modified: 2024-11-21

CVE-2018-16428

In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.

Severity: HIGH (7.5)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2018-09-04
Modified: 2024-11-21

CVE-2018-16429

GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2018-2173-1

Package iperf updated to version 2.0.12-alt1 for branch sisyphus in task 211561.

Closed bugs

Bug #33251

Обновить URL и версию до 2.0.9

ALT-PU-2018-2174-2

Package kubernetes updated to version 1.11.2-alt1.S1 for branch sisyphus in task 211573.

Closed vulnerabilities

Published: 2018-12-27
Modified: 2021-03-23

BDU:2018-01617

Уязвимость программного средства управления кластерами виртуальных машин Kubernetes, связанная с непринятием мер по нейтрализации специальных элементов, используемых в командах, позволяющая нарушителю выполнить произвольные команды операционной системы

Severity: HIGH (7.3)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
References:
Published: 2018-12-05
Modified: 2024-11-21

CVE-2018-1002101

In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.

Severity: HIGH (7.5)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2022-02-15
Modified: 2023-10-02

GHSA-wqwf-x5cj-rg56

Kubernetes Arbitrary Command Injection

Severity: MEDIUM (5.9)Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
References:

ALT-PU-2018-2179-1

Package composer updated to version 1.7.2-alt1 for branch sisyphus in task 211615.

Closed bugs

Bug #33520

Hardcoded memory_limit value in the wrapper script

VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top