ALT-BU-2018-3509-2
Branch sisyphus update bulletin.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2018-17458
An improper update of the WebAssembly dispatch table in WebAssembly in Google Chrome prior to 69.0.3497.92 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Modified: 2024-11-21
CVE-2018-17459
Incorrect handling of clicks in the omnibox in Navigation in Google Chrome prior to 69.0.3497.92 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
Package 389-ds-base updated to version 1.3.8.10-alt1 for branch sisyphus in task 214578.
Closed vulnerabilities
BDU:2020-02774
Vulnerability in the log__error_emergency() function of the 389 Directory Server directory service, allowing an attacker to cause a denial of service
Modified: 2024-11-21
CVE-2018-14624
A vulnerability was discovered in 389-ds-base through versions 1.3.7.10, 1.3.8.8 and 1.4.0.16. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency(). An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash.
- openSUSE-SU-2019:1397
- RHSA-2018:2757
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14624
- [debian-lts-announce] 20180929 [SECURITY] [DLA 1526-1] 389-ds-base security update
- https://pagure.io/389-ds-base/issue/49937
Closed vulnerabilities
BDU:2019-00423
Vulnerability in the "git clone" functionality of the Git distributed version control system, allowing an attacker to execute arbitrary code
BDU:2022-05960
Vulnerability in the ng_pkt function of the transports/smart_pkt.c component of Libgit2, the C implementation of Git methods, allowing an attacker to cause a denial of service
Modified: 2024-11-21
CVE-2018-15501
In ng_pkt in transports/smart_pkt.c in libgit2 before 0.26.6 and 0.27.x before 0.27.4, a remote attacker can send a crafted smart-protocol "ng" packet that lacks a '\0' byte to trigger an out-of-bounds read that leads to DoS.
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9406
- https://bugzilla.suse.com/show_bug.cgi?id=1104641
- https://github.com/libgit2/libgit2/commit/1f9a8510e1d2f20ed7334eeeddb92c4dd8e7c649
- https://github.com/libgit2/libgit2/releases/tag/v0.26.6
- https://github.com/libgit2/libgit2/releases/tag/v0.27.4
- [debian-lts-announce] 20180825 [SECURITY] [DLA 1477-1] libgit2 security update
- [debian-lts-announce] 20220321 [SECURITY] [DLA 2936-1] libgit2 security update
- https://www.pro-linux.de/sicherheit/2/44650/denial-of-service-in-libgit2.html
Modified: 2024-11-21
CVE-2018-17456
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
- openSUSE-SU-2020:0598
- http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html
- 105523
- 107511
- 1041811
- RHSA-2018:3408
- RHSA-2018:3505
- RHSA-2018:3541
- RHSA-2020:0316
- https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
- https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
- https://marc.info/?l=git&m=153875888916397&w=2
- 20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities
- USN-3791-1
- DSA-4311
- 45548
- 45631
- https://www.openwall.com/lists/oss-security/2018/10/06/3
Closed vulnerabilities
BDU:2019-00423
Vulnerability in the "git clone" functionality of the Git distributed version control system, allowing an attacker to execute arbitrary code
Modified: 2024-11-21
CVE-2018-17456
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
- openSUSE-SU-2020:0598
- http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html
- 105523
- 107511
- 1041811
- RHSA-2018:3408
- RHSA-2018:3505
- RHSA-2018:3541
- RHSA-2020:0316
- https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
- https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
- https://marc.info/?l=git&m=153875888916397&w=2
- 20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities
- USN-3791-1
- DSA-4311
- 45548
- 45631
- https://www.openwall.com/lists/oss-security/2018/10/06/3
Closed bugs
Missing information about PGP key creation in MATE
Closed vulnerabilities
Modified: 2024-11-21
CVE-2018-1999024
MathJax versions prior to 2.7.4 contain a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in potentially untrusted JavaScript running within a web browser. This attack appears to be exploitable when the victim views a page where untrusted content is processed using MathJax. This vulnerability appears to have been fixed in 2.7.4 and later.
- https://blog.bentkowski.info/2018/06/xss-in-google-colaboratory-csp-bypass.html
- https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852f1