ALT-BU-2018-3640-2
Branch sisyphus update bulletin.
Closed bugs
new version
Package kernel-image-std-debug updated to version 4.14.88-alt1 for branch sisyphus in task 217758.
Closed vulnerabilities
Modified: 2025-02-11
BDU:2019-01061
Уязвимость функций connect() и close() ядра операционной системы Linux, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Modified: 2024-11-21
CVE-2018-14625
A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.
- https://access.redhat.com/errata/RHSA-2019:2029
- https://access.redhat.com/errata/RHSA-2019:2043
- https://access.redhat.com/errata/RHSA-2019:4154
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14625
- https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html
- https://syzkaller.appspot.com/bug?extid=bd391451452fb0b93039
- https://usn.ubuntu.com/3871-1/
- https://usn.ubuntu.com/3871-3/
- https://usn.ubuntu.com/3871-4/
- https://usn.ubuntu.com/3871-5/
- https://usn.ubuntu.com/3872-1/
- https://usn.ubuntu.com/3878-1/
- https://usn.ubuntu.com/3878-2/
- https://access.redhat.com/errata/RHSA-2019:2029
- https://access.redhat.com/errata/RHSA-2019:2043
- https://access.redhat.com/errata/RHSA-2019:4154
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14625
- https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html
- https://syzkaller.appspot.com/bug?extid=bd391451452fb0b93039
- https://usn.ubuntu.com/3871-1/
- https://usn.ubuntu.com/3871-3/
- https://usn.ubuntu.com/3871-4/
- https://usn.ubuntu.com/3871-5/
- https://usn.ubuntu.com/3872-1/
- https://usn.ubuntu.com/3878-1/
- https://usn.ubuntu.com/3878-2/
Package cloud-init updated to version 18.4-alt1 for branch sisyphus in task 217764.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2018-10896
The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks.
- https://bugs.launchpad.net/cloud-init/+bug/1781094
- https://bugzilla.redhat.com/show_bug.cgi?id=1574338
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10896
- https://bugs.launchpad.net/cloud-init/+bug/1781094
- https://bugzilla.redhat.com/show_bug.cgi?id=1574338
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10896
Package ImageMagick updated to version 6.9.10.16-alt1 for branch sisyphus in task 217812.
Closed vulnerabilities
Modified: 2023-11-21
BDU:2021-03459
Уязвимость компонента coders/bmp.c консольного графического редактора ImageMagick, связанная с бесконечной работой цикла, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2018-20467
In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00006.html
- http://www.securityfocus.com/bid/106315
- https://github.com/ImageMagick/ImageMagick/commit/db0add932fb850d762b02604ca3053b7d7ab6deb
- https://github.com/ImageMagick/ImageMagick/issues/1408
- https://lists.debian.org/debian-lts-announce/2020/08/msg00030.html
- https://usn.ubuntu.com/4034-1/
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00006.html
- http://www.securityfocus.com/bid/106315
- https://github.com/ImageMagick/ImageMagick/commit/db0add932fb850d762b02604ca3053b7d7ab6deb
- https://github.com/ImageMagick/ImageMagick/issues/1408
- https://lists.debian.org/debian-lts-announce/2020/08/msg00030.html
- https://usn.ubuntu.com/4034-1/
Closed vulnerabilities
Modified: 2024-11-21
CVE-2018-1000816
Grafana version confirmed for 5.2.4 and 5.3.0 contains a Cross Site Scripting (XSS) vulnerability in Influxdb and Graphite query editor that can result in Running arbitrary js code in victims browser.. This attack appear to be exploitable via Authenticated user must click on the input field where the payload was previously inserted..
Modified: 2024-11-21
CVE-2018-19039
Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html
- http://www.securityfocus.com/bid/105994
- https://access.redhat.com/errata/RHSA-2019:0747
- https://access.redhat.com/errata/RHSA-2019:0911
- https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961
- https://security.netapp.com/advisory/ntap-20190416-0004/
- https://www.percona.com/blog/2018/11/20/how-cve-2018-19039-affects-percona-monitoring-and-management/
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html
- http://www.securityfocus.com/bid/105994
- https://access.redhat.com/errata/RHSA-2019:0747
- https://access.redhat.com/errata/RHSA-2019:0911
- https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961
- https://security.netapp.com/advisory/ntap-20190416-0004/
- https://www.percona.com/blog/2018/11/20/how-cve-2018-19039-affects-percona-monitoring-and-management/
Modified: 2023-10-06
GHSA-x5fh-fvvr-892f
Grafana XSS Vulnerability
Package python-module-flask updated to version 1.0.2-alt1 for branch sisyphus in task 217741.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2018-1000656
The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
- https://github.com/pallets/flask/pull/2691
- https://github.com/pallets/flask/releases/tag/0.12.3
- https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html
- https://security.netapp.com/advisory/ntap-20190221-0001/
- https://usn.ubuntu.com/4378-1/
- https://github.com/pallets/flask/pull/2691
- https://github.com/pallets/flask/releases/tag/0.12.3
- https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html
- https://security.netapp.com/advisory/ntap-20190221-0001/
- https://usn.ubuntu.com/4378-1/
Modified: 2024-11-21
CVE-2019-1010083
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Modified: 2024-09-20
GHSA-562c-5r94-xh97
Flask is vulnerable to Denial of Service via incorrect encoding of JSON data
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000656
- https://github.com/pallets/flask/pull/2691
- https://github.com/pallets/flask/commit/b178e89e4456e777b1a7ac6d7199052d0dfdbbbe
- https://github.com/advisories/GHSA-562c-5r94-xh97
- https://github.com/pallets/flask
- https://github.com/pallets/flask/releases/tag/0.12.3
- https://github.com/pypa/advisory-database/tree/main/vulns/flask/PYSEC-2018-66.yaml
- https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html
- https://security.netapp.com/advisory/ntap-20190221-0001
- https://usn.ubuntu.com/4378-1
Modified: 2024-09-21
GHSA-5wv5-4vpf-pj6m
Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory usage