ALT Linux Team

Branch sisyphus update on 2018-12-27

2018-12-27

ALT-BU-2018-3666-3

Branch sisyphus update bulletin.

ALT-PU-2018-2964-1

Package netatalk updated to version 3.1.12-alt1 for branch sisyphus in task 218619.

Closed vulnerabilities

Published: 2019-04-04
Modified: 2026-02-16

BDU:2019-01250

Уязвимость реализации протокола Netatalk, связанная с записью за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2018-12-20
Modified: 2026-02-13

CVE-2018-1160

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Severity: CRITICAL (9.8)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:

ALT-PU-2018-2965-1

Package extreme-tuxracer updated to version 0.7.5-alt2 for branch sisyphus in task 218623.

Closed bugs

Bug #26342

в пакете отсутствует desktop-файл

ALT-PU-2018-2966-1

Package gnome-software updated to version 3.30.6-alt2 for branch sisyphus in task 218631.

Closed bugs

Bug #35817

Отсутствие поддержки packagekit в gnome-software

ALT-PU-2018-3739-1

Package python-module-lxml updated to version 4.2.5-alt1 for branch sisyphus in task 218580.

Closed vulnerabilities

Published: 2019-07-30
Modified: 2023-11-21

BDU:2019-02732

Уязвимость компонента lxml/html/clean.py модуля lxml.html.clean библиотеки для обработки разметки XML и HTML Lxml, позволяющая нарушителю осуществлять межсайтовые сценарные атаки

Severity: MEDIUM (6.1)Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
References:
Published: 2018-12-02
Modified: 2025-12-18

CVE-2018-19787

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.

Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: MEDIUM (6.1)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2022-05-13
Modified: 2025-12-20

GHSA-xp26-p53h-6h2p

Improper Neutralization of Input During Web Page Generation in LXML

Severity: MEDIUM (5.3)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.3)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References:
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top