ALT Linux Team

Branch sisyphus update on 2019-05-07

2019-05-07

ALT-BU-2019-3643-1

Branch sisyphus update bulletin.

ALT-PU-2019-1770-1

Package python-module-urllib3 updated to version 1.24.3-alt1 for branch sisyphus in task 228978.

Closed vulnerabilities

Published: 2019-03-13

BDU:2021-03607

Уязвимость модуля urllib2 интерпретатора языка программирования Python, связанная с непринятием мер по нейтрализации последовательностей crlf, позволяющая нарушителю оказать воздействие на целостность данных

Severity: MEDIUM (6.1) Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2019-03-13
Modified: 2024-11-21

CVE-2019-9740

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:

ALT-PU-2019-1771-1

Package polkit updated to version 0.116-alt1 for branch sisyphus in task 228976.

Closed vulnerabilities

Published: 2018-12-02

BDU:2019-00885

Уязвимость программной платформы для управления административными политиками и привилегиями Policykit, связанная с ошибками при обработке больших значений идентификаторов пользователей, позволяющая нарушителю обойти процедуру аутентификации

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2019-01-08

BDU:2019-01338

Уязвимость библиотеки Polkit операционных систем Linux, позволяющая нарушителю выполнить произвольные команды

Severity: MEDIUM (6.7) Vector: AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2018-12-03
Modified: 2024-11-21

CVE-2018-19788

A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.

Severity: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2019-01-11
Modified: 2024-11-21

CVE-2019-6133

In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.

Severity: MEDIUM (6.7) Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
References:

ALT-PU-2019-1772-1

Package dpkg updated to version 1.19.5-alt1 for branch sisyphus in task 228986.

Closed bugs

Bug #36230

Версия 1.19.5

VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top