ALT Linux Team

Branch p8 update on 2019-07-02

2019-07-02

ALT-BU-2019-3778-1

Branch p8 update bulletin.

ALT-PU-2019-2171-1

Package kernel-image-std-def updated to version 4.9.183-alt0.M80P.1 for branch p8 in task 233089.

Closed vulnerabilities

Published: 2019-06-21
Modified: 2024-06-18

BDU:2019-02194

Уязвимость механизма TCP Selective Acknowledgement ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2019-06-21
Modified: 2024-05-29

BDU:2019-02195

Уязвимость механизма TCP Selective Acknowledgement ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2019-06-21
Modified: 2024-05-29

BDU:2019-02196

Уязвимость ядра операционной системы Linux, вызванная ошибками при обработке сегментов минимального размера, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2019-06-19
Modified: 2024-11-21

CVE-2019-11477

Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2019-06-19
Modified: 2024-11-21

CVE-2019-11478

Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2019-06-19
Modified: 2024-11-21

CVE-2019-11479

Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2019-2189-1

Package postgresql11 updated to version 11.4-alt0.M80P.1 for branch p8 in task 232693.

Closed vulnerabilities

Published: 2019-07-04
Modified: 2023-08-11

BDU:2019-02385

Множественные уязвимости системы управления базами данных PostgreSQL, вызванные переполнением буфера на стеке, позволяющие нарушителю выполнить произвольный код

Severity: HIGH (7.5)Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.1)Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
References:
Published: 2019-06-26
Modified: 2024-11-21

CVE-2019-10164

PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.

Severity: CRITICAL (9.0)Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:

ALT-PU-2019-2190-1

Package postgresql10 updated to version 10.9-alt0.M80P.1 for branch p8 in task 232693.

Closed vulnerabilities

Published: 2019-07-04
Modified: 2023-08-11

BDU:2019-02385

Множественные уязвимости системы управления базами данных PostgreSQL, вызванные переполнением буфера на стеке, позволяющие нарушителю выполнить произвольный код

Severity: HIGH (7.5)Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.1)Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
References:
Published: 2019-06-26
Modified: 2024-11-21

CVE-2019-10164

PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.

Severity: CRITICAL (9.0)Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:

ALT-PU-2019-2191-1

Package postgresql10-1C updated to version 10.9-alt0.M80P.1 for branch p8 in task 232693.

Closed vulnerabilities

Published: 2019-07-04
Modified: 2023-08-11

BDU:2019-02385

Множественные уязвимости системы управления базами данных PostgreSQL, вызванные переполнением буфера на стеке, позволяющие нарушителю выполнить произвольный код

Severity: HIGH (7.5)Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.1)Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
References:
Published: 2019-06-26
Modified: 2024-11-21

CVE-2019-10164

PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.

Severity: CRITICAL (9.0)Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top