ALT-BU-2019-3944-1
Branch c8.1 update bulletin.
Package kf5-kconfig updated to version 5.31.0-alt2 for branch c8.1 in task 235751.
Closed vulnerabilities
Modified: 2023-11-21
BDU:2019-03649
Vulnerability in the KConfig library of the KDE desktop environment that allows an attacker to gain unauthorized access to information, cause a denial of service, or affect the availability of information
Modified: 2024-11-21
CVE-2019-14744
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html
- http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html
- https://access.redhat.com/errata/RHSA-2019:2606
- https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
- https://lists.debian.org/debian-lts-announce/2019/08/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/
- https://seclists.org/bugtraq/2019/Aug/12
- https://seclists.org/bugtraq/2019/Aug/9
- https://security.gentoo.org/glsa/201908-07
- https://usn.ubuntu.com/4100-1/
- https://www.debian.org/security/2019/dsa-4494
- https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/
Package kernel-image-un-def updated to version 4.19.72-alt0.M80C.2 for branch c8.1 in task 237398.
Closed vulnerabilities
Modified: 2025-01-29
BDU:2020-00236
Vulnerability in the ptrace subsystem of the Linux kernel that allows an attacker to disclose protected information
Modified: 2024-11-21
CVE-2019-15538
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1fb254aa983bf190cfd685d40c64a480a9bafaee
- https://github.com/torvalds/linux/commit/1fb254aa983bf190cfd685d40c64a480a9bafaee
- https://lists.debian.org/debian-lts-announce/2019/09/msg00014.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O3RUDQJXRJQVGHCGR4YZWTQ3ECBI7TXH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4JZ6AEUKFWBHQAROGMQARJ274PQP2QP/
- https://lore.kernel.org/linux-xfs/20190823035528.GH1037422%40magnolia/
- https://lore.kernel.org/linux-xfs/20190823192433.GA8736%40eldamar.local
- https://security.netapp.com/advisory/ntap-20191004-0001/
- https://support.f5.com/csp/article/K32592426?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/4144-1/
- https://usn.ubuntu.com/4147-1/
Modified: 2024-11-21
CVE-2019-15902
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html
- https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
- https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html
- https://seclists.org/bugtraq/2019/Sep/41
- https://security.netapp.com/advisory/ntap-20191004-0001/
- https://usn.ubuntu.com/4157-1/
- https://usn.ubuntu.com/4157-2/
- https://usn.ubuntu.com/4162-1/
- https://usn.ubuntu.com/4162-2/
- https://usn.ubuntu.com/4163-1/
- https://usn.ubuntu.com/4163-2/
- https://www.debian.org/security/2019/dsa-4531
Package alterator-sysconfig updated to version 1.2.4-alt0.M80C.1 for branch c8.1 in task 235984.
Closed bugs
Proxy configuration does not work correctly