ALT-BU-2019-4113-2

Branch sisyphus update bulletin.

Package wireshark updated to version 3.0.7-alt1 for branch sisyphus in task 242563.

Уязвимость диссектора CMS анализатора трафика компьютерных сетей Wireshark, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

CVE-2019-19553

In Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector could crash. This was addressed in epan/dissectors/asn1/cms/packet-cms-template.c by ensuring that an object identifier is set to NULL after a ContentInfo dissection.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Package juffed updated to version 0.10-alt3.git7746772 for branch sisyphus in task 242579.

Просьба перевести на qt5

Package puma updated to version 4.3.1-alt1 for branch sisyphus in task 242594.

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack

Severity: MEDIUM (5.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Version: 2.1.2

Branch sisyphus update on 2019-12-10

ALT-BU-2019-4113-2

ALT-PU-2019-3248-1

Closed vulnerabilities

BDU:2021-01456

CVE-2019-19553

ALT-PU-2019-3249-1

Closed bugs

Bug #37589

ALT-PU-2019-4232-1

Closed vulnerabilities

CVE-2019-16770

GHSA-7xx3-m584-x994