2020-03-03
ALT-BU-2020-3681-1
Branch sisyphus update bulletin.
Closed vulnerabilities
Published: 2019-12-16
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-10773
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
Severity: HIGH (7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- RHSA-2020:0475
- RHSA-2020:0475
- https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
- https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
- https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
- https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
- https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
- https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
- FEDORA-2020-7525beefa1
- FEDORA-2020-7525beefa1
- FEDORA-2020-766ce5adae
- FEDORA-2020-766ce5adae
- https://snyk.io/vuln/SNYK-JS-YARN-537806%2C
- https://snyk.io/vuln/SNYK-JS-YARN-537806%2C
Published: 2020-03-15
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-15608
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
Severity: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
- https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
- https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
- https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
- https://hackerone.com/reports/703138
- https://hackerone.com/reports/703138
Published: 2020-02-24
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-8131
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Package plasma5-workspace updated to version 5.18.1-alt7 for branch sisyphus in task 247209.
Closed bugs
Проблема с alt-app-starter при запуске из контекстного меню главного меню
Closed vulnerabilities
Published: 2019-06-06
BDU:2019-02881
Уязвимость функции BZ2_decompress утилиты для сжатия данных bzip2, позволяющая нарушителю выполнить произвольный код
Severity: HIGH (8.6)
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References:
Published: 2016-06-30
BDU:2021-01720
Уязвимость функции bzip2recover программного обеспечения для сжатия данных Bzip2, связанная с использованием после освобождения, позволяющая нарушителю вызвать отказ в обслуживании
Severity: MEDIUM (6.5)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2016-06-30
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2016-3189
Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
Severity: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- [oss-security] 20160620 CVE-2016-3189: bzip2 use-after-free on bzip2recover
- [oss-security] 20160620 CVE-2016-3189: bzip2 use-after-free on bzip2recover
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- 91297
- 91297
- 1036132
- 1036132
- https://bugzilla.redhat.com/show_bug.cgi?id=1319648
- https://bugzilla.redhat.com/show_bug.cgi?id=1319648
- [kafka-jira] 20200414 [jira] [Commented] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20200414 [jira] [Commented] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-dev] 20210729 [jira] [Resolved] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-dev] 20210729 [jira] [Resolved] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20200413 [jira] [Created] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20200413 [jira] [Created] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20210729 [jira] [Resolved] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20210729 [jira] [Resolved] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20210729 [jira] [Commented] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20210729 [jira] [Commented] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20210729 [jira] [Commented] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20210729 [jira] [Commented] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20200413 [jira] [Updated] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20200413 [jira] [Updated] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka
- [kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka
- [kafka-dev] 20200413 [jira] [Created] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-dev] 20200413 [jira] [Created] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20210729 [jira] [Comment Edited] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [kafka-jira] 20210729 [jira] [Comment Edited] (KAFKA-9858) CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
- [debian-lts-announce] 20190624 [SECURITY] [DLA 1833-1] bzip2 security update
- [debian-lts-announce] 20190624 [SECURITY] [DLA 1833-1] bzip2 security update
- 20190806 FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2
- 20190806 FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2
- 20190715 [slackware-security] bzip2 (SSA:2019-195-01)
- 20190715 [slackware-security] bzip2 (SSA:2019-195-01)
- FreeBSD-SA-19:18
- FreeBSD-SA-19:18
- GLSA-201708-08
- GLSA-201708-08
- USN-4038-1
- USN-4038-1
- USN-4038-2
- USN-4038-2
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
Published: 2019-06-20
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-12900
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- openSUSE-SU-2019:1781
- openSUSE-SU-2019:1781
- openSUSE-SU-2019:1918
- openSUSE-SU-2019:1918
- openSUSE-SU-2019:2595
- openSUSE-SU-2019:2595
- openSUSE-SU-2019:2597
- openSUSE-SU-2019:2597
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
- https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
- [kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka
- [kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka
- [flink-user] 20210717 Re: Flink 1.13.1 - Vulnerabilities CVE-2019-12900 for librocksdbjni
- [flink-user] 20210717 Re: Flink 1.13.1 - Vulnerabilities CVE-2019-12900 for librocksdbjni
- [flink-user] 20210716 Flink 1.13.1 - Vulnerabilities CVE-2019-12900 for librocksdbjni
- [flink-user] 20210716 Flink 1.13.1 - Vulnerabilities CVE-2019-12900 for librocksdbjni
- [debian-lts-announce] 20190624 [SECURITY] [DLA 1833-1] bzip2 security update
- [debian-lts-announce] 20190624 [SECURITY] [DLA 1833-1] bzip2 security update
- [debian-lts-announce] 20190718 [SECURITY] [DLA 1833-2] bzip2 regression update
- [debian-lts-announce] 20190718 [SECURITY] [DLA 1833-2] bzip2 regression update
- [debian-lts-announce] 20191010 [SECURITY] [DLA 1953-1] clamav security update
- [debian-lts-announce] 20191010 [SECURITY] [DLA 1953-1] clamav security update
- [debian-lts-announce] 20191014 [SECURITY] [DLA 1953-2] clamav regression update
- [debian-lts-announce] 20191014 [SECURITY] [DLA 1953-2] clamav regression update
- 20190806 FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2
- 20190806 FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2
- 20190715 [slackware-security] bzip2 (SSA:2019-195-01)
- 20190715 [slackware-security] bzip2 (SSA:2019-195-01)
- FreeBSD-SA-19:18
- FreeBSD-SA-19:18
- https://support.f5.com/csp/article/K68713584?utm_source=f5support&%3Butm_medium=RSS
- https://support.f5.com/csp/article/K68713584?utm_source=f5support&%3Butm_medium=RSS
- USN-4038-1
- USN-4038-1
- USN-4038-2
- USN-4038-2
- USN-4146-1
- USN-4146-1
- USN-4146-2
- USN-4146-2
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html