ALT-BU-2020-3968-1
Branch sisyphus update bulletin.
Package python3-module-scikit-learn updated to version 0.23.2-alt1 for branch sisyphus in task 256112.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2020-13092
scikit-learn (aka sklearn) through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load() function, if __reduce__ makes an os.system call. NOTE: third parties dispute this issue because the joblib.load() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner.
- https://github.com/0FuzzingQ/vuln/blob/master/sklearn%20unserialize.md
- https://scikit-learn.org/stable/modules/model_persistence.html#security-maintainability-limitations
Closed vulnerabilities
BDU:2021-02857
Vulnerability in the GoLang development tool of the Aurora Center application software, related to executing a loop with an unreachable exit condition, allowing an attacker to cause a denial of service.
Modified: 2024-11-21
CVE-2020-16845
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
- openSUSE-SU-2020:1178
- openSUSE-SU-2020:1194
- openSUSE-SU-2020:1405
- openSUSE-SU-2020:1407
- https://groups.google.com/forum/#%21topic/golang-announce/_ulYYcIWg3Q
- https://groups.google.com/forum/#%21topic/golang-announce/NyPIaucMgXo
- [debian-lts-announce] 20201121 [SECURITY] [DLA 2459-1] golang-1.7 security update
- [debian-lts-announce] 20201121 [SECURITY] [DLA 2460-1] golang-1.8 security update
- FEDORA-2020-e384830a0d
- FEDORA-2020-deff052e7a
- FEDORA-2020-a55f130272
- FEDORA-2020-b190375a37
- https://security.netapp.com/advisory/ntap-20200924-0002/
- DSA-4848
- https://www.oracle.com/security-alerts/cpuApr2021.html
Closed vulnerabilities
Modified: 2024-11-21
CVE-2020-14339
A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.