ALT Linux Team

Branch sisyphus update on 2020-09-23

2020-09-23

ALT-BU-2020-4046-1

Branch sisyphus update bulletin.

ALT-PU-2020-2858-1

Package kernel-image-std-def updated to version 5.4.65-alt1 for branch sisyphus in task 258111.

Closed vulnerabilities

Published: 2020-05-14

BDU:2021-00471

Уязвимость драйвера VFIO PCI ядра операционной системы Linux, связанная с недостаточной обработкой исключительных состояний, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (5.3) Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
Severity: MEDIUM (4.7) Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C
References:
Published: 2020-09-04

BDU:2021-03394

Уязвимость компонента net/packet/af_packet.c ядра операционной системы Linux, связанная с выходом операции за допустимые границы буфера данных, позволяющая нарушителю получить доступ к конфиденциальной информации или вызвать отказ в обслуживании

Severity: HIGH (7.8) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: MEDIUM (6.8) Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C
References:
Published: 2020-05-15
Modified: 2024-11-21

CVE-2020-12888

The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space.

Severity: MEDIUM (4.7) Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C
Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
References:
Published: 2020-09-16
Modified: 2024-11-21

CVE-2020-14386

A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.

Severity: HIGH (7.2) Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:

ALT-PU-2020-2860-1

Package kde5-ark updated to version 20.08.1-alt1 for branch sisyphus in task 258474.

Closed vulnerabilities

Published: 2020-09-02

BDU:2021-01751

Уязвимость функции emitEntryFromArchiveEntry из libarchiveplugin.cpp архиватора Ark, связанная с неверным определением ссылки перед доступом к файлу, позволяющая нарушителю оказать воздействие на целостность данных

Severity: MEDIUM (4.3) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Published: 2020-08-03

BDU:2021-03629

Уязвимость функции Job::onEntry из jobs.cpp архиватора Ark, связанная с недостатками ограничения имени пути к каталогу, позволяющая нарушителю оказать воздействие на целостность защищаемой информации

Severity: MEDIUM (4.3) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Published: 2020-08-03
Modified: 2024-11-21

CVE-2020-16116

In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.

Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References:
Published: 2020-09-02
Modified: 2024-11-21

CVE-2020-24654

In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.

Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References:

ALT-PU-2020-2861-1

Package zabbix-preinstall updated to version 2.2.2-alt2.2 for branch sisyphus in task 258508.

Closed bugs

Bug #37465

/usr/sbin/zabbix-init.sh не правильный путь к sql файлу

ALT-PU-2020-2862-1

Package NetworkManager updated to version 1.26.3-alt1.g2d8c6343e for branch sisyphus in task 258369.

Closed vulnerabilities

Published: 2020-05-17

BDU:2023-02641

Уязвимость интерфейса командной строки nmcli программы для управления сетевыми соединениями Network Manager, позволяющая нарушителю получить доступ к конфиденциальным данным

Severity: MEDIUM (4.3) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM (4.0) Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
References:
Published: 2020-06-08
Modified: 2024-11-21

CVE-2020-10754

It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely.

Severity: MEDIUM (4.0) Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:

Closed bugs

Bug #38860

NetworkManager: new version

ALT-PU-2020-2864-1

Package kernel-image-un-def updated to version 5.8.10-alt1 for branch sisyphus in task 258514.

Closed vulnerabilities

Published: 2020-09-11

BDU:2021-01953

Уязвимость функции kvm_io_bus_unregister_dev (virt/kvm/kvm_main.c) ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (5.5) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity: MEDIUM (4.6) Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C
References:
Published: 2020-09-14

BDU:2021-03291

Уязвимость подсистемы vgacon ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на доступность защищаемой информации

Severity: MEDIUM (5.9) Vector: AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Severity: LOW (3.6) Vector: AV:L/AC:L/Au:N/C:P/I:N/A:P
References:
Published: 2020-09-15
Modified: 2024-11-21

CVE-2020-14314

A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.

Severity: LOW (2.1) Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2021-06-24
Modified: 2024-11-21

CVE-2020-28097

The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.

Severity: LOW (3.6) Vector: AV:L/AC:L/Au:N/C:P/I:N/A:P
Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
References:
Published: 2021-04-07
Modified: 2024-11-21

CVE-2020-36312

An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.

Severity: LOW (2.1) Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top