ALT Linux Team

Branch sisyphus update on 2020-12-25

2020-12-25

ALT-BU-2020-4206-1

Branch sisyphus update bulletin.

ALT-PU-2020-3555-1

Package ceph updated to version 15.2.8-alt1 for branch sisyphus in task 263597.

Closed vulnerabilities

Published: 2020-11-12

BDU:2021-06304

Уязвимость системы хранения данных Ceph, связанная с недостаточной защитой регистрационных данных, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность

Severity: HIGH (7.1) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References:
Published: 2020-12-19
Modified: 2024-11-21

CVE-2020-27781

User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.

Severity: HIGH (7.1) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References:

ALT-PU-2020-3556-1

Package kernel-image-mp updated to version 5.9.16-alt1 for branch sisyphus in task 263845.

Closed vulnerabilities

Published: 2020-09-25

BDU:2020-04797

Уязвимость компонента net/bluetooth/l2cap_core.c ядра операционных систем Linux, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании

Severity: HIGH (8.8) Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2020-12-04

BDU:2021-00005

Уязвимость компонента drivers/tty/tty_jobctrl.c ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Severity: HIGH (7.8) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2020-12-04

BDU:2021-00006

Уязвимость компонентов drivers/tty/tty_jobctrl.c и drivers/tty/tty_io.c ядра операционной системы Linux, позволяющая нарушителю раскрыть защищаемую информацию

Severity: MEDIUM (4.4) Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2020-11-23
Modified: 2024-11-21

CVE-2020-12351

Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2021-05-13
Modified: 2024-11-21

CVE-2020-27830

A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2020-12-09
Modified: 2024-11-21

CVE-2020-29660

A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.

Severity: MEDIUM (4.4) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2020-12-09
Modified: 2024-11-21

CVE-2020-29661

A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top