ALT-BU-2021-3716-1
Branch sisyphus update bulletin.
Package chromium-gost updated to version 88.0.4324.96-alt1 for branch sisyphus in task 265419.
Closed vulnerabilities
BDU:2021-00858
Уязвимость интерфейса File System API веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00859
Уязвимость компонента USB Device Handler веб-браузера Google Chrome, позволяющая нарушителю оказать воздействие на целостность, конфиденциальность и доступность защищаемой информации
BDU:2021-00860
Уязвимость изолированной среды iframe веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00861
Уязвимость набора инструментов DevTools веб-браузера Google Chrome, позволяющая нарушителю выйти из изолированной программной среды
BDU:2021-00865
Уязвимость набора инструментов DevTools веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00902
Уязвимость интерфейса File System API веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00903
Уязвимость интерфейса File System API веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00904
Уязвимость интерфейса File System API веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00905
Уязвимость механизма отображения веб-страниц Blink веб-браузера Google Chrome, позволяющая нарушителю выполнить произвольный код
BDU:2021-00906
Уязвимость расширений веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00907
Уязвимость расширений веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00908
Уязвимость интерфейса File System API веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00909
Уязвимость средства распознавания речи веб-браузера Google Chrome, позволяющая нарушителю выйти из изолированной программной среды
BDU:2021-00910
Уязвимость интерфейса File System API веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00961
Уязвимость компонента Performance API веб-браузера Google Chrome, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2021-00962
Уязвимость набора инструментов DevTools веб-браузера Google Chrome, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2021-00963
Уязвимость компонента для отображения веб-страниц WebView веб-браузера Google Chrome, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2021-00964
Уязвимость компонента Page Info веб-браузера Google Chrome, позволяющая нарушителю проводить спуфинг-атаки с помощью специально созданного запроса
BDU:2021-00965
Уязвимость функции Downloads веб-браузера Google Chrome, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2021-00982
Уязвимость механизма отображения веб-страниц Blink браузера Google Chrome, позволяющая нарушителю выполнить произвольный код
BDU:2021-00983
Уязвимость адресной строки Omnibox браузера Google Chrome, позволяющая нарушителю выполнить произвольный код
BDU:2021-00984
Уязвимость модуля WebSQL браузера Google Chrome, позволяющая нарушителю выполнить произвольный код
BDU:2021-00985
Уязвимость компонента Media браузера Google Chrome, позволяющая нарушителю выполнить произвольный код
BDU:2021-00986
Уязвимость обработчика JavaScript-сценариев V8 браузера Google Chrome, позволяющая нарушителю выполнить произвольный код
BDU:2021-00987
Уязвимость компонента Cryptohome браузера Google Chrome, позволяющая нарушителю повысить свои привилегии
BDU:2021-01665
Уязвимость реализации блока COOKIE-ECHO расширения WebRTC браузеров Google Chrome, Mozilla Firefox, Firefox ESR и Firefox for Android, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код
Modified: 2024-11-21
CVE-2020-16044
Use after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted SCTP packet.
Modified: 2024-11-21
CVE-2021-21117
Insufficient policy enforcement in Cryptohome in Google Chrome prior to 88.0.4324.96 allowed a local attacker to perform OS-level privilege escalation via a crafted file.
Modified: 2024-11-21
CVE-2021-21118
Insufficient data validation in V8 in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1161357
- https://crbug.com/1161357
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21118
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21118
Modified: 2024-11-21
CVE-2021-21119
Use after free in Media in Google Chrome prior to 88.0.4324.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1160534
- https://crbug.com/1160534
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21119
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21119
Modified: 2024-11-21
CVE-2021-21120
Use after free in WebSQL in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1160602
- https://crbug.com/1160602
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21120
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21120
Modified: 2024-11-21
CVE-2021-21121
Use after free in Omnibox in Google Chrome on Linux prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1161143
- https://crbug.com/1161143
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21121
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21121
Modified: 2024-11-21
CVE-2021-21122
Use after free in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1162131
- https://crbug.com/1162131
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21122
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21122
Modified: 2024-11-21
CVE-2021-21123
Insufficient data validation in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1137247
- https://crbug.com/1137247
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21123
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21123
Modified: 2024-11-21
CVE-2021-21124
Potential user after free in Speech Recognizer in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1131346
- https://crbug.com/1131346
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21124
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21124
Modified: 2024-11-21
CVE-2021-21125
Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1152327
- https://crbug.com/1152327
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21125
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21125
Modified: 2024-11-21
CVE-2021-21126
Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1108126
- https://crbug.com/1108126
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21126
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21126
Modified: 2024-11-21
CVE-2021-21127
Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass content security policy via a crafted Chrome Extension.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1115590
- https://crbug.com/1115590
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21127
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21127
Modified: 2024-11-21
CVE-2021-21128
Heap buffer overflow in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1138877
- https://crbug.com/1138877
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21128
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21128
Modified: 2024-11-21
CVE-2021-21129
Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1140403
- https://crbug.com/1140403
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21129
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21129
Modified: 2024-11-21
CVE-2021-21130
Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1140410
- https://crbug.com/1140410
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21130
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21130
Modified: 2024-11-21
CVE-2021-21131
Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1140417
- https://crbug.com/1140417
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21131
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21131
Modified: 2024-11-21
CVE-2021-21132
Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted Chrome Extension.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1128206
- https://crbug.com/1128206
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21132
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21132
Modified: 2024-11-21
CVE-2021-21133
Insufficient policy enforcement in Downloads in Google Chrome prior to 88.0.4324.96 allowed an attacker who convinced a user to download files to bypass navigation restrictions via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1157743
- https://crbug.com/1157743
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21133
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21133
Modified: 2024-11-21
CVE-2021-21134
Incorrect security UI in Page Info in Google Chrome on iOS prior to 88.0.4324.96 allowed a remote attacker to spoof security UI via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1157800
- https://crbug.com/1157800
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21134
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21134
Modified: 2024-11-21
CVE-2021-21135
Inappropriate implementation in Performance API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1157818
- https://crbug.com/1157818
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21135
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21135
Modified: 2024-11-21
CVE-2021-21136
Insufficient policy enforcement in WebView in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1038002
- https://crbug.com/1038002
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21136
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21136
Modified: 2024-11-21
CVE-2021-21137
Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to obtain potentially sensitive information from disk via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1093791
- https://crbug.com/1093791
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21137
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21137
Modified: 2024-11-21
CVE-2021-21138
Use after free in DevTools in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform a sandbox escape via a crafted file.
Modified: 2024-11-21
CVE-2021-21139
Inappropriate implementation in iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/937131
- https://crbug.com/937131
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21139
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21139
Modified: 2024-11-21
CVE-2021-21140
Uninitialized use in USB in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform out of bounds memory access via via a USB device.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1136327
- https://crbug.com/1136327
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21140
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21140
Modified: 2024-11-21
CVE-2021-21141
Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass file extension policy via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
- https://crbug.com/1140435
- https://crbug.com/1140435
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21141
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21141
Closed bugs
/usr/lib64/chromium-gost/chromium: Нет такого файла или каталога
Closed vulnerabilities
Modified: 2024-11-21
CVE-2020-27846
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
- https://bugzilla.redhat.com/show_bug.cgi?id=1907670
- https://bugzilla.redhat.com/show_bug.cgi?id=1907670
- https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9
- https://github.com/crewjam/saml/security/advisories/GHSA-4hq8-gmxx-h6w9
- https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/
- https://grafana.com/blog/2020/12/17/grafana-6.7.5-7.2.3-and-7.3.6-released-with-important-security-fix-for-grafana-enterprise/
- FEDORA-2020-968067abfa
- FEDORA-2020-968067abfa
- FEDORA-2020-64e54abd9f
- FEDORA-2020-64e54abd9f
- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
- https://security.netapp.com/advisory/ntap-20210205-0002/
- https://security.netapp.com/advisory/ntap-20210205-0002/
Modified: 2024-11-21
CVE-2022-26148
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
Closed bugs
Не монтируется /home после загрузки ядра
Closed vulnerabilities
BDU:2021-00809
Уязвимость функции _gcry_md_block_write (cipher / hash-common.c) криптографической библиотеки Libgcrypt, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2021-3345
_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.
- https://bugs.gentoo.org/show_bug.cgi?id=767814
- https://bugs.gentoo.org/show_bug.cgi?id=767814
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=512c0c75276949f13b6373b5c04f7065af750b08
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=512c0c75276949f13b6373b5c04f7065af750b08
- https://gnupg.org
- https://gnupg.org
- https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html
- https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html
- https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html
- https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html