ALT-BU-2021-4190-2

Branch p10 update bulletin.

Package pam_pkcs11 updated to version 0.6.12-alt1 for branch p10 in task 284293.

Please migrate from libpwquality to libpasswdqc

CVE: не инициализированная память при работе с PAM-стеком

Package tcl-tdom updated to version 0.9.2-alt2 for branch p10 in task 284215.

tcl-tdom 0.9.2-alt1: no such file or directory

Package xfce4-settings updated to version 4.16.2-alt2 for branch p10 in task 284365.

Не регистрируется как браузер по умолчанию

Package python3-module-django updated to version 3.2.6-alt1 for branch p10 in task 283535.

Уязвимость функции QuerySet.order_by() программной платформы для веб-приложений Django, позволяющая нарушителю выполнить произвольные команды

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

References:

CVE-2021-35042

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

Severity: HIGH (7.5)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Version: 2.1.2

Branch p10 update on 2021-09-11

ALT-BU-2021-4190-2

ALT-PU-2021-2763-1

Closed bugs

Bug #39790

Bug #40814

ALT-PU-2021-2764-1

Closed bugs

Bug #40877

ALT-PU-2021-2765-1

Closed bugs

Bug #40502

ALT-PU-2021-2770-1

Closed vulnerabilities

BDU:2021-03557

CVE-2021-35042