ALT-BU-2021-4201-2
Branch sisyphus update bulletin.
Package element-web updated to version 1.8.4-alt1 for branch sisyphus in task 285172.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-40823
A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.
Modified: 2024-11-21
CVE-2021-40824
A logic error in the room key sharing functionality of Element Android before 1.2.2 and matrix-android-sdk2 (aka Matrix SDK for Android) before 1.2.2 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the attacker to decrypt end-to-end encrypted messages sent by affected clients.
Package element-desktop updated to version 1.8.4-alt1 for branch sisyphus in task 285172.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-40823
A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.
Modified: 2024-11-21
CVE-2021-40824
A logic error in the room key sharing functionality of Element Android before 1.2.2 and matrix-android-sdk2 (aka Matrix SDK for Android) before 1.2.2 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the attacker to decrypt end-to-end encrypted messages sent by affected clients.
Package thunderbird updated to version 91.1.0-alt2 for branch sisyphus in task 285174.
Closed bugs
The libotr5 package is missing from the system, which makes chat conversations in thunderbird unreadable. There is no way to set the encryption status
Package spawn-fcgi updated to version 1.6.4-alt5 for branch sisyphus in task 285221.
Closed bugs
'/var/run/spawn-fcgi': No such file or directory
Closed vulnerabilities
BDU:2021-04871
Vulnerability in the Libolm implementation of the Double Ratchet cryptographic ratchet, related to an out-of-bounds buffer write, allowing an attacker to gain access to confidential data, violate its integrity, and cause a denial of service
Modified: 2024-11-21
CVE-2021-34813
Matrix libolm before 3.2.3 allows a malicious Matrix homeserver to crash a client (while it is attempting to retrieve an Olm encrypted room key backup from the homeserver) because olm_pk_decrypt has a stack-based buffer overflow. Remote code execution might be possible for some nonstandard build configurations.
- https://gitlab.matrix.org/matrix-org/olm/-/commit/ccc0d122ee1b4d5e5ca4ec1432086be17d5f901b
- https://gitlab.matrix.org/matrix-org/olm/-/releases/3.2.3
- https://matrix.org/blog/2021/06/14/adventures-in-fuzzing-libolm
Closed vulnerabilities
Modified: 2023-11-21
BDU:2021-04772
Vulnerability in the layout component of the Blink rendering engine of the Google Chrome and Microsoft Edge browsers, allowing an attacker to execute arbitrary code
Modified: 2024-09-13
BDU:2021-04783
Vulnerability in the Selection API component of the Google Chrome and Microsoft Edge browsers, allowing an attacker to cause a denial of service or execute arbitrary code
Modified: 2023-11-21
BDU:2021-04790
Vulnerability in the Blink rendering engine of the Google Chrome and Microsoft Edge browsers, allowing an attacker to cause a denial of service
Modified: 2023-11-21
BDU:2021-04791
Vulnerability in the Indexed DB API structured data storage interface of the Google Chrome and Microsoft Edge browsers, allowing an attacker to cause a denial of service or execute arbitrary code
Modified: 2023-11-21
BDU:2021-04792
Vulnerability in the Permissions component of the Google Chrome and Microsoft Edge browsers, allowing an attacker to cause a denial of service or execute arbitrary code
Modified: 2023-11-21
BDU:2021-04793
Vulnerability in the V8 JavaScript engine of the Google Chrome and Microsoft Edge browsers, allowing an attacker to cause a denial of service
Modified: 2023-11-21
BDU:2021-04794
Vulnerability in the layout component of the Blink rendering engine of the Google Chrome and Microsoft Edge browsers, allowing an attacker to execute arbitrary code
Modified: 2023-11-21
BDU:2021-04795
Vulnerability in the ANGLE library of the Google Chrome and Microsoft Edge browsers, allowing an attacker to cause a denial of service or execute arbitrary code
Modified: 2023-11-21
BDU:2021-04796
Vulnerability in the ANGLE library of the Google Chrome and Microsoft Edge browsers, allowing an attacker to cause a denial of service or execute arbitrary code
Modified: 2024-11-21
CVE-2021-30625
Use after free in Selection API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who convinced the user to visit a malicious website to potentially exploit heap corruption via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
- https://crbug.com/1237533
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1352
Modified: 2024-11-21
CVE-2021-30626
Out of bounds memory access in ANGLE in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
- https://crbug.com/1241036
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/
Modified: 2024-11-21
CVE-2021-30627
Type confusion in Blink layout in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
- https://crbug.com/1245786
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/
Modified: 2024-11-21
CVE-2021-30628
Stack buffer overflow in ANGLE in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
- https://crbug.com/1241123
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/
Modified: 2024-11-21
CVE-2021-30629
Use after free in Permissions in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
- https://crbug.com/1243646
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/
Modified: 2024-11-21
CVE-2021-30630
Inappropriate implementation in Blink in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
- https://crbug.com/1244568
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/
Modified: 2023-11-07
CVE-2021-30631
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none
Modified: 2025-10-24
CVE-2021-30632
Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- http://packetstormsecurity.com/files/172845/Chrome-JIT-Compiler-Type-Confusion.html
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
- https://crbug.com/1247763
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30632
Modified: 2025-10-24
CVE-2021-30633
Use after free in Indexed DB API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
- https://crbug.com/1247766
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30633
Closed vulnerabilities
Modified: 2024-04-17
BDU:2022-02695
Vulnerability in the evdev_log_msg function of the libinput library, which implements the X.Org and Wayland display server protocols, allowing an attacker to execute arbitrary code with elevated privileges
Modified: 2024-11-21
CVE-2022-1215
A format string vulnerability was found in libinput