ALT-BU-2022-3516-1
Branch sisyphus_riscv64 update bulletin.
Package libcmis updated to version 0.5.2-alt6.git.f7466a8 for branch sisyphus_riscv64.
Closed bugs
Update to bce91e0854a0ff1d0b2023f1f3a54077a36e3738
Package nim-lang updated to version 1.4.6-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2021-04700
A vulnerability in the Nim programming language caused by errors in the certificate validation procedure, allowing an attacker to affect data integrity
Modified: 2024-11-21
CVE-2021-21372
Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, Nimble's doCmd is used in several places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
- https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37
- https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
Modified: 2024-11-21
CVE-2021-21373
Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. On error it falls back to the non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker able to perform a MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used, the attack escalates to untrusted code execution.
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
- https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8
Modified: 2024-11-21
CVE-2021-21374
Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate, due to the default setting of httpClient. An attacker able to perform a MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used, the attack escalates to untrusted code execution.
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
- https://github.com/nim-lang/Nim/pull/16940
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
- https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
Modified: 2024-11-21
CVE-2021-29495
Nim is a statically typed compiled systems programming language. In Nim standard library before 1.4.2, httpClient SSL/TLS certificate verification was disabled by default. Users can upgrade to version 1.4.2 to receive a patch or, as a workaround, set "verifyMode = CVerifyPeer" as documented.
Package lxde-common updated to version 0.99.2-alt6 for branch sisyphus_riscv64.
Closed bugs
LXDE settings are reset to defaults on every user login.
Package libldb updated to version 2.3.2-alt2 for branch sisyphus_riscv64.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-3670
MaxQueryDuration not honoured in Samba AD DC LDAP
- https://bugzilla.redhat.com/show_bug.cgi?id=2077533
- https://bugzilla.samba.org/show_bug.cgi?id=14694
- https://gitlab.com/samba-team/samba/-/commit/1d5b155619bc532c46932965b215bd73a920e56f
- https://gitlab.com/samba-team/samba/-/commit/2b3af3b560c9617a233c131376c870fce146c002
- https://gitlab.com/samba-team/samba/-/commit/3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393
- https://gitlab.com/samba-team/samba/-/commit/5f0590362c5c0c5ee20503a67467f9be2d50e73b
- https://gitlab.com/samba-team/samba/-/commit/86fe9d48883f87c928bf31ccbd275db420386803
- https://gitlab.com/samba-team/samba/-/commit/dcfcafdbf756e12d9077ad7920eea25478c29f81
- https://gitlab.com/samba-team/samba/-/commit/e1ab0c43629686d1d2c0b0b2bcdc90057a792049
- https://security.gentoo.org/glsa/202309-06
Package samba updated to version 4.14.11-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2020-25727
The Reset Password add-on before 1.2.0 for Alfresco suffers from CMIS-SQL Injection, which allows a malicious user to inject a query within the email input field.
Modified: 2024-11-21
CVE-2021-3670
MaxQueryDuration not honoured in Samba AD DC LDAP
- https://bugzilla.redhat.com/show_bug.cgi?id=2077533
- https://bugzilla.samba.org/show_bug.cgi?id=14694
- https://gitlab.com/samba-team/samba/-/commit/1d5b155619bc532c46932965b215bd73a920e56f
- https://gitlab.com/samba-team/samba/-/commit/2b3af3b560c9617a233c131376c870fce146c002
- https://gitlab.com/samba-team/samba/-/commit/3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393
- https://gitlab.com/samba-team/samba/-/commit/5f0590362c5c0c5ee20503a67467f9be2d50e73b
- https://gitlab.com/samba-team/samba/-/commit/86fe9d48883f87c928bf31ccbd275db420386803
- https://gitlab.com/samba-team/samba/-/commit/dcfcafdbf756e12d9077ad7920eea25478c29f81
- https://gitlab.com/samba-team/samba/-/commit/e1ab0c43629686d1d2c0b0b2bcdc90057a792049
- https://security.gentoo.org/glsa/202309-06
Package wolfssl updated to version 5.1.1-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-23408
wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c.