ALT-BU-2022-3949-1
Branch sisyphus_mipsel update bulletin.
Package python3-module-traitsui updated to version 7.2.1-alt4 for branch sisyphus_mipsel.
Closed bugs
Mayavi -> PolyDataNormals, View type = Advanced -> Crash when attempting to sort the Value column
Package fontconfig updated to version 2.13.1-alt3 for branch sisyphus_mipsel.
Closed bugs
fontconfig: please, register font.dtd in system xml catalog
Package libjpeg-turbo updated to version 2.1.2-alt1 for branch sisyphus_mipsel.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-46822
The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.
- https://exchange.xforce.ibmcloud.com/vulnerabilities/221567
- https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2
Package connman updated to version 1.41-alt1 for branch sisyphus_mipsel.
Closed vulnerabilities
BDU:2022-03145
Vulnerability in the dnsproxy package of the Connman connection manager that allows an attacker to cause a denial of service or disclose protected information
BDU:2022-03146
Vulnerability in the dnsproxy package of the Connman connection manager that allows an attacker to gain access to confidential information or cause a denial of service
BDU:2022-03147
Vulnerability in the dnsproxy package of the Connman connection manager that allows an attacker to cause a denial of service
Modified: 2024-11-21
CVE-2022-23096
An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read.
- https://git.kernel.org/pub/scm/network/connman/connman.git/log/
- [debian-lts-announce] 20220209 [SECURITY] [DLA 2915-1] connman security update
- GLSA-202310-21
- DSA-5231
- https://www.openwall.com/lists/oss-security/2022/01/25/1
Modified: 2024-11-21
CVE-2022-23097
An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen call, leading to an out-of-bounds read.
- https://git.kernel.org/pub/scm/network/connman/connman.git/log/
- [debian-lts-announce] 20220209 [SECURITY] [DLA 2915-1] connman security update
- GLSA-202310-21
- DSA-5231
- https://www.openwall.com/lists/oss-security/2022/01/25/1
Modified: 2024-11-21
CVE-2022-23098
An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received.
- https://git.kernel.org/pub/scm/network/connman/connman.git/log/
- [debian-lts-announce] 20220209 [SECURITY] [DLA 2915-1] connman security update
- GLSA-202310-21
- DSA-5231
- https://www.openwall.com/lists/oss-security/2022/01/25/1
Package janus updated to version 0.11.7-alt1 for branch sisyphus_mipsel.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-4020
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- https://github.com/meetecho/janus-gateway/commit/d3fc00ec803d6c41d8f98908732f44e7f4911a1c
- https://huntr.dev/bounties/9814baa8-7bdd-4e31-a132-d9d15653409e
Modified: 2024-11-21
CVE-2021-4124
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- https://github.com/meetecho/janus-gateway/commit/f62bba6513ec840761f2434b93168106c7c65a3d
- https://huntr.dev/bounties/a6ca142e-60aa-4d6f-b231-5d1bcd1b7190
Package minio updated to version 2022.02.01-alt1 for branch sisyphus_mipsel.
Closed vulnerabilities
BDU:2022-03596
Vulnerability in the MinIO object storage server related to insecure privilege management that allows an attacker to escalate their privileges
Modified: 2024-11-21
CVE-2021-43858
MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.
- https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf
- https://github.com/minio/minio/pull/13976
- https://github.com/minio/minio/pull/7949
- https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z
- https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx
Package libvirt updated to version 8.0.0-alt3 for branch sisyphus_mipsel.
Closed vulnerabilities
BDU:2022-05679
Vulnerability in the Libvirt virtualization management library related to insufficient locking that allows an attacker to cause a denial of service
Modified: 2024-11-21
CVE-2021-4147
A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition.
- https://bugzilla.redhat.com/show_bug.cgi?id=2034195
- [debian-lts-announce] 20240401 [SECURITY] [DLA 3778-1] libvirt security update
- https://security.netapp.com/advisory/ntap-20220513-0004/
Package expat updated to version 2.4.4-alt1 for branch sisyphus_mipsel.
Closed vulnerabilities
BDU:2022-00999
Vulnerability in the doProlog() function of the Expat library that allows an attacker to cause a denial of service
BDU:2022-01702
Vulnerability in the libexpat XML parser library related to an integer overflow that allows an attacker to execute arbitrary code
Modified: 2024-11-21
CVE-2022-23852
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- https://github.com/libexpat/libexpat/pull/550
- [debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update
- GLSA-202209-24
- https://security.netapp.com/advisory/ntap-20220217-0001/
- DSA-5073
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.tenable.com/security/tns-2022-05
Modified: 2024-11-21
CVE-2022-23990
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- https://github.com/libexpat/libexpat/pull/551
- FEDORA-2022-88f6a3d290
- FEDORA-2022-d2abd0858e
- GLSA-202209-24
- DSA-5073
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.tenable.com/security/tns-2022-05
Package gem-puppet updated to version 7.14.0-alt3 for branch sisyphus_mipsel.
Closed bugs
Error when installing a package with puppet if aptitude is installed on the system