Branch p10 update bulletin.

Package golang updated to version 1.16.14-alt1 for branch p10 in task 295237.

Published: 2022-01-20

BDU:2022-03899

Уязвимость реализации функции SetString() класса Rat пакета math/big языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

CVE-2022-23772

Published: 2022-02-11
Modified: 2024-11-21

CVE-2022-23772

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Published: 2022-02-11
Modified: 2024-11-21

CVE-2022-23773

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Published: 2022-02-11
Modified: 2024-11-21

CVE-2022-23806

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References:

Package ethtool updated to version 5.16-alt1 for branch p10 in task 294516.

В README.ALT осталось упоминание init-скрипта

Package jitsi-videobridge updated to version 2.1-alt0.7 for branch p10 in task 294023.

Не работает systemctl enable jitsi-videobridge

Version: 2.1.1

Branch p10 update on 2022-02-15

ALT-BU-2022-4025-1

ALT-PU-2022-1283-1

Closed vulnerabilities

BDU:2022-03899

CVE-2022-23772

CVE-2022-23773

CVE-2022-23806

ALT-PU-2022-1285-1

Closed bugs

Bug #41460

ALT-PU-2022-1286-1

Closed bugs

Bug #41778