ALT-BU-2022-4521-1
Branch sisyphus_e2k update bulletin.
Package kde5-krusader updated to version 2.7.2-alt3 for branch sisyphus_e2k.
Closed bugs
Обновить сборку
Package kde5-connect updated to version 21.12.3-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2020-26164
In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack.
- openSUSE-SU-2020:1647
- openSUSE-SU-2020:1647
- openSUSE-SU-2020:1650
- openSUSE-SU-2020:1650
- [oss-security] 20201013 kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon
- [oss-security] 20201013 kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon
- [oss-security] 20201013 Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon
- [oss-security] 20201013 Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon
- [oss-security] 20201014 Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon
- [oss-security] 20201014 Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon
- [oss-security] 20201130 Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon
- [oss-security] 20201130 Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon
- https://bugzilla.suse.com/show_bug.cgi?id=1176268
- https://bugzilla.suse.com/show_bug.cgi?id=1176268
- https://github.com/KDE/kdeconnect-kde/commit/024e5f23db8d8ad3449714b906b46094baaffb89
- https://github.com/KDE/kdeconnect-kde/commit/024e5f23db8d8ad3449714b906b46094baaffb89
- https://github.com/KDE/kdeconnect-kde/commit/4fbd01a3d44a0bcca888c49a77ec7cfd10e113d7
- https://github.com/KDE/kdeconnect-kde/commit/4fbd01a3d44a0bcca888c49a77ec7cfd10e113d7
- https://github.com/KDE/kdeconnect-kde/commit/542d94a70c56aa386c8d4d793481ce181b0422e8
- https://github.com/KDE/kdeconnect-kde/commit/542d94a70c56aa386c8d4d793481ce181b0422e8
- https://github.com/KDE/kdeconnect-kde/commit/613899be24b6e2a6b3e5cc719efce8ae8a122991
- https://github.com/KDE/kdeconnect-kde/commit/613899be24b6e2a6b3e5cc719efce8ae8a122991
- https://github.com/KDE/kdeconnect-kde/commit/8112729eb0f13e6947984416118531078e65580d
- https://github.com/KDE/kdeconnect-kde/commit/8112729eb0f13e6947984416118531078e65580d
- https://github.com/KDE/kdeconnect-kde/commit/ce0f00fc2d3eccb51d0af4eba61a4f60de086a59
- https://github.com/KDE/kdeconnect-kde/commit/ce0f00fc2d3eccb51d0af4eba61a4f60de086a59
- https://github.com/KDE/kdeconnect-kde/releases
- https://github.com/KDE/kdeconnect-kde/releases
- https://kde.org/info/security/advisory-20201002-1.txt
- https://kde.org/info/security/advisory-20201002-1.txt
- https://kdeconnect.kde.org/official/
- https://kdeconnect.kde.org/official/
- https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00014.html
- https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00014.html
- GLSA-202101-16
- GLSA-202101-16
Package kde5-kate updated to version 21.12.3-alt1.1 for branch sisyphus_e2k.
Closed vulnerabilities
BDU:2022-05725
Уязвимость плагина Language Server Protocol текстового редактора Kate, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2022-23853
The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted directory.
Package kde5-ark updated to version 21.12.3-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
BDU:2021-01751
Уязвимость функции emitEntryFromArchiveEntry из libarchiveplugin.cpp архиватора Ark, связанная с неверным определением ссылки перед доступом к файлу, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2021-03629
Уязвимость функции Job::onEntry из jobs.cpp архиватора Ark, связанная с недостатками ограничения имени пути к каталогу, позволяющая нарушителю оказать воздействие на целостность защищаемой информации
Modified: 2024-11-21
CVE-2020-16116
In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.
- openSUSE-SU-2020:1183
- openSUSE-SU-2020:1183
- https://github.com/KDE/ark/commits/master
- https://github.com/KDE/ark/commits/master
- https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
- https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
- https://kde.org/info/security/advisory-20200730-1.txt
- https://kde.org/info/security/advisory-20200730-1.txt
- [debian-lts-announce] 20220520 [SECURITY] [DLA 3015-1] ark security update
- [debian-lts-announce] 20220520 [SECURITY] [DLA 3015-1] ark security update
- FEDORA-2020-e2fe8f0165
- FEDORA-2020-e2fe8f0165
- FEDORA-2020-cac5ae9b6e
- FEDORA-2020-cac5ae9b6e
- GLSA-202008-03
- GLSA-202008-03
- USN-4461-1
- USN-4461-1
- https://www.debian.org/security/2020/dsa-4738
- https://www.debian.org/security/2020/dsa-4738
Modified: 2024-11-21
CVE-2020-24654
In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.
- openSUSE-SU-2020:1310
- openSUSE-SU-2020:1310
- https://bugzilla.suse.com/show_bug.cgi?id=1175857
- https://bugzilla.suse.com/show_bug.cgi?id=1175857
- https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
- https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
- https://kde.org/info/security/advisory-20200827-1.txt
- https://kde.org/info/security/advisory-20200827-1.txt
- [debian-lts-announce] 20220520 [SECURITY] [DLA 3015-1] ark security update
- [debian-lts-announce] 20220520 [SECURITY] [DLA 3015-1] ark security update
- FEDORA-2020-c2f8a1e8a5
- FEDORA-2020-c2f8a1e8a5
- FEDORA-2020-f04f41bcc9
- FEDORA-2020-f04f41bcc9
- GLSA-202010-06
- GLSA-202010-06
- GLSA-202101-06
- GLSA-202101-06
- USN-4482-1
- USN-4482-1
- DSA-4759
- DSA-4759
Package kde5-kdf updated to version 21.12.3-alt1 for branch sisyphus_e2k.
Closed bugs
Не открывается диспетчер файлов
Package kde5-kcron updated to version 21.12.3-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-24986
KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. Thus, someone watching it be created the first time could potentially intercept the file the following time, enabling that person to run unauthorized commands.
Package plasma5-systemsettings updated to version 5.23.5-alt2 for branch sisyphus_e2k.
Closed bugs
Некорректное отображение меню приложений при поиске приложений
Package kf5-kguiaddons updated to version 5.91.0-alt1 for branch sisyphus_e2k.
Closed bugs
Не отрабатывает последняя клавиша вида CTRL + E, F в хоткеях из "Комбинации клавиш" для виджетов
Package kf5-kimageformats updated to version 5.91.0-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-36083
KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overflow in XCFImageFormat::loadTileRLE.
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml
- https://invent.kde.org/frameworks/kimageformats/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f
- https://invent.kde.org/frameworks/kimageformats/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f
Package kf5-kdelibs4support updated to version 5.91.0-alt1 for branch sisyphus_e2k.
Closed bugs
Возможно ли убрать из kf5-kdelibs4support зависимость на python3(sipconfig) ?
Package kf5-breeze-icons updated to version 5.91.0-alt1 for branch sisyphus_e2k.
Closed bugs
Вернуть статусные иконки для Telegram
Package kf5-ktexteditor updated to version 5.91.0-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
BDU:2022-05725
Уязвимость плагина Language Server Protocol текстового редактора Kate, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2022-23853
The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted directory.
Package plasma5-nm updated to version 5.23.5-alt2.1 for branch sisyphus_e2k.
Closed bugs
Отсутствует модуль VPN (strongswan)
Package kde5-ktorrent updated to version 21.12.3-alt1 for branch sisyphus_e2k.
Closed bugs
ktorrent не добавляет модуль на панель инструментов при включении соответствующей опции в настройках
Package plasma5-desktop updated to version 5.23.5-alt5 for branch sisyphus_e2k.
Closed bugs
Исправление работы с несколькими мониторами
Иконка меню приложений меняется местами с точками входа, если изменить меню на любой из Взаимозаменяемых виджетов.
Исчезают все значки с рабочего стола после удаления комнаты
Package extra-cmake-modules updated to version 5.91.0-alt2 for branch sisyphus_e2k.
Closed bugs
extra-cmake-modules pulls in clang-devel
Лишняя зависимость на PyQt5
Package kde5-kio-extras updated to version 21.12.3-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2020-12755
fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended KWallet storage of a password.
Closed bugs
В dolphin не отображается миниатюра для файла DJVU
Ошибка в интерфейсе файлового менеджера Dolphin
Package samba updated to version 4.14.12-alt2 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-44142
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
- https://bugzilla.samba.org/show_bug.cgi?id=14914
- https://bugzilla.samba.org/show_bug.cgi?id=14914
- https://kb.cert.org/vuls/id/119678
- https://kb.cert.org/vuls/id/119678
- GLSA-202309-06
- GLSA-202309-06
- https://www.kb.cert.org/vuls/id/119678
- https://www.samba.org/samba/security/CVE-2021-44142.html
- https://www.samba.org/samba/security/CVE-2021-44142.html
- https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin
- https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin
Modified: 2024-11-21
CVE-2022-0336
The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity.
- https://access.redhat.com/security/cve/CVE-2022-0336
- https://access.redhat.com/security/cve/CVE-2022-0336
- https://bugzilla.redhat.com/show_bug.cgi?id=2046134
- https://bugzilla.redhat.com/show_bug.cgi?id=2046134
- https://bugzilla.samba.org/show_bug.cgi?id=14950
- https://bugzilla.samba.org/show_bug.cgi?id=14950
- https://github.com/samba-team/samba/commit/1a5dc817c0c9379bbaab14c676681b42b0039a3c
- https://github.com/samba-team/samba/commit/1a5dc817c0c9379bbaab14c676681b42b0039a3c
- https://github.com/samba-team/samba/commit/c58ede44f382bd0125f761f0479c8d48156be400
- https://github.com/samba-team/samba/commit/c58ede44f382bd0125f761f0479c8d48156be400
- GLSA-202309-06
- GLSA-202309-06
- https://www.samba.org/samba/security/CVE-2022-0336.html
- https://www.samba.org/samba/security/CVE-2022-0336.html
Package plasma5-workspace updated to version 5.23.5-alt6.1 for branch sisyphus_e2k.
Closed bugs
Виджет даты разбивается на строки из-за пробела между днём недели и числом
sddm: некорретное поведение виртуальной клавиатуры при входе в систему
"Показать строку поиска и запуска" отсутствует
Не запускаются приложения из "Последние приложения"