ALT-BU-2022-4550-1
Branch sisyphus update bulletin.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-1271
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
- https://access.redhat.com/security/cve/CVE-2022-1271
- https://access.redhat.com/security/cve/CVE-2022-1271
- https://bugzilla.redhat.com/show_bug.cgi?id=2073310
- https://bugzilla.redhat.com/show_bug.cgi?id=2073310
- https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
- https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
- https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
- https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
- GLSA-202209-01
- GLSA-202209-01
- https://security.netapp.com/advisory/ntap-20220930-0006/
- https://security.netapp.com/advisory/ntap-20220930-0006/
- https://security-tracker.debian.org/tracker/CVE-2022-1271
- https://security-tracker.debian.org/tracker/CVE-2022-1271
- https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
- https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
- https://www.openwall.com/lists/oss-security/2022/04/07/8
- https://www.openwall.com/lists/oss-security/2022/04/07/8
Closed bugs
[FR] втащить апстримный коммит для поддержки e2k
Пожалуйста обновите до до версии 1.5.2
Package kernel-image-centos updated to version 5.14.0.77-alt1.el9 for branch sisyphus in task 298187.
Closed vulnerabilities
BDU:2022-01511
Уязвимость реализации режима Intra-mode BTI (IMBTI) микропрограммного обеспечения процессоров Intel, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2022-01915
Уязвимость реализации режима Intra-mode BTI (IMBTI) микропрограммного обеспечения процессоров Intel, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2022-03555
Уязвимость модуля LFENCE/JMP процессоров AMD, позволяющая нарушителю раскрыть защищаемую информацию
Modified: 2024-11-21
CVE-2021-26401
LFENCE/JMP (mitigation V2-2) may not sufficiently mitigate CVE-2017-5715 on some AMD CPUs.
- [oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues
- [oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues
- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036
- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036
Modified: 2025-04-01
CVE-2022-0001
Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
- [oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues
- [oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues
- https://security.netapp.com/advisory/ntap-20220818-0004/
- https://security.netapp.com/advisory/ntap-20220818-0004/
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html
- VU#155143
- VU#155143
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.vicarius.io/vsociety/posts/cve-2022-0001-detect-specter-vulnerability?prevUrl=wizard
- https://www.vicarius.io/vsociety/posts/cve-2022-0001-mitigate-specter-vulnerability?prevUrl=wizard
Modified: 2024-11-21
CVE-2022-0002
Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
- [oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues
- [oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues
- https://security.netapp.com/advisory/ntap-20220818-0004/
- https://security.netapp.com/advisory/ntap-20220818-0004/
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-40529
The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
- https://eprint.iacr.org/2021/923
- https://eprint.iacr.org/2021/923
- https://github.com/randombit/botan/pull/2790
- https://github.com/randombit/botan/pull/2790
- https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
- https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
- https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
- https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
- FEDORA-2021-8d51cac49f
- FEDORA-2021-8d51cac49f
- FEDORA-2021-14b0d97496
- FEDORA-2021-14b0d97496
- GLSA-202208-14
- GLSA-202208-14