ALT-BU-2022-4830-1
Branch sisyphus_e2k update bulletin.
Package kdenlive updated to version 21.12.3-alt1 for branch sisyphus_e2k.
Closed bugs
[FR] Version the dependency on mlt where possible
Package python3-module-mechanize updated to version 0.4.7-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-32837
mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.
- https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879
- https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6
- https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6
- https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html
- https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/
Package python3-module-django updated to version 3.2.13-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2022-11-21
BDU:2022-02670
Vulnerability in the implementation of the QuerySet.explain() function of the Django web application framework, allowing an attacker to affect the confidentiality, integrity and availability of protected information
Modified: 2023-11-13
BDU:2022-02671
Vulnerability in the implementation of the QuerySet.annotate(), aggregate() and extra() methods of the Django web application framework, allowing an attacker to affect the confidentiality, integrity and availability of protected information
Modified: 2024-11-21
CVE-2022-28346
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
- http://www.openwall.com/lists/oss-security/2022/04/11/1
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://security.netapp.com/advisory/ntap-20220609-0002/
- https://www.debian.org/security/2022/dsa-5254
- https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
Modified: 2024-11-21
CVE-2022-28347
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
- http://www.openwall.com/lists/oss-security/2022/04/11/1
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://www.debian.org/security/2022/dsa-5254
- https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
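Both Django entries above share one root cause: a dictionary key supplied by the caller (a column alias for annotate()/aggregate()/extra(), an option name for explain()) is placed into generated SQL as an identifier. The example below is added to this bulletin and is not Django's code; it shows the kind of identifier check the upstream fix introduced, applied in a toy SQL builder, so that a crafted key is refused before any SQL is assembled. The pattern, function names and the toy builders are this example's own assumptions.

```python
import re

# Characters and sequences that must never appear in a name interpolated into
# SQL as an identifier: whitespace, quotes, brackets, semicolons and comment
# markers. Assumed pattern for this example, not Django's own definition.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def check_alias(alias: str) -> str:
    """Return alias unchanged, or raise ValueError if it could break out of
    the identifier position it will be interpolated into."""
    if not alias:
        raise ValueError("alias must not be empty")
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation "
            f"marks, semicolons, or SQL comments: {alias!r}"
        )
    return alias


def quote_name(name: str) -> str:
    # Double-quoted identifier; check_alias already rejects embedded quotes,
    # but doubling them here costs nothing and keeps the builder self-defending.
    return '"' + name.replace('"', '""') + '"'


def build_select_with_annotations(table: str, annotations: dict) -> str:
    """Toy stand-in for the ORM's annotate(): each key of the dictionary
    (the **kwargs the CVE text refers to) becomes a column alias. Every key is
    validated before it reaches the SQL string."""
    columns = ["*"]
    for alias, expression in annotations.items():
        check_alias(alias)
        columns.append(f"{expression} AS {quote_name(alias)}")
    return f"SELECT {', '.join(columns)} FROM {quote_name(table)}"


def build_explain(table: str, options: dict) -> str:
    """Toy stand-in for explain(**options): option names are emitted as bare
    keywords, e.g. EXPLAIN (ANALYZE true) ..., so they get the same check."""
    parts = []
    for name, value in options.items():
        check_alias(name)
        parts.append(f"{name.upper()} {'true' if value else 'false'}")
    prefix = f"EXPLAIN ({', '.join(parts)}) " if parts else "EXPLAIN "
    return prefix + f"SELECT * FROM {quote_name(table)}"


def is_rejected(alias: str) -> bool:
    """True if check_alias refuses the alias (useful in unit tests)."""
    try:
        check_alias(alias)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a benign alias passed via dictionary expansion, and
    # a key carrying a quotation mark and a comment marker, which is refused.
    good = {"price_total": "price * quantity"}
    print(build_select_with_annotations("order", **{"annotations": good}))
    print(build_explain("order", {"analyze": True}))
    for key in ('x"; --', "a b", "a/*b*/"):
        print(repr(key), "rejected:", is_rejected(key))
```

The check runs on the key, not on the expression, because the expression goes through the ORM's normal expression compilation while the key is what the affected versions copied verbatim into the alias position; a caller that builds annotation dictionaries from request data should treat the keys as untrusted input in the same way.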
Package python3-module-docutils updated to version 0.18.1-alt2 for branch sisyphus_e2k.
Closed bugs
The rst2man utility is again packaged with the .py extension
rst2man and the other utilities are missing without the .py suffix
File conflict
Package cups-pdf updated to version 3.0.1-alt2 for branch sisyphus_e2k.
Closed bugs
Cups-PDF creates an empty PDF file
Stops cups in the firsttime script