ALT Linux Team

Branch sisyphus update on 2022-09-21

2022-09-21

ALT-BU-2022-6236-1

Branch sisyphus update bulletin.

ALT-PU-2022-2642-1

Package enlightenment updated to version 0.25.4-alt1 for branch sisyphus in task 307098.

Closed vulnerabilities

Published: 2022-09-15

BDU:2022-06060

Уязвимость реализации системного файла Enlightenment_sys оконного менеджера Enlightenment, позволяющая нарушителю повысить свои привилегии

Severity: MEDIUM (6.8) Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Severity: MEDIUM (4.6) Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
References:
Published: 2022-12-25
Modified: 2025-04-14

CVE-2022-37706

enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:

ALT-PU-2022-2643-1

Package freeipa updated to version 4.9.10-alt3 for branch sisyphus in task 307099.

Closed bugs

Bug #43823

Ошибка в связанных пакетах рушит работу системы

ALT-PU-2022-2644-1

Package pdns updated to version 4.6.3-alt1 for branch sisyphus in task 306917.

Closed vulnerabilities

Published: 2020-10-02
Modified: 2024-11-21

CVE-2020-17482

An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory.

Severity: MEDIUM (4.0) Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
Published: 2020-10-02
Modified: 2024-11-21

CVE-2020-24696

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker can trigger a race condition leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature.

Severity: MEDIUM (5.1) Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2020-10-02
Modified: 2024-11-21

CVE-2020-24697

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker can cause a denial of service by sending crafted queries with a GSS-TSIG signature.

Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2020-10-02
Modified: 2024-11-21

CVE-2020-24698

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker might be able to cause a double-free, leading to a crash or possibly arbitrary code execution. by sending crafted queries with a GSS-TSIG signature.

Severity: MEDIUM (6.8) Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2021-07-30
Modified: 2024-11-21

CVE-2021-36754

PowerDNS Authoritative Server 4.5.0 before 4.5.1 allows anybody to crash the process by sending a specific query (QTYPE 65535) that causes an out-of-bounds exception.

Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2022-03-25
Modified: 2024-11-21

CVE-2022-27227

In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an IXFR end condition causes incomplete zone transfers to be handled as successful transfers.

Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2022-2646-1

Package python3-module-joblib updated to version 1.2.0-alt1 for branch sisyphus in task 307106.

Closed vulnerabilities

Published: 2022-09-26
Modified: 2024-11-21

CVE-2022-21797

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:

ALT-PU-2022-2648-1

Package kernel-image-un-def updated to version 5.19.10-alt1 for branch sisyphus in task 307119.

Closed vulnerabilities

Published: 2022-09-08

BDU:2022-06054

Уязвимость функции stex_queuecommand_lck() ядра операционных систем Linux, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Severity: MEDIUM (5.5) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM (4.6) Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N
References:
Published: 2022-09-18
Modified: 2024-11-21

CVE-2022-40768

drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top