ALT-BU-2022-6236-1
Branch sisyphus update bulletin.
Package enlightenment updated to version 0.25.4-alt1 for branch sisyphus in task 307098.
Closed vulnerabilities
BDU:2022-06060
Уязвимость реализации системного файла Enlightenment_sys оконного менеджера Enlightenment, позволяющая нарушителю повысить свои привилегии
Modified: 2024-11-21
CVE-2022-37706
enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.
- https://git.enlightenment.org/enlightenment/enlightenment/commit/cae78cbb169f237862faef123e4abaf63a1f5064
- https://git.enlightenment.org/enlightenment/enlightenment/commit/cc7faeccf77fef8b0ae70e312a21e4cde087e141
- https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
- https://git.enlightenment.org/enlightenment/enlightenment/commit/cae78cbb169f237862faef123e4abaf63a1f5064
- https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
- https://git.enlightenment.org/enlightenment/enlightenment/commit/cc7faeccf77fef8b0ae70e312a21e4cde087e141
Closed bugs
Ошибка в связанных пакетах рушит работу системы
Closed vulnerabilities
Modified: 2024-11-21
CVE-2020-17482
An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory.
Modified: 2024-11-21
CVE-2020-24696
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker can trigger a race condition leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature.
Modified: 2024-11-21
CVE-2020-24697
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker can cause a denial of service by sending crafted queries with a GSS-TSIG signature.
Modified: 2024-11-21
CVE-2020-24698
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker might be able to cause a double-free, leading to a crash or possibly arbitrary code execution. by sending crafted queries with a GSS-TSIG signature.
Modified: 2024-11-21
CVE-2021-36754
PowerDNS Authoritative Server 4.5.0 before 4.5.1 allows anybody to crash the process by sending a specific query (QTYPE 65535) that causes an out-of-bounds exception.
- [oss-security] 20210726 security advisory 2021-01 for PowerDNS Authoritative Server 4.5.0
- [oss-security] 20210726 security advisory 2021-01 for PowerDNS Authoritative Server 4.5.0
- https://doc.powerdns.com/authoritative/security-advisories/index.html
- https://doc.powerdns.com/authoritative/security-advisories/index.html
- https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html
- https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html
Modified: 2024-11-21
CVE-2022-27227
In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an IXFR end condition causes incomplete zone transfers to be handled as successful transfers.
- [oss-security] 20220325 Security Advisory 2022-01 for PowerDNS Authoritative Server 4.4.2, 4.5.3, 4.6.0 and PowerDNS Recursor 4.4.7, 4.5.7, 4.6.0
- [oss-security] 20220325 Security Advisory 2022-01 for PowerDNS Authoritative Server 4.4.2, 4.5.3, 4.6.0 and PowerDNS Recursor 4.4.7, 4.5.7, 4.6.0
- https://doc.powerdns.com/authoritative/security-advisories/index.html
- https://doc.powerdns.com/authoritative/security-advisories/index.html
- https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html
- https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html
- https://docs.powerdns.com/recursor/security-advisories/index.html
- https://docs.powerdns.com/recursor/security-advisories/index.html
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html
- FEDORA-2022-8367cefdea
- FEDORA-2022-8367cefdea
- FEDORA-2022-6e19acf414
- FEDORA-2022-6e19acf414
- FEDORA-2022-ccfd5d1045
- FEDORA-2022-ccfd5d1045
- FEDORA-2022-1df2a841e4
- FEDORA-2022-1df2a841e4
Package python3-module-joblib updated to version 1.2.0-alt1 for branch sisyphus in task 307106.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-21797
The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
- https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
- https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
- https://github.com/joblib/joblib/issues/1128
- https://github.com/joblib/joblib/issues/1128
- https://github.com/joblib/joblib/pull/1321
- https://github.com/joblib/joblib/pull/1321
- [debian-lts-announce] 20221117 [SECURITY] [DLA 3193-1] joblib security update
- [debian-lts-announce] 20221117 [SECURITY] [DLA 3193-1] joblib security update
- [debian-lts-announce] 20230330 [SECURITY] [DLA 3193-2] joblib security update
- [debian-lts-announce] 20230330 [SECURITY] [DLA 3193-2] joblib security update
- FEDORA-2022-c0bfe37ae5
- FEDORA-2022-c0bfe37ae5
- FEDORA-2022-c83ce1c000
- FEDORA-2022-c83ce1c000
- GLSA-202401-01
- GLSA-202401-01
- https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
- https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-37290
GNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.
- https://gitlab.gnome.org/GNOME/nautilus/-/issues/2376
- https://gitlab.gnome.org/GNOME/nautilus/-/merge_requests/1001
- https://gitlab.gnome.org/GNOME/nautilus/-/tree/master
- FEDORA-2023-dbe1157188
- FEDORA-2023-f81ad89b81
- https://gitlab.gnome.org/GNOME/nautilus/-/issues/2376
- FEDORA-2023-f81ad89b81
- FEDORA-2023-dbe1157188
- https://gitlab.gnome.org/GNOME/nautilus/-/tree/master
- https://gitlab.gnome.org/GNOME/nautilus/-/merge_requests/1001
Package kernel-image-un-def updated to version 5.19.10-alt1 for branch sisyphus in task 307119.
Closed vulnerabilities
BDU:2022-06054
Уязвимость функции stex_queuecommand_lck() ядра операционных систем Linux, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Modified: 2024-11-21
CVE-2022-40768
drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
- [oss-security] 20220919 Re: Linux kernel: information disclosure in stex_queuecommand_lck
- [oss-security] 20220919 Re: Linux kernel: information disclosure in stex_queuecommand_lck
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6022f210461fef67e6e676fd8544ca02d1bcfa7a
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6022f210461fef67e6e676fd8544ca02d1bcfa7a
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/scsi/stex.c
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/scsi/stex.c
- [debian-lts-announce] 20221223 [SECURITY] [DLA 3245-1] linux security update
- [debian-lts-announce] 20221223 [SECURITY] [DLA 3245-1] linux security update
- FEDORA-2022-2cfbe17910
- FEDORA-2022-2cfbe17910
- FEDORA-2022-1a5b125ac6
- FEDORA-2022-1a5b125ac6
- FEDORA-2022-b948fc3cfb
- FEDORA-2022-b948fc3cfb
- https://lore.kernel.org/all/20220908145154.2284098-1-gregkh%40linuxfoundation.org/
- https://lore.kernel.org/all/20220908145154.2284098-1-gregkh%40linuxfoundation.org/
- https://www.openwall.com/lists/oss-security/2022/09/09/1
- https://www.openwall.com/lists/oss-security/2022/09/09/1