ALT-BU-2022-6369-1
Branch sisyphus update bulletin.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-3287
When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file.
Package fluent-bit updated to version 1.9.9-alt1 for branch sisyphus in task 307780.
Closed bugs
носит с собой копию c-ares
Package python3-module-ujson updated to version 5.5.0-alt1 for branch sisyphus in task 307788.
Closed vulnerabilities
BDU:2022-04296
Уязвимость пакета UltraJSON языка программирования Python, позволяющая нарушителю оказать воздействие на целостность данных
Modified: 2024-11-21
CVE-2021-45958
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml
- https://github.com/ultrajson/ultrajson/issues/501
- https://github.com/ultrajson/ultrajson/issues/501
- https://github.com/ultrajson/ultrajson/issues/502#issuecomment-1031747284
- https://github.com/ultrajson/ultrajson/issues/502#issuecomment-1031747284
- https://github.com/ultrajson/ultrajson/pull/504
- https://github.com/ultrajson/ultrajson/pull/504
- [debian-lts-announce] 20220226 [SECURITY] [DLA 2929-1] ujson security update
- [debian-lts-announce] 20220226 [SECURITY] [DLA 2929-1] ujson security update
- FEDORA-2022-dbf6e00ba8
- FEDORA-2022-dbf6e00ba8
- FEDORA-2022-33e816bc37
- FEDORA-2022-33e816bc37
- FEDORA-2022-d1452fd421
- FEDORA-2022-d1452fd421
- FEDORA-2022-569b6b45e2
- FEDORA-2022-569b6b45e2
Modified: 2024-11-21
CVE-2022-31116
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.
- https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687
- https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687
- https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r
- https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r
- FEDORA-2022-33e816bc37
- FEDORA-2022-33e816bc37
- FEDORA-2022-1b2b8d5177
- FEDORA-2022-1b2b8d5177
Modified: 2024-11-21
CVE-2022-31117
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been resolved in version 5.4.0 and all users should upgrade to UltraJSON 5.4.0. There are no known workarounds for this issue.
- https://github.com/ultrajson/ultrajson/commit/9c20de0f77b391093967e25d01fb48671104b15b
- https://github.com/ultrajson/ultrajson/commit/9c20de0f77b391093967e25d01fb48671104b15b
- https://github.com/ultrajson/ultrajson/security/advisories/GHSA-fm67-cv37-96ff
- https://github.com/ultrajson/ultrajson/security/advisories/GHSA-fm67-cv37-96ff
- FEDORA-2022-33e816bc37
- FEDORA-2022-33e816bc37
- FEDORA-2022-1b2b8d5177
- FEDORA-2022-1b2b8d5177
Closed bugs
Новая версия ultrajson (5.5.0)
Closed bugs
WPS Office создаёт лишний раздел в меню
epm play chromium-gost: иконка Chromium в меню приложений
Package plasma5-kinfocenter updated to version 5.25.5-alt3 for branch sisyphus in task 307796.
Closed bugs
Ошибка при открытии раздела "Безопасность встроенного ПО" в kinfocenter
Closed bugs
installer: установка по HTTP с нераспакованного образа
Package installer-alterator-pkg updated to version 3.0.3-alt1 for branch sisyphus in task 307766.
Closed bugs
installer-alterator-pkg: установка по HTTP с нераспакованного образа
Closed bugs
Необходимо обновить пакет s3cmd