Branch p10 update bulletin.

Package vim updated to version 9.0.1240-alt1 for branch p10 in task 314191.

Published: 2023-01-25
Modified: 2024-09-13

BDU:2023-00387

Уязвимость компонента src/normal.c текстового редактора Vim, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (7.8) Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: HIGH (7.2) Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

References:

CVE-2023-0288

Published: 2023-01-30
Modified: 2024-09-13

BDU:2023-00451

Уязвимость функций same_leader() и utfc_ptr2len() текстового редактора Vim, позволяющая нарушителю выполнить произвольный код в целевой системе

Severity: HIGH (7.8) Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: HIGH (7.2) Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

References:

CVE-2023-0433

Published: 2023-01-13
Modified: 2024-11-21

CVE-2023-0288

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Published: 2023-01-21
Modified: 2024-11-21

CVE-2023-0433

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Package octave updated to version 7.3.0-alt2 for branch p10 in task 312564.

исправить octave.filetrigger, чтобы он не пытался использовать window system

Пакет octave должен зависеть от makeinfo

Package libxml2 updated to version 2.9.12-alt1.p10.1 for branch p10 in task 314068.

Published: 2022-03-25
Modified: 2025-09-05

BDU:2022-01453

Уязвимость файла valid.c библиотеки анализа XML-документов libxml2, связанная с использованием памяти после освобождения, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: CRITICAL (10.0) Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

References:

CVE-2022-23308

Published: 2022-05-20
Modified: 2024-09-13

BDU:2022-03033

Уязвимость компонентов buf.c и tree.c библиотеки libxml2, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Severity: HIGH (7.1) Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

References:

CVE-2022-29824

Published: 2022-11-11
Modified: 2025-09-05

BDU:2022-06700

Уязвимость функции очистки объекта XML библиотеки анализа XML-документов libxml2, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (8.2) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Severity: HIGH (8.5) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:C

References:

CVE-2022-40304

Published: 2022-11-11
Modified: 2025-09-05

BDU:2022-06701

Уязвимость функции xmlParseNameComplex() библиотеки анализа XML-документов libxml2, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании

Severity: HIGH (8.2) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Severity: HIGH (8.5) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:C

References:

CVE-2022-40303

Published: 2022-02-26
Modified: 2025-05-05

CVE-2022-23308

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Published: 2022-05-03
Modified: 2024-11-21

CVE-2022-29824

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Published: 2022-11-23
Modified: 2025-04-29

CVE-2022-40303

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Published: 2022-11-23
Modified: 2025-04-28

CVE-2022-40304

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Package alterator-bind updated to version 0.9.6-alt1 for branch p10 in task 314491.

При изменении имени компьютера создаётся некорректный ddns-key.conf

Version: 2.1.2

Branch p10 update on 2023-02-03

ALT-BU-2023-2424-1

ALT-PU-2023-1170-1

Closed vulnerabilities

BDU:2023-00387

BDU:2023-00451

CVE-2023-0288

CVE-2023-0433

ALT-PU-2023-1171-1

Closed bugs

Bug #38242

Bug #43252

ALT-PU-2023-1172-1

Closed vulnerabilities

BDU:2022-01453

BDU:2022-03033

BDU:2022-06700

BDU:2022-06701

CVE-2022-23308

CVE-2022-29824

CVE-2022-40303

CVE-2022-40304

ALT-PU-2023-1173-1

Closed bugs

Bug #45063