ALT-BU-2023-4377-1
Branch sisyphus_riscv64 update bulletin.
Package krb5 updated to version 1.21.1-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2023-36054
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
- https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
- https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
- https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final
- https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final
- https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final
- https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final
- [debian-lts-announce] 20231022 [SECURITY] [DLA 3626-1] krb5 security update
- [debian-lts-announce] 20231022 [SECURITY] [DLA 3626-1] krb5 security update
- https://security.netapp.com/advisory/ntap-20230908-0004/
- https://security.netapp.com/advisory/ntap-20230908-0004/
- https://web.mit.edu/kerberos/www/advisories/
- https://web.mit.edu/kerberos/www/advisories/
Package golang updated to version 1.20.6-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2023-29406
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
- https://go.dev/cl/506996
- https://go.dev/issue/60374
- https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
- https://pkg.go.dev/vuln/GO-2023-1878
- https://security.gentoo.org/glsa/202311-09
- https://security.netapp.com/advisory/ntap-20230814-0002/
- https://go.dev/cl/506996
- https://security.netapp.com/advisory/ntap-20230814-0002/
- https://security.gentoo.org/glsa/202311-09
- https://pkg.go.dev/vuln/GO-2023-1878
- https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
- https://go.dev/issue/60374
Package python3-module-django updated to version 3.2.20-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2023-36053
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://groups.google.com/forum/#%21forum/django-announce
- [debian-lts-announce] 20230719 [SECURITY] [DLA 3500-1] python-django security update
- [debian-lts-announce] 20230719 [SECURITY] [DLA 3500-1] python-django security update
- FEDORA-2023-9d36d373f1
- FEDORA-2023-9d36d373f1
- FEDORA-2023-cc023fabb7
- FEDORA-2023-cc023fabb7
- FEDORA-2024-84fbbbb914
- FEDORA-2024-84fbbbb914
- DSA-5465
- DSA-5465
- https://www.djangoproject.com/weblog/2023/jul/03/security-releases/
- https://www.djangoproject.com/weblog/2023/jul/03/security-releases/