ALT Linux Team

Branch p10 update on 2023-09-27

2023-09-27

ALT-BU-2023-5888-1

Branch p10 update bulletin.

ALT-PU-2023-5824-2

Package bind updated to version 9.16.44-alt1 for branch p10 in task 330097.

Closed vulnerabilities

Published: 2023-09-20
Modified: 2024-11-21

CVE-2023-3341

The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.

References:

ALT-PU-2023-5828-3

Package docs-alt-kworkstation updated to version 10.2-alt9 for branch p10 in task 330104.

Closed bugs

Bug #47649

Отсутствует скриншот в примечании документации для Workstation K

Bug #47650

Обновить скриншот для KFind в документации ALT Workstation K

Bug #47662

Документация docs-alt-kworkstation, п.⁠62.4: указать о необходимости перезагрузки для появления модуля "Сервер обновлений" в веб-интерфейсе ЦУС

ALT-PU-2023-5843-2

Package squid updated to version 6.3-alt1 for branch p10 in task 327860.

Closed vulnerabilities

Published: 2021-02-20

BDU:2022-04051

Уязвимость реализации сетевого протокола Gopher прокси-сервера Squid, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2022-12-25

BDU:2023-00066

Уязвимость кэширующего прокси-сервера Squid, связанная с неправильным контролем доступа, позволяющая нарушителю получить доступ к конфиденциальной информации

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2022-09-23

BDU:2023-01309

Уязвимость интерфейса Security Support Provider Interface (SSPI) и реализации сетевого протокола Server Message Block (SMB) прокси-сервера Squid, позволяющая нарушителю раскрыть защищаемую информацию или вызвать отказ в обслуживании

Severity: HIGH (8.9) Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H
References:
Published: 2022-07-18
Modified: 2024-11-21

CVE-2021-46784

In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2022-12-25
Modified: 2024-11-21

CVE-2022-41317

An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2022-12-25
Modified: 2024-11-21

CVE-2022-41318

A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.

Severity: HIGH (8.6) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
References:

Closed bugs

Bug #47423

Невозможно получить доступ к cache manager из под squidclient

VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top