ALT-BU-2024-10510-1
Branch c10f2 update bulletin.
Closed bugs
Отключение машинной политики настроек KDE не дает эффекта
Перестали применяться пользовательские групповые политики
Не отрабатывает групповая политика logon-скриптов при первой аутентификации доменного пользователя на клиентском узле введенным в домен Samba DC
Не работает выключение механизмов групповых политик
Скрипты machine/STARTUP попадают также в папку machine/SHUTDOWN
Некорректная работа c json для политики Управляемые закладки в Firefox
Closed bugs
При распаковке zip архива сообщает об уже существующем файле
Package mate-file-manager updated to version 1.26.1-alt2.1 for branch c10f2 in task 353369.
Closed bugs
Возникают визуальные артефакты при смене ориентации экрана
Closed vulnerabilities
BDU:2024-00723
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, связанная с неверным сроком действия сеанса, позволяющая нарушителю обойти процесс аутентификации
BDU:2024-04874
Уязвимость компонента Share облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, позволяющая нарушителю оказать воздействие на целостность данных или вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2024-22403
Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. It is recommended that the Nextcloud Server is upgraded to 28.0.0. There are no known workarounds for this vulnerability.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36
- https://github.com/nextcloud/server/pull/40766
- https://github.com/nextcloud/server/pull/40766
- https://hackerone.com/reports/1784162
- https://hackerone.com/reports/1784162
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S6PN4GVJ5TZUC6WSG4X3ZA3AMPBEKNAX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S6PN4GVJ5TZUC6WSG4X3ZA3AMPBEKNAX/
Modified: 2024-11-21
CVE-2024-37882
Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq
- https://github.com/nextcloud/server/pull/44339
- https://github.com/nextcloud/server/pull/44339
- https://hackerone.com/reports/2289425
- https://hackerone.com/reports/2289425
Closed vulnerabilities
BDU:2021-06259
Уязвимость почтового клиента Roundcube, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный SQL-код
BDU:2022-05555
Уязвимость почтового клиента Roundcube, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки
BDU:2023-06297
Уязвимость компонента program/lib/Roundcube/rcube_string_replacer.php почтового клиента RoundCube Webmail, позволяющая нарушителю провести атаку межсайтового скриптинга
BDU:2023-07143
Уязвимость библиотеки program/lib/Roundcube/rcube_washtml.php почтового клиента RoundCube Webmail, позволяющая нарушителю выполнить произвольный JavaScript-код
Modified: 2024-11-21
CVE-2021-44025
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
- https://bugs.debian.org/1000156
- https://bugs.debian.org/1000156
- https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
- https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
- https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
- https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
- https://github.com/roundcube/roundcubemail/issues/8193
- https://github.com/roundcube/roundcubemail/issues/8193
- [debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update
- [debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update
- FEDORA-2021-43d3c10590
- FEDORA-2021-43d3c10590
- FEDORA-2021-167865df98
- FEDORA-2021-167865df98
- DSA-5013
- DSA-5013
Modified: 2025-03-14
CVE-2021-44026
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
- https://bugs.debian.org/1000156
- https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
- https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa
- [debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update
- FEDORA-2021-43d3c10590
- FEDORA-2021-167865df98
- DSA-5013
- https://bugs.debian.org/1000156
- DSA-5013
- FEDORA-2021-167865df98
- FEDORA-2021-43d3c10590
- [debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update
- https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa
- https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
Modified: 2024-11-21
CVE-2021-46144
Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.
- https://bugs.debian.org/1003027
- https://bugs.debian.org/1003027
- https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0
- https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0
- https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8
- https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8
- [debian-lts-announce] 20220112 [SECURITY] [DLA 2878-1] roundcube security update
- [debian-lts-announce] 20220112 [SECURITY] [DLA 2878-1] roundcube security update
- https://roundcube.net/news/2021/12/30/security-update-1.4.13-released
- https://roundcube.net/news/2021/12/30/security-update-1.4.13-released
- https://roundcube.net/news/2021/12/30/update-1.5.2-released
- https://roundcube.net/news/2021/12/30/update-1.5.2-released
- DSA-5037
- DSA-5037
Modified: 2024-12-20
CVE-2023-43770
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
- https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b
- https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b
- [debian-lts-announce] 20230922 [SECURITY] [DLA 3577-1] roundcube security update
- [debian-lts-announce] 20230922 [SECURITY] [DLA 3577-1] roundcube security update
- https://roundcube.net/news/2023/09/15/security-update-1.6.3-released
- https://roundcube.net/news/2023/09/15/security-update-1.6.3-released
Modified: 2025-03-19
CVE-2023-5631
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
- http://www.openwall.com/lists/oss-security/2023/11/01/1
- http://www.openwall.com/lists/oss-security/2023/11/01/1
- http://www.openwall.com/lists/oss-security/2023/11/01/3
- http://www.openwall.com/lists/oss-security/2023/11/01/3
- http://www.openwall.com/lists/oss-security/2023/11/17/2
- http://www.openwall.com/lists/oss-security/2023/11/17/2
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079
- https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
- https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d
- https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613
- https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613
- https://github.com/roundcube/roundcubemail/issues/9168
- https://github.com/roundcube/roundcubemail/issues/9168
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.15
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.15
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.5
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.5
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.4
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.4
- https://lists.debian.org/debian-lts-announce/2023/10/msg00035.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LK67Q46OIEGJCRQUBHKLH3IIJTBNGGX4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LK67Q46OIEGJCRQUBHKLH3IIJTBNGGX4/
- https://roundcube.net/news/2023/10/16/security-update-1.6.4-released
- https://roundcube.net/news/2023/10/16/security-update-1.6.4-released
- https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15
- https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15
- https://www.debian.org/security/2023/dsa-5531
- https://www.debian.org/security/2023/dsa-5531