ALT-BU-2024-11258-1
Branch p10_e2k update bulletin.
Closed vulnerabilities
BDU:2023-02021
Уязвимость компонента mod_proxy_uwsgi веб-сервера Apache HTTP Server связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку "контрабанда HTTP-запросов"
Modified: 2025-02-13
CVE-2023-27522
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html
- https://security.gentoo.org/glsa/202309-01
- https://security.gentoo.org/glsa/202309-01
Closed vulnerabilities
Modified: 2024-11-21
CVE-2021-24032
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
- https://github.com/facebook/zstd/issues/2491
- https://github.com/facebook/zstd/issues/2491
- https://www.facebook.com/security/advisories/cve-2021-24032
- https://www.facebook.com/security/advisories/cve-2021-24032
Closed bugs
[FR] втащить апстримный коммит для поддержки e2k
Пожалуйста обновите до до версии 1.5.2
Во время сборки zstd на riscv64 не проходят некоторые тесты по таймау
Closed vulnerabilities
BDU:2024-02574
Уязвимость программного обеспечения OpenVPN, связанная с использованием памяти после её освобождения, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-02585
Уязвимость опции --fragment программного обеспечения OpenVPN, связанная с ошибками при делении на ноль, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-05533
Уязвимость компонента Plug-in Handler программного обеспечения OpenVPN, позволяющая нарушителю загружать произвольные модули
Modified: 2024-11-21
CVE-2023-46849
Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.
- https://community.openvpn.net/openvpn/wiki/CVE-2023-46849
- https://community.openvpn.net/openvpn/wiki/CVE-2023-46849
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3FS46ANNTAVLIQY56ZKGM5CBTRVBUNE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3FS46ANNTAVLIQY56ZKGM5CBTRVBUNE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O54I7D753V6PU6XBU26FEROD2DSHEJQ4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O54I7D753V6PU6XBU26FEROD2DSHEJQ4/
- https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/
- https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/
- https://www.debian.org/security/2023/dsa-5555
- https://www.debian.org/security/2023/dsa-5555
Modified: 2024-11-21
CVE-2023-46850
Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer.
- https://community.openvpn.net/openvpn/wiki/CVE-2023-46850
- https://community.openvpn.net/openvpn/wiki/CVE-2023-46850
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3FS46ANNTAVLIQY56ZKGM5CBTRVBUNE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3FS46ANNTAVLIQY56ZKGM5CBTRVBUNE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O54I7D753V6PU6XBU26FEROD2DSHEJQ4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O54I7D753V6PU6XBU26FEROD2DSHEJQ4/
- https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/
- https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/
- https://www.debian.org/security/2023/dsa-5555
- https://www.debian.org/security/2023/dsa-5555
Modified: 2024-11-21
CVE-2023-7235
The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables.
Modified: 2024-11-21
CVE-2024-24974
The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.
- https://community.openvpn.net/openvpn/wiki/CVE-2024-24974
- https://community.openvpn.net/openvpn/wiki/CVE-2024-24974
- https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
- https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
- https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html
- https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html
Modified: 2024-11-21
CVE-2024-27459
The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.
- https://community.openvpn.net/openvpn/wiki/CVE-2024-27459
- https://community.openvpn.net/openvpn/wiki/CVE-2024-27459
- https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
- https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
- https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html
- https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html
Modified: 2024-11-21
CVE-2024-27903
OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.
- https://community.openvpn.net/openvpn/wiki/CVE-2024-27903
- https://community.openvpn.net/openvpn/wiki/CVE-2024-27903
- https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
- https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
- https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html
- https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html
Modified: 2024-11-21
CVE-2024-28882
OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session
No data currently available.
Modified: 2025-04-03
CVE-2024-5594
OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.
Closed bugs
Версия 2.6.5