ALT-BU-2024-12632-1
Branch c10f1 update bulletin.
Closed vulnerabilities
BDU:2024-04683
Vulnerability in the userinfo URI component of the GNU Wget download manager that allows an attacker to affect the confidentiality and integrity of protected information
Modified: 2024-11-21
CVE-2024-38428
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
- https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace
- https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.html
- https://security.netapp.com/advisory/ntap-20241115-0005/
Closed bugs
wget is broken
wget fails with "Неверный системный вызов" ("Bad system call") on aarch64
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-4055
When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
Closed bugs
Outdated; 1.2.1 is available
Closed vulnerabilities
BDU:2024-00525
Vulnerability in the Atril multi-page document viewer related to possible command injection, allowing an attacker to execute arbitrary code
BDU:2024-05041
Vulnerability in the Atril multi-page document viewer related to possible traversal outside a restricted directory, allowing an attacker to write arbitrary files
Modified: 2025-04-10
CVE-2023-51698
Atril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.
- https://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed
- https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OT3UIQOSZ6UNH5QTFOOY2DJ4MITM2C2C/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZKXNZ3HGH6KH65OEKVCEAOZJWNZ32FQ/
Modified: 2024-11-21
CVE-2023-52076
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.
- https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50
- https://github.com/mate-desktop/atril/releases/tag/v1.26.2
- https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37
- https://lists.debian.org/debian-lts-announce/2024/06/msg00003.html