ALT-BU-2024-1337-7
Branch c10f2 update bulletin.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2023-41910
An issue was discovered in lldpd before 1.0.17. By crafting a CDP PDU packet with specific CDP_TLV_ADDRESSES TLVs, a malicious actor can remotely force the lldpd daemon to perform an out-of-bounds read on heap memory. This occurs in cdp_decode in daemon/protocols/cdp.c.
- https://github.com/lldpd/lldpd/commit/a9aeabdf879c25c584852a0bb5523837632f099b
- https://github.com/lldpd/lldpd/commit/a9aeabdf879c25c584852a0bb5523837632f099b
- https://github.com/lldpd/lldpd/releases/tag/1.0.17
- https://github.com/lldpd/lldpd/releases/tag/1.0.17
- [debian-lts-announce] 20230922 [SECURITY] [DLA 3578-1] lldpd security update
- [debian-lts-announce] 20230922 [SECURITY] [DLA 3578-1] lldpd security update
- DSA-5505
- DSA-5505
Closed vulnerabilities
BDU:2019-01250
Уязвимость реализации протокола Netatalk, связанная с записью за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код
BDU:2023-00621
Уязвимость функции dsi_writeinit реализации протокола Apple Filing Protocol Netatalk, позволяющая нарушителю выполнить произвольный код в контексте root-пользователя
Modified: 2024-11-21
CVE-2008-5718
The papd daemon in Netatalk before 2.0.4-beta2, when using certain variables in a pipe command for the print file, allows remote attackers to execute arbitrary commands via shell metacharacters in a print request, as demonstrated using a crafted Title.
- SUSE-SR:2009:004
- SUSE-SR:2009:004
- 50824
- 50824
- 33227
- 33227
- 33548
- 33548
- 34484
- 34484
- http://sourceforge.net/project/shownotes.php?release_id=648189
- http://sourceforge.net/project/shownotes.php?release_id=648189
- DSA-1705
- DSA-1705
- [oss-security] 20090114 update on CVE-2008-5718
- [oss-security] 20090114 update on CVE-2008-5718
- 32925
- 32925
- FEDORA-2009-3064
- FEDORA-2009-3064
- FEDORA-2009-3069
- FEDORA-2009-3069
Modified: 2025-01-14
CVE-2018-1160
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
- http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
- http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
- http://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html
- http://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html
- 106301
- 106301
- https://attachments.samba.org/attachment.cgi?id=14735
- https://attachments.samba.org/attachment.cgi?id=14735
- https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/
- https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/
- DSA-4356
- DSA-4356
- 46034
- 46034
- 46048
- 46048
- 46675
- 46675
- https://www.synology.com/security/advisory/Synology_SA_18_62
- https://www.synology.com/security/advisory/Synology_SA_18_62
- https://www.tenable.com/security/research/tra-2018-48
- https://www.tenable.com/security/research/tra-2018-48
Modified: 2025-01-14
CVE-2021-31439
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- GLSA-202311-02
- GLSA-202311-02
- DSA-5503
- DSA-5503
- https://www.synology.com/zh-hk/security/advisory/Synology_SA_20_26
- https://www.synology.com/zh-hk/security/advisory/Synology_SA_20_26
- https://www.zerodayinitiative.com/advisories/ZDI-21-492/
- https://www.zerodayinitiative.com/advisories/ZDI-21-492/
Modified: 2024-11-21
CVE-2022-0194
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ad_addcomment function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15876.
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- GLSA-202311-02
- GLSA-202311-02
- DSA-5503
- DSA-5503
- https://www.zerodayinitiative.com/advisories/ZDI-22-530/
- https://www.zerodayinitiative.com/advisories/ZDI-22-530/
Modified: 2024-11-21
CVE-2022-23121
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15819.
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230601 [SECURITY] [DLA 3426-2] netatalk regression update
- [debian-lts-announce] 20230601 [SECURITY] [DLA 3426-2] netatalk regression update
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- GLSA-202311-02
- GLSA-202311-02
- DSA-5503
- DSA-5503
- https://www.zerodayinitiative.com/advisories/ZDI-22-527/
- https://www.zerodayinitiative.com/advisories/ZDI-22-527/
Modified: 2024-11-21
CVE-2022-23122
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15837.
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- GLSA-202311-02
- GLSA-202311-02
- DSA-5503
- DSA-5503
- https://www.zerodayinitiative.com/advisories/ZDI-22-529/
- https://www.zerodayinitiative.com/advisories/ZDI-22-529/
Modified: 2024-11-21
CVE-2022-23123
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15830.
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230813 [SECURITY] [DLA 3426-3] netatalk regression update
- [debian-lts-announce] 20230813 [SECURITY] [DLA 3426-3] netatalk regression update
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- GLSA-202311-02
- GLSA-202311-02
- DSA-5503
- DSA-5503
- https://www.zerodayinitiative.com/advisories/ZDI-22-528/
- https://www.zerodayinitiative.com/advisories/ZDI-22-528/
Modified: 2024-11-21
CVE-2022-23124
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the get_finderinfo method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15870.
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- GLSA-202311-02
- GLSA-202311-02
- DSA-5503
- DSA-5503
- https://www.zerodayinitiative.com/advisories/ZDI-22-525/
- https://www.zerodayinitiative.com/advisories/ZDI-22-525/
Modified: 2024-11-21
CVE-2022-23125
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- GLSA-202311-02
- GLSA-202311-02
- DSA-5503
- DSA-5503
- https://www.zerodayinitiative.com/advisories/ZDI-22-526/
- https://www.zerodayinitiative.com/advisories/ZDI-22-526/
Modified: 2024-11-21
CVE-2022-43634
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dsi_writeinit function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-17646.
- https://github.com/Netatalk/Netatalk/pull/186
- https://github.com/Netatalk/Netatalk/pull/186
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- FEDORA-2023-aaeb45fb73
- FEDORA-2023-aaeb45fb73
- FEDORA-2023-599faf1b1c
- FEDORA-2023-599faf1b1c
- FEDORA-2023-e714897e70
- FEDORA-2023-e714897e70
- DSA-5503
- DSA-5503
- https://www.zerodayinitiative.com/advisories/ZDI-23-094/
- https://www.zerodayinitiative.com/advisories/ZDI-23-094/
Modified: 2024-11-21
CVE-2022-45188
Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update
- FEDORA-2023-aaeb45fb73
- FEDORA-2023-aaeb45fb73
- FEDORA-2023-599faf1b1c
- FEDORA-2023-599faf1b1c
- FEDORA-2023-e714897e70
- FEDORA-2023-e714897e70
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.14.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.14.html
- https://rushbnt.github.io/bug%20analysis/netatalk-0day/
- https://rushbnt.github.io/bug%20analysis/netatalk-0day/
- GLSA-202311-02
- GLSA-202311-02
- https://sourceforge.net/projects/netatalk/files/netatalk/
- https://sourceforge.net/projects/netatalk/files/netatalk/
- DSA-5503
- DSA-5503
Modified: 2024-11-21
CVE-2023-42464
A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a malicious actor may be able to fully control the value of the pointer and theoretically achieve Remote Code Execution on the host. This issue is similar to CVE-2023-34967.
- https://github.com/Netatalk/netatalk/issues/486
- https://github.com/Netatalk/netatalk/issues/486
- [debian-lts-announce] 20230925 [SECURITY] [DLA 3584-1] netatalk security update
- [debian-lts-announce] 20230925 [SECURITY] [DLA 3584-1] netatalk security update
- https://netatalk.io/security/CVE-2023-42464
- https://netatalk.io/security/CVE-2023-42464
- https://netatalk.sourceforge.io/
- https://netatalk.sourceforge.io/
- https://netatalk.sourceforge.io/3.1/htmldocs/afpd.8.html
- https://netatalk.sourceforge.io/3.1/htmldocs/afpd.8.html
- https://netatalk.sourceforge.io/CVE-2023-42464.php
- https://netatalk.sourceforge.io/CVE-2023-42464.php
- DSA-5503
- DSA-5503
Closed bugs
ERROR: Cannot create /var/lib/netatalk/afp_signature.conf
Ошибка /etc/netatalk//afppasswd doesn't exist при запуске afppasswd
Ошибка /usr/lib64/cracklib_dict.pwd.gz: No such file or directory при запуске afppasswd
Closed vulnerabilities
BDU:2023-05534
Уязвимость функции vim_regsub_both() текстового редактора Vim, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
BDU:2023-05667
Уязвимость функции bt_quickfix текстового редактора vim, позволяющая нарушителю выполнить произвольный код
BDU:2023-05668
Уязвимость функции buflist_altfpos текстового редактора vim, позволяющая нарушителю выполнить произвольный код
BDU:2023-05669
Уязвимость функции ins_compl_get_exp текстового редактора vim, позволяющая нарушителю выполнить произвольный код
BDU:2023-05670
Уязвимость текстового редактора vim, связанная с использованием ненадёжного пути поиска, позволяющая нарушителю выполнить произвольный код
BDU:2023-05671
Уязвимость функции f_fullcommand текстового редактора vim , вызванная целочисленным переполнением, позволяющая нарушителю выполнить произвольный код
BDU:2023-05672
Уязвимость текстового редактора vim, связанная с записью за границами буфера в памяти, позволяющая нарушителю выполнить произвольный код
BDU:2023-05673
Уязвимость функции vim_regsub_both текстового редактора vim, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2023-4733
Use After Free in GitHub repository vim/vim prior to 9.0.1840.
- http://seclists.org/fulldisclosure/2023/Oct/24
- http://seclists.org/fulldisclosure/2023/Oct/24
- https://github.com/vim/vim/commit/e1dc9a627536304bc4f738c21e909ad9fcf3974c
- https://github.com/vim/vim/commit/e1dc9a627536304bc4f738c21e909ad9fcf3974c
- https://huntr.dev/bounties/1ce1fd8c-050a-4373-8004-b35b61590217
- https://huntr.dev/bounties/1ce1fd8c-050a-4373-8004-b35b61590217
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/
- https://support.apple.com/kb/HT213984
- https://support.apple.com/kb/HT213984
Modified: 2024-11-21
CVE-2023-4734
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.
- http://seclists.org/fulldisclosure/2023/Oct/24
- http://seclists.org/fulldisclosure/2023/Oct/24
- https://github.com/vim/vim/commit/4c6fe2e2ea62469642ed1d80b16d39e616b25cf5
- https://github.com/vim/vim/commit/4c6fe2e2ea62469642ed1d80b16d39e616b25cf5
- https://huntr.dev/bounties/688e4382-d2b6-439a-a54e-484780f82217
- https://huntr.dev/bounties/688e4382-d2b6-439a-a54e-484780f82217
- https://support.apple.com/kb/HT213984
- https://support.apple.com/kb/HT213984
Modified: 2024-11-21
CVE-2023-4735
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.
- http://seclists.org/fulldisclosure/2023/Oct/24
- http://seclists.org/fulldisclosure/2023/Oct/24
- https://github.com/vim/vim/commit/889f6af37164775192e33b233a90e86fd3df0f57
- https://github.com/vim/vim/commit/889f6af37164775192e33b233a90e86fd3df0f57
- https://huntr.dev/bounties/fc83bde3-f621-42bd-aecb-8c1ae44cba51
- https://huntr.dev/bounties/fc83bde3-f621-42bd-aecb-8c1ae44cba51
- https://support.apple.com/kb/HT213984
- https://support.apple.com/kb/HT213984
Modified: 2024-11-21
CVE-2023-4736
Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.
- http://seclists.org/fulldisclosure/2023/Oct/24
- http://seclists.org/fulldisclosure/2023/Oct/24
- https://github.com/vim/vim/commit/816fbcc262687b81fc46f82f7bbeb1453addfe0c
- https://github.com/vim/vim/commit/816fbcc262687b81fc46f82f7bbeb1453addfe0c
- https://huntr.dev/bounties/e1ce0995-4df4-4dec-9cd7-3136ac3e8e71
- https://huntr.dev/bounties/e1ce0995-4df4-4dec-9cd7-3136ac3e8e71
- https://support.apple.com/kb/HT213984
- https://support.apple.com/kb/HT213984
Modified: 2024-11-21
CVE-2023-4738
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.
- http://seclists.org/fulldisclosure/2023/Oct/24
- http://seclists.org/fulldisclosure/2023/Oct/24
- https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1
- https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1
- https://huntr.dev/bounties/9fc7dced-a7bb-4479-9718-f956df20f612
- https://huntr.dev/bounties/9fc7dced-a7bb-4479-9718-f956df20f612
- https://support.apple.com/kb/HT213984
- https://support.apple.com/kb/HT213984
Modified: 2024-11-21
CVE-2023-4750
Use After Free in GitHub repository vim/vim prior to 9.0.1857.
- http://seclists.org/fulldisclosure/2023/Oct/24
- http://seclists.org/fulldisclosure/2023/Oct/24
- https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed
- https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed
- https://huntr.dev/bounties/1ab3ebdf-fe7d-4436-b483-9a586e03b0ea
- https://huntr.dev/bounties/1ab3ebdf-fe7d-4436-b483-9a586e03b0ea
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/
- https://support.apple.com/kb/HT213984
- https://support.apple.com/kb/HT213984
Modified: 2024-11-21
CVE-2023-4752
Use After Free in GitHub repository vim/vim prior to 9.0.1858.
- http://seclists.org/fulldisclosure/2023/Oct/24
- http://seclists.org/fulldisclosure/2023/Oct/24
- https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139
- https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139
- https://huntr.dev/bounties/85f62dd7-ed84-4fa2-b265-8a369a318757
- https://huntr.dev/bounties/85f62dd7-ed84-4fa2-b265-8a369a318757
- https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html
- https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/
- https://support.apple.com/kb/HT213984
- https://support.apple.com/kb/HT213984
Modified: 2024-11-21
CVE-2023-4781
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.
- http://seclists.org/fulldisclosure/2023/Oct/24
- http://seclists.org/fulldisclosure/2023/Oct/24
- https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93
- https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93
- https://huntr.dev/bounties/c867eb0a-aa8b-4946-a621-510350673883
- https://huntr.dev/bounties/c867eb0a-aa8b-4946-a621-510350673883
- https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html
- https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html
- https://support.apple.com/kb/HT213984
- https://support.apple.com/kb/HT213984
Package bootloader-utils updated to version 0.5.4-alt1 for branch c10f2 in task 330534.
Closed bugs
Не поддерживается загрузка с /boot на отдельном разделе при загрузке с extlinux.conf
Package alterator-sysconfig updated to version 1.3.10-alt1 for branch c10f2 in task 330534.
Closed bugs
Не умеет url-encoded переменную http_proxy
Closed bugs
Пакет с тестовыми утилитами libdrm
Не грузится система с видеокартой AMD Radeon RX 7600
Closed vulnerabilities
BDU:2022-04051
Уязвимость реализации сетевого протокола Gopher прокси-сервера Squid, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-00066
Уязвимость кэширующего прокси-сервера Squid, связанная с неправильным контролем доступа, позволяющая нарушителю получить доступ к конфиденциальной информации
BDU:2023-01309
Уязвимость интерфейса Security Support Provider Interface (SSPI) и реализации сетевого протокола Server Message Block (SMB) прокси-сервера Squid, позволяющая нарушителю раскрыть защищаемую информацию или вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2021-46784
In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.
- [oss-security] 20231013 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.
- [oss-security] 20231013 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.
- [oss-security] 20231013 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.
- [oss-security] 20231013 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.
- [oss-security] 20231021 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.
- [oss-security] 20231021 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.
- http://www.squid-cache.org/Versions/v4/changesets/SQUID-2021_7.patch
- http://www.squid-cache.org/Versions/v4/changesets/SQUID-2021_7.patch
- http://www.squid-cache.org/Versions/v5/changesets/SQUID-2021_7.patch
- http://www.squid-cache.org/Versions/v5/changesets/SQUID-2021_7.patch
- https://github.com/squid-cache/squid/commit/5e2ea2b13bd98f53e29964ca26bb0d602a8a12b9
- https://github.com/squid-cache/squid/commit/5e2ea2b13bd98f53e29964ca26bb0d602a8a12b9
- https://github.com/squid-cache/squid/security/advisories/GHSA-f5cp-6rh3-284w
- https://github.com/squid-cache/squid/security/advisories/GHSA-f5cp-6rh3-284w
- https://security.netapp.com/advisory/ntap-20221223-0007/
- https://security.netapp.com/advisory/ntap-20221223-0007/
- https://security-tracker.debian.org/tracker/CVE-2021-46784
- https://security-tracker.debian.org/tracker/CVE-2021-46784
Modified: 2024-11-21
CVE-2022-41317
An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.
- http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch
- http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch
- http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch
- http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch
- https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq
- https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq
- https://www.openwall.com/lists/oss-security/2022/09/23/1
- https://www.openwall.com/lists/oss-security/2022/09/23/1
Modified: 2024-11-21
CVE-2022-41318
A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.
- http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_2.patch
- http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_2.patch
- http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_2.patch
- http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_2.patch
- https://github.com/squid-cache/squid/security/advisories/GHSA-394c-rr7q-6g78
- https://github.com/squid-cache/squid/security/advisories/GHSA-394c-rr7q-6g78
- https://www.openwall.com/lists/oss-security/2022/09/23/2
- https://www.openwall.com/lists/oss-security/2022/09/23/2
Closed bugs
Невозможно получить доступ к cache manager из под squidclient
Closed bugs
Опакетить /etc/dconf/profile/user
Closed vulnerabilities
BDU:2023-05718
Уязвимость файла go.mod языка программирования Go, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код
Modified: 2024-11-21
CVE-2023-39318
The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in