ALT-BU-2024-13818-1
Branch p10 update bulletin.
Package python-module-pymysql updated to version 0.9.3-alt2 for branch p10 in task 358563.
Closed vulnerabilities
BDU:2024-04920
Vulnerability in the JSON Handler component of the PyMySQL library for the Python programming language, allowing an attacker to gain unauthorized access to data, falsify data, or execute arbitrary code on the internal database server
Modified: 2024-11-21
CVE-2024-36039
PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.
- https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1
- [debian-lts-announce] 20240527 [SECURITY] [DLA 3822-1] python-pymysql security update
- FEDORA-2024-b26f07d27b
- FEDORA-2024-e7141ab284
Package libarchive updated to version 3.7.5-alt2 for branch p10 in task 358191.
Closed vulnerabilities
BDU:2023-05007
Vulnerability in the umask() function of the archive_write_disk_posix.c component of the Libarchive library, allowing an attacker to delete and rename files inside directories
BDU:2024-00408
Vulnerability in the Libarchive library of the Windows operating system, allowing an attacker to execute arbitrary code
BDU:2024-02924
Vulnerability in the libarchive archiving library of Windows operating systems, allowing an attacker to execute arbitrary code
BDU:2024-04626
Vulnerability in the libarchive library related to an out-of-bounds memory buffer read, allowing an attacker to cause a denial of service
Modified: 2025-01-14
CVE-2023-30571
Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.
Modified: 2024-11-21
CVE-2024-20696
Windows libarchive Remote Code Execution Vulnerability
Modified: 2025-01-08
CVE-2024-26256
Libarchive Remote Code Execution Vulnerability
- http://www.openwall.com/lists/oss-security/2024/06/04/2
- http://www.openwall.com/lists/oss-security/2024/06/05/1
- https://github.com/LeSuisse/nixpkgs/commit/81b82a2934521dffef76f7ca305d8d4e22fe7262
- https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237.patch
- https://github.com/libarchive/libarchive/releases/tag/v3.7.4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWANFZ6NEMXFCALXWI2AFKYBOLONAVFC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TWAMR5TY47UKVYMWQXB34CWSBNTRYMBV/
- libarchive Remote Code Execution Vulnerability
- Libarchive Remote Code Execution Vulnerability
- https://www.openwall.com/lists/oss-security/2024/06/04/2
Modified: 2025-03-14
CVE-2024-37407
Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurp_central_directory in archive_read_support_format_zip.c.
- https://github.com/libarchive/libarchive/commit/b6a979481b7d77c12fa17bbed94576b63bbcb0c0
- https://github.com/libarchive/libarchive/pull/2145
- https://github.com/libarchive/libarchive/releases/tag/v3.7.4
Package alterator-netinst updated to version 1.9.1-alt9 for branch p10 in task 359242.
Closed bugs
Downloading an image via a link fails with an error