ALT-BU-2024-14124-1
Branch sisyphus update bulletin.
Closed bugs
Обновить пакет ru_tts
Package freespeech updated to version r1.0m.21-alt1 for branch sisyphus in task 355730.
Closed bugs
Обновить пакет freespeech
Closed vulnerabilities
BDU:2024-00708
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, связанная с отсутствием ограничений попыток аутентификации, позволяющая нарушителю обойти процесс аутентификации
BDU:2024-00723
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, связанная с неверным сроком действия сеанса, позволяющая нарушителю обойти процесс аутентификации
BDU:2024-04840
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с недостатками процедуры аутентификации, позволяющая нарушителю обойти процесс аутентификации
BDU:2024-04871
Уязвимость компонента Calendar облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, позволяющая нарушителю получить доступ к конфиденциальной информации
BDU:2024-04872
Уязвимость функции files_versions() облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, позволяющая нарушителю восстановить старые версии документа
BDU:2024-04873
Уязвимость компонента Delete облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-04874
Уязвимость компонента Share облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, позволяющая нарушителю оказать воздействие на целостность данных или вызвать отказ в обслуживании
BDU:2024-04875
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, связанная с неправильной аутентификацией, позволяющая нарушителю обойти процесс аутентификации
Modified: 2024-11-21
CVE-2023-49791
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they could delete and modify workflows by sending calls directly to the API bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f8p-6qww-2prr
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f8p-6qww-2prr
- https://github.com/nextcloud/server/pull/41520
- https://github.com/nextcloud/server/pull/41520
- https://hackerone.com/reports/2120667
- https://hackerone.com/reports/2120667
Modified: 2024-11-21
CVE-2023-49792
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a wrong remote address for an attacker, allowing them executing authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5j2p-q736-hw98
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5j2p-q736-hw98
- https://github.com/nextcloud/server/pull/41526
- https://github.com/nextcloud/server/pull/41526
- https://hackerone.com/reports/2230915
- https://hackerone.com/reports/2230915
Modified: 2024-11-21
CVE-2024-22403
Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. It is recommended that the Nextcloud Server is upgraded to 28.0.0. There are no known workarounds for this vulnerability.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36
- https://github.com/nextcloud/server/pull/40766
- https://github.com/nextcloud/server/pull/40766
- https://hackerone.com/reports/1784162
- https://hackerone.com/reports/1784162
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S6PN4GVJ5TZUC6WSG4X3ZA3AMPBEKNAX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S6PN4GVJ5TZUC6WSG4X3ZA3AMPBEKNAX/
Modified: 2024-11-21
CVE-2024-37313
Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c
- https://github.com/nextcloud/server/pull/44276
- https://github.com/nextcloud/server/pull/44276
- https://hackerone.com/reports/2419776
- https://hackerone.com/reports/2419776
Modified: 2024-11-21
CVE-2024-37315
Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942
- https://github.com/nextcloud/server/pull/43727
- https://github.com/nextcloud/server/pull/43727
- https://hackerone.com/reports/1356508
- https://hackerone.com/reports/1356508
Modified: 2024-11-21
CVE-2024-37882
Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq
- https://github.com/nextcloud/server/pull/44339
- https://github.com/nextcloud/server/pull/44339
- https://hackerone.com/reports/2289425
- https://hackerone.com/reports/2289425
Modified: 2024-11-21
CVE-2024-37884
Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwgx-f37p-xh8c
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwgx-f37p-xh8c
- https://github.com/nextcloud/server/pull/43727
- https://github.com/nextcloud/server/pull/43727
- https://hackerone.com/reports/2290680
- https://hackerone.com/reports/2290680
Modified: 2024-11-21
CVE-2024-37887
Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595
- https://github.com/nextcloud/server/pull/45309
- https://github.com/nextcloud/server/pull/45309
- https://hackerone.com/reports/2479325
- https://hackerone.com/reports/2479325
Closed vulnerabilities
BDU:2024-07428
Уязвимость программного обеспечения Mbed TLS, связанная с использованием неисправного или рискованного криптографического алгоритма, позволяющая нарушителю раскрыть защищаемую информацию
Modified: 2025-03-14
CVE-2024-45157
An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
Modified: 2025-03-13
CVE-2024-45159
An issue was discovered in Mbed TLS 3.x before 3.6.1. With TLS 1.3, when a server enables optional authentication of the client, if the client-provided certificate does not have appropriate values in if keyUsage or extKeyUsage extensions, then the return value of mbedtls_ssl_get_verify_result() would incorrectly have the MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_KEY_USAGE bits clear. As a result, an attacker that had a certificate valid for uses other than TLS client authentication would nonetheless be able to use it for TLS client authentication. Only TLS 1.3 servers were affected, and only with optional authentication (with required authentication, the handshake would be aborted with a fatal alert).
Closed bugs
Отсутствует SDL2_gfxPrimitives_font.h