ALT-BU-2024-14208-1
Branch sisyphus_loongarch64 update bulletin.
Package flannel updated to version 0.25.7-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
BDU:2024-02688
Уязвимость библиотек net/http и net/http2 языка программирования Go, связана с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-04111
Уязвимость функции protojson.Unmarshal() пакета golang-google-protobuf языка программирования Golang, связанная с циклом с недостижимым условием выхода, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-45288
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
- http://www.openwall.com/lists/oss-security/2024/04/03/16
- http://www.openwall.com/lists/oss-security/2024/04/03/16
- http://www.openwall.com/lists/oss-security/2024/04/05/4
- http://www.openwall.com/lists/oss-security/2024/04/05/4
- https://go.dev/cl/576155
- https://go.dev/cl/576155
- https://go.dev/issue/65051
- https://go.dev/issue/65051
- https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
- https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/
- https://pkg.go.dev/vuln/GO-2024-2687
- https://pkg.go.dev/vuln/GO-2024-2687
- https://security.netapp.com/advisory/ntap-20240419-0009/
- https://security.netapp.com/advisory/ntap-20240419-0009/
Modified: 2024-11-21
CVE-2024-24786
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
- http://www.openwall.com/lists/oss-security/2024/03/08/4
- http://www.openwall.com/lists/oss-security/2024/03/08/4
- https://go.dev/cl/569356
- https://go.dev/cl/569356
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/
- https://pkg.go.dev/vuln/GO-2024-2611
- https://pkg.go.dev/vuln/GO-2024-2611
- https://security.netapp.com/advisory/ntap-20240517-0002/
- https://security.netapp.com/advisory/ntap-20240517-0002/
Package mbedtls updated to version 3.6.2-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
BDU:2024-07428
Уязвимость программного обеспечения Mbed TLS, связанная с использованием неисправного или рискованного криптографического алгоритма, позволяющая нарушителю раскрыть защищаемую информацию
Modified: 2025-03-14
CVE-2024-45157
An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
Modified: 2025-03-13
CVE-2024-45159
An issue was discovered in Mbed TLS 3.x before 3.6.1. With TLS 1.3, when a server enables optional authentication of the client, if the client-provided certificate does not have appropriate values in if keyUsage or extKeyUsage extensions, then the return value of mbedtls_ssl_get_verify_result() would incorrectly have the MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_KEY_USAGE bits clear. As a result, an attacker that had a certificate valid for uses other than TLS client authentication would nonetheless be able to use it for TLS client authentication. Only TLS 1.3 servers were affected, and only with optional authentication (with required authentication, the handshake would be aborted with a fatal alert).
Package SDL2_gfx updated to version 1.0.4-alt3 for branch sisyphus_loongarch64.
Closed bugs
Отсутствует SDL2_gfxPrimitives_font.h
Package branding-uzguard-workstation updated to version 1.0-alt0.3 for branch sisyphus_loongarch64.
Closed bugs
Оторвать зависимость на /etc/sysconfig/i18n
Package branding-uzguard-server updated to version 1.0-alt0.2 for branch sisyphus_loongarch64.
Closed bugs
Оторвать зависимость на /etc/sysconfig/i18n
Package MySQL updated to version 8.0.39-alt1.1 for branch sisyphus_loongarch64.
Closed bugs
QMYSQL driver not loaded