ALT-BU-2024-15681-1
Branch c10f1 update bulletin.
Package xorg-server updated to version 1.20.14-alt14 for branch c10f1 in task 362451.
Closed vulnerabilities
Modified: 2025-08-19
BDU:2024-09084
Уязвимость функции _XkbSetCompatMap реализации сервера X Window System X.Org Server, позволяющая нарушителю повысить свои привилегии
Modified: 2025-08-04
CVE-2024-9632
A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
- https://access.redhat.com/errata/RHSA-2024:10090
- https://access.redhat.com/errata/RHSA-2024:8798
- https://access.redhat.com/errata/RHSA-2024:9540
- https://access.redhat.com/errata/RHSA-2024:9579
- https://access.redhat.com/errata/RHSA-2024:9601
- https://access.redhat.com/errata/RHSA-2024:9690
- https://access.redhat.com/errata/RHSA-2024:9816
- https://access.redhat.com/errata/RHSA-2024:9818
- https://access.redhat.com/errata/RHSA-2024:9819
- https://access.redhat.com/errata/RHSA-2024:9820
- https://access.redhat.com/errata/RHSA-2024:9901
- https://access.redhat.com/errata/RHSA-2025:12751
- https://access.redhat.com/errata/RHSA-2025:7163
- https://access.redhat.com/errata/RHSA-2025:7165
- https://access.redhat.com/errata/RHSA-2025:7458
- https://access.redhat.com/security/cve/CVE-2024-9632
- https://bugzilla.redhat.com/show_bug.cgi?id=2317233
- http://seclists.org/fulldisclosure/2024/Oct/20
- http://www.openwall.com/lists/oss-security/2024/10/29/2
- https://lists.debian.org/debian-lts-announce/2024/10/msg00031.html
Closed bugs
Падение Xorg после обновления до 1.20.14-alt12
Package xorg-xwayland updated to version 23.1.1-alt6 for branch c10f1 in task 362451.
Closed vulnerabilities
Modified: 2025-08-19
BDU:2024-09084
Уязвимость функции _XkbSetCompatMap реализации сервера X Window System X.Org Server, позволяющая нарушителю повысить свои привилегии
Modified: 2025-08-04
CVE-2024-9632
A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
- https://access.redhat.com/errata/RHSA-2024:10090
- https://access.redhat.com/errata/RHSA-2024:8798
- https://access.redhat.com/errata/RHSA-2024:9540
- https://access.redhat.com/errata/RHSA-2024:9579
- https://access.redhat.com/errata/RHSA-2024:9601
- https://access.redhat.com/errata/RHSA-2024:9690
- https://access.redhat.com/errata/RHSA-2024:9816
- https://access.redhat.com/errata/RHSA-2024:9818
- https://access.redhat.com/errata/RHSA-2024:9819
- https://access.redhat.com/errata/RHSA-2024:9820
- https://access.redhat.com/errata/RHSA-2024:9901
- https://access.redhat.com/errata/RHSA-2025:12751
- https://access.redhat.com/errata/RHSA-2025:7163
- https://access.redhat.com/errata/RHSA-2025:7165
- https://access.redhat.com/errata/RHSA-2025:7458
- https://access.redhat.com/security/cve/CVE-2024-9632
- https://bugzilla.redhat.com/show_bug.cgi?id=2317233
- http://seclists.org/fulldisclosure/2024/Oct/20
- http://www.openwall.com/lists/oss-security/2024/10/29/2
- https://lists.debian.org/debian-lts-announce/2024/10/msg00031.html
Closed vulnerabilities
Modified: 2022-10-18
BDU:2022-01639
Уязвимость реализации сетевых блочных устройств nbd, связанная с целочисленным переполнением, позволяющая нарушителю выполнить произвольный код
Modified: 2022-10-18
BDU:2022-01643
Уязвимость реализации сетевых блочных устройств nbd, связанная с переполнением буфера в стека, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2022-26495
In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages.
- https://lists.debian.org/debian-lts-announce/2022/03/msg00014.html
- https://lists.debian.org/nbd/2022/01/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G2UPX62BIWOOHSACGUDB7E3O4URNN37F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZHR73XMAJTCFGKUZRXVTZKCK2X3IFNA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/
- https://security.gentoo.org/glsa/202402-10
- https://sourceforge.net/projects/nbd/files/nbd/
- https://www.debian.org/security/2022/dsa-5100
- https://lists.debian.org/debian-lts-announce/2022/03/msg00014.html
- https://lists.debian.org/nbd/2022/01/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G2UPX62BIWOOHSACGUDB7E3O4URNN37F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZHR73XMAJTCFGKUZRXVTZKCK2X3IFNA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/
- https://security.gentoo.org/glsa/202402-10
- https://sourceforge.net/projects/nbd/files/nbd/
- https://www.debian.org/security/2022/dsa-5100
Modified: 2024-11-21
CVE-2022-26496
In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name.
- http://packetstormsecurity.com/files/172148/Shannon-Baseband-fmtp-SDP-Attribute-Memory-Corruption.html
- https://lists.debian.org/nbd/2022/01/msg00036.html
- https://lists.debian.org/nbd/2022/01/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G2UPX62BIWOOHSACGUDB7E3O4URNN37F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZHR73XMAJTCFGKUZRXVTZKCK2X3IFNA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/
- https://security.gentoo.org/glsa/202402-10
- https://sourceforge.net/projects/nbd/files/nbd/
- https://www.debian.org/security/2022/dsa-5100
- http://packetstormsecurity.com/files/172148/Shannon-Baseband-fmtp-SDP-Attribute-Memory-Corruption.html
- https://lists.debian.org/nbd/2022/01/msg00036.html
- https://lists.debian.org/nbd/2022/01/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G2UPX62BIWOOHSACGUDB7E3O4URNN37F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZHR73XMAJTCFGKUZRXVTZKCK2X3IFNA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/
- https://security.gentoo.org/glsa/202402-10
- https://sourceforge.net/projects/nbd/files/nbd/
- https://www.debian.org/security/2022/dsa-5100
Closed bugs
Не стартует nbd-server с помощью systemd
Closed vulnerabilities
Modified: 2025-05-29
CVE-2023-52389
UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow and resultant stack buffer overflow because Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return a negative integer if a UTF-32 byte sequence evaluates to a value of 0x80000000 or higher. This is fixed in 1.11.8p2, 1.12.5p2, and 1.13.0.
- https://github.com/pocoproject/poco/compare/poco-1.12.5p2-release...poco-1.13.0-release
- https://github.com/pocoproject/poco/issues/4320
- https://pocoproject.org/blog/?p=1226
- https://github.com/pocoproject/poco/compare/poco-1.12.5p2-release...poco-1.13.0-release
- https://github.com/pocoproject/poco/issues/4320
- https://lists.debian.org/debian-lts-announce/2025/01/msg00017.html
- https://pocoproject.org/blog/?p=1226
Package libreoffice-online updated to version 6.2.3.2-alt8 for branch c10f1 in task 362494.
Closed bugs
Ошибка в конфигурации /etc/httpd2/conf/sites-enabled/libreoffice-online.conf
Closed vulnerabilities
Modified: 2024-10-04
BDU:2024-07020
Уязвимость функции Parse языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-09-12
BDU:2024-07025
Уязвимость функции Decoder.Decode языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-10-04
BDU:2024-07026
Уязвимость функции Parse языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2024-34155
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
Modified: 2024-11-21
CVE-2024-34156
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Modified: 2024-11-21
CVE-2024-34158
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.