ALT Linux Team

Branch sisyphus_e2k update on 2024-11-22

2024-11-22

ALT-BU-2024-15993-1

Branch sisyphus_e2k update bulletin.

ALT-PU-2024-15983-1

Package fcitx5 updated to version 5.1.2-alt1_1.1 for branch sisyphus_e2k.

Closed bugs

Bug #51127

Лишние зависимости из fcitx5-configtool

ALT-PU-2024-15985-1

Package qt6-3d updated to version 6.7.2-alt1 for branch sisyphus_e2k.

Closed bugs

Bug #51214

Собрать с системным libassimp

ALT-PU-2024-15986-1

Package xorg-drv-ati updated to version 22.0.0-alt1 for branch sisyphus_e2k.

Closed bugs

Bug #51410

xrandr --scale crashes Xorg

ALT-PU-2024-15987-1

Package python3 updated to version 3.12.7-alt1 for branch sisyphus_e2k.

Closed vulnerabilities

Published: 2024-08-19

BDU:2024-08618

Уязвимость библиотеки http.cookies интерпретатора языка программирования Python, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-09-03

BDU:2024-08943

Уязвимость модуля tarfile интерпретатора языка программирования Python (CPython), позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-09-03
Modified: 2025-03-20

CVE-2024-6232

There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-08-19
Modified: 2025-02-06

CVE-2024-7592

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2024-15988-1

Package python3-module-stdlibs updated to version 2024.10.25-alt1 for branch sisyphus_e2k.

Closed bugs

Bug #51837

FTBFS

ALT-PU-2024-15989-1

Package python3-module-django updated to version 4.2.16-alt1 for branch sisyphus_e2k.

Closed vulnerabilities

Published: 2024-08-06

BDU:2024-06269

Уязвимость методов QuerySet.values() и values_list() моделей JSONField программной платформы для веб-приложений Django, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-08-24

BDU:2024-06736

Уязвимость функции django.utils.html.urlize программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-07-31

BDU:2024-07072

Уязвимость функции django.utils.html.urlize() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-07-31

BDU:2024-07073

Уязвимость функции django.utils.numberformat.floatformat() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-07-31

BDU:2024-07074

Уязвимость функции django.utils.html.urlize() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-08-07
Modified: 2025-03-14

CVE-2024-41989

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-08-07
Modified: 2024-08-07

CVE-2024-41990

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-08-07
Modified: 2024-08-07

CVE-2024-41991

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-08-07
Modified: 2024-10-23

CVE-2024-42005

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

Severity: HIGH (7.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2024-10-08
Modified: 2025-03-17

CVE-2024-45230

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-10-08
Modified: 2025-03-17

CVE-2024-45231

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:

ALT-PU-2024-15990-1

Package qstardict updated to version 2.0.2-alt10 for branch sisyphus_e2k.

Closed bugs

Bug #51994

qstardict: FTBFS

ALT-PU-2024-15991-1

Package libgumbo updated to version 0.12.2-alt3 for branch sisyphus_e2k.

Closed bugs

Bug #52042

Ошибка libgumbo.so: cannot open shared object file при импорте модуля

ALT-PU-2024-15992-1

Package ntp updated to version 4.2.8p18-alt1 for branch sisyphus_e2k.

Closed vulnerabilities

Published: 2023-04-12

BDU:2023-02337

Уязвимость функции mstolfp() (libntp/mstolfp.c) программы мониторинга операций ntpq реализации протокола синхронизации времени NTP, позволяющая нарушителю выполнить произвольный код

Severity: MEDIUM (5.6) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2023-04-12

BDU:2023-02364

Уязвимость функции mstolfp() (libntp/mstolfp.c) программы мониторинга операций ntpq реализации протокола синхронизации времени NTP, позволяющая нарушителю выполнить произвольный код

Severity: MEDIUM (5.6) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2023-04-12

BDU:2023-02658

Уязвимость функции mstolfp() (libntp/mstolfp.c) программы мониторинга операций ntpq реализации протокола синхронизации времени NTP, позволяющая нарушителю выполнить произвольный код

Severity: MEDIUM (5.6) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2023-04-12

BDU:2023-02659

Уязвимость функции mstolfp() (libntp/mstolfp.c) программы мониторинга операций ntpq реализации протокола синхронизации времени NTP, позволяющая нарушителю выполнить произвольный код

Severity: MEDIUM (5.6) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2023-04-12

BDU:2023-02660

Уязвимость функции praecis_parse (ntpd/refclock_palisade.c) демона ntpd реализации протокола синхронизации времени NTP, позволяющая нарушителю вызвать отказ в обслуживании

Severity: LOW (3.1) Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Published: 2023-04-12
Modified: 2025-02-11

CVE-2023-26551

mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write in the cp

Severity: MEDIUM (5.6) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2023-04-12
Modified: 2025-02-11

CVE-2023-26552

mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a decimal point. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.

Severity: MEDIUM (5.6) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2023-04-12
Modified: 2025-02-11

CVE-2023-26553

mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when copying the trailing number. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.

Severity: MEDIUM (5.6) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2023-04-12
Modified: 2025-02-11

CVE-2023-26554

mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a '\0' character. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.

Severity: MEDIUM (5.6) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2023-04-12
Modified: 2025-02-12

CVE-2023-26555

praecis_parse in ntpd/refclock_palisade.c in NTP 4.2.8p15 has an out-of-bounds write. Any attack method would be complex, e.g., with a manipulated GPS receiver.

Severity: MEDIUM (6.4) Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top