ALT-BU-2024-16812-1
Branch p10 update bulletin.
Package libopenh264 updated to version 2.5.0-alt1 for branch p10 in task 363463.
Closed bugs
недостаёт Provides:/Obsoletes:
Closed vulnerabilities
BDU:2024-02279
Уязвимость библиотеки для обработки байт-кода Java Apache Commons BCEL, связанная с записью за границами буфера, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2022-42920
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
- [oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
- [oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
- https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
- https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
- FEDORA-2022-01a56f581c
- FEDORA-2022-01a56f581c
- FEDORA-2022-f60a52e054
- FEDORA-2022-f60a52e054
- FEDORA-2022-0e358addb8
- FEDORA-2022-0e358addb8
- GLSA-202401-25
- GLSA-202401-25
Closed bugs
Центр управления Active Directory не отображает полностью информацию о домене
Package postgresql-jdbc updated to version 42.6.2-alt1 for branch p10 in task 363751.
Closed vulnerabilities
BDU:2024-01541
Уязвимость драйвера JDBC pgjdbc для подключения Java-программ к базе данных PostgreSQL, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2024-1597
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
- http://www.openwall.com/lists/oss-security/2024/04/02/6
- http://www.openwall.com/lists/oss-security/2024/04/02/6
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
- https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html
- https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU/
- https://security.netapp.com/advisory/ntap-20240419-0008/
- https://security.netapp.com/advisory/ntap-20240419-0008/
- https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/
- https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/
- https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/
- https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/
Closed bugs
Для закрытия CVE-2024-1597 необходимо обновить пакет
Closed vulnerabilities
BDU:2022-04788
Уязвимость библиотеки Apache Xalan Java XSLT, связанная с ошибкой приведения целочисленного значения, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
- http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
- http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
- [oss-security] 20220719 CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
- [oss-security] 20220719 CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
- [oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
- [oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
- [oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
- [oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
- [oss-security] 20220720 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
- [oss-security] 20220720 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
- [oss-security] 20221017 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
- [oss-security] 20221017 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
- [oss-security] 20221104 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
- [oss-security] 20221104 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
- [oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
- [oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
- https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
- https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
- https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
- https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
- [debian-lts-announce] 20221018 [SECURITY] [DLA 3155-1] bcel security update
- [debian-lts-announce] 20221018 [SECURITY] [DLA 3155-1] bcel security update
- FEDORA-2022-b76ab52e73
- FEDORA-2022-b76ab52e73
- FEDORA-2022-d26586b419
- FEDORA-2022-d26586b419
- FEDORA-2022-ae563934f7
- FEDORA-2022-ae563934f7
- FEDORA-2022-19b6f21746
- FEDORA-2022-19b6f21746
- FEDORA-2022-80afe2304a
- FEDORA-2022-80afe2304a
- FEDORA-2022-e573851f56
- FEDORA-2022-e573851f56
- https://security.gentoo.org/glsa/202401-25
- https://security.gentoo.org/glsa/202401-25
- https://security.netapp.com/advisory/ntap-20220729-0009/
- https://security.netapp.com/advisory/ntap-20220729-0009/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- DSA-5188
- DSA-5188
- DSA-5192
- DSA-5192
- DSA-5256
- DSA-5256
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Closed bugs
Для закрытия CVE-2022-34169 необходимо обновить пакет