ALT Linux Team

Branch c10f1 update on 2024-12-18

2024-12-18

ALT-BU-2024-17213-1

Branch c10f1 update bulletin.

ALT-PU-2024-16844-2

Package freeipa updated to version 4.9.14-alt1.c10f2.1 for branch c10f1 in task 364592.

Closed vulnerabilities

Published: 2024-02-13

BDU:2024-01678

Уязвимость функции run() сценария сервера FreeIPA, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации или вызвать отказ в обслуживании

Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Published: 2024-04-11
Modified: 2024-11-21

CVE-2024-1481

A flaw was found in FreeIPA. This issue may allow a remote attacker to craft a HTTP request with parameters that can be interpreted as command arguments to kinit on the FreeIPA server, which can lead to a denial of service.

References:

ALT-PU-2024-17000-2

Package minio updated to version 2024.11.07-alt1 for branch c10f1 in task 364522.

Closed vulnerabilities

Published: 2024-01-26

BDU:2024-01131

Уязвимость сервера хранения объектов MinIO, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-05-28

BDU:2024-06172

Уязвимость сервера хранения объектов MinIO, связанная с раскрытием конфиденциальной информации неавторизованному лицу, позволяющая нарушителю раскрыть конфиденциальную информацию

Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Published: 2024-02-01
Modified: 2024-11-21

CVE-2024-24747

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-05-28
Modified: 2024-11-21

CVE-2024-36107

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of information such as `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.

References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top