2024-12-19
ALT-BU-2024-17276-1
Branch c10f2 update bulletin.
Closed vulnerabilities
Published: 2022-12-10
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2022-45145
egg-compile.scm in CHICKEN 5.x before 5.3.1 allows arbitrary OS command execution during package installation via escape characters in a .egg file.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git%3Ba=blobdiff%3Bf=egg-compile.scm%3Bh=9ba4568113350ec75204cba55e43e27925e2d6fe%3Bhp=c1f2ceb0fb470f63c2ba2a1cf9d8d40083c2359f%3Bhb=a08f8f548d772ef410c672ba33a27108d8d434f3%3Bhpb=9c6fb001c25de4390f46ffd7c3c94237f4df92a9
- https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git%3Ba=blobdiff%3Bf=egg-compile.scm%3Bh=9ba4568113350ec75204cba55e43e27925e2d6fe%3Bhp=c1f2ceb0fb470f63c2ba2a1cf9d8d40083c2359f%3Bhb=a08f8f548d772ef410c672ba33a27108d8d434f3%3Bhpb=9c6fb001c25de4390f46ffd7c3c94237f4df92a9
- https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git%3Ba=blobdiff%3Bf=NEWS%3Bh=54888afff09353093453673c407cabfe76a5ce77%3Bhp=a3fd88a892f82c8353267f50509d018bbb1934b9%3Bhb=670478435a982fc4d1f001ea08669f53d35a51cd%3Bhpb=a08f8f548d772ef410c672ba33a27108d8d434f3
- https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git%3Ba=blobdiff%3Bf=NEWS%3Bh=54888afff09353093453673c407cabfe76a5ce77%3Bhp=a3fd88a892f82c8353267f50509d018bbb1934b9%3Bhb=670478435a982fc4d1f001ea08669f53d35a51cd%3Bhpb=a08f8f548d772ef410c672ba33a27108d8d434f3
- https://lists.gnu.org/archive/html/chicken-announce/2022-11/msg00000.html
- https://lists.gnu.org/archive/html/chicken-announce/2022-11/msg00000.html
Package python3-module-joblib updated to version 1.2.0-alt1 for branch c10f2 in task 365171.
Closed vulnerabilities
Published: 2022-09-26
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2022-21797
The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
- https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
- https://github.com/joblib/joblib/issues/1128
- https://github.com/joblib/joblib/issues/1128
- https://github.com/joblib/joblib/pull/1321
- https://github.com/joblib/joblib/pull/1321
- [debian-lts-announce] 20221117 [SECURITY] [DLA 3193-1] joblib security update
- [debian-lts-announce] 20221117 [SECURITY] [DLA 3193-1] joblib security update
- [debian-lts-announce] 20230330 [SECURITY] [DLA 3193-2] joblib security update
- [debian-lts-announce] 20230330 [SECURITY] [DLA 3193-2] joblib security update
- FEDORA-2022-c0bfe37ae5
- FEDORA-2022-c0bfe37ae5
- FEDORA-2022-c83ce1c000
- FEDORA-2022-c83ce1c000
- GLSA-202401-01
- GLSA-202401-01
- https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
- https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033