ALT-BU-2024-17292-1
Branch sisyphus_riscv64 update bulletin.
Package gerbv updated to version 2.10.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2022-00105
Уязвимость программного обеспечения для разработки и массового производства печатных плат Gerbv, связанная с записью данных за пределами буфера, позволяющая нарушителю выполнить произвольный код
BDU:2022-00106
Уязвимость программного обеспечения для разработки и массового производства печатных плат Gerbv, связанная с записью данных за пределами буфера, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2021-40391
An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality of Gerbv 2.7.0, dev (commit b5f1eacd), and the forked version of Gerbv (commit 71493260). A specially-crafted drill file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
- [debian-lts-announce] 20211203 [SECURITY] [DLA 2839-1] gerbv security update
- [debian-lts-announce] 20211203 [SECURITY] [DLA 2839-1] gerbv security update
- FEDORA-2022-4a3ef86baa
- FEDORA-2022-4a3ef86baa
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1402
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1402
Modified: 2024-11-21
CVE-2021-40393
An out-of-bounds write vulnerability exists in the RS-274X aperture macro variables handling functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit 71493260). A specially-crafted gerber file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
- [debian-lts-announce] 20230930 [SECURITY] [DLA 3593-1] gerbv security update
- [debian-lts-announce] 20230930 [SECURITY] [DLA 3593-1] gerbv security update
- FEDORA-2023-5f5bea627b
- FEDORA-2023-5f5bea627b
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1404
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1404
- DSA-5306
- DSA-5306
Modified: 2024-11-21
CVE-2021-40394
An out-of-bounds write vulnerability exists in the RS-274X aperture macro variables handling functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit 71493260). A specially-crafted gerber file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
- [debian-lts-announce] 20230930 [SECURITY] [DLA 3593-1] gerbv security update
- [debian-lts-announce] 20230930 [SECURITY] [DLA 3593-1] gerbv security update
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1404
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1404
- DSA-5306
- DSA-5306
Modified: 2024-11-21
CVE-2021-40400
An out-of-bounds read vulnerability exists in the RS-274X aperture macro outline primitive functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit d7f42a9a). A specially-crafted Gerber file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
Modified: 2024-11-21
CVE-2021-40401
A use-after-free vulnerability exists in the RS-274X aperture definition tokenization functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and Gerbv forked 2.7.1. A specially-crafted gerber file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
Modified: 2024-11-21
CVE-2021-40402
An out-of-bounds read vulnerability exists in the RS-274X aperture macro multiple outline primitives functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.7.1 and 2.8.0. A specially-crafted Gerber file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
Modified: 2024-11-21
CVE-2021-40403
An information disclosure vulnerability exists in the pick-and-place rotation parsing functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.8.0. A specially-crafted pick-and-place file can exploit the missing initialization of a structure to leak memory contents. An attacker can provide a malicious file to trigger this vulnerability.
Modified: 2024-11-21
CVE-2023-4508
A user able to control file input to Gerbv, between versions 2.4.0 and 2.10.0, can cause a crash and cause denial-of-service with a specially crafted Gerber RS-274X file.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4508
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4508
- https://github.com/gerbv/gerbv/commit/5517e22250e935dc7f86f64ad414aeae3dbcb36a
- https://github.com/gerbv/gerbv/commit/5517e22250e935dc7f86f64ad414aeae3dbcb36a
- https://github.com/gerbv/gerbv/issues/191
- https://github.com/gerbv/gerbv/issues/191
Package python3-module-dbus-deviation updated to version 0.6.1-alt3 for branch sisyphus_riscv64.
Closed bugs
Убрать зависимость на python3(pipes)
Package qt6-base updated to version 6.7.2-alt6 for branch sisyphus_riscv64.
Closed bugs
Оключение tls в qt6.6
Package nextcloud updated to version 30.0.4-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2024-10840
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с хранением защищаемой информации в незашифрованном виде, позволяющая нарушителю получить доступ к конфиденциальной информации
BDU:2024-10846
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с недостаточной защитой служебных данных, позволяющая нарушителю оказывать влияние на конфиденциальность
BDU:2024-10847
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с недостаточной защитой служебных данных, позволяющая нарушителю оказывать влияние на конфиденциальность
BDU:2024-10851
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с недостатками процедуры аутентификации, позволяющая нарушителю раскрыть защищаемую информацию
BDU:2024-10853
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с использованием обратимой односторонней хэш-функции, позволяющая нарушителю сделать фоновое задание актуальным
Modified: 2024-11-18
CVE-2024-52513
Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
Modified: 2025-01-06
CVE-2024-52517
Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
Modified: 2025-01-23
CVE-2024-52518
Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.
Modified: 2025-01-23
CVE-2024-52521
Nextcloud Server is a self hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased the chances of a background job with arguments falsely being identified as already existing and not be queued for execution. By changing the Hash to SHA256 the probability was heavily decreased. It is recommended that the Nextcloud Server is upgraded to 28.0.10, 29.0.7 or 30.0.0.
Modified: 2024-11-18
CVE-2024-52523
Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator defined external storage with fixed credentials, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2 and Nextcloud Enterprise Server is upgraded to 25.0.13.14, 26.0.13.10, 27.1.11.10, 28.0.12, 29.0.9 or 30.0.2.
Modified: 2025-01-23
CVE-2024-52525
Nextcloud Server is a self hosted personal cloud system. Under certain conditions the password of a user was stored unencrypted in the session data. The session data is encrypted before being saved in the session storage (Redis or disk), but it would allow a malicious process that gains access to the memory of the PHP process, to get access to the cleartext password of the user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.
Package apa updated to version 0.1.4.alpha-alt1 for branch sisyphus_riscv64.
Closed bugs
Прошу обновить `apa` до версии 0.1.3-alpha