ALT-BU-2024-2360-1
Branch c10f2 update bulletin.
Package knot-resolver updated to version 5.7.0-alt1 for branch c10f2 in task 340323.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-32983
Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters.
- https://github.com/CZ-NIC/knot-resolver/commit/ccb9d9794db5eb757c33becf65cb1cf48ecfd968
- https://github.com/CZ-NIC/knot-resolver/commit/ccb9d9794db5eb757c33becf65cb1cf48ecfd968
- https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#forwarding
- https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#forwarding
Modified: 2024-11-21
CVE-2022-40188
Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack, an authoritative server must return large NS sets or address sets.
- https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1343#note_262558
- https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1343#note_262558
- [debian-lts-announce] 20221008 [SECURITY] [DLA 3139-1] knot-resolver security update
- [debian-lts-announce] 20221008 [SECURITY] [DLA 3139-1] knot-resolver security update
- FEDORA-2022-357cc1a81b
- FEDORA-2022-357cc1a81b
- FEDORA-2022-68ad89b21c
- FEDORA-2022-68ad89b21c
- FEDORA-2022-2a4ca7b18d
- FEDORA-2022-2a4ca7b18d
Modified: 2025-03-14
CVE-2023-26249
Knot Resolver before 5.6.0 enables attackers to consume its resources, launching amplification attacks and potentially causing a denial of service. Specifically, a single client query may lead to a hundred TCP connection attempts if a DNS server closes connections without providing a response.
Modified: 2024-11-21
CVE-2023-46317
Knot Resolver before 5.7.0 performs many TCP reconnections upon receiving certain nonsensical responses from servers.
Closed vulnerabilities
BDU:2024-00706
Уязвимость функции freerdp_bitmap_planar_context_reset() RDP-клиента FreeRDP, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-02-13
CVE-2024-22211
FreeRDP is a set of free and open source remote desktop protocol library and clients. In affected versions an integer overflow in `freerdp_bitmap_planar_context_reset` leads to heap-buffer overflow. This affects FreeRDP based clients. FreeRDP based server implementations and proxy are not affected. A malicious server could prepare a `RDPGFX_RESET_GRAPHICS_PDU` to allocate too small buffers, possibly triggering later out of bound read/write. Data extraction over network is not possible, the buffers are used to display an image. This issue has been addressed in version 2.11.5 and 3.2.0. Users are advised to upgrade. there are no know workarounds for this vulnerability.
- https://github.com/FreeRDP/FreeRDP/commit/939e922936e9c3ae8fc204968645e5e7563a2fff
- https://github.com/FreeRDP/FreeRDP/commit/939e922936e9c3ae8fc204968645e5e7563a2fff
- https://github.com/FreeRDP/FreeRDP/commit/aeac3040cc99eeaff1e1171a822114c857b9dca9
- https://github.com/FreeRDP/FreeRDP/commit/aeac3040cc99eeaff1e1171a822114c857b9dca9
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rjhp-44rv-7v59
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rjhp-44rv-7v59
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44VOA5KQQT7KQPW7CLST4Y4SQTKK3IOU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44VOA5KQQT7KQPW7CLST4Y4SQTKK3IOU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PIQE3YSPOJPAUS7DPWIBTR5IQSQX35VM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PIQE3YSPOJPAUS7DPWIBTR5IQSQX35VM/
Closed vulnerabilities
BDU:2022-00244
Уязвимость компонента tftpd_file.c клиента TFTP Atftp, связанная с копированием буфера без проверки входных данных, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2022-05753
Уязвимость компонента options клиента TFTP Atftp, позволяющая нарушителю получить доступ к конфиденциальным данным
Modified: 2024-11-21
CVE-2021-41054
tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options.
- https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-41054
- https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-41054
- [debian-lts-announce] 20211117 [SECURITY] [DLA 2820-1] atftp security update
- [debian-lts-announce] 20211117 [SECURITY] [DLA 2820-1] atftp security update
- https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/
- https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/
Modified: 2024-11-21
CVE-2021-46671
options.c in atftp before 0.7.5 reads past the end of an array, and consequently discloses server-side /etc/group data to a remote client.
- https://bugs.debian.org/1004974
- https://bugs.debian.org/1004974
- [debian-lts-announce] 20220527 [SECURITY] [DLA 3028-1] atftp security update
- [debian-lts-announce] 20220527 [SECURITY] [DLA 3028-1] atftp security update
- https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5
- https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5
Closed bugs
atftp: Необходимо обеспечить совместимость службы с systemd
Сервис atftpd нельзя добавить в автозапуск, используя systemctl enable