ALT-BU-2024-2364-1
Branch p10 update bulletin.
Closed bugs
apt_rpm не обновляет пакеты
Package alterator-net-eth updated to version 5.2.7-alt1 for branch p10 in task 340036.
Closed bugs
В веб-интерфейсе не отображается информация о сетевом интерфейсе
Package knot-resolver updated to version 5.7.0-alt1 for branch p10 in task 340322.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-32983
Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters.
- https://github.com/CZ-NIC/knot-resolver/commit/ccb9d9794db5eb757c33becf65cb1cf48ecfd968
- https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#forwarding
- https://github.com/CZ-NIC/knot-resolver/commit/ccb9d9794db5eb757c33becf65cb1cf48ecfd968
- https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#forwarding
Modified: 2025-05-27
CVE-2022-40188
Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack, an authoritative server must return large NS sets or address sets.
- https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1343#note_262558
- https://lists.debian.org/debian-lts-announce/2022/10/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMDNIUI7GTUEKIBBYYW7OCTJQFPDNXL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S2VE5K3VDUHJOIA2IGT3G5R76IBADMNE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO6LIVQS62MI5GG4OVYB5RHVZMYNHAHG/
- https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1343#note_262558
- https://lists.debian.org/debian-lts-announce/2022/10/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMDNIUI7GTUEKIBBYYW7OCTJQFPDNXL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S2VE5K3VDUHJOIA2IGT3G5R76IBADMNE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO6LIVQS62MI5GG4OVYB5RHVZMYNHAHG/
Modified: 2025-03-14
CVE-2023-26249
Knot Resolver before 5.6.0 enables attackers to consume its resources, launching amplification attacks and potentially causing a denial of service. Specifically, a single client query may lead to a hundred TCP connection attempts if a DNS server closes connections without providing a response.
Modified: 2024-11-21
CVE-2023-46317
Knot Resolver before 5.7.0 performs many TCP reconnections upon receiving certain nonsensical responses from servers.
Package ansible-core updated to version 2.15.9-alt0.p10.1 for branch p10 in task 336268.
Closed vulnerabilities
BDU:2023-07854
Уязвимость системы управления конфигурациями Ansible, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2023-5764
A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.
- https://access.redhat.com/errata/RHSA-2023:7773
- https://access.redhat.com/security/cve/CVE-2023-5764
- https://bugzilla.redhat.com/show_bug.cgi?id=2247629
- https://access.redhat.com/errata/RHSA-2023:7773
- https://access.redhat.com/security/cve/CVE-2023-5764
- https://bugzilla.redhat.com/show_bug.cgi?id=2247629
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7Q6CHPVCHMZS5M7V22GOKFSXZAQ24EU/
- https://security.netapp.com/advisory/ntap-20241025-0001/
Modified: 2025-01-17
CVE-2024-0690
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
- https://access.redhat.com/errata/RHSA-2024:0733
- https://access.redhat.com/errata/RHSA-2024:2246
- https://access.redhat.com/errata/RHSA-2024:3043
- https://access.redhat.com/security/cve/CVE-2024-0690
- https://bugzilla.redhat.com/show_bug.cgi?id=2259013
- https://github.com/ansible/ansible/pull/82565
- https://access.redhat.com/errata/RHSA-2024:0733
- https://access.redhat.com/errata/RHSA-2024:2246
- https://access.redhat.com/errata/RHSA-2024:3043
- https://access.redhat.com/security/cve/CVE-2024-0690
- https://bugzilla.redhat.com/show_bug.cgi?id=2259013
- https://github.com/ansible/ansible/pull/82565
- https://security.netapp.com/advisory/ntap-20250117-0001/
Closed bugs
apt_rpm не обновляет пакеты
Closed vulnerabilities
BDU:2022-00244
Уязвимость компонента tftpd_file.c клиента TFTP Atftp, связанная с копированием буфера без проверки входных данных, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2022-05753
Уязвимость компонента options клиента TFTP Atftp, позволяющая нарушителю получить доступ к конфиденциальным данным
Modified: 2024-11-21
CVE-2021-41054
tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options.
- https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-41054
- https://lists.debian.org/debian-lts-announce/2021/11/msg00014.html
- https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/
- https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-41054
- https://lists.debian.org/debian-lts-announce/2021/11/msg00014.html
- https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/
Modified: 2024-11-21
CVE-2021-46671
options.c in atftp before 0.7.5 reads past the end of an array, and consequently discloses server-side /etc/group data to a remote client.
- https://bugs.debian.org/1004974
- https://lists.debian.org/debian-lts-announce/2022/05/msg00040.html
- https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5
- https://bugs.debian.org/1004974
- https://lists.debian.org/debian-lts-announce/2022/05/msg00040.html
- https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5
Closed bugs
atftp: Необходимо обеспечить совместимость службы с systemd
Сервис atftpd нельзя добавить в автозапуск, используя systemctl enable