ALT-BU-2024-2481-1
Branch p10 update bulletin.
Package kde5-digikam updated to version 8.2.0-alt2 for branch p10 in task 339775.
Closed bugs
Сбой digikam при поиске действий
Некорректное отображение скриншотов в разделе ShowFoto
Package libvirglrenderer updated to version 1.0.1-alt2 for branch p10 in task 340222.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-0135
An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). This flaw allows a malicious guest to create a specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a denial of service or possible code execution.
- https://bugzilla.redhat.com/show_bug.cgi?id=2037790
- https://bugzilla.redhat.com/show_bug.cgi?id=2037790
- [debian-lts-announce] 20221207 [SECURITY] [DLA 3232-1] virglrenderer security update
- [debian-lts-announce] 20221207 [SECURITY] [DLA 3232-1] virglrenderer security update
- GLSA-202210-05
- GLSA-202210-05
Modified: 2024-11-21
CVE-2022-0175
A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.
- https://access.redhat.com/security/cve/CVE-2022-0175
- https://access.redhat.com/security/cve/CVE-2022-0175
- https://bugzilla.redhat.com/show_bug.cgi?id=2039003
- https://bugzilla.redhat.com/show_bug.cgi?id=2039003
- https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c
- https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c
- https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654
- https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654
- GLSA-202210-05
- GLSA-202210-05
- https://security-tracker.debian.org/tracker/CVE-2022-0175
- https://security-tracker.debian.org/tracker/CVE-2022-0175
Closed vulnerabilities
BDU:2023-06559
Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-04-03
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- [oss-security] 20231010 CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231010 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231018 Vulnerability in Jenkins
- [oss-security] 20231018 Vulnerability in Jenkins
- [oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
- [oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
- [oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- https://access.redhat.com/security/cve/cve-2023-44487
- https://access.redhat.com/security/cve/cve-2023-44487
- https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
- https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
- https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
- https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
- https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
- https://blog.vespa.ai/cve-2023-44487/
- https://blog.vespa.ai/cve-2023-44487/
- https://bugzilla.proxmox.com/show_bug.cgi?id=4988
- https://bugzilla.proxmox.com/show_bug.cgi?id=4988
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803
- https://bugzilla.suse.com/show_bug.cgi?id=1216123
- https://bugzilla.suse.com/show_bug.cgi?id=1216123
- https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
- https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
- https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
- https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
- https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
- https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
- https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
- https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
- https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
- https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
- https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
- https://github.com/advisories/GHSA-qppj-fm5r-hxr3
- https://github.com/advisories/GHSA-qppj-fm5r-hxr3
- https://github.com/advisories/GHSA-vx74-f528-fxqg
- https://github.com/advisories/GHSA-vx74-f528-fxqg
- https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- https://github.com/akka/akka-http/issues/4323
- https://github.com/akka/akka-http/issues/4323
- https://github.com/alibaba/tengine/issues/1872
- https://github.com/alibaba/tengine/issues/1872
- https://github.com/apache/apisix/issues/10320
- https://github.com/apache/apisix/issues/10320
- https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
- https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
- https://github.com/apache/httpd-site/pull/10
- https://github.com/apache/httpd-site/pull/10
- https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
- https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
- https://github.com/apache/trafficserver/pull/10564
- https://github.com/apache/trafficserver/pull/10564
- https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
- https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
- https://github.com/Azure/AKS/issues/3947
- https://github.com/Azure/AKS/issues/3947
- https://github.com/bcdannyboy/CVE-2023-44487
- https://github.com/bcdannyboy/CVE-2023-44487
- https://github.com/caddyserver/caddy/issues/5877
- https://github.com/caddyserver/caddy/issues/5877
- https://github.com/caddyserver/caddy/releases/tag/v2.7.5
- https://github.com/caddyserver/caddy/releases/tag/v2.7.5
- https://github.com/dotnet/announcements/issues/277
- https://github.com/dotnet/announcements/issues/277
- https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
- https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
- https://github.com/eclipse/jetty.project/issues/10679
- https://github.com/eclipse/jetty.project/issues/10679
- https://github.com/envoyproxy/envoy/pull/30055
- https://github.com/envoyproxy/envoy/pull/30055
- https://github.com/etcd-io/etcd/issues/16740
- https://github.com/etcd-io/etcd/issues/16740
- https://github.com/facebook/proxygen/pull/466
- https://github.com/facebook/proxygen/pull/466
- https://github.com/golang/go/issues/63417
- https://github.com/golang/go/issues/63417
- https://github.com/grpc/grpc/releases/tag/v1.59.2
- https://github.com/grpc/grpc-go/pull/6703
- https://github.com/grpc/grpc-go/pull/6703
- https://github.com/h2o/h2o/pull/3291
- https://github.com/h2o/h2o/pull/3291
- https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
- https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
- https://github.com/haproxy/haproxy/issues/2312
- https://github.com/haproxy/haproxy/issues/2312
- https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
- https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
- https://github.com/junkurihara/rust-rpxy/issues/97
- https://github.com/junkurihara/rust-rpxy/issues/97
- https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
- https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
- https://github.com/kazu-yamamoto/http2/issues/93
- https://github.com/kazu-yamamoto/http2/issues/93
- https://github.com/Kong/kong/discussions/11741
- https://github.com/Kong/kong/discussions/11741
- https://github.com/kubernetes/kubernetes/pull/121120
- https://github.com/kubernetes/kubernetes/pull/121120
- https://github.com/line/armeria/pull/5232
- https://github.com/line/armeria/pull/5232
- https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
- https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
- https://github.com/micrictor/http2-rst-stream
- https://github.com/micrictor/http2-rst-stream
- https://github.com/microsoft/CBL-Mariner/pull/6381
- https://github.com/microsoft/CBL-Mariner/pull/6381
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
- https://github.com/nghttp2/nghttp2/pull/1961
- https://github.com/nghttp2/nghttp2/pull/1961
- https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
- https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
- https://github.com/ninenines/cowboy/issues/1615
- https://github.com/ninenines/cowboy/issues/1615
- https://github.com/nodejs/node/pull/50121
- https://github.com/nodejs/node/pull/50121
- https://github.com/openresty/openresty/issues/930
- https://github.com/openresty/openresty/issues/930
- https://github.com/opensearch-project/data-prepper/issues/3474
- https://github.com/opensearch-project/data-prepper/issues/3474
- https://github.com/oqtane/oqtane.framework/discussions/3367
- https://github.com/oqtane/oqtane.framework/discussions/3367
- https://github.com/projectcontour/contour/pull/5826
- https://github.com/projectcontour/contour/pull/5826
- https://github.com/tempesta-tech/tempesta/issues/1986
- https://github.com/tempesta-tech/tempesta/issues/1986
- https://github.com/varnishcache/varnish-cache/issues/3996
- https://github.com/varnishcache/varnish-cache/issues/3996
- https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
- https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
- https://istio.io/latest/news/security/istio-security-2023-004/
- https://istio.io/latest/news/security/istio-security-2023-004/
- https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
- https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
- https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
- https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
- [debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update
- [debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update
- [debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update
- [debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update
- [debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update
- [debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update
- [debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update
- [debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update
- [debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update
- [debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update
- FEDORA-2023-c0c6a91330
- FEDORA-2023-7b52921cae
- FEDORA-2023-0259c3f26f
- FEDORA-2023-4bf641255e
- FEDORA-2023-d5030c983c
- FEDORA-2023-4d2fd884ea
- FEDORA-2023-dbe64661af
- FEDORA-2023-5ff7bf1dd8
- FEDORA-2023-ed2642fd58
- FEDORA-2023-fe53e13b5b
- FEDORA-2023-f66fc0f62a
- FEDORA-2023-b2c50535cb
- FEDORA-2023-1caffb88af
- FEDORA-2023-3f70b8d406
- FEDORA-2023-492b7be466
- FEDORA-2023-17efd3f2cd
- FEDORA-2023-e9c04d81c1
- FEDORA-2023-822aab0a5a
- FEDORA-2023-7934802344
- FEDORA-2023-54fadada12
- FEDORA-2023-2a9214af5f
- FEDORA-2023-c0c6a91330
- FEDORA-2023-7b52921cae
- FEDORA-2023-0259c3f26f
- FEDORA-2023-4bf641255e
- FEDORA-2023-d5030c983c
- FEDORA-2023-4d2fd884ea
- FEDORA-2023-dbe64661af
- FEDORA-2023-5ff7bf1dd8
- FEDORA-2023-ed2642fd58
- FEDORA-2023-fe53e13b5b
- FEDORA-2023-f66fc0f62a
- FEDORA-2023-b2c50535cb
- FEDORA-2023-1caffb88af
- FEDORA-2023-3f70b8d406
- FEDORA-2023-492b7be466
- FEDORA-2023-17efd3f2cd
- FEDORA-2023-e9c04d81c1
- FEDORA-2023-822aab0a5a
- FEDORA-2023-7934802344
- FEDORA-2023-54fadada12
- FEDORA-2023-2a9214af5f
- https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
- https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
- https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
- https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
- https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
- https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
- https://my.f5.com/manage/s/article/K000137106
- https://my.f5.com/manage/s/article/K000137106
- https://netty.io/news/2023/10/10/4-1-100-Final.html
- https://netty.io/news/2023/10/10/4-1-100-Final.html
- https://news.ycombinator.com/item?id=37830987
- https://news.ycombinator.com/item?id=37830987
- https://news.ycombinator.com/item?id=37830998
- https://news.ycombinator.com/item?id=37830998
- https://news.ycombinator.com/item?id=37831062
- https://news.ycombinator.com/item?id=37831062
- https://news.ycombinator.com/item?id=37837043
- https://news.ycombinator.com/item?id=37837043
- https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
- https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
- https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- GLSA-202311-09
- GLSA-202311-09
- https://security.netapp.com/advisory/ntap-20231016-0001/
- https://security.netapp.com/advisory/ntap-20231016-0001/
- https://security.netapp.com/advisory/ntap-20240426-0007/
- https://security.netapp.com/advisory/ntap-20240426-0007/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://security.paloaltonetworks.com/CVE-2023-44487
- https://security.paloaltonetworks.com/CVE-2023-44487
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
- https://ubuntu.com/security/CVE-2023-44487
- https://ubuntu.com/security/CVE-2023-44487
- https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
- https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
- https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
- https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
- DSA-5521
- DSA-5521
- DSA-5522
- DSA-5522
- DSA-5540
- DSA-5540
- DSA-5549
- DSA-5549
- DSA-5558
- DSA-5558
- DSA-5570
- DSA-5570
- https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
- https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
- https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
- https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- https://www.openwall.com/lists/oss-security/2023/10/10/6
- https://www.openwall.com/lists/oss-security/2023/10/10/6
- https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
- https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
- https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
- https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
- https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause
Closed vulnerabilities
Modified: 2025-02-13
CVE-2023-4399
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode encoding of the characters in the request address.
Modified: 2025-02-13
CVE-2023-4822
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user. The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of.
Package postgresql16 updated to version 16.2-alt0.p10.1 for branch p10 in task 340531.
Closed vulnerabilities
BDU:2024-01121
Уязвимость функции REFRESH MATERIALIZED VIEW CONCURRENTLY системы управления базами данных PostgreSQL, позволяющая нарушителю выполнять произвольные SQL-команды
Modified: 2024-12-20
CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://security.netapp.com/advisory/ntap-20241220-0005/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
Package postgresql12 updated to version 12.18-alt0.p10.1 for branch p10 in task 340531.
Closed vulnerabilities
BDU:2024-01121
Уязвимость функции REFRESH MATERIALIZED VIEW CONCURRENTLY системы управления базами данных PostgreSQL, позволяющая нарушителю выполнять произвольные SQL-команды
Modified: 2024-12-20
CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://security.netapp.com/advisory/ntap-20241220-0005/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
Package postgresql13 updated to version 13.14-alt0.p10.1 for branch p10 in task 340531.
Closed vulnerabilities
BDU:2024-01121
Уязвимость функции REFRESH MATERIALIZED VIEW CONCURRENTLY системы управления базами данных PostgreSQL, позволяющая нарушителю выполнять произвольные SQL-команды
Modified: 2024-12-20
CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://security.netapp.com/advisory/ntap-20241220-0005/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
Package postgresql14 updated to version 14.11-alt0.p10.1 for branch p10 in task 340531.
Closed vulnerabilities
BDU:2024-01121
Уязвимость функции REFRESH MATERIALIZED VIEW CONCURRENTLY системы управления базами данных PostgreSQL, позволяющая нарушителю выполнять произвольные SQL-команды
Modified: 2024-12-20
CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://security.netapp.com/advisory/ntap-20241220-0005/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
Package postgresql15 updated to version 15.6-alt0.p10.1 for branch p10 in task 340531.
Closed vulnerabilities
BDU:2024-01121
Уязвимость функции REFRESH MATERIALIZED VIEW CONCURRENTLY системы управления базами данных PostgreSQL, позволяющая нарушителю выполнять произвольные SQL-команды
Modified: 2024-12-20
CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://security.netapp.com/advisory/ntap-20241220-0005/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
Package postgresql15-1C updated to version 15.5-alt0.p10.3 for branch p10 in task 340531.
Closed vulnerabilities
BDU:2024-01121
Уязвимость функции REFRESH MATERIALIZED VIEW CONCURRENTLY системы управления базами данных PostgreSQL, позволяющая нарушителю выполнять произвольные SQL-команды
Modified: 2024-12-20
CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://www.postgresql.org/support/security/CVE-2024-0985/
- https://saites.dev/projects/personal/postgres-cve-2024-0985/
- https://security.netapp.com/advisory/ntap-20241220-0005/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
Package mongo-tools updated to version 100.9.4-alt1 for branch p10 in task 340515.
Closed bugs
Обновить до версии 100.9.4
Closed bugs
Из пакета пропал скрипт run.go, необходимый для запуска тестов