ALT-BU-2024-4013-1
Branch sisyphus_riscv64 update bulletin.
Package libxml2 updated to version 2.12.5-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2024-01415
Уязвимость функции xmlValidatePopElement компонента XML Reader Interface библиотеки Libxml2, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2024-25062
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Package unbound updated to version 1.19.2-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2024-01923
Уязвимость DNS-сервера Unbound, связанная с выполнением цикла с недоступным условием выхода, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-12-17
CVE-2024-1931
NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4VCBRQ7KMSIGBQ6A4SBL5PF326DIJIIV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4VCBRQ7KMSIGBQ6A4SBL5PF326DIJIIV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B2JUIFPA7H75Q2W3VXW2TUNHK6NVGOX4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B2JUIFPA7H75Q2W3VXW2TUNHK6NVGOX4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBR4H7RCVMJ6H76S4LLRSY5EBFTYWGXK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBR4H7RCVMJ6H76S4LLRSY5EBFTYWGXK/
- https://lists.freebsd.org/archives/freebsd-security/2024-July/000283.html
- https://lists.freebsd.org/archives/freebsd-security/2024-July/000283.html
- https://security.netapp.com/advisory/ntap-20240705-0006/
- https://security.netapp.com/advisory/ntap-20240705-0006/
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt
Package zlib updated to version 1.3.1-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-07116
Уязвимость функции zipOpenNewFileInZip4_64() пакета MiniZip библиотеки zlib, позволяющая нарушителю оказать воздействие на целостность, доступность и конфиденциальность защищаемой информации
Modified: 2024-12-20
CVE-2023-45853
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
- [oss-security] 20231020 CVE-2023-45853: overflows in MiniZip in zlib through 1.3
- [oss-security] 20231020 CVE-2023-45853: overflows in MiniZip in zlib through 1.3
- [oss-security] 20240124 Re: CVE-2023-45853: overflows in MiniZip in zlib through 1.3
- [oss-security] 20240124 Re: CVE-2023-45853: overflows in MiniZip in zlib through 1.3
- https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
- https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
- https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
- https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
- https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
- https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
- https://github.com/madler/zlib/pull/843
- https://github.com/madler/zlib/pull/843
- [debian-lts-announce] 20231127 [SECURITY] [DLA 3670-1] minizip security update
- [debian-lts-announce] 20231127 [SECURITY] [DLA 3670-1] minizip security update
- https://pypi.org/project/pyminizip/#history
- https://pypi.org/project/pyminizip/#history
- GLSA-202401-18
- GLSA-202401-18
- https://security.netapp.com/advisory/ntap-20231130-0009/
- https://security.netapp.com/advisory/ntap-20231130-0009/
- https://www.winimage.com/zLibDll/minizip.html
- https://www.winimage.com/zLibDll/minizip.html