ALT Linux Team

Branch sisyphus_e2k update on 2024-03-20

2024-03-20

ALT-BU-2024-4293-1

Branch sisyphus_e2k update bulletin.

ALT-PU-2024-4289-1

Package avahi updated to version 0.8-alt3 for branch sisyphus_e2k.

Closed vulnerabilities

Published: 2023-04-25

BDU:2023-08473

Уязвимость функции avahi_rdata_parse() системы обнаружения сервисов в локальной сети Avahi, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (5.5) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2023-11-02
Modified: 2024-11-21

CVE-2023-38469

A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2023-11-02
Modified: 2024-11-21

CVE-2023-38470

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2023-11-02
Modified: 2024-11-21

CVE-2023-38471

A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2023-11-02
Modified: 2024-11-21

CVE-2023-38472

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2023-11-02
Modified: 2024-11-21

CVE-2023-38473

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2024-4291-1

Package lua5.4 updated to version 5.4.6-alt1 for branch sisyphus_e2k.

Closed vulnerabilities

Published: 2022-02-15

BDU:2022-04620

Уязвимость реализации функции singlevar() интерпретатора скриптов Lua, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.1) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Published: 2022-04-08
Modified: 2024-11-21

CVE-2022-28805

singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Published: 2022-07-01
Modified: 2024-11-21

CVE-2022-33099

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2024-4292-1

Package zabbix updated to version 6.0.27-alt2 for branch sisyphus_e2k.

Closed vulnerabilities

Published: 2023-12-18

BDU:2023-09066

Уязвимость файла cookie zbx_session универсальной системы мониторинга Zabbix, позволяющая нарушителю повысить свои привилегии

Severity: CRITICAL (9.6) Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References:
Published: 2023-12-18

BDU:2024-00033

Уязвимость функции icmpping универсальной системы мониторинга Zabbix, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (7.2) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2023-12-18

BDU:2024-00645

Уязвимость компонента DNS Response Handler агента универсальной системы мониторинга Zabbix, позволяющая нарушителю вызвать переполнение буфера

Severity: HIGH (8.1) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2023-12-18
Modified: 2024-11-21

CVE-2023-32725

The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2023-12-18
Modified: 2024-11-21

CVE-2023-32726

The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server.

Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2023-12-18
Modified: 2024-11-21

CVE-2023-32727

An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server.

Severity: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2023-12-18
Modified: 2024-11-21

CVE-2023-32728

The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-02-09
Modified: 2024-11-21

CVE-2024-22119

The cause of vulnerability is improper validation of form input field “Name” on Graph page in Items section.

Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top