ALT-BU-2024-7096-1
Branch sisyphus_e2k update bulletin.
Package gem-rexml updated to version 3.2.5-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
BDU:2022-00302
Уязвимость интерпретатора языка программирования Ruby, связанная с неверным ограничением XML-ссылок на внешние объекты, позволяющая нарушителю оказать воздействие на целостность данных
Modified: 2024-11-21
CVE-2021-28965
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
- FEDORA-2021-7b8b65bc7a
- FEDORA-2021-7b8b65bc7a
- https://security.netapp.com/advisory/ntap-20210528-0003/
- https://security.netapp.com/advisory/ntap-20210528-0003/
- https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
- https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
Package libcaca updated to version 0.99-alt23 for branch sisyphus_e2k.
Closed vulnerabilities
BDU:2021-03712
Уязвимость функции caca_resize библиотеки для преобразования изображения в ASCII art libcaca, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2021-3410
A flaw was found in libcaca v0.99.beta19. A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context.
- https://bugzilla.redhat.com/show_bug.cgi?id=1928437
- https://bugzilla.redhat.com/show_bug.cgi?id=1928437
- https://github.com/cacalabs/libcaca/issues/52
- https://github.com/cacalabs/libcaca/issues/52
- [debian-lts-announce] 20210307 [SECURITY] [DLA 2584-1] libcaca security update
- [debian-lts-announce] 20210307 [SECURITY] [DLA 2584-1] libcaca security update
- FEDORA-2022-fc6b53e7a2
- FEDORA-2022-fc6b53e7a2
- FEDORA-2022-e3b9986722
- FEDORA-2022-e3b9986722
- FEDORA-2022-3d291845d8
- FEDORA-2022-3d291845d8
Closed bugs
uninitialized constant Caca::
libcaca FTBFS: /usr/local/lib/ruby
Package gem-rack updated to version 2.2.6.3-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
BDU:2021-01344
Уязвимость функции parse_cookies_header из utils.rb модульного интерфейса между веб-серверами и веб-приложениями Rack, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2022-04200
Уязвимость модульного интерфейса между веб-серверами и веб-приложениями Rack, связанная с неправильной проверкой ввода, позволяющая нарушителю выполнить атаку типа «отказ в обслуживании» (DoS)
BDU:2022-04201
Уязвимость модульного интерфейса между веб-серверами и веб-приложениями Rack, связанная с неправильной нейтрализацией специальных элементов используемых в команде ОС, позволяющая нарушителю выполнять произвольные команды оболочки в целевой системе
Modified: 2024-11-21
CVE-2020-8184
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
- https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
- https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
- https://hackerone.com/reports/895727
- https://hackerone.com/reports/895727
- [debian-lts-announce] 20200710 [SECURITY] [DLA 2275-1] ruby-rack security update
- [debian-lts-announce] 20200710 [SECURITY] [DLA 2275-1] ruby-rack security update
- [debian-lts-announce] 20230130 [SECURITY] [DLA 3298-1] ruby-rack security update
- [debian-lts-announce] 20230130 [SECURITY] [DLA 3298-1] ruby-rack security update
- USN-4561-1
- USN-4561-1
Modified: 2024-11-21
CVE-2022-30122
A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.
- https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729
- https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729
- GLSA-202310-18
- GLSA-202310-18
- https://security.netapp.com/advisory/ntap-20231208-0012/
- https://security.netapp.com/advisory/ntap-20231208-0012/
- DSA-5530
- DSA-5530
Modified: 2024-11-21
CVE-2022-30123
A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.
- https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728
- https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728
- GLSA-202310-18
- GLSA-202310-18
- https://security.netapp.com/advisory/ntap-20231208-0011/
- https://security.netapp.com/advisory/ntap-20231208-0011/
- DSA-5530
- DSA-5530
Package gem-addressable updated to version 2.8.1-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
BDU:2021-04454
Уязвимость библиотеки Addressable, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2021-32740
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.
- https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc
- https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc
- https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g
- https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g
- FEDORA-2021-e9fc035565
- FEDORA-2021-e9fc035565
- FEDORA-2021-5d14763df8
- FEDORA-2021-5d14763df8
Package python3-module-pooch updated to version 1.8.1-alt1.1 for branch sisyphus_e2k.
Closed bugs
missing runtime dependency on requests