ALT Linux Team

Branch p10 update on 2024-06-15

2024-06-15

ALT-BU-2024-9097-1

Branch p10 update bulletin.

ALT-PU-2024-8892-3

Package snapd updated to version 2.61.3-alt1.1 for branch p10 in task 350710.

Closed vulnerabilities

Published: 2022-11-30

BDU:2022-07107

Уязвимость функции must_mkdir_and_open_with_perms() утилиты snap-confine операционной системы Ubuntu, позволяющая нарушителю

Severity: HIGH (8.4) Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-01-08
Modified: 2024-11-21

CVE-2022-3328

Race condition in snap-confine's must_mkdir_and_open_with_perms()

Severity: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2023-09-01
Modified: 2024-11-21

CVE-2023-1523

Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.

Severity: CRITICAL (10.0) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
References:

ALT-PU-2024-8904-3

Package git updated to version 2.42.2-alt1 for branch p10 in task 350723.

Closed vulnerabilities

Published: 2022-02-11

BDU:2023-01718

Уязвимость распределенной системы управления версиями Git, связанная с раскрытием информации в ошибочной области данных, позволяющая нарушителю получить доступ к конфиденциальным данным

Severity: MEDIUM (5.9) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2024-05-14

BDU:2024-03872

Уязвимость распределенной системы контроля версий Git, связанная с неверным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.0) Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
References:
Published: 2022-02-11
Modified: 2024-11-21

CVE-2022-24975

The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2024-05-14
Modified: 2024-11-21

CVE-2024-32002

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Severity: CRITICAL (9.0) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
References:

Closed bugs

Bug #47999

git version update

VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top