ALT-BU-2025-10705-1
Branch p11 update bulletin.
Package appstream-data-desktop updated to version 20250808-alt0.p11.1 for branch p11 in task 391690.
Closed bugs
Отсутствуют плагины для программы Тюнер в магазине приложений
Прошу добавить isoimagewriter в магазины приложений
Closed vulnerabilities
BDU:2025-05708
Уязвимость сервера приложений Apache Tomcat, связанная с неполной очисткой временных или вспомогательных ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2025-07526
Уязвимость сервера приложений Apache Tomcat, связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-08-08
CVE-2025-31650
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
Modified: 2025-08-08
CVE-2025-48988
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Closed vulnerabilities
BDU:2025-09074
Уязвимость программного средства управления и запуска OCI-контейнеров Podman, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю выполнить атаку типа «человек посередине»
Modified: 2025-07-30
CVE-2025-6032
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
- https://access.redhat.com/errata/RHSA-2025:10295
- https://access.redhat.com/errata/RHSA-2025:10549
- https://access.redhat.com/errata/RHSA-2025:10550
- https://access.redhat.com/errata/RHSA-2025:10551
- https://access.redhat.com/errata/RHSA-2025:10668
- https://access.redhat.com/errata/RHSA-2025:11363
- https://access.redhat.com/errata/RHSA-2025:11677
- https://access.redhat.com/errata/RHSA-2025:11681
- https://access.redhat.com/errata/RHSA-2025:9726
- https://access.redhat.com/errata/RHSA-2025:9751
- https://access.redhat.com/errata/RHSA-2025:9766
- https://access.redhat.com/security/cve/CVE-2025-6032
- https://bugzilla.redhat.com/show_bug.cgi?id=2372501
Package go-containerregistry updated to version 0.20.6-alt1 for branch p11 in task 392212.
Closed bugs
Некорректное отображение версии crane и gcrane
Closed bugs
Вместо onboard черное окно
Closed vulnerabilities
BDU:2025-06002
Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с ошибками разграничения доступа, позволяющая нарушителю нарушить работу программы
BDU:2025-06809
Уязвимость компонента Custom Frontend Plugin платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)
BDU:2025-08873
Уязвимость службы оповещения Alerts & IRM платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю раскрыть защищаемую информацию
BDU:2025-08910
Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)
BDU:2025-09887
Уязвимость компонента OSS Organization Switching платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю перенаправить пользователя на произвольный сайт
Modified: 2025-07-17
CVE-2025-3415
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01
Modified: 2025-05-23
CVE-2025-3580
An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.
Modified: 2025-08-15
CVE-2025-4123
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.
Modified: 2025-07-22
CVE-2025-6023
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01
Modified: 2025-07-22
CVE-2025-6197
An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL
Package kubernetes1.32 updated to version 1.32.7-alt1 for branch p11 in task 391028.
Closed vulnerabilities
BDU:2025-03638
Уязвимость языка программирования Go, связанная с неправильной проверкой синтаксической корректности ввода, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-05-01
CVE-2025-22868
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.