ALT-BU-2025-11934-1
Branch sisyphus_e2k update bulletin.
Package exiv2 updated to version 0.28.7-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2025-09-02
CVE-2025-54080
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6.
Modified: 2025-09-02
CVE-2025-55304
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.
Package alt-components-base updated to version 0.8.3-alt1 for branch sisyphus_e2k.
Closed bugs
The glibc package is missing from the image
The haproxy and keepalived packages are missing from the image
Package alterator-l10n updated to version 2.9.166-alt1 for branch sisyphus_e2k.
Closed bugs
Missing translation of the message about mismatched passwords
Package diag-domain-client updated to version 0.5-alt1 for branch sisyphus_e2k.
Closed bugs
diag-domain-client: check_domain_controllers: ldapsearch: unrecognized option -h
Package adt updated to version 0.1.12-alt1 for branch sisyphus_e2k.
Closed bugs
White text on a white background in the tooltip
Package libsoup updated to version 2.74.3-alt2.1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2025-10-29
BDU:2025-04723
Vulnerability in the soup_message_headers_get_content_disposition() function of the libsoup library of the GNOME graphical interface, allowing an attacker to execute arbitrary code
Modified: 2025-10-29
BDU:2025-06242
Vulnerability in the soup_message_headers_get_content_disposition() function of the libsoup library of the GNOME graphical interface, allowing an attacker to cause a denial of service
Modified: 2025-11-18
CVE-2025-32911
A use-after-free type vulnerability was found in libsoup, in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server.
- https://access.redhat.com/errata/RHSA-2025:21657
- https://access.redhat.com/errata/RHSA-2025:4439
- https://access.redhat.com/errata/RHSA-2025:4440
- https://access.redhat.com/errata/RHSA-2025:4508
- https://access.redhat.com/errata/RHSA-2025:4538
- https://access.redhat.com/errata/RHSA-2025:4560
- https://access.redhat.com/errata/RHSA-2025:4568
- https://access.redhat.com/errata/RHSA-2025:4609
- https://access.redhat.com/errata/RHSA-2025:4624
- https://access.redhat.com/errata/RHSA-2025:7436
- https://access.redhat.com/errata/RHSA-2025:8292
- https://access.redhat.com/errata/RHSA-2025:9179
- https://access.redhat.com/security/cve/CVE-2025-32911
- https://bugzilla.redhat.com/show_bug.cgi?id=2359355
- https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html
Modified: 2025-11-18
CVE-2025-32913
A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function.
- https://access.redhat.com/errata/RHSA-2025:21657
- https://access.redhat.com/errata/RHSA-2025:4439
- https://access.redhat.com/errata/RHSA-2025:4440
- https://access.redhat.com/errata/RHSA-2025:4508
- https://access.redhat.com/errata/RHSA-2025:4538
- https://access.redhat.com/errata/RHSA-2025:4560
- https://access.redhat.com/errata/RHSA-2025:4568
- https://access.redhat.com/errata/RHSA-2025:4609
- https://access.redhat.com/errata/RHSA-2025:4624
- https://access.redhat.com/errata/RHSA-2025:7436
- https://access.redhat.com/errata/RHSA-2025:8292
- https://access.redhat.com/errata/RHSA-2025:9179
- https://access.redhat.com/security/cve/CVE-2025-32913
- https://bugzilla.redhat.com/show_bug.cgi?id=2359357
- https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html
Closed bugs
Vulnerability BDU:2025-06242
Package 7-zip updated to version 25.01-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
Modified: 2025-10-29
BDU:2025-09673
Vulnerability in the 7-Zip file archiver related to incorrect resolution of symbolic links before file access, allowing an attacker to bypass security restrictions
Modified: 2025-11-04
CVE-2025-55188
7-Zip before 25.01 does not always properly handle symbolic links during extraction.
- https://github.com/ip7z/7zip/compare/25.00...25.01
- https://github.com/ip7z/7zip/releases/tag/25.01
- https://github.com/lunbun/CVE-2025-55188/
- https://lunbun.dev/blog/cve-2025-55188/
- https://sourceforge.net/p/sevenzip/discussion/45797/thread/da14cd780b/
- https://www.openwall.com/lists/oss-security/2025/08/09/1
- https://www.vicarius.io/vsociety/posts/cve-2025-55188-detect-7-zip-vulnerable-version
- https://www.vicarius.io/vsociety/posts/cve-2025-55188-mitigate-7-zip-vulnerability
- https://youtu.be/sWT6M1cfnwM
- http://www.openwall.com/lists/oss-security/2025/08/09/1
- http://www.openwall.com/lists/oss-security/2025/08/10/1
- http://www.openwall.com/lists/oss-security/2025/08/13/1
- http://www.openwall.com/lists/oss-security/2025/10/12/2
- http://www.openwall.com/lists/oss-security/2025/10/16/7