ALT-BU-2025-12393-1
Branch sisyphus update bulletin.
Closed vulnerabilities
BDU:2025-09899
Vulnerability in the HTTP/2 handler of the Apache Tomcat application server that allows an attacker to cause a denial of service
Modified: 2025-08-18
CVE-2025-48989
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the "made you reset" HTTP/2 denial-of-service attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108, which fix the issue.
Closed vulnerabilities
Modified: 2025-09-08
CVE-2025-58056
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts a standalone newline character (LF) as the chunk-size line terminator, whether or not a carriage return (CR) precedes it, instead of requiring CRLF as HTTP/1.1 does. When combined with a reverse proxy that parses LF differently (treating it as part of the chunk extension, so the line only ends at CRLF), an attacker can craft a request that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
- https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
- https://github.com/JLLeitschuh/unCVEed/issues/1
- https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
- https://github.com/netty/netty/issues/15522
- https://github.com/netty/netty/pull/15611
- https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
- https://w4ke.info/2025/06/18/funky-chunks.html
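The framing disagreement behind CVE-2025-58056, as an added example (toy parsers written for this bulletin, not Netty's or any proxy's code). One chunked-body decoder is run with three policies for a bare LF in the chunk-size line: the proxy reading from the advisory (LF is just an extension byte, the line ends at CRLF), the pre-fix Netty reading (bare LF ends the line), and the hardened reading (bare LF is a framing error). The attacker body, the /admin path and the Host value are constructed for the example; the hidden second request carries a Content-Length: 5 body that is exactly the "0\r\n\r\n" the proxy needs as its last-chunk, so the same bytes are well-formed under both readings.

```python
"""Chunked-body framing under three bare-LF policies (added example)."""

HEX = frozenset(b"0123456789abcdefABCDEF")


def _read_size_line(data: bytes, pos: int, lf_policy: str):
    """Return (chunk_size, position just after the line terminator)."""
    if lf_policy == "extension":
        # proxy view from the advisory: the line only ends at CRLF,
        # a lone LF is treated as part of the chunk extension
        end = data.index(b"\r\n", pos)
        line, nxt = data[pos:end], end + 2
    else:
        lf = data.index(b"\n", pos)
        if lf > pos and data[lf - 1] == 0x0D:          # proper CRLF
            line, nxt = data[pos:lf - 1], lf + 1
        elif lf_policy == "reject":                     # hardened
            raise ValueError("bare LF in chunk-size line at offset %d" % lf)
        else:                                           # "terminator": pre-fix Netty
            line, nxt = data[pos:lf], lf + 1
    size_hex = line.split(b";", 1)[0].strip()
    if not size_hex or any(c not in HEX for c in size_hex):
        raise ValueError("bad chunk size %r" % size_hex)
    return int(size_hex, 16), nxt


def parse_chunked(data: bytes, lf_policy: str):
    """Decode one chunked body from offset 0; return (body, unconsumed bytes)."""
    body, pos = bytearray(), 0
    while True:
        size, pos = _read_size_line(data, pos, lf_policy)
        if size == 0:
            # last-chunk; no trailer fields in this example, so one empty line ends the body
            if data[pos:pos + 2] != b"\r\n":
                raise ValueError("expected CRLF after last-chunk")
            return bytes(body), data[pos + 2:]
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("expected CRLF after chunk data")
        pos += 2
        body += chunk


# Constructed attacker body (not from the advisory or the Netty issue).
SMUGGLED_HEAD = (b"POST /admin HTTP/1.1\r\n"      # hypothetical target path
                 b"Host: backend\r\n"             # hypothetical host
                 b"Content-Length: 5\r\n")
FIRST_CHUNK_SIZE = len(SMUGGLED_HEAD) + 5         # the proxy's chunk must cover "0\r\n\r\n" + head
ATTACK_BODY = (
    b"%x;\n" % FIRST_CHUNK_SIZE     # size line: old Netty stops at the bare LF
    + b"A" * FIRST_CHUNK_SIZE       # the proxy is still reading the "extension"
    + b"\r\n"                       # proxy: end of size line; Netty: end of chunk data
    + b"0\r\n\r\n"                  # Netty: end of request 1
    + SMUGGLED_HEAD + b"\r\n"       # Netty: request 2 headers; proxy: remainder of chunk 1
    + b"0\r\n\r\n"                  # Netty: request 2 body; proxy: end of request 1
)


def requests_seen(data: bytes, lf_policy: str) -> int:
    """1 if the whole stream is one body, 2 if leftover bytes begin a new request-line."""
    _body, rest = parse_chunked(data, lf_policy)
    return 2 if rest.startswith((b"GET ", b"POST ")) else 1


def is_rejected(data: bytes, lf_policy: str) -> bool:
    try:
        parse_chunked(data, lf_policy)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for policy in ("extension", "terminator", "reject"):
        print(policy, "rejected" if is_rejected(ATTACK_BODY, policy)
              else "requests=%d" % requests_seen(ATTACK_BODY, policy))
```

The "reject" policy is the posture RFC 9112 calls for and the one the fixed Netty versions adopt for the chunk-size line; a parser that silently tolerates either reading of a bare LF is only safe if every hop in front of it tolerates the same one.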
Modified: 2025-09-08
CVE-2025-58057
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients. In netty-codec versions 4.1.124.Final and below, and netty-codec-compression versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit on how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
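The pull loop described for CVE-2025-58057, with the missing cap added, as an added example (written for this bulletin, not Netty's code). It uses zlib from the Python standard library as a stand-in for Brotli because the loop shape is the point, not the algorithm: output is pulled 64 KiB at a time, every pulled buffer is kept, and with max_output=None the loop runs until the stream ends, however large that is, which is the pattern the advisory describes. With a cap, the running total is checked before each pulled buffer is kept. The two compressed inputs are constructed here.

```python
"""Decompression with a bound on total output (added example, zlib stand-in)."""
import zlib

PULL_SIZE = 64 * 1024   # 64 KiB per pull, as in the advisory's description


class OutputLimitExceeded(Exception):
    pass


def inflate(compressed: bytes, max_output=None) -> bytes:
    """Pull decompressed output PULL_SIZE bytes at a time.

    max_output=None keeps every buffer until the stream ends (the unbounded
    pattern from the advisory); otherwise the total is capped and the call
    fails as soon as the cap is crossed, with only the buffers so far allocated.
    """
    d = zlib.decompressobj()
    pulled, total = [], 0
    data = compressed
    while not d.eof:
        before = data
        out = d.decompress(data, PULL_SIZE)   # at most PULL_SIZE bytes per call
        data = d.unconsumed_tail              # input zlib has not consumed yet
        if out:
            total += len(out)
            if max_output is not None and total > max_output:
                raise OutputLimitExceeded(
                    "output would exceed %d bytes after %d input bytes"
                    % (max_output, len(compressed) - len(data)))
            pulled.append(out)
        elif data == before:
            # no output and no input consumed: the stream is truncated
            raise ValueError("truncated compressed stream")
    return b"".join(pulled)


def exceeds_limit(compressed: bytes, max_output: int) -> bool:
    try:
        inflate(compressed, max_output)
    except OutputLimitExceeded:
        return True
    return False


# Constructed inputs (not from the advisory): a few KiB that expand to 8 MiB,
# and a small stream that fits comfortably under a 1 MiB cap.
BOMB = zlib.compress(b"\0" * (8 * 1024 * 1024), 9)
SMALL = zlib.compress(b"hello world " * 1000, 9)

if __name__ == "__main__":
    print("bomb: %d compressed bytes" % len(BOMB))
    print("bomb exceeds 1 MiB cap:", exceeds_limit(BOMB, 1 << 20))
    print("small exceeds 1 MiB cap:", exceeds_limit(SMALL, 1 << 20))
```

The cap must be checked against cumulative output, not per pull: each individual pull here is a harmless 64 KiB, and it is only the unbounded number of kept pulls that the advisory describes as leading to OOM.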
Package make-initrd updated to version 2.55.1-alt5 for branch sisyphus in task 395818.
Closed bugs
The modules-virtio feature does not add modules
Closed vulnerabilities
Modified: 2025-09-08
CVE-2025-57052
cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.
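A strict JSON Pointer (RFC 6901) resolver, added here as an example of the check the cJSON issue above calls for (written for this bulletin, not cJSON's code). The array-index reference token is validated byte by byte: only ASCII digits, no leading zeros other than "0" itself, and nothing else, so a token such as "1a" is refused instead of being turned into an index, and every accepted index is compared against the array length before it is used. The "-" token (JSON Patch "append") is treated as invalid for lookups. The sample document is constructed here.

```python
"""Strict RFC 6901 array-index handling (added example)."""
import json
import re

# canonical non-negative decimal: "0" or a digit string without a leading zero
ARRAY_INDEX = re.compile(r"\A(0|[1-9][0-9]*)\Z")


def unescape_token(token: str) -> str:
    # RFC 6901 section 4: replace "~1" with "/" first, then "~0" with "~"
    return token.replace("~1", "/").replace("~0", "~")


def decode_array_index(token: str):
    """Index encoded by an unescaped token, or None if it is not a canonical index.

    Any non-digit byte anywhere in the token, a leading zero, a sign or an
    empty token yields None; the caller never gets a partially parsed number.
    """
    return int(token) if ARRAY_INDEX.match(token) else None


def resolve(document, pointer: str):
    """Return the value the pointer addresses; raise on any malformed step."""
    if pointer == "":
        return document
    if not pointer.startswith("/"):
        raise ValueError("pointer must be empty or start with '/'")
    node = document
    for raw in pointer.split("/")[1:]:
        token = unescape_token(raw)
        if isinstance(node, list):
            index = decode_array_index(token)
            if index is None:
                raise ValueError("non-numeric array index %r" % token)
            if index >= len(node):      # bounds check on the validated index
                raise IndexError("index %d out of range for array of %d"
                                 % (index, len(node)))
            node = node[index]
        elif isinstance(node, dict):
            if token not in node:
                raise KeyError(token)
            node = node[token]
        else:
            raise TypeError("cannot descend into scalar at %r" % token)
    return node


def resolves(document, pointer: str) -> bool:
    try:
        resolve(document, pointer)
    except (ValueError, IndexError, KeyError, TypeError):
        return False
    return True


# Constructed sample document (not from the advisory)
DOC = json.loads('{"a": [10, 20, 30], "b/c": {"~": 1}, "s": "x"}')

if __name__ == "__main__":
    for p in ("/a/1", "/a/1a", "/a/01", "/a/3", "/b~1c/~0"):
        print(p, "->", resolve(DOC, p) if resolves(DOC, p) else "rejected")
```

Note that the rejection happens before any arithmetic on the token; a decoder that accumulates digits and only checks the terminating character afterwards has already produced a number from bytes it should never have accepted.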
Package docs-alt-domain updated to version 11.0-alt2 for branch sisyphus in task 395863.
Closed bugs
Fix typos in the docs-alt-domain documentation (five separate reports)
Typos in the documentation text
The -H and --URL options are not recognized when trying to add a DNS record
Unsuitable refresh interval when changing zone parameters
[FR] Add an exit command to nsupdate
The self-signed certificate is not verified by the command given in the documentation
[FR] Note that when creating a two-way trust, it is enough to create it on one side
The IP in the screenshot does not match the IP in the text