ALT-BU-2025-12529-1
Branch p11 update bulletin.
Package u-boot-rockchip updated to version 2025.07-alt1 for branch p11 in task 390418.
Closed bugs
Поддержка портативных приставок Powkiddy
Package libopenjpeg2.0 updated to version 2.5.4-alt1 for branch p11 in task 395555.
Closed vulnerabilities
Modified: 2025-09-26
CVE-2025-54874
OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.
Closed vulnerabilities
Modified: 2025-09-08
CVE-2025-58056
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
- https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
- https://github.com/JLLeitschuh/unCVEed/issues/1
- https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
- https://github.com/netty/netty/issues/15522
- https://github.com/netty/netty/pull/15611
- https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
- https://w4ke.info/2025/06/18/funky-chunks.html
Modified: 2025-09-08
CVE-2025-58057
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Closed vulnerabilities
Modified: 2025-09-08
CVE-2025-57052
cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.
Closed bugs
Неисправимая ошибка: Failed to obtain authentication.
altcenter - Раздел "Полезная информация"