ALT Linux Team

Branch sisyphus update on 2025-10-12

2025-10-12

ALT-BU-2025-12857-1

Branch sisyphus update bulletin.

ALT-PU-2025-12773-2

Package redis updated to version 7.2.11-alt1 for branch sisyphus in task 396608.

Closed vulnerabilities

Published: 2025-10-03

BDU:2025-12553

Уязвимость системы управления базами данных (СУБД) Redis, связанная с использованием памяти после её освобождения, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.9) Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL (9.0) Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
References:
Published: 2025-10-03

BDU:2025-12557

Уязвимость системы управления базами данных (СУБД) Redis, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

Severity: MEDIUM (6.0) Vector: AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Severity: MEDIUM (5.5) Vector: AV:L/AC:H/Au:S/C:C/I:C/A:N
References:
Published: 2025-10-03
Modified: 2025-10-08

CVE-2025-46817

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2025-10-03
Modified: 2025-10-10

CVE-2025-46818

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

Severity: HIGH (7.3) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2025-10-03
Modified: 2025-10-10

CVE-2025-46819

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

Severity: HIGH (7.1) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
References:
Published: 2025-10-03
Modified: 2025-10-16

CVE-2025-49844

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Severity: CRITICAL (9.9) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References:

ALT-PU-2025-12775-2

Package docs-alt-workstation updated to version 11.1-alt4 for branch sisyphus in task 396647.

Closed bugs

Bug #56263

В "⁠⁠76.1.1. Создание ключей для OpenVPN-туннеля средствами утилиты openssl" отзывается несуществующий сертификат

Bug #56277

В "⁠46.1.3. Настройка VPN-подключения по протоколу OpenVPN" указано неправильное изображение

ALT-PU-2025-12789-2

Package keycloak updated to version 26.4.0-alt1 for branch sisyphus in task 396676.

Closed vulnerabilities

Published: 2025-07-11

BDU:2025-08956

Уязвимость функции ClassUtils.getClass() библиотеки Apache Commons Lang для языка программирования Java, позволяющая нарушителю вызывать отказ в обслуживании

Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2025-07-11
Modified: 2025-07-28

CVE-2025-48924

Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Published: 2025-07-21
Modified: 2025-08-06

CVE-2025-7962

In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: MEDIUM (6.0) Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:

ALT-PU-2025-12825-2

Package raptor2 updated to version 2.0.16-alt2 for branch sisyphus in task 396625.

Closed vulnerabilities

Published: 2025-01-10

BDU:2025-03460

Уязвимость функции raptor_uri_normalize_path() библиотеки Raptor, позволяющая нарушителю получить выполнить произвольный код

Severity: CRITICAL (9.3) Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: HIGH (7.2) Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2024-03-28

BDU:2025-11887

Уязвимость функции raptor_ntriples_parse_term_internal() библиотеки RAPtor, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (4.0) Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: LOW (2.1) Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2025-01-10
Modified: 2025-09-29

CVE-2024-57822

In Raptor RDF Syntax Library through 2.0.16, there is a heap-based buffer over-read when parsing triples with the nquads parser in raptor_ntriples_parse_term_internal().

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2025-01-10
Modified: 2025-09-29

CVE-2024-57823

In Raptor RDF Syntax Library through 2.0.16, there is an integer underflow when normalizing a URI with the turtle parser in raptor_uri_normalize_path().

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2025-12835-1

Package golang updated to version 1.25.2-alt1 for branch sisyphus in task 396636.

Closed vulnerabilities

CVE-2025-47912

No data currently available.

CVE-2025-58183

No data currently available.

CVE-2025-58185

No data currently available.

CVE-2025-58186

No data currently available.

CVE-2025-58187

No data currently available.

CVE-2025-58188

No data currently available.

CVE-2025-58189

No data currently available.

CVE-2025-61723

No data currently available.

CVE-2025-61724

No data currently available.

CVE-2025-61725

No data currently available.

ALT-PU-2025-12851-1

Package krita updated to version 5.2.13-alt1 for branch sisyphus in task 396168.

Closed vulnerabilities

CVE-2025-59820

No data currently available.

VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top