ALT Linux Team

Branch c10f2 update on 2025-10-15

2025-10-15

ALT-BU-2025-12989-1

Branch c10f2 update bulletin.

ALT-PU-2025-12795-3

Package python3 updated to version 3.9.20-alt0.c10f2.2 for branch c10f2 in task 396684.

Closed vulnerabilities

Published: 2025-03-27
Modified: 2025-11-19

BDU:2025-03332

Уязвимость модуля cpython языка программирования Python, позволяющая нарушителю нарушить выполнить произвольный код

Severity: HIGH (7.8) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: MEDIUM (6.8) Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C
References:
Published: 2024-10-22
Modified: 2025-11-03

CVE-2024-9287

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: MEDIUM (5.3) Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
References:

ALT-PU-2025-12815-3

Package jackson-databind updated to version 2.11.4-alt1_3jpp11 for branch c10f2 in task 392875.

Closed vulnerabilities

Published: 2024-01-06
Modified: 2024-09-13

BDU:2024-00088

Уязвимость библиотеки jackson-databind, связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2023-03-18
Modified: 2025-02-26

CVE-2021-46877

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2025-12927-2

Package raptor2 updated to version 2.0.16-alt2 for branch c10f2 in task 396993.

Closed vulnerabilities

Published: 2025-03-27
Modified: 2025-11-19

BDU:2025-03460

Уязвимость функции raptor_uri_normalize_path() библиотеки Raptor, позволяющая нарушителю получить выполнить произвольный код

Severity: CRITICAL (9.3) Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: HIGH (7.2) Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2025-09-28
Modified: 2025-10-29

BDU:2025-11887

Уязвимость функции raptor_ntriples_parse_term_internal() библиотеки RAPtor, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (4.0) Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: LOW (2.1) Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2025-01-10
Modified: 2025-11-03

CVE-2024-57822

In Raptor RDF Syntax Library through 2.0.16, there is a heap-based buffer over-read when parsing triples with the nquads parser in raptor_ntriples_parse_term_internal().

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2025-01-10
Modified: 2025-11-03

CVE-2024-57823

In Raptor RDF Syntax Library through 2.0.16, there is an integer underflow when normalizing a URI with the turtle parser in raptor_uri_normalize_path().

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top