ALT-BU-2025-14243-1
Branch sisyphus_loongarch64 update bulletin.
Package alterator-users updated to version 10.27-alt1 for branch sisyphus_loongarch64.
Closed bugs
Не сохраняет реальное имя
Package lua5.3-module-luafilesystem updated to version 1.8.0-alt5_lr1 for branch sisyphus_loongarch64.
Closed bugs
lua5.4-module-luafilesystem-1.8.0-alt4_lr1.x86_64 конфликтует с файлом из пакета lua5.4-module-luafilesystem-1.8.0-alt3_lr1.x86_64
Package squid updated to version 7.3-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2025-10-27
BDU:2025-13226
Уязвимость конфигурации email_err_data on прокси-сервера Squid, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации
Modified: 2025-10-07
CVE-2025-59362
Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This occurs in asn_build_objid in lib/snmplib/asn1.c.
Modified: 2025-11-05
CVE-2025-62168
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.
Package jackson-databind updated to version 2.20.1-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2025-03-05
BDU:2023-05617
Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-03-05
BDU:2023-05618
Уязвимость библиотеки Jackson-databind проекта FasterXML, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-09-13
BDU:2024-00088
Уязвимость библиотеки jackson-databind, связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-03-05
BDU:2024-00114
Уязвимость библиотеки Jackson-databind, связанная с записью за границами буфера, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-01074
Уязвимость библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-08-27
CVE-2020-36518
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
- https://github.com/FasterXML/jackson-databind/issues/2816
- https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://security.netapp.com/advisory/ntap-20220506-0004/
- https://www.debian.org/security/2022/dsa-5283
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/FasterXML/jackson-databind/issues/2816
- https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://security.netapp.com/advisory/ntap-20220506-0004/
- https://www.debian.org/security/2022/dsa-5283
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Modified: 2025-02-26
CVE-2021-46877
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
Modified: 2024-11-21
CVE-2022-42003
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020
- https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33
- https://github.com/FasterXML/jackson-databind/issues/3590
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://security.gentoo.org/glsa/202210-21
- https://security.netapp.com/advisory/ntap-20221124-0004/
- https://www.debian.org/security/2022/dsa-5283
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020
- https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33
- https://github.com/FasterXML/jackson-databind/issues/3590
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://security.gentoo.org/glsa/202210-21
- https://security.netapp.com/advisory/ntap-20221124-0004/
- https://www.debian.org/security/2022/dsa-5283
Modified: 2024-11-21
CVE-2022-42004
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
- https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
- https://github.com/FasterXML/jackson-databind/issues/3582
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://security.gentoo.org/glsa/202210-21
- https://security.netapp.com/advisory/ntap-20221118-0008/
- https://www.debian.org/security/2022/dsa-5283
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490
- https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
- https://github.com/FasterXML/jackson-databind/issues/3582
- https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html
- https://security.gentoo.org/glsa/202210-21
- https://security.netapp.com/advisory/ntap-20221118-0008/
- https://www.debian.org/security/2022/dsa-5283
Modified: 2024-11-21
CVE-2023-35116
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
Package lua5.4-module-luafilesystem updated to version 1.8.0-alt5_lr1 for branch sisyphus_loongarch64.
Closed bugs
lua5.4-module-luafilesystem-1.8.0-alt4_lr1.x86_64 конфликтует с файлом из пакета lua5.4-module-luafilesystem-1.8.0-alt3_lr1.x86_64
Package kea updated to version 3.0.2-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2025-11-04
CVE-2025-11232
To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly. This issue affects Kea versions 3.0.1 through 3.0.1 and 3.1.1 through 3.1.2.
Package installer updated to version 1.16.29-alt1 for branch sisyphus_loongarch64.
Closed bugs
При установке на RAID не создан mdadm.conf, в результате система в состоянии degraded
Package python3 updated to version 3.13.9-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2025-10-29
BDU:2025-03332
Уязвимость модуля cpython языка программирования Python, позволяющая нарушителю нарушить выполнить произвольный код
Modified: 2025-11-03
CVE-2024-9287
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
- https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7
- https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db
- https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8
- https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
- https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
- https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483
- https://github.com/python/cpython/issues/124651
- https://github.com/python/cpython/pull/124712
- https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
- https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- https://security.netapp.com/advisory/ntap-20250425-0006/
Package docs-alt-workstation updated to version 11.1-alt5 for branch sisyphus_loongarch64.
Closed bugs
Исправления в описании утилиты chmod
Package openssh-gostcrypto updated to version 9.6p1-alt6.gost for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2025-10-29
BDU:2025-04768
Уязвимость службы sshd средства криптографической защиты OpenSSH, позволяющая нарушителю оказать воздействие на целостность защищаемой информации
Modified: 2025-05-22
CVE-2025-32728
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig
- https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367
- https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html
- https://www.openssh.com/txt/release-10.0
- https://www.openssh.com/txt/release-7.4
- https://lists.debian.org/debian-lts-announce/2025/05/msg00008.html
- https://security.netapp.com/advisory/ntap-20250425-0002/
Closed bugs
Настройка OpenSSH доступа по Рутокен MFA
ssh не подключается к некоторым серверам
Package lua5.1-module-luafilesystem updated to version 1.8.0-alt5_lr1 for branch sisyphus_loongarch64.
Closed bugs
lua5.4-module-luafilesystem-1.8.0-alt4_lr1.x86_64 конфликтует с файлом из пакета lua5.4-module-luafilesystem-1.8.0-alt3_lr1.x86_64
Package openvpn updated to version 2.6.15-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2025-09-22
BDU:2025-05051
Уязвимость функции TLS-crypt-v2 сервера программного обеспечения OpenVPN, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-23
CVE-2025-2704
OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase