ALT Linux Team

Branch c10f2 update on 2025-11-18

2025-11-18

ALT-BU-2025-14669-1

Branch c10f2 update bulletin.

ALT-PU-2025-14427-3

Package hostapd updated to version 2.11-alt1 for branch c10f2 in task 399950.

Closed vulnerabilities

Published: 2025-02-11
Modified: 2025-11-03

CVE-2022-37660

In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past, will be able to subvert a future bootstrapping by passively observing public keys, re-using the encrypting element Qi and subtracting it from the captured message M (X = M - Qi). This will result in the public ephemeral key X; the only element required to subvert the PKEX association.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References:

ALT-PU-2025-14520-2

Package alt-chksum updated to version 0.1.6-alt1 for branch c10f2 in task 400092.

Closed vulnerabilities

OVE-20251114-0001

No data currently available.

ALT-PU-2025-14522-2

Package expat updated to version 2.5.0-alt3 for branch c10f2 in task 400094.

Closed vulnerabilities

Published: 2024-03-14
Modified: 2025-12-03

BDU:2024-01976

Уязвимость библиотеки синтаксического анализатора XML libexpat, связанная с неверным ограничением XML-ссылок на внешние объекты, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2024-06-04
Modified: 2025-12-03

BDU:2024-04334

Уязвимость библиотеки для анализа XML-файлов libexpat, связанная с неправильным ограничением рекурсивных ссылок на объекты в DTD, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (5.1) Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: MEDIUM (4.0) Vector: AV:L/AC:H/Au:N/C:N/I:N/A:C
References:
Published: 2024-09-13
Modified: 2025-12-03

BDU:2024-07004

Уязвимость библиотеки для анализа XML-файлов libexpat, связанная с неправильным ограничением ссылки на внешнюю сущность XML, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0) Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2024-09-23
Modified: 2025-12-03

BDU:2024-07376

Уязвимость функции nextScaffoldPart() (xmlparse.c) библиотеки для анализа XML-файлов libexpat, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код

Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0) Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2024-02-04
Modified: 2025-11-04

CVE-2023-52426

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-03-10
Modified: 2025-11-04

CVE-2024-28757

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-08-30
Modified: 2025-11-04

CVE-2024-45490

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-08-30
Modified: 2025-11-04

CVE-2024-45492

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:

ALT-PU-2025-14528-2

Package libraw updated to version 0.20.2-alt1.2 for branch c10f2 in task 400105.

Closed vulnerabilities

Published: 2023-06-26
Modified: 2025-12-03

BDU:2023-03406

Уязвимость функции raw2image_ex() библиотеки для обработки изображений LibRaw, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2025-09-01
Modified: 2025-12-03

BDU:2025-10595

Уязвимость функции phase_one_correct() компонента decoders/load_mfbacks.cpp библиотеки для обработки изображений LibRaw, позволяющая нарушителю выполнить произвольный код

Severity: LOW (2.9) Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: LOW (1.2) Vector: AV:L/AC:H/Au:N/C:N/I:N/A:P
References:
Published: 2025-09-01
Modified: 2025-12-03

BDU:2025-10596

Уязвимость компонента metadata/tiff.cpp библиотеки для обработки изображений LibRaw, позволяющая нарушителю выполнить произвольный код

Severity: LOW (2.9) Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: LOW (1.2) Vector: AV:L/AC:H/Au:N/C:N/I:N/A:P
References:
Published: 2025-09-01
Modified: 2025-12-03

BDU:2025-10597

Уязвимость функции phase_one_correct() компонента decoders/load_mfbacks.cpp библиотеки для обработки изображений LibRaw, позволяющая нарушителю выполнить произвольный код

Severity: LOW (2.9) Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: LOW (1.2) Vector: AV:L/AC:H/Au:N/C:N/I:N/A:P
References:
Published: 2025-09-01
Modified: 2025-12-03

BDU:2025-10598

Уязвимость функции phase_one_correct() компонента decoders/load_mfbacks.cpp библиотеки для обработки изображений LibRaw, позволяющая нарушителю выполнить произвольный код

Severity: LOW (2.9) Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: LOW (1.2) Vector: AV:L/AC:H/Au:N/C:N/I:N/A:P
References:
Published: 2023-05-15
Modified: 2025-03-20

CVE-2023-1729

A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted file may lead to an application crash.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2025-04-21
Modified: 2025-11-03

CVE-2025-43961

In LibRaw before 0.21.4, metadata/tiff.cpp has an out-of-bounds read in the Fujifilm 0xf00c tag parser.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Published: 2025-04-21
Modified: 2025-11-03

CVE-2025-43962

In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Published: 2025-04-21
Modified: 2025-11-03

CVE-2025-43963

In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp allows out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Published: 2025-04-21
Modified: 2025-11-03

CVE-2025-43964

In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does not enforce minimum w0 and w1 values.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:

ALT-PU-2025-14634-2

Package alt-chksum updated to version 0.1.7-alt1 for branch c10f2 in task 400331.

Closed vulnerabilities

OVE-20251117-0001

No data currently available.

VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top