Branch c10f2 update bulletin.

Package libjemalloc2 updated to version 5.3.0-alt2.1 for branch c10f2 in task 401287.

No data currently available.

Package golang updated to version 1.25.5-alt1 for branch c10f2 in task 401654.

Published: 2024-04-10
Modified: 2025-11-18

CVE-2024-3566

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Published: 2025-12-03
Modified: 2025-12-18

CVE-2025-61727

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Published: 2025-12-02
Modified: 2025-12-19

CVE-2025-61729

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Version: 2.1.2

Branch c10f2 update on 2025-12-04

ALT-BU-2025-15327-1

ALT-PU-2025-15179-2

Closed vulnerabilities

OVE-20251128-0004

ALT-PU-2025-15286-2

Closed vulnerabilities

CVE-2024-3566

CVE-2025-61727

CVE-2025-61729