ALT Linux Team

Branch p11 update on 2025-12-06

2025-12-06

ALT-BU-2025-15420-3

Branch p11 update bulletin.

ALT-PU-2025-14856-2

Package sbctl updated to version 0.18-alt1 for branch p11 in task 400649.

Closed bugs

Bug #54781

Ошибки /boot/efi/EFI/BOOT/grub.cfg: invalid pe header

ALT-PU-2025-15127-2

Package uwsm updated to version 0.24.3-alt2 for branch p11 in task 400650.

Closed bugs

Bug #57047

Много лишних зависимостей

ALT-PU-2025-15267-2

Package chromium updated to version 142.0.7444.175-alt0.p11.1 for branch p11 in task 401550.

Closed vulnerabilities

Published: 2025-11-20
Modified: 2026-03-04

BDU:2025-14497

Уязвимость обработчика JavaScript-сценариев V8 браузера Google Chrome, связанная с ошибками смешения типов данных, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (8.8)Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2025-11-20
Modified: 2026-03-04

BDU:2025-14498

Уязвимость обработчика JavaScript-сценариев V8 браузера Google Chrome, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (8.8)Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2025-11-17
Modified: 2025-12-02

CVE-2025-13223

Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2025-11-17
Modified: 2025-11-19

CVE-2025-13224

Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:

ALT-PU-2025-15279-2

Package libaccounts-glib updated to version 1.27-alt2 for branch p11 in task 401617.

Closed bugs

Bug #53179

Не отображаются сервисы, для которых можно добавить учетные записи

ALT-PU-2025-15321-2

Package catfish updated to version 4.20.1-alt2 for branch p11 in task 400977.

Closed bugs

Bug #57104

Не работает поиск по содержимому файла в catfish

ALT-PU-2025-15343-3

Package pgbouncer updated to version 1.25.1-alt1 for branch p11 in task 401757.

Closed vulnerabilities

Published: 2025-12-05
Modified: 2026-03-13

BDU:2025-15208

Уязвимость программного обеспечения для пула соединения в PostgreSQL PgBouncer, связанная с ненадежным путем поиска, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5)Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.1)Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
References:
Published: 2025-12-03
Modified: 2025-12-27

CVE-2025-12819

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:

ALT-PU-2025-15362-3

Package golang updated to version 1.25.5-alt1 for branch p11 in task 401653.

Closed vulnerabilities

Published: 2025-12-24
Modified: 2026-04-20

BDU:2025-16242

Уязвимость функции HostnameError.Error() пакета crypto/x509 языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2026-01-12
Modified: 2026-04-20

BDU:2026-00268

Уязвимость языка программирования Go, связанная с недостатками процедуры авторизации, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM (6.4)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
References:
Published: 2025-12-03
Modified: 2025-12-18

CVE-2025-61727

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References:
Published: 2025-12-02
Modified: 2025-12-19

CVE-2025-61729

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2025-12-10

GHSA-mjcp-gpgx-ggcg

OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs

Severity: MEDIUM (5.9)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
References:
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top