ALT Linux Team

Branch sisyphus_riscv64 update on 2025-12-19

2025-12-19

ALT-BU-2025-15960-1

Branch sisyphus_riscv64 update bulletin.

ALT-PU-2025-15956-1

Package libreoffice updated to version 25.8.4.2-alt1 for branch sisyphus_riscv64.

Closed vulnerabilities

Published: 2025-12-15
Modified: 2025-12-15

CVE-2025-14714

An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle By executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges In fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4.

Severity: LOW (0.9) Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:

ALT-PU-2025-15958-1

Package dogtag-pki updated to version 11.6.1-alt2 for branch sisyphus_riscv64.

Closed bugs

Bug #57281

fails to start with JDK 25

ALT-PU-2025-15959-1

Package zabbix updated to version 7.0.22-alt1 for branch sisyphus_riscv64.

Closed vulnerabilities

Published: 2025-12-15

BDU:2025-15873

Уязвимость сценария imgstore.php системы мониторинга ИТ-инфраструктуры Zabbix, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (6.5) Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: MEDIUM (6.1) Vector: AV:A/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2025-12-15

BDU:2025-15875

Уязвимость компонента Agent системы мониторинга ИТ-инфраструктуры Zabbix, позволяющая нарушителю получить доступ на запись произвольных системных файлов

Severity: HIGH (7.3) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Severity: MEDIUM (6.4) Vector: AV:L/AC:L/Au:S/C:P/I:C/A:C
References:
Published: 2025-12-01
Modified: 2025-12-01

CVE-2025-49642

Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory.

Severity: MEDIUM (5.8) Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2025-12-01
Modified: 2025-12-01

CVE-2025-49643

An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.

Severity: MEDIUM (6.0) Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top