ALT-BU-2025-16080-1
Branch sisyphus update bulletin.
Package nextcloud-client updated to version 4.0.4-alt1 for branch sisyphus in task 403000.
Closed vulnerabilities
Modified: 2025-12-09
CVE-2025-66549
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
Closed bugs
Build a fresh version of Nextcloud-client and dependent packages for gnome
Closed bugs
Error 'JAVA_HOME is not set' when installing the linstor-controller package
Closed vulnerabilities
Modified: 2025-12-29
CVE-2025-14177
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Modified: 2025-12-29
CVE-2025-14178
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
Modified: 2025-12-29
CVE-2025-14180
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in the pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
Package docs-alt-virtualization-pve updated to version 11.1-alt2 for branch sisyphus in task 403547.
Closed bugs
Typo in "Chapter 21. System boot"
Typo in chapter "28.2. Network device names"
Typo in chapter "28.4.2. Internal network for VMs"
Typos in chapter "30.3. Managing VMs with qm"
Typo in chapter "45.3. pvestatd — PVE Status service"
Incorrect product link in the documentation header
Typos in section 30.6.9.1. Configuring directory mapping
Typo in section "40.3.1. Creating a resource"
Typo in section "37.7.1. Schedule format"
Typo in section "37.1. Backup modes"
Typo in section "30.6.10. QEMU guest agent"
Typos in section "30.6.9.2. Adding VirtioFS to a VM"
Typo in section "55.2. The useradd command"
Typo in section "30.6.6. Trusted Platform Module (TPM)"
Typo in section "26.4.7. Local ZFS"
Typos in section "38.1.3. Webhook"
Typo in section "26.4.14.2. Encryption"
Typos in section "26.4.10. iSCSI"
Typo in section "26.6.5.2. Removing an OSD"
Typo in section "30.6.1.4. Moving a disk to another storage"
Typo in section "30.6.7. PCI(e) passthrough"
Typos in section "26.5.2.1. multipath configuration"
Typo in section "30.4. Hook scripts (hookscripts)"
Missing comma in the example in section "38.2.1. Calendar matching rules (match-calendar)"
Typo in section "26.5.1.1. Specifics of connecting storage systems over FC"
Typo in section "26.4.4. NFS"
Typo in section "30.6.1.3. Resizing a disk"
Typo in section "26.4.8. LVM"
Typo in section "30.6.5. BIOS and UEFI"
Typo in chapter "38. Notifications"
Extra preposition in section "30.6.1. Managing virtual disk images"
Closed vulnerabilities
Modified: 2025-12-29
CVE-2025-14177
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Modified: 2025-12-29
CVE-2025-14178
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
Modified: 2025-12-29
CVE-2025-14180
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in the pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.