ALT-BU-2025-16140-1
Branch sisyphus_loongarch64 update bulletin.
Package apt updated to version 0.5.15lorg2-alt98 for branch sisyphus_loongarch64.
Closed bugs
Ошибка при установке пакетов больше 2 Гб на ALT Linux
Package lightdm-kde-greeter updated to version 6.1.2-alt1 for branch sisyphus_loongarch64.
Closed bugs
После переподключения второго монитора в kwin_wayland greeter'е перестаёт работать клавиатура
Package erc updated to version 1.1.7-alt1 for branch sisyphus_loongarch64.
Closed bugs
Не работает опция -b для бенчмарка процессора, хотя указана в справке
Package php8.4 updated to version 8.4.16-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2025-12-29
CVE-2025-14177
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Modified: 2025-12-29
CVE-2025-14178
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
Modified: 2025-12-29
CVE-2025-14180
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
Package duckdb updated to version 1.4.3-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2025-11-25
CVE-2025-64429
DuckDB is a SQL database management system. DuckDB implemented block-based encryption of DB on the filesystem starting with DuckDB 1.4.0. There are a few issues related to this implementation. The DuckDB can fall back to an insecure random number generator (pcg32) to generate cryptographic keys or IVs. When clearing keys from memory, the compiler may remove the memset() and leave sensitive data on the heap. By modifying the database header, an attacker could downgrade the encryption mode from GCM to CTR to bypass integrity checks. There may be a failure to check return value on call to OpenSSL `rand_bytes()`. An attacker could use public IVs to compromise the internal state of RNG and determine the randomly generated key used to encrypt temporary files, get access to cryptographic keys if they have access to process memory (e.g. through memory leak),circumvent GCM integrity checks, and/or influence the OpenSSL random number generator and DuckDB would not be able to detect a failure of the generator. Version 1.4.2 has disabled the insecure random number generator by no longer using the fallback to write to or create databases. Instead, DuckDB will now attempt to install and load the OpenSSL implementation in the `httpfs` extension. DuckDB now uses secure MbedTLS primitive to clear memory as recommended and requires explicit specification of ciphers without integrity checks like CTR on `ATTACH`. Additionally, DuckDB now checks the return code.
Package php8.3 updated to version 8.3.29-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2025-12-29
CVE-2025-14177
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Modified: 2025-12-29
CVE-2025-14178
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
Modified: 2025-12-29
CVE-2025-14180
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
Package docs-alt-virtualization-pve updated to version 11.1-alt2 for branch sisyphus_loongarch64.
Closed bugs
Опечатка в "Глава 21. Загрузка системы"
Опечатка в главе "28.2. Имена сетевых устройств"
Опечатка в главе "28.4.2. Внутренняя сеть для ВМ"
Опечатки в главе "30.3. Управление ВМ с помощью qm"
Опечатка в главе "45.3. pvestatd — служба PVE Status"
Неправильная ссылка на продукт в шапке документации
Опечатки в разделе 30.6.9.1. Настройка сопоставление каталогов
Опечатка в разделе "40.3.1. Создание ресурса"
Опечатка в разделе "37.7.1. Формат расписания"
Опечатка в разделе "37.1. Режимы резервного копирования"
Опечатка в разделе "30.6.10. Гостевой агент QEMU"
Опечатки в разделе "30.6.9.2. Добавление VirtioFS в ВМ"
Опечатка в разделе "55.2. Команда useradd"
Опечатка в разделе "30.6.6. Доверенный платформенный модуль (TPM)"
Опечатка в разделе "26.4.7. Локальный ZFS"
Опечатки в разделе "38.1.3. Webhook"
Опечатка в разделе "26.4.14.2. Шифрование"
Опечатки в разделе "26.4.10. iSCSI"
Опечатка в разделе "26.6.5.2. Удаление OSD"
Опечатка в разделе "30.6.1.4. Перемещение диска в другое хранилище"
Опечатка в разделе "30.6.7. Проброс PCI(e)"
Опечатки в разделе "26.5.2.1. Конфигурация multipath"
Опечатка в разделе "30.4. Сценарии перехвата (hookscripts)"
Пропущенная запятая в примере раздела "38.2.1. Правила сопоставления по календарю (match-calendar)"
Опечатка в разделе "26.5.1.1. Особенности подключения СХД по FC"
Опечатка в разделе "26.4.4. NFS"
Опечатка в разделе "30.6.1.3. Изменение размера диска"
Опечатка в разделе "26.4.8. LVM"
Опечатка в разделе "30.6.5. BIOS и UEFI"
Опечатка в главе "38. Уведомления"
Лишний предлог в разделе "30.6.1. Управление образами виртуальных дисков"
Package alien updated to version 8.95.9-alt4 for branch sisyphus_loongarch64.
Closed bugs
alien ожидает slack-специфичную структуру пакета при преобразовании из tgz