ALT Linux Team

Branch sisyphus_e2k update on 2025-01-26

2025-01-26

ALT-BU-2025-2001-1

Branch sisyphus_e2k update bulletin.

ALT-PU-2025-1997-1

Package phpMyAdmin updated to version 5.2.2-alt1 for branch sisyphus_e2k.

Closed vulnerabilities

Published: 2024-04-17

BDU:2024-03171

Уязвимость функции iconv() системной библиотеки glibc, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2023-04-18
Modified: 2024-11-21

CVE-2023-30536

slim/psr7 is a PSR-7 implementation for use with Slim 4. In versions prior to 1.6.1 an attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. An attacker that is able to control the header names that are passed to Slilm-Psr7 would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with an PSR-18 HTTP client. The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests. The issue has been patched in version 1.6.1. There are no known workarounds to this issue. Users are advised to upgrade.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
References:
Published: 2024-04-17
Modified: 2025-02-13

CVE-2024-2961

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

References:

ALT-PU-2025-1999-1

Package valkey updated to version 8.0.2-alt1 for branch sisyphus_e2k.

Closed vulnerabilities

Published: 2025-01-06

BDU:2025-00214

Уязвимость системы управления базами данных (СУБД) Redis, связанная с использованием памяти после её освобождения, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (7.0) Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-10-31

BDU:2025-00449

Уязвимость системы управления базами данных Redis, связанная с недостаточной проверкой входных данных, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (4.4) Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2025-01-07
Modified: 2025-03-20

CVE-2024-46981

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

References:
Published: 2025-01-07

CVE-2024-51741

Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2.

References:

ALT-PU-2025-2000-1

Package libgtop updated to version 2.41.3-alt2 for branch sisyphus_e2k.

Closed bugs

Bug #41695

Содержит suid-бинарник

VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top