ALT-BU-2025-2364-1
Branch p10_e2k update bulletin.
Closed vulnerabilities
BDU:2023-07324
Уязвимость компонентов lib/comp/comp.c, lib/comp/zstd/zstd.c, lib/dl/multipart.c или lib/header.c программного средства для уменьшения размера файлов в формате RPM zchunk, позволяющая нарушителю выполнить произвольный код
Modified: 2024-11-21
CVE-2023-46228
zchunk before 1.3.2 has multiple integer overflows via malformed zchunk files to lib/comp/comp.c, lib/comp/zstd/zstd.c, lib/dl/multipart.c, or lib/header.c.
- https://bugzilla.suse.com/show_bug.cgi?id=1216268
- https://bugzilla.suse.com/show_bug.cgi?id=1216268
- https://github.com/zchunk/zchunk/commit/08aec2b4dfd7f709b6e3d511411ffcc83ed4efbe
- https://github.com/zchunk/zchunk/commit/08aec2b4dfd7f709b6e3d511411ffcc83ed4efbe
- https://github.com/zchunk/zchunk/compare/1.3.1...1.3.2
- https://github.com/zchunk/zchunk/compare/1.3.1...1.3.2
Package python3-module-tqdm updated to version 4.66.5-alt1.p10.1 for branch p10_e2k.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2024-34062
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
- https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
- https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
- https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
- https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/
Package alterator-update-kernel updated to version 1.4-alt5 for branch p10_e2k.
Closed bugs
При обновлении ядра не создается initrd образ
Closed vulnerabilities
BDU:2024-10840
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с хранением защищаемой информации в незашифрованном виде, позволяющая нарушителю получить доступ к конфиденциальной информации
BDU:2024-10846
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с недостаточной защитой служебных данных, позволяющая нарушителю оказывать влияние на конфиденциальность
BDU:2024-10847
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с недостаточной защитой служебных данных, позволяющая нарушителю оказывать влияние на конфиденциальность
BDU:2024-10851
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с недостатками процедуры аутентификации, позволяющая нарушителю раскрыть защищаемую информацию
BDU:2024-10853
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с использованием обратимой односторонней хэш-функции, позволяющая нарушителю сделать фоновое задание актуальным
Modified: 2024-11-18
CVE-2024-52513
Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
Modified: 2025-01-06
CVE-2024-52517
Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
Modified: 2025-01-23
CVE-2024-52518
Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.
Modified: 2025-01-23
CVE-2024-52521
Nextcloud Server is a self hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased the chances of a background job with arguments falsely being identified as already existing and not be queued for execution. By changing the Hash to SHA256 the probability was heavily decreased. It is recommended that the Nextcloud Server is upgraded to 28.0.10, 29.0.7 or 30.0.0.
Modified: 2024-11-18
CVE-2024-52523
Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator defined external storage with fixed credentials, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2 and Nextcloud Enterprise Server is upgraded to 25.0.13.14, 26.0.13.10, 27.1.11.10, 28.0.12, 29.0.9 or 30.0.2.
Modified: 2025-01-23
CVE-2024-52525
Nextcloud Server is a self hosted personal cloud system. Under certain conditions the password of a user was stored unencrypted in the session data. The session data is encrypted before being saved in the session storage (Redis or disk), but it would allow a malicious process that gains access to the memory of the PHP process, to get access to the cleartext password of the user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.
Package php8.2-pdo_mysql updated to version 8.2.27-alt1 for branch p10_e2k.
Closed bugs
Нехватает зависимости на php8.1-mysqlnd