ALT-BU-2025-3608-1
Branch sisyphus_loongarch64 update bulletin.
Package packagekit updated to version 1.3.0-alt2 for branch sisyphus_loongarch64.
Closed bugs
pkmon: finalized without ever returning
Package docs-alt-server-v updated to version 10.4-alt5 for branch sisyphus_loongarch64.
Closed bugs
Documentation docs-alt-server-v, section 39.4.14. CephFS: typo in the note
Documentation docs-alt-server-v, section 39.5. FC/iSCSI SAN: typo in a sentence
Documentation docs-alt-server-v, section 43.5. Access to an LXC container: add a command to the warning
Documentation docs-alt-server-v, Chapter 44. Migration of VMs and containers: punctuation errors
Documentation docs-alt-server-v, section 51.4. Two-factor authentication: punctuation errors
Chapter "39.6.3.2. Removing a monitor": the example command needs corrections
Chapter "39.6.4.2. Removing a manager": correct the example command
Punctuation problems in chapter "39.6.7. Ceph CRUSH and device classes"
Package userpasswd-gnome updated to version 0.0.1-alt2 for branch sisyphus_loongarch64.
Closed bugs
Permissions are set via %post
Package docs-alt-education updated to version 10.4-alt4 for branch sisyphus_loongarch64.
Closed bugs
Documentation docs-alt-education - ch. 66: fix punctuation
Package docs-alt-server updated to version 10.4-alt6 for branch sisyphus_loongarch64.
Closed bugs
Typo in chapter 42.4.2. Rules by VID&PID of the docs-alt-server documentation
Package alterator-sysconfig updated to version 1.3.22-alt1 for branch sisyphus_loongarch64.
Closed bugs
In an OEM installation, the keyboard layout switching options swap places at the "Language" step
Package navidrome updated to version 0.54.5-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2025-02-27
CVE-2025-27112
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.
Package grass updated to version 8.4.1-alt1 for branch sisyphus_loongarch64.
Closed bugs
Database drivers are missing
Package toxcore updated to version 0.2.20-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2018-25021
The TCP Server module in toxcore before 0.2.8 doesn't free the TCP priority queue under certain conditions, which allows a remote attacker to exhaust the system's memory, causing a denial of service (DoS).
- https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/
- https://github.com/TokTok/c-toxcore/issues/1214
- https://github.com/TokTok/c-toxcore/pull/1216
Modified: 2024-11-21
CVE-2018-25022
The Onion module in toxcore before 0.2.2 doesn't restrict which packets can be onion-routed, which allows a remote attacker to discover a target user's IP address (when knowing only their Tox Id) by positioning themselves close to target's Tox Id in the DHT for the target to establish an onion connection with the attacker, guessing the target's DHT public key and creating a DHT node with public key close to it, and finally onion-routing a NAT Ping Request to the target, requesting it to ping the just created DHT node.
- https://blog.tox.chat/2018/04/security-vulnerability-and-new-toxcore-release
- https://github.com/TokTok/c-toxcore/issues/873
- https://github.com/TokTok/c-toxcore/pull/872
Modified: 2024-11-21
CVE-2021-44847
A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received network packets) allows remote attackers to crash the process or potentially execute arbitrary code via a network packet.
- https://github.com/TokTok/c-toxcore/pull/1718
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7EBS3NIRYJ7V3PTNINP3PJSVUHGZTGA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLTKINSPO5T65LB3ZASDPCREKUE22RYE/
Package linstor updated to version 1.30.4-alt2 for branch sisyphus_loongarch64.
Closed bugs
Does not work with Java 17 (java.lang.NoClassDefFoundError: jdk/nashorn/api/scripting/ClassFilter)
Package installer updated to version 1.16.9-alt1 for branch sisyphus_loongarch64.
Closed bugs
During image installation, switching to a tty shows the message: "mkdir: cannot create directory `/root/.kbd': File exists"