ALT Linux Team

Branch sisyphus update on 2025-03-03

2025-03-03

ALT-BU-2025-3724-1

Branch sisyphus update bulletin.

ALT-PU-2025-3676-2

Package openexr updated to version 3.3.1-alt1 for branch sisyphus in task 376389.

Closed vulnerabilities

Published: 2024-02-02

BDU:2024-02272

Уязвимость программного обеспечения для хранения изображений с широкими динамическими диапазоном яркости OpenEXR, вызванная переполнением буфера в динамической памяти, позволяющая нарушителю прочитать или записать произвольные данные

Severity: CRITICAL (9.1) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
Published: 2024-02-01
Modified: 2025-02-13

CVE-2023-5841

Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:

ALT-PU-2025-3708-2

Package keycloak updated to version 26.1.3-alt1 for branch sisyphus in task 376630.

Closed vulnerabilities

Published: 2024-11-07

BDU:2024-09422

Уязвимость компонента BinaryStreamDriver Java-библиотеки для преобразования объектов в XML или JSON формат XStream, позволяющая нарушителю выполнить атаку типа «отказ в обслуживании»

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2025-01-23

BDU:2025-01357

Уязвимость конфигурации JDBC_PING программного обеспечения для хранения данных Infinispan, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации

Severity: MEDIUM (5.5) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2024-11-08
Modified: 2024-11-08

CVE-2024-47072

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

References:
Published: 2025-01-28
Modified: 2025-03-12

CVE-2025-0736

A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors.

References:

ALT-PU-2025-3718-2

Package busybox updated to version 1.37.0-alt1 for branch sisyphus in task 376590.

Closed vulnerabilities

Published: 2023-11-27

BDU:2023-08323

Уязвимость функции copyvar (awk.c) набора UNIX-утилит командной строки BusyBox, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (5.5) Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2023-11-27

BDU:2023-08324

Уязвимость функции evaluate (awk.c) набора UNIX-утилит командной строки BusyBox, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (5.5) Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2023-11-27

BDU:2023-08325

Уязвимость функции next_token (awk.c) набора UNIX-утилит командной строки BusyBox, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (5.5) Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2023-11-27

BDU:2024-07096

Уязвимость функции xasprintf (xfuncs_printf.c:344) набора UNIX-утилит командной строки BusyBox, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (5.5) Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2023-11-28
Modified: 2024-11-21

CVE-2023-42363

A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2023-11-28
Modified: 2024-11-21

CVE-2023-42364

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2023-11-28
Modified: 2024-11-21

CVE-2023-42365

A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Published: 2023-11-28
Modified: 2024-12-06

CVE-2023-42366

A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:

ALT-PU-2025-3720-2

Package mkimage-profiles updated to version 1.7.4-alt1 for branch sisyphus in task 376648.

Closed bugs

Bug #33530

Добавляет шрифты без необходимости

VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top