ALT-BU-2025-4440-1
Branch c10f2 update bulletin.
Package python3-module-cryptography updated to version 41.0.7-alt0.p10.2 for branch c10f2 in task 377828.
Closed vulnerabilities
BDU:2024-03237
Уязвимость функций pkcs12.serialize_key_and_certificates пакета cryptography интерпретатора языка программирования Python, позволяющая нарушителю вызвать сбой процесса Python
Modified: 2025-02-06
CVE-2024-26130
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
- https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
- https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
- https://github.com/pyca/cryptography/pull/10423
- https://github.com/pyca/cryptography/pull/10423
- https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
- https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
Package php8.2-swoole updated to version 6.0.1-alt2.28 for branch c10f2 in task 377997.
Closed bugs
Unable to load dynamic library 'swoole.so'
Unable to load dynamic library 'swoole.so'
В системе остаётся файл swoole.ini после удаления пакета php8.4-swoole
swoole отсутствует в списке загруженных модулей
swoole.so: undefined symbol: BrotliEncoderCompress
Closed vulnerabilities
Modified: 2025-03-31
CVE-2025-1217
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
Modified: 2025-03-31
CVE-2025-1219
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
CVE-2025-1734
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
CVE-2025-1736
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
CVE-2025-1861
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
Closed bugs
Дважды подключаются расширения mysqlnd и openssl
Package php8.2-pdo_mysql updated to version 8.2.28-alt1 for branch c10f2 in task 377997.
Closed bugs
Нехватает зависимости на php8.1-mysqlnd