ALT-BU-2025-4492-2
Branch sisyphus update bulletin.
Closed vulnerabilities
Modified: 2026-03-04
BDU:2025-06052
Уязвимость мультимедийной библиотеки Ffmpeg, связанная с чтением данных за границами буфера в памяти, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2025-06797
Уязвимость функции mov_read_trak библиотеки libavformat мультимедийной библиотеки FFmpeg, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2026-02-10
BDU:2025-11468
Уязвимость функции ff_aac_search_for_tns компонента libavcodec/aacenc_tns.c мультимедийной библиотеки FFmpeg, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации, нарушить её целостность, а также вызвать отказ в обслуживании
Modified: 2025-06-03
CVE-2024-55069
ffmpeg 7.1 is vulnerable to Null Pointer Dereference in function iamf_read_header in /libavformat/iamfdec.c.
Modified: 2025-11-03
CVE-2025-0518
Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C . This issue affects FFmpeg: 7.1. Issue was fixed: https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a This issue was discovered by: Simcha Kosman
Modified: 2025-06-03
CVE-2025-1373
A vulnerability was found in FFmpeg up to 7.1. It has been rated as problematic. Affected by this issue is the function mov_read_trak of the file libavformat/mov.c of the component MOV Parser. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The patch is identified as 43be8d07281caca2e88bfd8ee2333633e1fb1a13. It is recommended to apply a patch to fix this issue.
Modified: 2025-06-03
CVE-2025-1594
A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Package python3-module-jinja2 updated to version 3.1.6-alt1 for branch sisyphus in task 377889.
Closed vulnerabilities
Modified: 2026-04-20
BDU:2025-06562
Уязвимость компилятора инструмента для html-шаблонизации jinja, связанная с непринятием мер по нейтрализации специальных элементов в механизме создания шаблонов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-11-03
CVE-2025-27516
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
Modified: 2025-11-04
GHSA-cpwx-vrp4-4pq7
Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
- https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7
- https://nvd.nist.gov/vuln/detail/CVE-2025-27516
- https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403
- https://github.com/pallets/jinja
- https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html
- https://lists.debian.org/debian-lts-announce/2025/04/msg00045.html
Package ImageMagick updated to version 7.1.1.45-alt1 for branch sisyphus in task 378356.
Closed vulnerabilities
Modified: 2026-01-20
BDU:2025-04922
Уязвимость функции SetQuantumFormat() консольного графического редактора ImageMagick, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-14
BDU:2025-10909
Уязвимость консольного графического редактора ImageMagick, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-12-31
CVE-2025-43965
In MIFF image processing in ImageMagick before 7.1.1-44, image depth is mishandled after SetQuantumFormat is used.
Modified: 2025-12-31
CVE-2025-46393
In multispectral MIFF image processing in ImageMagick before 7.1.1-44, packet_size is mishandled (related to the rendering of all channels in an arbitrary order).
Package python3-module-django updated to version 5.1.7-alt1 for branch sisyphus in task 377889.
Closed vulnerabilities
Modified: 2025-10-24
BDU:2025-08584
Уязвимость программной платформы для веб-приложений Django, связанная с недостаточной проверкой входных данных, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-10-03
CVE-2025-26699
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Modified: 2025-04-09
GHSA-p3fp-8748-vqfq
Django vulnerable to Allocation of Resources Without Limits or Throttling
- https://nvd.nist.gov/vuln/detail/CVE-2025-26699
- https://docs.djangoproject.com/en/dev/releases/security
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-13.yaml
- https://groups.google.com/g/django-announce
- https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html
- https://www.djangoproject.com/weblog/2025/mar/06/security-releases
- http://www.openwall.com/lists/oss-security/2025/03/06/12
Package distro-licenses updated to version 1.3.15-alt1 for branch sisyphus in task 378419.
Closed bugs
distro-license-check: distribution branch 'p11' is not valid
Closed bugs
Неверный путь к базе данных innodb в конфиге