ALT-BU-2025-6048-1
Branch c10f2 update bulletin.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-23437
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
- http://www.openwall.com/lists/oss-security/2022/01/24/3
- https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
- https://security.netapp.com/advisory/ntap-20221028-0005/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- http://www.openwall.com/lists/oss-security/2022/01/24/3
- https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
- https://security.netapp.com/advisory/ntap-20221028-0005/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Closed vulnerabilities
Modified: 2025-05-09
CVE-2023-24626
socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.
- https://git.savannah.gnu.org/cgit/screen.git/patch/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7
- https://savannah.gnu.org/bugs/?63195
- https://www.exploit-db.com/exploits/51252
- https://git.savannah.gnu.org/cgit/screen.git/patch/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7
- https://savannah.gnu.org/bugs/?63195
- https://security.netapp.com/advisory/ntap-20250509-0003/
- https://www.exploit-db.com/exploits/51252
- https://www.exploit-db.com/exploits/51252
Closed vulnerabilities
Modified: 2025-06-09
BDU:2023-07638
Уязвимость средства разархивирования файлов UnRAR, связанная с неверным определением символических ссылок перед доступом к файлу, позволяющая нарушителю получить доступ к конфиденциальным данным
Modified: 2024-11-21
CVE-2022-48579
UnRAR before 6.2.3 allows extraction of files outside of the destination folder via symlink chains.
- https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f#diff-ca3086f578522062d7e390ed2cd7e10f646378a8b8cbf287a6e4db5966df68ee
- https://lists.debian.org/debian-lts-announce/2023/08/msg00023.html
- https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f#diff-ca3086f578522062d7e390ed2cd7e10f646378a8b8cbf287a6e4db5966df68ee
- https://lists.debian.org/debian-lts-announce/2023/08/msg00023.html