ALT Linux Team

Branch p11 update on 2025-05-08

2025-05-08

ALT-BU-2025-6443-3

Branch p11 update bulletin.

ALT-PU-2025-16458-1

Package mongo6.0 updated to version 6.0.22-alt1 for branch p11 in task 382470.

Closed vulnerabilities

Published: 2025-09-26

BDU:2025-11726

Уязвимость сервера системы управления базами данных MongoDB, позволяющая нарушителю повысить свои привилегии

Severity: HIGH (7.7)Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Severity: MEDIUM (6.8)Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
References:
Published: 2025-07-07
Modified: 2025-10-03

CVE-2025-6713

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:

ALT-PU-2025-16467-1

Package mongo8.0 updated to version 8.0.8-alt1 for branch p11 in task 382636.

Closed vulnerabilities

Published: 2025-09-26

BDU:2025-11726

Уязвимость сервера системы управления базами данных MongoDB, позволяющая нарушителю повысить свои привилегии

Severity: HIGH (7.7)Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Severity: MEDIUM (6.8)Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
References:
Published: 2025-07-07
Modified: 2025-10-03

CVE-2025-6713

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:

ALT-PU-2025-16496-1

Package php8.3-soap updated to version 8.3.19-alt1 for branch p11 in task 380092.

Closed vulnerabilities

Published: 2025-05-20
Modified: 2025-10-29

BDU:2025-02827

Уязвимость интерпретатора языка программирования PHP, связанная с недостатками обработки заголовков HTTP-запросов, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

Severity: MEDIUM (4.3)Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
Published: 2025-03-17
Modified: 2025-08-27

BDU:2025-02828

Уязвимость интерпретатора языка программирования PHP, связанная с недостатками обработки заголовков HTTP-запросов, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

Severity: MEDIUM (4.3)Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
Published: 2025-03-17
Modified: 2025-10-29

BDU:2025-02829

Уязвимость функций php_libxml_input_buffer_create_filename() и php_libxml_sniff_charset_from_stream() интерпретатора языка программирования PHP, позволяющая нарушителю перенаправить пользователя на произвольный URL-адрес

Severity: LOW (3.5)Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
References:
Published: 2025-03-18
Modified: 2025-10-29

BDU:2025-02834

Уязвимость функции check_has_header() интерпретатора языка программирования PHP, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (4.3)Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2025-05-28
Modified: 2026-02-16

BDU:2025-06050

Уязвимость функции php_request_shutdown интерпретатора языка программирования PHP, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (8.1)Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.6)Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
References:
Published: 2025-04-04
Modified: 2025-04-30

CVE-2024-11235

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (9.2)Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
References:
Published: 2025-03-29
Modified: 2025-11-03

CVE-2025-1217

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.

Severity: LOW (3.1)Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Severity: MEDIUM (6.3)Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:X
References:
Published: 2025-03-30
Modified: 2025-11-03

CVE-2025-1219

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

Severity: MEDIUM (5.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity: MEDIUM (6.3)Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2025-03-30
Modified: 2025-11-03

CVE-2025-1734

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

Severity: MEDIUM (5.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity: MEDIUM (6.3)Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2025-03-30
Modified: 2025-11-03

CVE-2025-1736

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.

Severity: HIGH (7.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity: MEDIUM (6.3)Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:

ALT-PU-2025-16529-1

Package mongo7.0 updated to version 7.0.19-alt1 for branch p11 in task 382596.

Closed vulnerabilities

Published: 2025-09-26

BDU:2025-11726

Уязвимость сервера системы управления базами данных MongoDB, позволяющая нарушителю повысить свои привилегии

Severity: HIGH (7.7)Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Severity: MEDIUM (6.8)Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
References:
Published: 2025-07-07
Modified: 2025-10-03

CVE-2025-6713

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:

ALT-PU-2025-6046-2

Package qt5-webengine updated to version 5.15.18-alt1 for branch p11 in task 382772.

Closed vulnerabilities

Published: 2025-04-17
Modified: 2026-03-04

BDU:2025-04695

Уязвимость функции encrypted() кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (8.6)Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
References:
Published: 2024-07-04
Modified: 2025-11-29

CVE-2024-39936

An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..

Severity: MEDIUM (5.9)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top