ALT-BU-2025-6912-4
Branch c10f2 update bulletin.
Package kernel-image-un-def updated to version 6.1.136-alt0.c10f.2 for branch c10f2 in task 383025.
Closed vulnerabilities
Modified: 2025-11-03
CVE-2025-37838
In the Linux kernel, the following vulnerability has been resolved:
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(). In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work.
If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:
    CPU0                    CPU1
                            | ssip_xmit_work
    ssi_protocol_remove     |
    kfree(ssi);             |
                            | struct hsi_client *cl = ssi->cl;
                            | // use ssi
Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().
- https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86
- https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f
- https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78
- https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa
- https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1
- https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088
- https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6
- https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3
- https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Package kubernetes1.27 updated to version 1.27.16-alt3 for branch c10f2 in task 381505.
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Package kubernetes1.31 updated to version 1.31.8-alt2 for branch c10f2 in task 381505.
Closed vulnerabilities
Modified: 2025-06-09
BDU:2025-00672
Vulnerability in the kubelet utility of the Kubernetes virtual machine cluster management software for Windows operating systems, allowing an attacker to execute arbitrary commands
CVE-2024-9042
This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
Modified: 2025-02-13
CVE-2025-0426
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Package kubernetes1.26 updated to version 1.26.15-alt3 for branch c10f2 in task 381505.
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Package kubernetes1.29 updated to version 1.29.15-alt2 for branch c10f2 in task 381505.
Closed vulnerabilities
Modified: 2025-06-09
BDU:2025-00672
Vulnerability in the kubelet utility of the Kubernetes virtual machine cluster management software for Windows operating systems, allowing an attacker to execute arbitrary commands
CVE-2024-9042
This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
Modified: 2025-02-13
CVE-2025-0426
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Package kubernetes1.28 updated to version 1.28.15-alt3 for branch c10f2 in task 381505.
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Package kubernetes1.24 updated to version 1.24.17-alt3 for branch c10f2 in task 381505.
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Closed vulnerabilities
Modified: 2025-07-02
CVE-2024-8676
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies, are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
- https://access.redhat.com/errata/RHBA-2024:10826
- https://access.redhat.com/errata/RHSA-2025:0648
- https://access.redhat.com/errata/RHSA-2025:1908
- https://access.redhat.com/errata/RHSA-2025:3297
- https://access.redhat.com/errata/RHSA-2025:4211
- https://access.redhat.com/errata/RHSA-2025:9765
- https://access.redhat.com/security/cve/CVE-2024-8676
- https://bugzilla.redhat.com/show_bug.cgi?id=2313842
Modified: 2025-07-02
GHSA-7p9f-6x8j-gxxp
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
- https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp
- https://nvd.nist.gov/vuln/detail/CVE-2024-8676
- https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7
- https://access.redhat.com/errata/RHBA-2024:10826
- https://access.redhat.com/errata/RHSA-2025:0648
- https://access.redhat.com/errata/RHSA-2025:1908
- https://access.redhat.com/errata/RHSA-2025:3297
- https://access.redhat.com/errata/RHSA-2025:4211
- https://access.redhat.com/errata/RHSA-2025:9765
- https://access.redhat.com/security/cve/CVE-2024-8676
- https://bugzilla.redhat.com/show_bug.cgi?id=2313842
- https://github.com/cri-o/cri-o
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Closed vulnerabilities
Modified: 2025-07-02
CVE-2024-8676
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies, are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
- https://access.redhat.com/errata/RHBA-2024:10826
- https://access.redhat.com/errata/RHSA-2025:0648
- https://access.redhat.com/errata/RHSA-2025:1908
- https://access.redhat.com/errata/RHSA-2025:3297
- https://access.redhat.com/errata/RHSA-2025:4211
- https://access.redhat.com/errata/RHSA-2025:9765
- https://access.redhat.com/security/cve/CVE-2024-8676
- https://bugzilla.redhat.com/show_bug.cgi?id=2313842
Modified: 2025-07-02
GHSA-7p9f-6x8j-gxxp
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
- https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp
- https://nvd.nist.gov/vuln/detail/CVE-2024-8676
- https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7
- https://access.redhat.com/errata/RHBA-2024:10826
- https://access.redhat.com/errata/RHSA-2025:0648
- https://access.redhat.com/errata/RHSA-2025:1908
- https://access.redhat.com/errata/RHSA-2025:3297
- https://access.redhat.com/errata/RHSA-2025:4211
- https://access.redhat.com/errata/RHSA-2025:9765
- https://access.redhat.com/security/cve/CVE-2024-8676
- https://bugzilla.redhat.com/show_bug.cgi?id=2313842
- https://github.com/cri-o/cri-o
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Package kubernetes1.30 updated to version 1.30.12-alt2 for branch c10f2 in task 381505.
Closed vulnerabilities
Modified: 2025-06-09
BDU:2025-00672
Vulnerability in the kubelet utility of the Kubernetes virtual machine cluster management software for Windows operating systems, allowing an attacker to execute arbitrary commands
CVE-2024-9042
This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
Modified: 2025-02-13
CVE-2025-0426
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Package kubernetes1.25 updated to version 1.25.16-alt3 for branch c10f2 in task 381505.
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Package kubernetes1.23 updated to version 1.23.17-alt4 for branch c10f2 in task 381505.
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Package kubernetes1.22 updated to version 1.22.17-alt3 for branch c10f2 in task 381505.
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"
Closed vulnerabilities
Modified: 2025-07-02
CVE-2024-8676
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies, are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
- https://access.redhat.com/errata/RHBA-2024:10826
- https://access.redhat.com/errata/RHSA-2025:0648
- https://access.redhat.com/errata/RHSA-2025:1908
- https://access.redhat.com/errata/RHSA-2025:3297
- https://access.redhat.com/errata/RHSA-2025:4211
- https://access.redhat.com/errata/RHSA-2025:9765
- https://access.redhat.com/security/cve/CVE-2024-8676
- https://bugzilla.redhat.com/show_bug.cgi?id=2313842
Modified: 2025-07-02
GHSA-7p9f-6x8j-gxxp
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
- https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp
- https://nvd.nist.gov/vuln/detail/CVE-2024-8676
- https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7
- https://access.redhat.com/errata/RHBA-2024:10826
- https://access.redhat.com/errata/RHSA-2025:0648
- https://access.redhat.com/errata/RHSA-2025:1908
- https://access.redhat.com/errata/RHSA-2025:3297
- https://access.redhat.com/errata/RHSA-2025:4211
- https://access.redhat.com/errata/RHSA-2025:9765
- https://access.redhat.com/security/cve/CVE-2024-8676
- https://bugzilla.redhat.com/show_bug.cgi?id=2313842
- https://github.com/cri-o/cri-o
Closed bugs
Removing kubernetes/cri-o packages produces "ошибка чтения информации о сервисе: Нет такого файла или каталога"