ALT-BU-2025-7129-2
Branch sisyphus update bulletin.
Closed vulnerabilities
Modified: 2025-11-17
BDU:2025-11787
Vulnerability in the GIMP graphics editor associated with an integer overflow, allowing an attacker to execute arbitrary code
Modified: 2025-11-03
CVE-2025-5473
GIMP ICO File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26752.
Package containerd updated to version 2.1.1-alt1 for branch sisyphus in task 384821.
Closed vulnerabilities
Modified: 2025-09-19
CVE-2025-47290
containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Modified: 2025-05-28
GHSA-cm76-qm8v-3j95
containerd allows host filesystem access on pull
- https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95
- https://nvd.nist.gov/vuln/detail/CVE-2025-47290
- https://github.com/containerd/containerd/commit/cada13298fba85493badb6fecb6ccf80e49673cc
- https://github.com/containerd/containerd
- https://github.com/containerd/containerd/releases/tag/v2.1.1
Closed bugs
Build the codelite package, version 18.1.0
Closed bugs
recollq is missing
Closed bugs
crudini: request to update and add to p11
Package python3-module-fenrir updated to version 1.9.9-alt2 for branch sisyphus in task 384792.
Closed bugs
Unit fenrir.service could not be found
Package userpasswd updated to version 1.0.1-alt1 for branch sisyphus in task 384804.
Closed bugs
Contains a desktop file for launching a nonexistent program
Password change does not work with a Samba domain
userpasswd-gnome
Package firefox-esr updated to version 128.10.1-alt1 for branch sisyphus in task 384815.
Closed vulnerabilities
Modified: 2026-03-04
BDU:2025-06016
Vulnerability in the JavaScript script handler of the Mozilla Firefox and Firefox ESR browsers and the Thunderbird mail client, allowing an attacker to execute arbitrary code or cause a denial of service
Modified: 2026-03-04
BDU:2025-06048
Vulnerability in the Mozilla Firefox and Firefox ESR browsers and the Thunderbird mail client associated with an out-of-bounds write in memory, allowing an attacker to execute arbitrary code
Modified: 2026-04-13
CVE-2025-4918
An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1966612
- https://www.mozilla.org/security/advisories/mfsa2025-36/
- https://www.mozilla.org/security/advisories/mfsa2025-37/
- https://www.mozilla.org/security/advisories/mfsa2025-38/
- https://www.mozilla.org/security/advisories/mfsa2025-40/
- https://www.mozilla.org/security/advisories/mfsa2025-41/
- https://lists.debian.org/debian-lts-announce/2025/05/msg00024.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00046.html
- https://www.vicarius.io/vsociety/posts/cve-2025-4918-detect-firefox-out-of-bounds-write
- https://www.vicarius.io/vsociety/posts/cve-2025-4918-mitigate-firefox-out-of-bounds-write
Modified: 2026-04-13
CVE-2025-4919
An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1966614
- https://www.mozilla.org/security/advisories/mfsa2025-36/
- https://www.mozilla.org/security/advisories/mfsa2025-37/
- https://www.mozilla.org/security/advisories/mfsa2025-38/
- https://www.mozilla.org/security/advisories/mfsa2025-40/
- https://www.mozilla.org/security/advisories/mfsa2025-41/
- https://lists.debian.org/debian-lts-announce/2025/05/msg00024.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00046.html
Package integrity-notifier updated to version 0.7.2-alt1 for branch sisyphus in task 384886.
Closed bugs
integrity-notifier.service crash and not restart
