ALT-BU-2025-8044-1
Branch sisyphus update bulletin.
Package python3-module-requests updated to version 2.32.4-alt1 for branch sisyphus in task 386815.
Closed vulnerabilities
Modified: 2025-06-12
CVE-2024-47081
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.
- https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
- https://github.com/psf/requests/pull/6965
- https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7
- https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env
- https://seclists.org/fulldisclosure/2025/Jun/2
- http://seclists.org/fulldisclosure/2025/Jun/2
- http://www.openwall.com/lists/oss-security/2025/06/03/11
- http://www.openwall.com/lists/oss-security/2025/06/03/9
- http://www.openwall.com/lists/oss-security/2025/06/04/1
- http://www.openwall.com/lists/oss-security/2025/06/04/6
Closed bugs
grub-mkconfig некорректно определяет доступность раздела /boot на запись
Нет поддержки zfs
Добавить переводы новых пунктов меню iso образов
Closed bugs
Ошибки /boot/efi/EFI/BOOT/grub.cfg: invalid pe header
Closed bugs
Не запускается ctwf из меню приложений (несоответствие Exec=python3 /usr/bin/ctwf с /usr/bin/cttestB)
Closed vulnerabilities
BDU:2025-01120
Уязвимость функции assert системной библиотеки GNU C Library, связанная с некорректными вычислениями размера выделяемого буфера, позволяющая нарушителю оказать воздействие на доступность защищаемой информации
Modified: 2025-04-30
CVE-2025-0395
When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.
- https://sourceware.org/bugzilla/show_bug.cgi?id=32582
- https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001
- https://sourceware.org/pipermail/libc-announce/2025/000044.html
- https://www.openwall.com/lists/oss-security/2025/01/22/4
- http://www.openwall.com/lists/oss-security/2025/01/22/4
- http://www.openwall.com/lists/oss-security/2025/01/23/2
- http://www.openwall.com/lists/oss-security/2025/04/13/1
- http://www.openwall.com/lists/oss-security/2025/04/24/7
- https://lists.debian.org/debian-lts-announce/2025/04/msg00039.html
- https://security.netapp.com/advisory/ntap-20250228-0006/
Package thunderbird updated to version 139.0.2-alt1 for branch sisyphus in task 386946.
Closed vulnerabilities
Modified: 2025-07-02
CVE-2025-5986
A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird < 128.11.1 and Thunderbird < 139.0.2.