ALT-BU-2025-8441-1
Branch p10 update bulletin.
Closed vulnerabilities
BDU:2021-01679
Уязвимость функции Parser_parseDocument() набора средств для UPnP устройств PUPnP, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2021-28302
A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.
Closed bugs
Лишние зависимости из fcitx5-configtool
Package libopenimageio updated to version 2.3.21.0-alt1 for branch p10 in task 379224.
Closed vulnerabilities
Modified: 2024-09-24
BDU:2023-04789
Уязвимость библиотеки обработки изображений OpenImageIO, связанная с ошибкой единичного смещения, позволяющая нарушителю получить доступ к конфиденциальным данным
Modified: 2024-09-24
BDU:2023-04793
Уязвимость библиотеки обработки изображений OpenImageIO, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Modified: 2024-09-24
BDU:2023-04795
Уязвимость библиотеки обработки изображений OpenImageIO, связанная с чтением за допустимыми границами буфера данных, позволяющая нарушителю получить доступ к конфиденциальным данным
Modified: 2024-09-24
BDU:2023-04797
Уязвимость функции decode_iptc_iim() библиотеки обработки изображений OpenImageIO, позволяющая нарушителю получить доступ к конфиденциальным данным
Modified: 2024-11-21
CVE-2022-36354
A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.
Modified: 2024-11-21
CVE-2022-41639
A heap based buffer overflow vulnerability exists in tile decoding code of TIFF image parser in OpenImageIO master-branch-9aeece7a and v2.3.19.0. A specially-crafted TIFF file can lead to an out of bounds memory corruption, which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
- https://security.gentoo.org/glsa/202305-33
- https://talosintelligence.com/vulnerability_reports/TALOS-2022-1633
- https://www.debian.org/security/2023/dsa-5384
- https://security.gentoo.org/glsa/202305-33
- https://talosintelligence.com/vulnerability_reports/TALOS-2022-1633
- https://www.debian.org/security/2023/dsa-5384
Modified: 2024-11-21
CVE-2022-41977
An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
- https://security.gentoo.org/glsa/202305-33
- https://talosintelligence.com/vulnerability_reports/TALOS-2022-1627
- https://www.debian.org/security/2023/dsa-5384
- https://security.gentoo.org/glsa/202305-33
- https://talosintelligence.com/vulnerability_reports/TALOS-2022-1627
- https://www.debian.org/security/2023/dsa-5384
Modified: 2024-11-21
CVE-2022-41988
An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.
- https://security.gentoo.org/glsa/202305-33
- https://talosintelligence.com/vulnerability_reports/TALOS-2022-1643
- https://www.debian.org/security/2023/dsa-5384
- https://security.gentoo.org/glsa/202305-33
- https://talosintelligence.com/vulnerability_reports/TALOS-2022-1643
- https://www.debian.org/security/2023/dsa-5384
Closed vulnerabilities
No data currently available.
No data currently available.
Closed bugs
Не работают URLы с literal IPv6 адресами в sources.list
Проблема запуска apt-get через прокси сервер
apt-https игнорирует настройки HTTPS прокси
[FR] закомментированная отладка "из коробки"
Неправильное форматирование списка удаляемых системных пакетов
Implementation of 'apt-get changelog'
^(NVIDIA_)?(kernel|alsa)[0-9]*(-adv|-linus)?($|-up|-smp|-secure|-custom|-enterprise|-BOOT|-tape|-aureal)
Package libisc-export-dhcp updated to version 9.11.36-alt2 for branch p10 in task 386777.
Closed vulnerabilities
Modified: 2025-07-07
BDU:2022-00686
Уязвимость DNS-сервера BIND, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-07-07
BDU:2022-05754
Уязвимость сервера DNS BIND, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю оказать воздействие на целостность данных
Modified: 2024-11-21
CVE-2021-25219
In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://kb.isc.org/v1/docs/cve-2021-25219
- https://lists.debian.org/debian-lts-announce/2021/11/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EF4NAVRV4H3W4GA3LGGZYUKD3HSJBAVW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGV7SA27CTYLGFJSPUM3V36ZWK7WWDI4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTKC4E3HUOLYN5IA4EBL4VAQSWG2ZVTX/
- https://security.gentoo.org/glsa/202210-25
- https://security.netapp.com/advisory/ntap-20211118-0002/
- https://www.debian.org/security/2021/dsa-4994
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://kb.isc.org/v1/docs/cve-2021-25219
- https://lists.debian.org/debian-lts-announce/2021/11/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EF4NAVRV4H3W4GA3LGGZYUKD3HSJBAVW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGV7SA27CTYLGFJSPUM3V36ZWK7WWDI4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTKC4E3HUOLYN5IA4EBL4VAQSWG2ZVTX/
- https://security.gentoo.org/glsa/202210-25
- https://security.netapp.com/advisory/ntap-20211118-0002/
- https://www.debian.org/security/2021/dsa-4994
- https://www.oracle.com/security-alerts/cpuapr2022.html
Modified: 2024-11-21
CVE-2021-25220
BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://kb.isc.org/v1/docs/cve-2021-25220
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SXT7247QTKNBQ67MNRGZD23ADXU6E5U/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VX3I2U3ICOIEI5Y7OYA6CHOLFMNH3YQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/API7U5E7SX7BAAVFNW366FFJGD6NZZKV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DE3UAVCPUMAKG27ZL5YXSP2C3RIOW3JZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYD7US4HZRFUGAJ66ZTHFBYVP5N3OQBY/
- https://security.gentoo.org/glsa/202210-25
- https://security.netapp.com/advisory/ntap-20220408-0001/
- https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-SRX-Series-Cache-poisoning-vulnerability-in-BIND-used-by-DNS-Proxy-CVE-2021-25220?language=en_US
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://kb.isc.org/v1/docs/cve-2021-25220
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SXT7247QTKNBQ67MNRGZD23ADXU6E5U/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VX3I2U3ICOIEI5Y7OYA6CHOLFMNH3YQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/API7U5E7SX7BAAVFNW366FFJGD6NZZKV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DE3UAVCPUMAKG27ZL5YXSP2C3RIOW3JZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYD7US4HZRFUGAJ66ZTHFBYVP5N3OQBY/
- https://security.gentoo.org/glsa/202210-25
- https://security.netapp.com/advisory/ntap-20220408-0001/
- https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-SRX-Series-Cache-poisoning-vulnerability-in-BIND-used-by-DNS-Proxy-CVE-2021-25220?language=en_US