ALT Linux Team

Branch p10 update on 2025-06-24

2025-06-24

ALT-BU-2025-8441-1

Branch p10 update bulletin.

ALT-PU-2025-5462-8

Package libupnp updated to version 1.14.10-alt0.p10.1 for branch p10 in task 379224.

Closed vulnerabilities

Published: 2021-03-30

BDU:2021-01679

Уязвимость функции Parser_parseDocument() набора средств для UPnP устройств PUPnP, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2021-03-12
Modified: 2024-11-21

CVE-2021-28302

A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.

Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:

ALT-PU-2025-6824-5

Package fcitx5 updated to version 5.1.2-alt1_1.2 for branch p10 in task 379224.

Closed bugs

Bug #51127

Лишние зависимости из fcitx5-configtool

ALT-PU-2025-6890-6

Package libopenimageio updated to version 2.3.21.0-alt1 for branch p10 in task 379224.

Closed vulnerabilities

Published: 2023-08-21
Modified: 2024-09-24

BDU:2023-04789

Уязвимость библиотеки обработки изображений OpenImageIO, связанная с ошибкой единичного смещения, позволяющая нарушителю получить доступ к конфиденциальным данным

Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Published: 2023-08-21
Modified: 2024-09-24

BDU:2023-04793

Уязвимость библиотеки обработки изображений OpenImageIO, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0) Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2023-08-21
Modified: 2024-09-24

BDU:2023-04795

Уязвимость библиотеки обработки изображений OpenImageIO, связанная с чтением за допустимыми границами буфера данных, позволяющая нарушителю получить доступ к конфиденциальным данным

Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Published: 2023-08-21
Modified: 2024-09-24

BDU:2023-04797

Уязвимость функции decode_iptc_iim() библиотеки обработки изображений OpenImageIO, позволяющая нарушителю получить доступ к конфиденциальным данным

Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Published: 2022-12-22
Modified: 2024-11-21

CVE-2022-36354

A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.

Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Published: 2022-12-22
Modified: 2024-11-21

CVE-2022-41639

A heap based buffer overflow vulnerability exists in tile decoding code of TIFF image parser in OpenImageIO master-branch-9aeece7a and v2.3.19.0. A specially-crafted TIFF file can lead to an out of bounds memory corruption, which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2022-12-22
Modified: 2024-11-21

CVE-2022-41977

An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

Severity: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
References:
Published: 2022-12-22
Modified: 2024-11-21

CVE-2022-41988

An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:

ALT-PU-2025-7817-2

Package apt updated to version 0.5.15lorg2-alt95.p10.1 for branch p10 in task 380656.

Closed vulnerabilities

OVE-20250602-0001

No data currently available.

OVE-20250602-0002

No data currently available.

Closed bugs

Bug #34000

Не работают URLы с literal IPv6 адресами в sources.list

Bug #38277

Проблема запуска apt-get через прокси сервер

Bug #38543

apt-https игнорирует настройки прокси

Bug #49565

[FR] закомментированная отладка "из коробки"

Bug #51546

Неправильное форматирование списка удаляемых системных пакетов

Bug #51975

Implementation of 'apt-get changelog'

Bug #53988

^(NVIDIA_)?(kernel|alsa)[0-9]*(-adv|-linus)?($|-up|-smp|-secure|-custom|-enterprise|-BOOT|-tape|-aureal)

ALT-PU-2025-8034-2

Package libisc-export-dhcp updated to version 9.11.36-alt2 for branch p10 in task 386777.

Closed vulnerabilities

Published: 2022-02-10
Modified: 2025-07-07

BDU:2022-00686

Уязвимость DNS-сервера BIND, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2022-09-16
Modified: 2025-07-07

BDU:2022-05754

Уязвимость сервера DNS BIND, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю оказать воздействие на целостность данных

Severity: HIGH (8.6) Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
References:
Published: 2021-10-27
Modified: 2024-11-21

CVE-2021-25219

In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.

Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Published: 2022-03-23
Modified: 2024-11-21

CVE-2021-25220

BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.

Severity: MEDIUM (4.0) Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Severity: MEDIUM (6.8) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top