ALT-BU-2025-9705-1
Branch p11 update bulletin.
Package docs-alt-virtualization-pve updated to version 11.0-alt2 for branch p11 in task 388066.
Closed bugs
Неизвестная опция --iso в pvesm list
Closed bugs
Упаковать libllama.so
Package alterator-usbmount updated to version 0.1.4-alt2 for branch p11 in task 388561.
Closed bugs
Alterator-usbmount пустой список устройств, не отключается автомонтирование
Closed bugs
frrinit.sh: can't open logfile /var/log/frr/frr.log
Package gst-plugins-base1.0 updated to version 1.26.4-alt1 for branch p11 in task 390118.
Closed vulnerabilities
Modified: 2025-08-12
CVE-2025-47806
In GStreamer through 1.26.1, the subparse plugin's parse_subrip_time function may write data past the bounds of a stack buffer, leading to a crash.
Modified: 2025-08-12
CVE-2025-47807
In GStreamer through 1.26.1, the subparse plugin's subrip_unescape_formatting function may dereference a NULL pointer while parsing a subtitle file, leading to a crash.
Package gst-plugins-bad1.0 updated to version 1.26.4-alt1 for branch p11 in task 390118.
Closed vulnerabilities
Modified: 2025-08-14
CVE-2025-6663
GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of H266 sei messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27381.
Package gst-plugins-good1.0 updated to version 1.26.4-alt1 for branch p11 in task 390118.
Closed vulnerabilities
Modified: 2025-08-12
CVE-2025-47183
In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure.
Modified: 2025-08-12
CVE-2025-47219
In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.
Package apache2-mod_http2 updated to version 2.0.33-alt1 for branch p11 in task 390521.
Closed vulnerabilities
BDU:2025-08695
Уязвимость функции mod_proxy_http2 веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2025-08955
Уязвимость веб-сервера Apache HTTP Server, связанная с утечкой памяти, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-07-29
CVE-2025-49630
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
Modified: 2025-07-29
CVE-2025-53020
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.