ALT-BU-2026-1123-1
Branch sisyphus_riscv64 update bulletin.
Package rclone updated to version 1.72.1-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2025-16242
Уязвимость функции HostnameError.Error() пакета crypto/x509 языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-12-19
CVE-2025-61729
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
Package libsodium updated to version 1.0.21-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
Modified: 2026-01-07
CVE-2025-69277
libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.
- https://00f.net/2025/12/30/libsodium-vulnerability/
- https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae
- https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7
- https://github.com/pyca/pynacl/commit/ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf
- https://github.com/pyca/pynacl/issues/920
- https://ianix.com/pub/ed25519-deployment.html
- https://news.ycombinator.com/item?id=46435614
- https://lists.debian.org/debian-lts-announce/2026/01/msg00004.html