ALT Linux Team

Branch c10f2 update on 2026-01-13

2026-01-13

ALT-BU-2026-1184-1

Branch c10f2 update bulletin.

ALT-PU-2026-1137-2

Package forgejo-runner updated to version 12.3.1-alt1 for branch c10f2 in task 403875.

Closed bugs

Bug #54407

В user-unit'е forgejo-runner указаны User и Group, что препятствует его запуску

ALT-PU-2026-1175-3

Package mimir updated to version 3.0.2-alt1 for branch c10f2 in task 404903.

Closed vulnerabilities

Published: 2025-12-24

BDU:2025-16242

Уязвимость функции HostnameError.Error() пакета crypto/x509 языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2025-12-03
Modified: 2025-12-18

CVE-2025-61727

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References:
Published: 2025-12-02
Modified: 2025-12-19

CVE-2025-61729

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top