ALT-BU-2026-1186-1
Branch p11 update bulletin.
Closed bugs
Опции для улучшения безопасности для сменных носителей
Closed vulnerabilities
CVE-2025-24369
Anubis is a tool that allows administrators to protect bots against AI scrapers through bot-checking heuristics and a proof-of-work challenge to discourage scraping from multiple IP addresses. Anubis allows attackers to bypass the bot protection by requesting a challenge, formulates any nonce (such as 42069), and then passes the challenge with difficulty zero. Commit e09d0226a628f04b1d80fd83bee777894a45cd02 fixes this behavior by not using a client-specified difficulty value.
Closed vulnerabilities
BDU:2025-16319
Уязвимость компонента WebGPU браузеров Google Chrome и Microsoft Edge, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2025-16320
Уязвимость обработчика JavaScript-сценариев V8 браузеров Google Chrome и Microsoft Edge, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-12-15
CVE-2025-14174
Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Modified: 2025-12-18
CVE-2025-14765
Use after free in WebGPU in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Modified: 2025-12-23
CVE-2025-14766
Out of bounds read and write in V8 in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Closed vulnerabilities
Modified: 2026-01-07
CVE-2025-69277
libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.
- https://00f.net/2025/12/30/libsodium-vulnerability/
- https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae
- https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7
- https://github.com/pyca/pynacl/commit/ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf
- https://github.com/pyca/pynacl/issues/920
- https://ianix.com/pub/ed25519-deployment.html
- https://news.ycombinator.com/item?id=46435614
- https://lists.debian.org/debian-lts-announce/2026/01/msg00004.html
Closed vulnerabilities
BDU:2025-16242
Уязвимость функции HostnameError.Error() пакета crypto/x509 языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2025-12-19
CVE-2025-61729
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.