All errata/c10f2/ALT-PU-2025-10968-4
ALT-PU-2025-10968-4

Package update portainer in branch c10f2

Version2.33.1-alt1
Task#393364
Published2026-02-05
Max severityCRITICAL
Severity:

Closed issues (39)

BDU:2025-01010
MEDIUM5.3

Уязвимость языка программирования Go, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-02-03Modified: 2025-12-08
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2025-02476
MEDIUM4.4

Уязвимость пакетов net/http, x/net/proxy и x/net/http/httpproxy языка программирования Go, позволяющая нарушителю оказать воздействие на конфиденциальность и доступность защищаемой информации

Published: 2025-07-02Modified: 2026-04-20
CVSS 3.xMEDIUM 4.4
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
CVSS 2.0LOW 3.2
CVSS:2.0/AV:L/AC:L/Au:S/C:P/I:N/A:P
References
BDU:2025-02667
MEDIUM6.1

Уязвимость языка программирования Golang, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить несанкционированный доступ к учетным данным

Published: 2025-03-13
CVSS 3.xMEDIUM 6.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
BDU:2025-03335
MEDIUM6.1

Уязвимость языка программирования Golang, связанная с неправильной проверкой входных данных, позволяющая нарушителю обойти внедренные ограничения безопасности

Published: 2025-03-27
CVSS 3.xMEDIUM 6.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
BDU:2025-03456
MEDIUM4.0

Уязвимость компонента crypto-elliptic языка программирования Golang, позволяющая нарушителю получить доступ к конфиденциальной информации

Published: 2025-03-27Modified: 2026-03-04
CVSS 3.xMEDIUM 4.0
CVSS:3.x/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0LOW 2.1
CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2025-03638
HIGH7.5

Уязвимость языка программирования Go, связанная с неправильной проверкой синтаксической корректности ввода, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-04-01Modified: 2026-03-20
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2025-04014
CRITICAL9.1

Уязвимость пакета net/http языка программирования Go, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнить произвольный код

Published: 2025-04-09Modified: 2025-11-19
CVSS 3.xCRITICAL 9.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.0CRITICAL 9.4
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:N
References
BDU:2025-05194
MEDIUM4.6

Уязвимость среды выполнения контейнеров containerd, связанная с целочисленным переполнением, позволяющая нарушителю выполнить произвольный код

Published: 2025-05-05Modified: 2026-05-06
CVSS 3.xMEDIUM 4.6
CVSS:3.x/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CVSS 2.0LOW 3.2
CVSS:2.0/AV:L/AC:L/Au:S/C:P/I:P/A:N
References
BDU:2025-06560
HIGH7.5

Уязвимость SSH-сервера языка программирования Golang, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-06-09Modified: 2025-12-08
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2025-08473
MEDIUM6.5

Уязвимость языка программирования Golang, связанная с неправильной проверкой входных данных, позволяющая нарушителю выполнить произвольный код

Published: 2025-07-15Modified: 2026-04-20
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
CVSS 2.0MEDIUM 5.1
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P
References
BDU:2025-08599
MEDIUM6.8

Уязвимость языка программирования Golang, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить доступ к потенциально конфиденциальной информации

Published: 2025-07-17Modified: 2026-04-20
CVSS 3.xMEDIUM 6.8
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 2.0MEDIUM 5.4
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:N/A:N
References
BDU:2025-08600
MEDIUM5.5

Уязвимость языка программирования Golang, связанная с неверным определением символических ссылок перед доступом к файлу, позволяющая нарушителю повысить привилегии в системе

Published: 2025-07-17Modified: 2026-03-20
CVSS 3.xMEDIUM 5.5
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 2.0MEDIUM 4.6
CVSS:2.0/AV:L/AC:L/Au:S/C:N/I:C/A:N
References
BDU:2025-09312
LOW3.3

Уязвимость демона firewalld программного средства для создания систем контейнерной изоляции Moby, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2025-08-04Modified: 2025-12-26
CVSS 3.xLOW 3.3
CVSS:3.x/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS 2.0LOW 2.4
CVSS:2.0/AV:L/AC:H/Au:S/C:P/I:P/A:N
References
BDU:2025-15587
MEDIUM5.3

Уязвимость библиотеки Go для декодирования общих значений карт в структуры и наоборот mapstructure, связанная с неправильной обработкой выходных данных для журналов регистрации, позволяющая нарушителю получить доступ к конфиденциальной информации

Published: 2025-12-11Modified: 2026-02-17
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 5.4
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:N/A:N
References
CVE-2024-40635
HIGH7.8

containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

Published: 2025-03-17Modified: 2025-10-02
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2024-45336
MEDIUM6.1

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.

Published: 2025-01-28Modified: 2026-04-15
CVSS 3.xMEDIUM 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
CVE-2024-45338
MEDIUM5.3

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Published: 2024-12-18Modified: 2026-04-15
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
CVE-2024-45341
MEDIUM6.1

A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.

Published: 2025-01-28Modified: 2026-04-15
CVSS 3.xMEDIUM 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
CVE-2025-0913
MEDIUM5.5

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

Published: 2025-06-11Modified: 2025-08-08
CVSS 3.xMEDIUM 5.5
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References
CVE-2025-11065
MEDIUM5.3

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Published: 2026-01-26Modified: 2026-04-15
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
References
CVE-2025-22866
MEDIUM4.0

Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.

Published: 2025-02-06Modified: 2026-04-15
CVSS 3.xMEDIUM 4.0
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2025-22869
HIGH7.5

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Published: 2025-02-26Modified: 2025-05-01
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2025-22870
MEDIUM4.4

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Published: 2025-03-12Modified: 2026-04-16
CVSS 3.xMEDIUM 4.4
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
References
CVE-2025-22871
CRITICAL9.1

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Published: 2025-04-08Modified: 2026-05-12
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
CVE-2025-22872
MEDIUM6.5

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Published: 2025-04-16Modified: 2026-04-15
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
References
CVE-2025-54410
MEDIUM5.2

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails to re-create iptables rules that isolate bridge networks, allowing any container to access all ports on any other container across different bridge networks on the same host. This breaks network segmentation between containers that should be isolated, creating significant risk in multi-tenant environments. Only containers in --internal networks remain protected. Workarounds include reloading firewalld and either restarting the docker daemon, re-creating bridge networks, or using rootless mode. Maintainers anticipate a fix for this issue in version 25.0.13.

Published: 2025-07-30Modified: 2025-08-22
CVSS 3.xMEDIUM 5.2
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
References
GHSA-2464-8j7c-4cjm
MEDIUM5.3

go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data

Published: 2025-08-21Modified: 2026-01-28
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
References
GHSA-265r-hfxg-fhmg
MEDIUM4.6

containerd has an integer overflow in User ID handling

Published: 2025-03-18Modified: 2025-05-05
CVSS 3.xMEDIUM 4.6
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
References
GHSA-4vq8-7jfc-9cvp
LOW3.3

Moby firewalld reload removes bridge network isolation

Published: 2025-07-29Modified: 2026-03-27
CVSS 3.xLOW 3.3
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
References
GHSA-5423-jcjm-2gpv
CRITICAL9.1

Traefik affected by Go HTTP Request Smuggling Vulnerability

Published: 2025-04-18
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
GHSA-g9pc-8g42-g6vq
CRITICAL9.1

RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency

Published: 2025-04-09Modified: 2026-05-13
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
GHSA-hcg3-q754-cr77
HIGH7.5

golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

Published: 2025-04-12Modified: 2025-04-14
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-qxp5-gwg8-xv66
MEDIUM4.4

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Published: 2025-03-13Modified: 2026-04-24
CVSS 3.xMEDIUM 4.4
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
References
GHSA-w32m-9786-jp63
HIGH8.7

Non-linear parsing of case-insensitive content in golang.org/x/net/html

Published: 2024-12-19Modified: 2025-03-16
CVSS 4.0HIGH 8.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References