ALT-PU-2025-15865-1
Package portainer updated to version 2.33.6-alt1 for branch sisyphus_loongarch64.
Closed vulnerabilities
BDU:2025-11595
A vulnerability in the Go programming language related to improper input validation that allows an attacker to escalate their privileges
Modified: 2025-10-15
BDU:2025-11599
A vulnerability in the Go programming language related to improper input validation that allows an attacker to bypass existing security restrictions
BDU:2025-13562
A vulnerability in the crypto-x509 component of the Go programming language that allows an attacker to cause a denial of service
BDU:2025-13936
A vulnerability in the ParseAddress() function of the Go programming language that allows an attacker to cause a denial of service
BDU:2025-13937
A vulnerability in the Go programming language related to insufficient input validation that allows an attacker to affect the availability of protected information
BDU:2025-13938
A vulnerability in the Reader.ReadResponse() function of the Go programming language that allows an attacker to cause a denial of service
Modified: 2025-11-18
BDU:2025-14002
A vulnerability in Docker Compose, a tool for managing multi-container applications, related to improper limitation of a pathname to a restricted directory, that allows an attacker to overwrite arbitrary files
BDU:2025-14525
A vulnerability in the Equal() function of the crypto-x509 component of the Go programming language that allows an attacker to cause a denial of service
BDU:2025-14526
A vulnerability in the crypto/tls component of the Go programming language that allows an attacker to disclose protected information
BDU:2025-14527
A vulnerability in the Parse() function of the net-url component of the Go programming language that allows an attacker to execute arbitrary code
BDU:2025-14528
A vulnerability in the tar.Reader component of the Go programming language that allows an attacker to cause a denial of service
BDU:2025-14529
A vulnerability in the net/http component of the Go programming language that allows an attacker to cause a denial of service
BDU:2025-14530
A vulnerability in the encoding/asn1 component of the Go programming language that allows an attacker to cause a denial of service
BDU:2025-14682
A vulnerability in the ssh-agent agent server of the crypto library for the Go programming language that allows an attacker to cause a denial of service
BDU:2025-14688
A vulnerability in the SSH server of the crypto library for the Go programming language that allows an attacker to affect the availability of protected information
Modified: 2025-12-31
CVE-2024-25621
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.
Modified: 2025-11-04
CVE-2025-47906
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
Modified: 2025-09-24
CVE-2025-47910
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
Modified: 2025-11-04
CVE-2025-47912
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
Modified: 2025-12-16
CVE-2025-47913
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
Modified: 2025-12-11
CVE-2025-47914
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Modified: 2025-12-11
CVE-2025-58181
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Modified: 2025-11-04
CVE-2025-58183
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.
Modified: 2025-11-04
CVE-2025-58185
Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
Modified: 2025-11-04
CVE-2025-58186
Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
Modified: 2025-11-20
CVE-2025-58187
Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
Modified: 2025-11-04
CVE-2025-58188
Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
Modified: 2025-11-04
CVE-2025-58189
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
Modified: 2025-11-04
CVE-2025-61723
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
Modified: 2025-11-04
CVE-2025-61724
The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
Modified: 2025-12-09
CVE-2025-61725
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.
Modified: 2025-10-30
CVE-2025-62725
Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker‑supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there. This affects any platform or workflow that resolves remote OCI compose artifacts: Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, and cloud dev environments. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read‑only commands such as docker compose config or docker compose ps. This issue is fixed in v2.40.2.