Все бюллетени/c10f2/ALT-PU-2026-10326-2
ALT-PU-2026-10326-2

Обновление пакета portainer-agent в ветке c10f2

Версия2.39.4-alt1
Задание#417422
Опубликовано2026-07-02
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (24)

BDU:2026-04597
HIGH7.5

Уязвимость библиотеки net/http2 языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2026-04-02Изменено: 2026-04-26
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
BDU:2026-08587
HIGH7.5

Уязвимость реализации протокола HTTP/2 языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2026-06-22
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
CVE-2026-33762
LOW2.8

go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.

Опубликовано: 2026-03-31Изменено: 2026-06-17
CVSS 3.xНИЗКАЯ 2.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
CVE-2026-39830
CRITICAL9.1

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Опубликовано: 2026-05-22Изменено: 2026-07-06
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVE-2026-39831
CRITICAL9.1

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Опубликовано: 2026-05-22Изменено: 2026-06-17
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2026-39832
CRITICAL9.1

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Опубликовано: 2026-05-22Изменено: 2026-07-06
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2026-39833
CRITICAL9.1

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Опубликовано: 2026-05-22Изменено: 2026-06-17
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2026-39834
CRITICAL9.1

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Опубликовано: 2026-05-22Изменено: 2026-06-17
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2026-41506
HIGH7.4

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.

Опубликовано: 2026-05-08Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 7.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
GHSA-3xc5-wrhm-f963
MEDIUM4.7

go-git: Credential leak via cross-host redirect in smart HTTP transport

Опубликовано: 2026-04-17Изменено: 2026-05-12
CVSS 3.xСРЕДНЯЯ 4.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
GHSA-89gr-r52h-f8rx
CRITICAL9.1

golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed

Опубликовано: 2026-06-25
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
GHSA-jppx-rxg9-jmrx
CRITICAL9.1

golang.org/x/crypto/ssh/agent doesn't enforce invoking key constraints

Опубликовано: 2026-06-25
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
GHSA-pmwq-pjrm-6p5r
MEDIUM4.1

in-toto-golang and in-toto-python have inconsistent negation behavior

Опубликовано: 2026-05-08
CVSS 3.xСРЕДНЯЯ 4.1
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
GHSA-rm3j-f69w-wqmq
CRITICAL9.1

golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes

Опубликовано: 2026-06-25
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H