Все бюллетени/sisyphus/ALT-PU-2026-5804-1
ALT-PU-2026-5804-1

Обновление пакета gitlab-runner в ветке sisyphus

Версия18.10.1-alt1
Задание#414439
Опубликовано2026-04-07
Макс. серьёзностьHIGH
Серьёзность:

Закрытые проблемы (11)

BDU:2025-03638
HIGH7.5

Уязвимость языка программирования Go, связанная с неправильной проверкой синтаксической корректности ввода, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2025-04-01Изменено: 2026-03-20
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
Ссылки
BDU:2025-08688
HIGH8.6

Уязвимость распределенной системы контроля версий Git средства разработки программного обеспечения Microsoft Visual Studio, позволяющая нарушителю выполнить произвольный код

Опубликовано: 2025-07-21Изменено: 2026-04-20
CVSS 3.xВЫСОКАЯ 8.6
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS 2.0ВЫСОКАЯ 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
Ссылки
BDU:2025-08690
HIGH8.6

Уязвимость графического инструмента Git GUI распределенной системы контроля версий Git средства разработки программного обеспечения Microsoft Visual Studio, позволяющая нарушителю выполнить произвольные команды

Опубликовано: 2025-07-21Изменено: 2025-08-07
CVSS 3.xВЫСОКАЯ 8.6
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS 2.0ВЫСОКАЯ 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
Ссылки
BDU:2025-08691
HIGH8.0

Уязвимость распределенной системы контроля версий Git средства разработки программного обеспечения Microsoft Visual Studio, позволяющая нарушителю выполнить произвольный код

Опубликовано: 2025-07-21Изменено: 2026-04-20
CVSS 3.xВЫСОКАЯ 8.0
CVSS:3.x/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 2.0ВЫСОКАЯ 7.1
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:C/A:C
Ссылки
BDU:2025-10834
HIGH7.0

Уязвимость языка программирования Go, связанная с ошибками синхронизации при использовании общего ресурса, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2025-09-08Изменено: 2026-03-20
CVSS 3.xВЫСОКАЯ 7.0
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
CVSS 2.0СРЕДНЯЯ 6.6
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:P/A:P
Ссылки
CVE-2025-46334
HIGH8.6

Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Опубликовано: 2025-07-10Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 8.6
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Ссылки
CVE-2025-47907
HIGH7.0

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

Опубликовано: 2025-08-07Изменено: 2026-01-29
CVSS 3.xВЫСОКАЯ 7.0
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Ссылки
CVE-2025-48384
HIGH8.0

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Опубликовано: 2025-07-08Изменено: 2025-11-06
CVSS 3.xВЫСОКАЯ 8.0
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Ссылки
CVE-2025-48385
HIGH8.6

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Опубликовано: 2025-07-08Изменено: 2026-04-15
CVSS 4.0ВЫСОКАЯ 8.6
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки