ALT Linux Sisyphus - Segurança

cups-2.4.7-alt1 build Anton Farygin, 2023-09-29

- 2.4.7 (Fixes: CVE-2023-4504)
- updated Ubuntu-9100-ppd-cache-add-auto-presets.patch
- removed unused and/or integrated to upstream patches:
- FC-multilib.patch
- FC-uri-compat.patch
- FC-0001-scheduler-ipp.c-Allocate-device_uri-via-cupsdSetStri.patch
- Ubuntu-0016-Debian-po4a-infrastructure-and-translations-for-manp.patch
- Ubuntu-9110-create-local-printer-localhost-fix.patch
- ALT-1.6.1-hardening.patch
- ALT-1.4.6-config-libs.patch
- ALT-config-nolibs.patch

libppd-2.0.0-alt1 build Anton Farygin, 2023-09-29

- 2.0.0 (Fixes: CVE-2023-4504)

firefox-esr-115.3.1-alt1 build Pavel Vasenkov, 2023-09-29

- New ESR version.
- Security fixes
+ CVE-2023-5168 Out-of-bounds write in FilterNodeD2D1
+ CVE-2023-5169 Out-of-bounds write in PathOps
+ CVE-2023-5171 Use-after-free in Ion Compiler
+ CVE-2023-5174 Double-free in process spawning on Windows
+ CVE-2023-5176 Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3
+ CVE-2023-5217 Heap buffer overflow in libvpx

netatalk-3.1.17-alt1 build Ilya Mashkin, 2023-09-28

- 3.1.17 (fixed CVE-2023-42464, CVE-2022-23121, CVE-2022-23123,
CVE-2022-43634 and CVE-2022-45188)
- Add /etc/netatalk/afppasswd (Closes: #46445)
- Add /var/lib/netatalk (Closes: #46441)
- Add Requires: cracklib-words (Closes: #46446)

chromium-117.0.5938.132-alt1 build Alexey Gladkov, 2023-09-28

- New version (117.0.5938.132).
- Security fixes:
- CVE-2023-5186: Use after free in Passwords.
- CVE-2023-5187: Use after free in Extensions.
- CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx.

xrdp-0.9.23.1-alt1 build Andrey Cherepanov, 2023-09-28

- New version.
- Security fixes:
+ CVE-2023-42822: Unchecked access to font glyph info

firefox-118.0-alt1 build Alexey Gladkov, 2023-09-26

- New release (118.0).
- Security fixes:
+ CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1
+ CVE-2023-5169: Out-of-bounds write in PathOps
+ CVE-2023-5170: Memory leak from a privileged process
+ CVE-2023-5171: Use-after-free in Ion Compiler
+ CVE-2023-5172: Memory Corruption in Ion Hints
+ CVE-2023-5173: Out-of-bounds write in HTTP Alternate Services
+ CVE-2023-5174: Double-free in process spawning on Windows
+ CVE-2023-5175: Use-after-free of ImageBitmap during process shutdown
+ CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3

kernel-image-centos-5.14.0.368-alt1.el9 build Alexey Gladkov, 2023-09-25

- Updated to kernel-5.14.0-368.el9 (fixes: CVE-2022-45934):
+ Bluetooth: L2CAP: Fix u8 overflow
+ Draft: Merge tag 'kernel-5.14.0-362.4.1.el9_3' from 9.3
+ Expose TPMI interface for SST
+ Merge commit '77fd6b887cd98bac29adffaa04362d033174698e'
+ Merge commit 'ba2e0054d2bb347988c85b4429ef30077cfdc431'
+ Merge tag 'kernel-5.14.0-362.4.1.el9_3' from 9.3
+ arm64: dts: qcom: sa8775p: Backport four commits to silence bogus error messages due to probe deferrals
+ crypto: Backport fixes to eliminate running crypto selftests when FIPS is disabled for automotive
+ drm/amd/display: fix the white screen issue when >= 64GB DRAM
+ net: macsec: fix performance regression between RHEL8 and RHEL9
+ nfsd: fix change_info in NFSv4 RENAME replies
+ perf: sync with upstream v6.5
+ power: TPMI UFS (Uncore Frequency Scaling) Driver
+ power: Update RAPL driver to use TPMI
+ power: pmc: Add PMC driver support for IOE die
+ redhat: add additional gating boot tests
+ sched/nohz: Make nohz_full play nice with cfs bandwidth
+ Various changes and improvements that are poorly described in merge.

scala-2.13.9-alt1 build Andrey Cherepanov, 2023-09-22

- New version (fixes: CVE-2022-36944).

xrdp-0.9.23-alt1 build Andrey Cherepanov, 2023-09-22

- New version.
- Security fixes:
+ CVE-2023-40184: Improper handling of session establishment errors allows bypassing OS-level session restrictions

bind-9.16.44-alt1 build Stanislav Levin, 2023-09-20

- 9.16.42 -> 9.16.44 (fixes: CVE-2023-3341).

openssl3-3.1.3-alt1 build Gleb F-Malinovskiy, 2023-09-19

- Updated to 3.1.3 (fixes CVE-2023-4807).

php8.0-8.0.30-alt1 build Anton Farygin, 2023-09-14

- 8.0.29 -> 8.0.30 (Fixes: CVE-2023-3823, CVE-2023-3824)
- for sisyphus and p11: added conflicts with the installer-stage3 to avoid
using php8.0 in distributios: The first stage of EOL plan

libwebp-1.3.2-alt1 build Yuri N. Sedunov, 2023-09-14

- 1.3.2 (fixed CVE-2023-4863)

thunderbird-115.2.2-alt1 build Pavel Vasenkov, 2023-09-14

- New version.
- Security fixes:
+ CVE-2023-3600 Use-after-free in workers
+ CVE-2023-3417 File Extension Spoofing using the Text Direction Override Character
+ CVE-2023-4045 Offscreen Canvas could have bypassed cross-origin restrictions
+ CVE-2023-4046 Incorrect value used during WASM compilation
+ CVE-2023-4047 Potential permissions request bypass via clickjacking
+ CVE-2023-4048 Crash in DOMParser due to out-of-memory conditions
+ CVE-2023-4049 Fix potential race conditions when releasing platform objects
+ CVE-2023-4050 Stack buffer overflow in StorageManager
+ CVE-2023-4052 File deletion and privilege escalation through Firefox uninstaller
+ CVE-2023-4054 Lack of warning when opening appref-ms files
+ CVE-2023-4055 Cookie jar overflow caused unexpected cookie jar state
+ CVE-2023-4056 Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
+ CVE-2023-4057 Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1
+ CVE-2023-4573 Memory corruption in IPC CanvasTranslator
+ CVE-2023-4574 Memory corruption in IPC ColorPickerShownCallback
+ CVE-2023-4575 Memory corruption in IPC FilePickerShownCallback
+ CVE-2023-4576 Integer Overflow in RecordedSourceSurfaceCreation
+ CVE-2023-4577 Memory corruption in JIT UpdateRegExpStatics
+ CVE-2023-4051 Full screen notification obscured by file open dialog
+ CVE-2023-4578 Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception
+ CVE-2023-4053 Full screen notification obscured by external program
+ CVE-2023-4580 Push notifications saved to disk unencrypted
+ CVE-2023-4581 XLL file extensions were downloadable without warnings
+ CVE-2023-4582 Buffer Overflow in WebGL glGetProgramiv
+ CVE-2023-4583 Browsing Context potentially not cleared when closing Private Window
+ CVE-2023-4584 Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
+ CVE-2023-4585 Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2
+ CVE-2023-4863 Heap buffer overflow in libwebp

chromium-gost-117.0.5938.62-alt1 build Alexey Gladkov, 2023-09-13

- New version (117.0.5938.62).
- Security fixes:
- CVE-2023-4863: Heap buffer overflow in WebP.
- CVE-2023-4900: Inappropriate implementation in Custom Tabs.
- CVE-2023-4901: Inappropriate implementation in Prompts.
- CVE-2023-4902: Inappropriate implementation in Input.
- CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs.
- CVE-2023-4904: Insufficient policy enforcement in Downloads.
- CVE-2023-4905: Inappropriate implementation in Prompts.
- CVE-2023-4906: Insufficient policy enforcement in Autofill.
- CVE-2023-4907: Inappropriate implementation in Intents.
- CVE-2023-4908: Inappropriate implementation in Picture in Picture.
- CVE-2023-4909: Inappropriate implementation in Interstitials.

curl-8.3.0-alt1 build Anton Farygin, 2023-09-13

- 8.2.1 -> 8.3.0
- Fixes:
* CVE-2023-38039 HTTP headers eat all memory
- relaxed check on armh

firefox-117.0.1-alt1 build Alexey Gladkov, 2023-09-13

- New release (117.0.1).
- Security fixes:
+ CVE-2023-4863: Heap buffer overflow in libwebp

chromium-117.0.5938.62-alt1 build Alexey Gladkov, 2023-09-13

salt-3006.3-alt2 build Andrey Cherepanov, 2023-09-12

- Added missing CVE-2023-20897 and CVE-2023-20898 for 3006.2.

vim-9.0.1893-alt1 build Alexander Danilov, 2023-09-11

- Updated to v9.0.1893 (fixes CVE-2023-4781, CVE-2023-4752, CVE-2023-4750,
CVE-2023-4733, CVE-2023-4738, CVE-2023-4736, CVE-2023-4735, CVE-2023-4734).

kernel-image-centos-5.14.0.364-alt1.el9 build Alexey Gladkov, 2023-09-11

- Updated to kernel-5.14.0-364.el9 (fixes: CVE-2023-3776):
+ Draft: Merge tag 'kernel-5.14.0-362.2.1.el9_3' from 9.3
+ Fixes for tracing subsystem
+ Merge commit '22c722feb2234cc45732b4461007d11563119595'
+ Merge tag 'kernel-5.14.0-362.2.1.el9_3' from 9.3
+ PCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation
+ amd64_edac: add support for F19h models 0x60 - 0x7f (Ryzen)
+ arm64: dts: qcom: sa8775p: add the PMU node
+ bonding: update port speed when getting bond speed
+ bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire
+ gpio: davinci: Stop using ARCH_NR_GPIOS
+ gpio: remove MODULE_LICENSE in non-modules
+ iio: adc: imx93: fix a signedness bug in imx93_adc_read_raw()
+ locking: revert comment from KRTS JiraReadiness exercise
+ net/sched: cls_fw: Fix improper refcount update leads to use-after-free
+ pinctrl: qcom: Add intr_target_width field to support increased number of interrupt targets
+ rhel: Re-add can-dev features that were removed accidentally
+ scsi: libfc: Remove get_cpu() semantics in fc_exch_em_alloc()
+ scsi: st: Add third party poweron reset handling
+ Various changes and improvements that are poorly described in merge.

cve-manager-0.81.1-alt1 build Alexey Appolonov, 2023-09-09

- Fixed filtering of cve-monitor reports using bin lists.

cve-manager-0.82.0-alt1 build Alexey Appolonov, 2023-09-09

- New module "cve-issues-prep" used to export a shortened version of
a vulnerability database containing all the necessary information for
detecting vulnerabilities via the "cve-issues" module.

firefox-esr-115.2.1-alt1 build Pavel Vasenkov, 2023-09-08

- New ESR version.
- Security fixes
+ CVE-2023-3600 Use-after-free in workers
+ CVE-2023-4045 Offscreen Canvas could have bypassed cross-origin restrictions
+ CVE-2023-4046 Incorrect value used during WASM compilation
+ CVE-2023-4047 Potential permissions request bypass via clickjacking
+ CVE-2023-4048 Crash in DOMParser due to out-of-memory conditions
+ CVE-2023-4049 Fix potential race conditions when releasing platform objects
+ CVE-2023-4050 Stack buffer overflow in StorageManager
+ CVE-2023-4052 File deletion and privilege escalation through Firefox uninstaller
+ CVE-2023-4054 Lack of warning when opening appref-ms files
+ CVE-2023-4055 Cookie jar overflow caused unexpected cookie jar state
+ CVE-2023-4056 Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
+ CVE-2023-4057 Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1
+ CVE-2023-4573 Memory corruption in IPC CanvasTranslator
+ CVE-2023-4574 Memory corruption in IPC ColorPickerShownCallback
+ CVE-2023-4575 Memory corruption in IPC FilePickerShownCallback
+ CVE-2023-4576 Integer Overflow in RecordedSourceSurfaceCreation
+ CVE-2023-4577 Memory corruption in JIT UpdateRegExpStatics
+ CVE-2023-4051 Full screen notification obscured by file open dialog
+ CVE-2023-4578 Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception
+ CVE-2023-4053 Full screen notification obscured by external program
+ CVE-2023-4580 Push notifications saved to disk unencrypted
+ CVE-2023-4581 XLL file extensions were downloadable without warnings
+ CVE-2023-4582 Buffer Overflow in WebGL glGetProgramiv
+ CVE-2023-4583 Browsing Context potentially not cleared when closing Private Window
+ CVE-2023-4584 Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
+ CVE-2023-4585 Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2
+ CVE-2023-4863 Heap buffer overflow in libwebp

projeto & código: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
mantenedor atual: Michael Shigorin
mantenedor da tradução: Fernando Martini aka fmartini © 2009