Sisyphus repository
Last update: 26 november 2022 | SRPMs: 17930 | Visits: 25402486
en ru br
Security fixes

multipath-tools-0.9.3-alt1   build Alexey Shabalin, 2022-11-25


- 0.9.3 (Fexes: CVE-2022-41973, CVE-2022-41974) (ALT #44440)

node-16.18.1-alt1   build Vitaly Lipatov, 2022-11-23


- new version 16.18.1 (with rpmrb script)
- CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)

salt-3004.2-alt1   build Andrey Cherepanov, 2022-11-21


- New version.
- Security fixes: CVE-2022-22967, CVE-2022-22941, CVE-2022-22936,
CVE-2022-22935, CVE-2022-22934.

sysstat-12.6.0-alt2   build Alexander Danilov, 2022-11-18


- fixes CVE-2022-39377

chromium-107.0.5304.110-alt1   build Alexey Gladkov, 2022-11-18


- New version (107.0.5304.110).
- Security fixes:
- CVE-2022-3885: Use after free in V8.
- CVE-2022-3886: Use after free in Speech Recognition.
- CVE-2022-3887: Use after free in Web Workers.
- CVE-2022-3888: Use after free in WebCodecs.
- CVE-2022-3889: Type Confusion in V8.
- CVE-2022-3890: Heap buffer overflow in Crashpad.

freerdp-2.9.0-alt1   build Andrey Cherepanov, 2022-11-18


- New version.
- Fixed multiple client side input validation issues
(CVE-2022-39316, CVE-2022-39317, CVE-2022-39318, CVE-2022-39319,
CVE-2022-39320, CVE-2022-41877, CVE-2022-39347).

netatalk-3.1.13-alt1   build Yuri N. Sedunov, 2022-11-17


- 3.1.13 (fixed CVE-2021-31439, CVE-2022-23121, CVE-2022-23122,
CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194)

krb5-1.19.4-alt1   build Ivan A. Melnikov, 2022-11-16


- 1.19.4 (Fixes: CVE-2022-42898)

thunderbird-102.5.0-alt1   build Pavel Vasenkov, 2022-11-16


- New version.
- Security fixes:
+ CVE-2022-45403 Service Workers might have learned size of cross-origin media files
+ CVE-2022-45404 Fullscreen notification bypass
+ CVE-2022-45405 Use-after-free in InputStream implementation
+ CVE-2022-45406 Use-after-free of a JavaScript Realm
+ CVE-2022-45408 Fullscreen notification bypass via windowName
+ CVE-2022-45409 Use-after-free in Garbage Collection
+ CVE-2022-45410 ServiceWorker-intercepted requests bypassed SameSite cookie policy
+ CVE-2022-45411 Cross-Site Tracing was possible via non-standard override headers
+ CVE-2022-45412 Symlinks may resolve to partially uninitialized buffers
+ CVE-2022-45416 Keystroke Side-Channel Leakage
+ CVE-2022-45418 Custom mouse cursor could have been drawn over browser UI
+ CVE-2022-45420 Iframe contents could be rendered outside the iframe
+ CVE-2022-45421 Memory safety bugs fixed in Thunderbird 102.5

firefox-esr-102.5.0-alt1   build Pavel Vasenkov, 2022-11-16


- New ESR version.
- Security fixes:
+ CVE-2022-45403 Service Workers might have learned size of cross-origin media files
+ CVE-2022-45404 Fullscreen notification bypass
+ CVE-2022-45405 Use-after-free in InputStream implementation
+ CVE-2022-45406 Use-after-free of a JavaScript Realm
+ CVE-2022-45408 Fullscreen notification bypass via windowName
+ CVE-2022-45409 Use-after-free in Garbage Collection
+ CVE-2022-45410 ServiceWorker-intercepted requests bypassed SameSite cookie policy
+ CVE-2022-45411 Cross-Site Tracing was possible via non-standard override headers
+ CVE-2022-45412 Symlinks may resolve to partially uninitialized buffers
+ CVE-2022-45416 Keystroke Side-Channel Leakage
+ CVE-2022-45418 Custom mouse cursor could have been drawn over browser UI
+ CVE-2022-45420 Iframe contents could be rendered outside the iframe
+ CVE-2022-45421 Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

firefox-107.0-alt1   build Alexey Gladkov, 2022-11-15


- New release (107.0).
- Security fixes:
+ CVE-2022-45403: Service Workers might have learned size of cross-origin media files
+ CVE-2022-45404: Fullscreen notification bypass
+ CVE-2022-45405: Use-after-free in InputStream implementation
+ CVE-2022-45406: Use-after-free of a JavaScript Realm
+ CVE-2022-45407: Loading fonts on workers was not thread-safe
+ CVE-2022-45408: Fullscreen notification bypass via windowName
+ CVE-2022-45409: Use-after-free in Garbage Collection
+ CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy
+ CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers
+ CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers
+ CVE-2022-45413: SameSite=Strict cookies could have been sent cross-site via intent URLs
+ CVE-2022-40674: Use-after-free vulnerability in expat
+ CVE-2022-45415: Downloaded file may have been saved with malicious extension
+ CVE-2022-45416: Keystroke Side-Channel Leakage
+ CVE-2022-45417: Service Workers in Private Browsing Mode may have been written to disk
+ CVE-2022-45418: Custom mouse cursor could have been drawn over browser UiI
+ CVE-2022-45419: Deleting a security exception did not take effect immediately
+ CVE-2022-45420: Iframe contents could be rendered outside the iframe
+ CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

qemu-7.1.0-alt1   build Alexey Shabalin, 2022-11-14


- 7.1.0 (Fixes: CVE-2020-14394, CVE-2022-0216).

pve-qemu-7.1.0-alt1   build Alexey Shabalin, 2022-11-14


- 7.1.0-3 (Fixes: CVE-2020-14394, CVE-2022-0216, CVE-2021-3507
CVE-2021-4206, CVE-2021-4207, CVE-2021-3611, CVE-2022-26353
CVE-2022-26354, CVE-2021-3929)

kernel-image-centos-5.14.0.192-alt1.el9   build Alexey Gladkov, 2022-11-11


- Updated to kernel-5.14.0-192.el9 (fixes: CVE-2022-2663, CVE-2022-3028, CVE-2022-42703):
+ af_key: Do not call xfrm_probe_algs in parallel
+ audit: backport fixes and cleanups up to upstream v6.1
+ Backport fs v6.0 and earlier commits for kernel-rt
+ block: update with v6.1-rc2
+ CNB: ethernet: add a helper for assigning port addresses
+ CNB: inet: Separate DSCP from ECN bits and use dscp_t for TOS fields
+ CNB: net: disambiguate the TSO and GSO limits
+ CNB: net: HW counters for soft devices
+ CNB: net/sched: act_police: allow 'continue' action offload
+ crypto: xts - restrict key lengths to approved values in FIPS mode
+ drm: fix duplicated code in drm_connector_register
+ drm/mgag200: Fix PLL setup for G200_SE_A rev >=4
+ Enable the RTC rv8803 driver
+ Fix and stabilize vm selftests results before including in CI
+ iavf: Fix adminq error handling
+ iomap update to v5.16
+ io_uring: update to v5.16
+ io_uring: update to v5.17
+ io_uring: update to v5.18
+ ipv4: Backport upstream fixes.
+ kselftests 9.2 P1 backport
+ KVM on s390x resync, Protected dump, Enhanced Interpretation for PCI Functions and CPU topology
+ KVM: selftests: replace assertion with warning in access_tracking_perf_test
+ KVM: VMX: fully disable SGX if SECONDARY_EXEC_ENCLS_EXITING unavailable
+ memcg: Add memory.reclaim support
+ memcg: Backport some useful upstream patches
+ Merge commit '0e769f75b4fb40e853ac8c3a8974516424a57c23'
+ Merge commit '5df889efab934c03c35799d3338d36bd722e093c'
+ mm/rmap: Fix use-after-free related to leaf anon_vma double reuse (CVE-2022-42703)
+ mm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.
+ netfilter: 9.2 phase 1 backports
+ netfilter: fix message handling flaw
+ net: team: Unsync device addresses on ndo_stop
+ NFS/SUNRPC: Client needs to handle session trunking group membership changes
+ owners: Remove Inaki Malerba from the owner's list as he is leaving the company
+ PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time
+ perf/arm-cmn: cmn updates, cmn650/700 support
+ perf: Sync with upstream v5.19
+ powerpc/pseries: Use lparcfg to reconfig VAS windows for DLPAR CPU
+ powerpc/pseries/vas: Pass hw_cpu_id to node associativity HCALL
+ redhat: create /boot symvers link if it doesn't exist
+ redhat: fix the branch we pull from the documentation tree
+ redhat/Makefile: Rename LOCALVERSION to DISTLOCALVERSION
+ remoteproc: imx_rproc : updates
+ [RHEL-9.2] iommu: amd: Updates for 9.2
+ scsi: fix mpi3mr: for rt-kernels
+ scsi: iscsi: driver updates
+ scsi: qedi: update driver to latest upstream
+ scsi: scsi_transport_fc: Use %u for dev_loss_tmo
+ selftests/bpf: Limit unroll_count for pyperf600 test
+ spec: fix path to `installing_core` stamp file for subpackages
+ tipc: backports from upstream
+ Update ACPI to match Linux v6.0
+ Update drivers/rtc for known edge platforms
+ Update kernel's PCI subsystem to v6.0
+ Update objtool to v5.19
+ Update USB And Thunderbolt to v6.0
+ watchdog: imx7ulp: updates
+ x86/fpu: Do not leak fpstate pointer on fork
+ x86/fpu: Prevent FPU state corruption
+ xfrm: backports from upstream
+ Various changes and improvements that are poorly described in merge.

gmp-6.2.1-alt5   build Alexander Danilov, 2022-11-10


- Backported upstream commit "mpz/inp_raw.c: Avoid bit size overflows"
(thx Marco Bodrato) (fixes CVE-2021-43618).

ntfs-3g-2021.8.22-alt2   build Alexander Danilov, 2022-11-08


- Fixes (CVE-2021-46790, CVE-2022-30783, CVE-2022-30784, CVE-2022-30785,
CVE-2022-30786, CVE-2022-30787, CVE-2022-30788, CVE-2022-30789,
CVE-2022-40284)

sudo-1.9.12p1-alt1   build Evgeny Sinelnikov, 2022-11-07


- Update to latest stable bugfix and security release (fixes: CVE-2022-43995).
- Major improvements from latest Sisyphus release:
+ For ptrace-based intercept mode, sudo will now attempt to verify that the
command path name, arguments and environment have not changed from the time
when they were authorized by the security policy. The new intercept_verify
sudoers setting can be used to control this behavior.
+ Sudo now supports passing the execve(2) system call the NULL pointer for the
argv and/or envp arguments when in intercept mode. Linux treats a NULL pointer
like an empty array.
+ Neovim has been added to the list of visudo editors that support passing the
line number on the command line.
+ Added a new -N (no-update) command line option to sudo which can be used to
prevent sudo from updating the user's cached credentials.
+ PAM approval modules are no longer invoked when running sub-commands in
intercept mode unless the intercept_authenticate option is set. There is a
substantial performance penalty for calling into PAM for each command run.
PAM approval modules are still called for the initial command.
+ Intercept mode on Linux now uses process_vm_readv(2) and process_vm_writev(2)
if available.
+ The XDG_CURRENT_DESKTOP environment variable is now preserved by default.
This makes it possible for graphical applications to choose the correct theme
when run via sudo.
+ The cvtsudoers manual now documents the JSON and CSV output formats.
+ The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout sudoers
settings can be used to support more fine-grained I/O logging. The sudo
front-end no longer allocates a pseudo-terminal when running a command if the
I/O logging plugin requests logging of stdin, stdout, or stderr but not
terminal input/output.
+ Added the -I option to visudo which only edits the main sudoers file.
Include files are not edited unless a syntax error is found.

libpixman-0.42.2-alt1   build Valery Inozemtsev, 2022-11-05


- 0.42.2 (fixed CVE-2022-44638)

glpi-10.0.5-alt1   build Pavel Zilke, 2022-11-04


- New version 10.0.4
- This release fixes several security issues that has been recently discovered. Update is recommended!
- Security fixes:
+ CVE-2022-39276 : Blind SSRF in RSS feeds and planning
+ CVE-2022-39372 : Stored XSS in user information
+ CVE-2022-39373 : Stored XSS in entity name
+ CVE-2022-39376 : Improper input validation on emails links
+ CVE-2022-39370 : Improper access to debug panel
+ CVE-2022-39234 : User's session persist after permanently deleting his account
+ CVE-2022-39262 : Stored XSS on login page
+ CVE-2022-39277 : XSS in external links
+ CVE-2022-39375 : XSS through public RSS feed
+ CVE-2022-39323 : SQL Injection on REST API
+ CVE-2022-39371 : Stored XSS through asset inventory

php7-7.4.33-alt1   build Anton Farygin, 2022-11-03


- 7.4.32 -> 7.4.33 (Fixes: CVE-2022-31630, CVE-2022-37454)

golang-1.19.3-alt1   build Alexey Shabalin, 2022-11-03


- New version (1.19.3) (Fixes: CVE-2022-41716).

perl-DBI-1.643-alt3   build Alexander Danilov, 2022-11-02


- rename patch lib-DBD-File.pm-fix-CVE-2014-10401.patch
- fixes changelog

vim-9.0.0823-alt1   build Alexander Danilov, 2022-11-01


- Updated to v9.0.0823 (fixes CVE-2022-3705).

poco-1.12.4-alt1   build Alexei Takaseev, 2022-11-01


- 1.12.4 (Fixes CVE-2022-43680)

chromium-gost-107.0.5304.87-alt1   build Alexey Gladkov, 2022-11-01


- New version (107.0.5304.87).
- Security fixes:
- CVE-2022-3723: Type Confusion in V8.
- CVE-2022-3652: Type Confusion in V8.
- CVE-2022-3653: Heap buffer overflow in Vulkan.
- CVE-2022-3654: Use after free in Layout.
- CVE-2022-3655: Heap buffer overflow in Media Galleries.
- CVE-2022-3656: Insufficient data validation in File System.
- CVE-2022-3657: Use after free in Extensions.
- CVE-2022-3658: Use after free in Feedback service on Chrome OS.
- CVE-2022-3659: Use after free in Accessibility.
- CVE-2022-3660: Inappropriate implementation in Full screen mode.
- CVE-2022-3661: Insufficient data validation in Extensions.
 
design & coding: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin