Sisyphus repository
Last update: 22 january 2022 | SRPMs: 17486 | Visits: 22821349
en ru br
Security fixes

kernel-image-centos-5.14.0.47-alt1.el9   build Alexey Gladkov, 2022-01-22


- Updated to kernel-5.14.0-47.el9 (fixes: CVE-2021-4001):
+ nvmet: make discovery NQN configurable
+ nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert
+ include/linux/pci.h: Exclude struct hotplug_slot from KABI
+ net/vsock: backport vsock fixes for RHEL-9.0
+ include/linux/irq*.h: Pad irq structs for KABI
+ include/linux/fwnode.h: Exclude fwnode structs from KABI
+ bpf: Fix toctou on read-only map's constant scalar tracking
+ ACPI: tables: FPDT: Do not print FW_BUG message if record types are reserved
+ virtio: support virtio-mem on x86-64 as tech-preview

rust-1.58.1-alt1   build Alexey Gladkov, 2022-01-21


- New version (1.58.1).
- Security fixes:
+ CVE-2022-21658: Fix race condition in std::fs::remove_dir_all

libvirt-8.0.0-alt1   build Alexey Shabalin, 2022-01-21


- 8.0.0 (Fixes: CVE-2021-4147)

flatpak-1.12.4-alt1   build Yuri N. Sedunov, 2022-01-19


- 1.12.4 (fixed CVE-2022-21682, CVE-2021-43860)

flatpak-builder-1.2.2-alt1   build Yuri N. Sedunov, 2022-01-19


- 1.2.2 (fixed CVE-2022-21682)

kernel-image-centos-5.14.0.45-alt1.el9   build Alexey Gladkov, 2022-01-19


- Workqueue update for RT prerequisites
- nvme: avoid race in shutdown namespace removal
- powerpc/xmon: Dump XIVE information for online-only processors.
- CVE-2021-20322 - ipv4: make exception cache less predictible
- [s390] s390/cio: make ccw_device_dma_* more robust
- [s390] s390/pci: add s390_iommu_aperture kernel parameter
- [s390] s390/pci: cleanup resources only if necessary
- [s390] s390/sclp: fix Secure-IPL facility detection
- Revert "[redhat] Generate a crashkernel.default for each kernel build"
- ibmvnic: fix kdump over nfs when auto priority disabled for ibmvnic
- ibmvnic: don't stop queue in xmit
- bpf/selftests: allow disabling tests
- kernel/crash_core: suppress unknown crashkernel parameter warning
- mm: fix memory onlining under the debug kernel
- Fixing CVE-2021-3752 for RHEL-9
- zstd: Sync with upstream 5.16 fixes and improvements

MySQL-8.0.28-alt1   build Nikolai Kostrigin, 2022-01-19


- new version
+ (fixes: CVE-2021-22946, CVE-2022-21245, CVE-2022-21249, CVE-2022-21253)
+ (fixes: CVE-2022-21254, CVE-2022-21256, CVE-2022-21264, CVE-2022-21265)
+ (fixes: CVE-2022-21270, CVE-2022-21278, CVE-2022-21297, CVE-2022-21301)
+ (fixes: CVE-2022-21302, CVE-2022-21303, CVE-2022-21304, CVE-2022-21339)
+ (fixes: CVE-2022-21342, CVE-2022-21344, CVE-2022-21348, CVE-2022-21351)
+ (fixes: CVE-2022-21352, CVE-2022-21358, CVE-2022-21362, CVE-2022-21367)
+ (fixes: CVE-2022-21368, CVE-2022-21370, CVE-2022-21372, CVE-2022-21374)
+ (fixes: CVE-2022-21378, CVE-2022-21379)
- update mysql-shell 8.0.27 -> 8.0.28
- unbundle libicu
- add libssh-devel to BR: for mysql-router

expat-2.4.3-alt1   build Vladimir D. Seleznev, 2022-01-18


- Updated to 2.4.3 (with multiple security fixes).
- Fixes:
+ CVE-2021-45960 issues with left shift by >= 29 places in function storeAtts that
can lead to realloc misbehavior;
+ CVE-2021-46143 Integer overflow on variable m_groupSize in function doProlog;
+ CVE-2022-22822 Integer overflows near memory allocation in function addBinding;
+ CVE-2022-22823 Integer overflows near memory allocation in function build_model;
+ CVE-2022-22824 Integer overflows near memory allocation in function defineAttribute;
+ CVE-2022-22825 Integer overflows near memory allocation in function lookup;
+ CVE-2022-22826 Integer overflows near memory allocation in function nextScaffoldPart;
+ CVE-2022-22827 Integer overflows near memory allocation in function storeAtts.

clamav-0.103.5-alt1   build Sergey Y. Afonin, 2022-01-18


- 0.103.5 (CVE-2022-20698)

python3-module-django-3.2.11-alt1   build Alexey Shabalin, 2022-01-18


- new version 3.2.11
- Fixes for the following security vulnerabilities:
+ CVE-2021-45115 Prevented DoS vector in UserAttributeSimilarityValidator.
+ CVE-2021-45116 Fixed potential information disclosure in dictsort template filter.
+ CVE-2021-45452 Fixed potential path traversal in storage subsystem.

prosody-0.11.12-alt1   build Vladimir D. Seleznev, 2022-01-17


- Updated to 0.11.12 (fixes CVE-2022-0217).

cryptsetup-2.4.3-alt1   build Alexey Shabalin, 2022-01-17


- 2.4.3 (Fixes: CVE-2021-4122).

systemd-249.9-alt1   build Alexey Shabalin, 2022-01-14


- 249.9 (Fixes: CVE-2021-3997)

cve-manager-0.60.0-alt1   build Alexey Appolonov, 2022-01-14


- Improved module "cve-backup";
- Improved exception handling;
- The names of sections for DB connection params and SMTP connection params,
as well as the names of the parameters themselves, have been changed (use
the "transitions/from-0.59-to-0.60" script for the transition).

firefox-96.0-alt1   build Alexey Gladkov, 2022-01-12


- New release (96.0).
- Disable webrtc for armh, ppc64le.
- Security fixes:
+ CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof
+ CVE-2022-22743: Browser window spoof using fullscreen mode
+ CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode
+ CVE-2022-22741: Browser window spoof using fullscreen mode
+ CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
+ CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
+ CVE-2022-22737: Race condition when playing audio files
+ CVE-2021-4140: Iframe sandbox bypass with XSLT
+ CVE-2022-22750: IPC passing of resource handles could have lead to sandbox bypass
+ CVE-2022-22749: Lack of URL restrictions when scanning QR codes
+ CVE-2022-22748: Spoofed origin on external protocol launch dialog
+ CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event
+ CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
+ CVE-2022-22747: Crash when handling empty pkcs7 sequence
+ CVE-2022-22736: Potential local privilege escalation when loading modules from the install directory.
+ CVE-2022-22739: Missing throttling on external protocol launch dialog
+ CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5
+ CVE-2022-22752: Memory safety bugs fixed in Firefox 96

thunderbird-91.5.0-alt1   build Andrey Cherepanov, 2022-01-12


- New version.
- Security fixes:
+ CVE-2022-22746 Calling into reportValidity could have lead to fullscreen window spoof
+ CVE-2022-22743 Browser window spoof using fullscreen mode
+ CVE-2022-22742 Out-of-bounds memory access when inserting text in edit mode
+ CVE-2022-22741 Browser window spoof using fullscreen mode
+ CVE-2022-22740 Use-after-free of ChannelEventQueue::mOwner
+ CVE-2022-22738 Heap-buffer-overflow in blendGaussianBlur
+ CVE-2022-22737 Race condition when playing audio files
+ CVE-2021-4140 Iframe sandbox bypass with XSLT
+ CVE-2022-22748 Spoofed origin on external protocol launch dialog
+ CVE-2022-22745 Leaking cross-origin URLs through securitypolicyviolation event
+ CVE-2022-22744 The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
+ CVE-2022-22747 Crash when handling empty pkcs7 sequence
+ CVE-2022-22739 Missing throttling on external protocol launch dialog
+ CVE-2022-22751 Memory safety bugs fixed in Thunderbird 91.5

firefox-esr-91.5.0-alt1   build Andrey Cherepanov, 2022-01-11


- New ESR version.
- Security fixes:
+ CVE-2022-22746 Calling into reportValidity could have lead to fullscreen window spoof
+ CVE-2022-22743 Browser window spoof using fullscreen mode
+ CVE-2022-22742 Out-of-bounds memory access when inserting text in edit mode
+ CVE-2022-22741 Browser window spoof using fullscreen mode
+ CVE-2022-22740 Use-after-free of ChannelEventQueue::mOwner
+ CVE-2022-22738 Heap-buffer-overflow in blendGaussianBlur
+ CVE-2022-22737 Race condition when playing audio files
+ CVE-2021-4140 Iframe sandbox bypass with XSLT
+ CVE-2022-22748 Spoofed origin on external protocol launch dialog
+ CVE-2022-22745 Leaking cross-origin URLs through securitypolicyviolation event
+ CVE-2022-22744 The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
+ CVE-2022-22747 Crash when handling empty pkcs7 sequence
+ CVE-2022-22739 Missing throttling on external protocol launch dialog
+ CVE-2022-22751 Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

kernel-image-centos-5.14.0.40-alt1.el9   build Alexey Gladkov, 2022-01-11


- Replace deprecated CPU-hotplug functions for kernel-rt
- Input: i8042 - Add quirk for Fujitsu Lifebook T725
- sctp: backports from upstream
- sctp: enhancements for the verification tag
- Fix CVE-2020-27820
- redhat/configs: NFS: disable UDP, insecure enctypes

chromium-97.0.4692.71-alt1   build Alexey Gladkov, 2022-01-05


- New version (97.0.4692.71).
- Security fixes:
- CVE-2022-0096: Use after free in Storage.
- CVE-2022-0097: Inappropriate implementation in DevTools.
- CVE-2022-0098: Use after free in Screen Capture.
- CVE-2022-0099: Use after free in Sign-in.
- CVE-2022-0100: Heap buffer overflow in Media streams API.
- CVE-2022-0101: Heap buffer overflow in Bookmarks.
- CVE-2022-0102: Type Confusion in V8 .
- CVE-2022-0103: Use after free in SwiftShader.
- CVE-2022-0104: Heap buffer overflow in ANGLE.
- CVE-2022-0105: Use after free in PDF.
- CVE-2022-0106: Use after free in Autofill.
- CVE-2022-0107: Use after free in File Manager API.
- CVE-2022-0108: Inappropriate implementation in Navigation.
- CVE-2022-0109: Inappropriate implementation in Autofill.
- CVE-2022-0110: Incorrect security UI in Autofill.
- CVE-2022-0111: Inappropriate implementation in Navigation.
- CVE-2022-0112: Incorrect security UI in Browser UI.
- CVE-2022-0113: Inappropriate implementation in Blink.
- CVE-2022-0114: Out of bounds memory access in Web Serial.
- CVE-2022-0115: Uninitialized Use in File API.
- CVE-2022-0116: Inappropriate implementation in Compositing.
- CVE-2022-0117: Policy bypass in Service Workers.
- CVE-2022-0118: Inappropriate implementation in WebShare.
- CVE-2022-0120: Inappropriate implementation in Passwords.

wireshark-3.6.1-alt1   build Anton Farygin, 2022-01-03


- 3.6.1 (Fixes: CVE-2021-4185, CVE-2021-4184, CVE-2021-4183, CVE-2021-4182, CVE-2021-4181)

mc-4.8.27-alt1   build Sergey Y. Afonin, 2021-12-21


- 4.8.27 (CVE-2021-36370; ALT #40217)

apache2-2.4.52-alt1   build Anton Farygin, 2021-12-21


- 2.4.52 (Fixes: CVE-2021-44790, CVE-2021-44224)

thunderbird-91.4.1-alt1   build Andrey Cherepanov, 2021-12-21


- New version.
- Security fixes:
+ CVE-2021-4126 OpenPGP signature status doesn't consider additional message content
+ CVE-2021-44538 Matrix chat library libolm bundled with Thunderbird vulnerable to a buffer overflow

libwebkitgtk4-2.34.3-alt1   build Yuri N. Sedunov, 2021-12-20


- 2.34.3 (fixed CVE-2021-30809, CVE-2021-30818, CVE-2021-30823,
CVE-2021-30836, CVE-2021-30884, CVE-2021-30887, CVE-2021-30888,
CVE-2021-30889, CVE-2021-30890, CVE-2021-30897)
- enabled libavif support

mediawiki-1.37.1-alt1   build Vitaly Lipatov, 2021-12-19


- new version 1.37.1 (with rpmrb script)
- (T292763, CVE-2021-44854) (T271037, CVE-2021-44856)
- (T297322, CVE-2021-44857) (T297322, CVE-2021-44858)
- (T297574, CVE-2021-45038) (T293589, CVE-2021-44855) (T294686)
 
design & coding: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin