Sisyphus repository
Last update: 5 july 2022 | SRPMs: 17503 | Visits: 24515001
en ru br
Security fixes

openssl1.1-1.1.1q-alt1   build Gleb F-Malinovskiy, 2022-07-05


- Updated to 1.1.1q (fixes CVE-2022-2068).

MySQL-8.0.29-alt1   build Nikolai Kostrigin, 2022-06-30


- new version
+ (fixes: CVE-2021-22570, CVE-2022-0778, CVE-2022-21454, CVE-2022-21457)
+ (fixes: CVE-2022-21425, CVE-2022-21440, CVE-2022-21459, CVE-2022-21478)
+ (fixes: CVE-2022-21479, CVE-2022-21418, CVE-2022-21417, CVE-2022-21413)
+ (fixes: CVE-2022-21427, CVE-2022-21412, CVE-2022-21414, CVE-2022-21435)
+ (fixes: CVE-2022-21436, CVE-2022-21437, CVE-2022-21438, CVE-2022-21452)
+ (fixes: CVE-2022-21462, CVE-2022-21415, CVE-2022-21451, CVE-2022-21444)
+ (fixes: CVE-2022-21460, CVE-2022-21423)
- update mysql-shell 8.0.28 -> 8.0.29
- update alt-disable-run-libmysql_api_test patch
- update bundled boost headers 1.73.0 -> 1.77.0
- spec: turn build of mysql-shell and mysql-router off
- add boostfix_multiprecision_issue_419-ppc64le patch

java-11-openjdk-11.0.15.0.10-alt1_1jpp11   build Andrey Cherepanov, 2022-06-29


- New version.
- Security fixes
+ JDK-8270504, CVE-2022-21426: Better XPath expression handling
+ JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
+ JDK-8275151, CVE-2022-21443: Improved Object Identification
+ JDK-8277672, CVE-2022-21434: Better invocation handler handling
+ JDK-8278972, CVE-2022-21496: Improve URL supports

firefox-102.0-alt1   build Alexey Gladkov, 2022-06-29


- New release (102.0).
- Use internal libevent.
- Security fixes:
+ CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content
+ CVE-2022-34470: Use-after-free in nsSHistory
+ CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
+ CVE-2022-34482: Drag and drop of malicious image could have led to malicious executable and potential code execution
+ CVE-2022-34483: Drag and drop of malicious image could have led to malicious executable and potential code execution
+ CVE-2022-34476: ASN.1 parser could have been tricked into accepting malformed ASN.1
+ CVE-2022-34481: Potential integer overflow in ReplaceElementsAt
+ CVE-2022-34474: Sandboxed iframes could redirect to external schemes
+ CVE-2022-34469: TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android
+ CVE-2022-34471: Compromised server could trick a browser into an addon downgrade
+ CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked
+ CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt
+ CVE-2022-2200: Undesired attributes could be set as part of prototype pollution
+ CVE-2022-34480: Free of uninitialized pointer in lg_init
+ CVE-2022-34477: MediaError message property leaked information on cross-origin same-site pages
+ CVE-2022-34475: HTML Sanitizer could have been bypassed via same-origin script via use tags
+ CVE-2022-34473: HTML Sanitizer could have been bypassed via use tags
+ CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
+ CVE-2022-34485: Memory safety bugs fixed in Firefox 102

firefox-esr-91.11.0-alt1   build Pavel Vasenkov, 2022-06-29


- New ESR version.
- Security fixes:
+ CVE-2022-34479 A popup window could be resized in a way to overlay the address bar with web content
+ CVE-2022-34470 Use-after-free in nsSHistory
+ CVE-2022-34468 CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
+ CVE-2022-34481 Potential integer overflow in ReplaceElementsAt
+ CVE-2022-31744 CSP bypass enabling stylesheet injection
+ CVE-2022-34472 Unavailable PAC file resulted in OCSP requests being blocked
+ CVE-2022-34478 Microsoft protocols can be attacked if a user accepts a prompt
+ CVE-2022-2200 Undesired attributes could be set as part of prototype pollution
+ CVE-2022-34484 Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11

vim-8.2.5172-alt1   build Alexander Danilov, 2022-06-28


- Updated to 8.2.5172 (fixes CVE-2022-2129, CVE-2022-2126, CVE-2022-2125,
CVE-2022-2124).

kernel-image-centos-5.14.0.120-alt1.el9   build Alexey Gladkov, 2022-06-27


- Updated to kernel-5.14.0-120.el9 (fixes: CVE-2022-1998, CVE-2022-2078):
+ block: update with 5.18 for rhel 9.1
+ fanotify: Fix stale file descriptor in copy_event_to_user()
+ netfilter: nf_tables: sanitize nft_set_desc_concat_parse()
+ ntb: update from upstream v5.17
+ redhat: spec: trigger dracut when modules are installed separately
+ [s390] s390/zcrypt: Add admask to zcdn
+ scsi: mpi3mr: Add bsg device support
+ tcp: Don't acquire inet_listen_hashbucket::lock with disabled BH.
+ vmxnet3: Update network driver for RHEL 9.1

chromium-103.0.5060.53-alt1   build Alexey Gladkov, 2022-06-25


- New version (103.0.5060.53).
- Security fixes:
- CVE-2022-2156: Use after free in Base.
- CVE-2022-2157: Use after free in Interest groups.
- CVE-2022-2158: Type Confusion in V8.
- CVE-2022-2160: Insufficient policy enforcement in DevTools.
- CVE-2022-2161: Use after free in WebApp Provider.
- CVE-2022-2162: Insufficient policy enforcement in File System API.
- CVE-2022-2163: Use after free in Cast UI and Toolbar.
- CVE-2022-2164: Inappropriate implementation in Extensions API.
- CVE-2022-2165: Insufficient data validation in URL formatting.

mediawiki-1.37.2-alt1   build Vitaly Lipatov, 2022-06-24


- new version 1.37.2 (with rpmrb script)
- (T297571, CVE-2022-28201) (T297731, CVE-2022-28203)
- (T297754, CVE-2022-28204) (T297543, CVE-2022-28202)

openssl1.1-1.1.1p-alt1   build Gleb F-Malinovskiy, 2022-06-22


- Updated to 1.1.1p (fixes CVE-2022-1292, CVE-2022-2068).

openscad-2021.01-alt4   build Anton Midyukov, 2022-06-20


- Fixes:
+ CVE-2022-0496 Out-of-bounds memory access in DXF loader (path
identification)
+ CVE-2022-0497 Out-of-bounds memory access in comment parser
+ Fix build issue with overloaded join().
- cleanup spec

dropbear-2022.82-alt1   build Vitaly Chikunov, 2022-06-19


- Update to DROPBEAR_2022.82 (2022-04-01). (Fixes: CVE-2018-15599,
CVE-2018-5399, CVE-2018-20685, CVE-2019-12953, CVE-2020-15833,
CVE-2020-36254).
- Disable DSS keys.
- Allow password auth.
- Undo authkey_fp patch (as it does not apply to the new codebase).
- Use bundled libtom{crypt,math} maintained by the authors of Dropbear.
- Doc and client packages are merged into main package.
- Add systemd services.
- Correct sftp-server path (to openssh-server binary).

apache2-2.4.54-alt1   build Anton Farygin, 2022-06-19


- 2.4.54 (Fixes: CVE-2022-31813, CVE-2022-30556, CVE-2022-30522, CVE-2022-29404,
CVE-2022-28615, CVE-2022-28614, CVE-2022-28330, CVE-2022-26377)

kernel-image-un-def-5.17.15-alt2   build Vitaly Chikunov, 2022-06-18


- Pick fixes of Intel-specific processor MMIO stale-data vulnerabilities.
(Fixes: CVE-2022-21166, CVE-2022-21125, CVE-2022-21123).

tor-0.4.7.8-alt1   build Hihin Ruslan, 2022-06-18


- Update version
- CVE-2021-3838

python-2.7.18-alt10   build Vladimir D. Seleznev, 2022-06-17


- Secutiry update (fixed: CVE-2015-20107).
- Fixed Url field.

kernel-image-centos-5.14.0.114-alt1.el9   build Alexey Gladkov, 2022-06-17


- Updated to kernel-5.14.0-114.el9 (fixes: CVE-2022-1729):
+ block: ignore RWF_HIPRI hint for sync dio
+ lpfc cs9 (rhel9.1) update
+ perf: Fix sys_perf_event_open() race against self
+ redhat/configs: Drop outdated CRYPTO_ECDH and unify CRYPTO_USER configs
+ [s390] Upgrade the zfcp driver to latest from upstream, e.g. kernel 5.18
+ Update ext4 and jbd2 to upstream v5.17

php7-7.4.30-alt1   build Anton Farygin, 2022-06-16


- 7.4.28 -> 7.4.30 (Fixes: CVE-2022-31626, CVE-2022-31625)

php8.0-8.0.20-alt1   build Anton Farygin, 2022-06-16


- 8.0.19 -> 8.0.20 (Fixes: CVE-2022-31626, CVE-2022-31625)

php8.1-8.1.7-alt1   build Anton Farygin, 2022-06-16


- 8.1.6 -> 8.1.7 (Fixes: CVE-2022-31626, CVE-2022-31625)

libexo-4.17.2-alt1   build Mikhail Efremov, 2022-06-14


- Updated Url tag.
- Updated to 4.17.2 (fixes: CVE-2022-32278).

kernel-image-centos-5.14.0.111-alt1.el9   build Alexey Gladkov, 2022-06-14


- Updated to kernel-5.14.0-111.el9 (fixes: CVE-2022-1966):
+ Add pinctrl support for ADL-N
+ block, loop: support partitions without scanning
+ [Intel 9.1 FEAT] [RPL-P] perf: PerfMon support
+ ipv4: do not use per netns icmp sockets
+ netfilter: nf_tables: disallow non-stateful expression in sets earlier
+ remoteproc: updates
+ scsi: fnic: Finish scsi_cmnd before dropping the spinlock
+ turbostat: fix PC6 displaying on some systems

golang-1.18.3-alt1   build Alexey Shabalin, 2022-06-12


- New version (1.18.3) (Fixes: CVE-2022-30580, CVE-2022-30634, CVE-2022-30629, CVE-2022-29804).

containerd-1.6.6-alt1   build Vladimir Didenko, 2022-06-08


- 1.6.6 (Fixes: CVE-2022-31030)

qemu-7.0.0-alt1   build Alexey Shabalin, 2022-06-07


- 7.0.0.
- Split out qemu-virtiofsd subpackage.
- Backport patches from upstream for fix virtio-scsi.
- Fixes for the following security vulnerabilities:
+ CVE-2021-3507 hw/block/fdc: Prevent end-of-track overrun
+ CVE-2021-4206 ui/cursor: fix integer overflow in cursor_alloc
+ CVE-2021-4207 display/qxl-render: fix race condition in qxl_cursor
+ CVE-2021-3611 hw/audio/intel-hda: Restrict DMA engine to memories
+ CVE-2022-26353 virtio-net: fix map leaking on error during receive
+ CVE-2022-26354 vhost-vsock: detach the virqueue element in case of error
+ CVE-2021-3929 hw/nvme: fix
 
design & coding: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin