IMG Image: alt-workstation-10.1-aarch64.img.xz

Version: 102.6.0-alt1 → 115.10.0-alt1

Summary: The Mozilla Firefox project is a redesign of Mozilla's browser (ESR version)

April 16, 2024 Pavel Vasenkov:

- New ESR version.
- Security fixes
  + CVE-2024-3852 GetBoundName in the JIT returned the wrong object
  + CVE-2024-3854 Out-of-bounds-read after mis-optimized switch statement
  + CVE-2024-3857 Incorrect JITting of arguments led to use-after-free during garbage collection
  + CVE-2024-2609 Permission prompt input delay could expire when not in focus
  + CVE-2024-3859 Integer-overflow led to out-of-bounds-read in the OpenType sanitizer
  + CVE-2024-3861 Potential use-after-free due to AlignedBuffer self-move
  + CVE-2024-3863 Download Protections were bypassed by .xrm-ms files on Windows
  + CVE-2024-3302 Denial of Service using HTTP/2 CONTINUATION frames
  + CVE-2024-3864 Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10

Version: 1.14.1-alt1 → 1.14.6-alt1

Summary: Libraries for flatpak

April 22, 2024 Yuri N. Sedunov:

- 1.14.6 (fixed CVE-2024-32462)

Version: 6.2.0-alt1.p10 → 8.2.2-alt0.p10

Summary: QEMU auxiliary package

April 8, 2024 Alexey Shabalin:

- 8.2.2.
- Fixes: CVE-2023-42467, CVE-2023-1544, CVE-2023-3255, CVE-2023-3019,
         CVE-2021-3527, CVE-2023-6693, CVE-2023-0330, CVE-2023-6683.
- backkport patches (Fixes:  CVE-2024-26327, CVE-2024-26328).
- LoongArch KVM support from https://github.com/loongson/qemu.git,
  branch kvm-loongarch, commit 432f4cf89493f2a1ac144018224e7d1b4fbc31a4.
- qemu-user: fixed running 32-bit x86 binaries on hosts with a page
  size > 4KB (such as LoongArch, ppc64*)
- spec:
  + LoongArch: work around old glibc-kernheaders (thanks iv@)
  + LoongArch: pmem is not supported [yet]
- update vitastor block driver to vitastor-v1.3.1.

Version: 6.2.0-alt1.p10 → 8.2.2-alt0.p10

Summary: QEMU guest agent

April 8, 2024 Alexey Shabalin:

- 8.2.2.
- Fixes: CVE-2023-42467, CVE-2023-1544, CVE-2023-3255, CVE-2023-3019,
         CVE-2021-3527, CVE-2023-6693, CVE-2023-0330, CVE-2023-6683.
- backkport patches (Fixes:  CVE-2024-26327, CVE-2024-26328).
- LoongArch KVM support from https://github.com/loongson/qemu.git,
  branch kvm-loongarch, commit 432f4cf89493f2a1ac144018224e7d1b4fbc31a4.
- qemu-user: fixed running 32-bit x86 binaries on hosts with a page
  size > 4KB (such as LoongArch, ppc64*)
- spec:
  + LoongArch: work around old glibc-kernheaders (thanks iv@)
  + LoongArch: pmem is not supported [yet]
- update vitastor block driver to vitastor-v1.3.1.

Version: 1.20.14-alt6 → 1.20.14-alt12

Summary: Xserver - X Window System display server

April 4, 2024 Valery Inozemtsev:

- cherry pick upstream fixes for CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083

Version: 1.20.14-alt6 → 1.20.14-alt12

Summary: The X server common files

April 4, 2024 Valery Inozemtsev:

- cherry pick upstream fixes for CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083

Version: 102.6.0-alt1 → 115.9.1-alt1

Summary: The Mozilla Firefox project is a redesign of Mozilla's browser (ESR version)

April 3, 2024 Pavel Vasenkov:

- New ESR version.
- Security fixes
  + CVE-2024-0743 Crash in NSS TLS method
  + CVE-2024-2605 Windows Error Reporter could be used as a Sandbox escape vector
  + CVE-2024-2607 JIT code failed to save return registers on Armv7-A
  + CVE-2024-2608 Integer overflow could have led to out of bounds write
  + CVE-2024-2616 Improve handling of out-of-memory conditions in ICU
  + CVE-2023-5388 NSS susceptible to timing attack against RSA decryption
  + CVE-2024-2610 Improper handling of html and body tags enabled CSP nonce leakage
  + CVE-2024-2611 Clickjacking vulnerability could have led to a user accidentally granting permissions
  + CVE-2024-2612 Self referencing object could have potentially led to a use-after-free
  + CVE-2024-2614 Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9
  + CVE-2024-29944 Privileged JavaScript Execution via Event Handlers

Version: 1.41.0-alt1 → 1.61.0-alt1

Summary: HTTP/2.0 C Library

April 5, 2024 Anton Farygin:

- 1.60.0 -> 1.61.0 (Fixes: CVE-2024-28182)

Version: 3.6.16-alt2 → 3.6.16-alt5

Summary: Transport Layer Security library

March 29, 2024 Mikhail Efremov:

- Fix side-channel in the deterministic ECDSA (fixes: CVE-2024-28834).
- tests: Add test for CVE-2024-28835.
- rsa-psk: minimize branching after decryption (fixes: CVE-2024-0553).
- x509: detect loop in certificate chain (fixes: CVE-2024-0567).

Version: 7.87.0-alt1 → 8.7.1-alt1

Summary: The shared library for file transfer

March 27, 2024 Anton Farygin:

- 8.6.0 -> 8.7.1
- Fixes:
   * CVE-2024-2398: HTTP/2 push headers memory-leak
   * CVE-2024-2004: Usage of disabled protocol

Version: 7.87.0-alt1 → 8.7.1-alt1

Summary: Gets a file from a FTP, GOPHER or HTTP server

March 27, 2024 Anton Farygin:

- 8.6.0 -> 8.7.1
- Fixes:
   * CVE-2024-2398: HTTP/2 push headers memory-leak
   * CVE-2024-2004: Usage of disabled protocol

Version: 3.0.1-alt1 → 3.0.1-alt1.p10.1

Summary: The new and improved version of a small but fast template engine

Feb. 26, 2024 Andrey Cherepanov:

- Fixed CVE-2024-22195.

Version: 7.87.0-alt1 → 8.6.0-alt1

Summary: Gets a file from a FTP, GOPHER or HTTP server

Jan. 31, 2024 Anton Farygin:

- 8.5.0 -> 8.6.0
- Fixes:
   * CVE-2024-0853 : OCSP verification bypass with TLS session reuse

Version: 7.87.0-alt1 → 8.6.0-alt1

Summary: The shared library for file transfer

Jan. 31, 2024 Anton Farygin:

- 8.5.0 -> 8.6.0
- Fixes:
   * CVE-2024-0853 : OCSP verification bypass with TLS session reuse

Version: 4.4.2-alt1 → 4.4.4-alt1

Summary: FFmpeg image scaling and colorspace and pixel format conversion library

June 20, 2023 Anton Farygin:

- 4.4.3 -> 4.4.4 (Fixes: CVE-2022-3964, CVE-2022-3341, CVE-2022-3109)

Version: 4.4.2-alt1 → 4.4.4-alt1

Summary: FFmpeg audio, video and subtitle streams (de)multiplexing library

June 20, 2023 Anton Farygin:

- 4.4.3 -> 4.4.4 (Fixes: CVE-2022-3964, CVE-2022-3341, CVE-2022-3109)

Version: 4.4.2-alt1 → 4.4.4-alt1

Summary: provides implementation of a wider range of codecs

June 20, 2023 Anton Farygin:

- 4.4.3 -> 4.4.4 (Fixes: CVE-2022-3964, CVE-2022-3341, CVE-2022-3109)

Version: 4.4.2-alt1 → 4.4.4-alt1

Summary: FFmpeg audio resampling, rematrixing and sample format conversion library

June 20, 2023 Anton Farygin:

- 4.4.3 -> 4.4.4 (Fixes: CVE-2022-3964, CVE-2022-3341, CVE-2022-3109)

Version: 4.4.2-alt1 → 4.4.4-alt1

Summary: FFmpeg postprocessing library

June 20, 2023 Anton Farygin:

- 4.4.3 -> 4.4.4 (Fixes: CVE-2022-3964, CVE-2022-3341, CVE-2022-3109)

Version: 4.4.2-alt1 → 4.4.4-alt1

Summary: Utility library to aid portable multimedia programming

June 20, 2023 Anton Farygin:

- 4.4.3 -> 4.4.4 (Fixes: CVE-2022-3964, CVE-2022-3341, CVE-2022-3109)

Version: 4.4.2-alt1 → 4.4.4-alt1

Summary: FFmpeg video postprocessing library

June 20, 2023 Anton Farygin:

- 4.4.3 -> 4.4.4 (Fixes: CVE-2022-3964, CVE-2022-3341, CVE-2022-3109)

Version: 4.4.2-alt1 → 4.4.4-alt1

Summary: FFmpeg filter layer library

June 20, 2023 Anton Farygin:

- 4.4.3 -> 4.4.4 (Fixes: CVE-2022-3964, CVE-2022-3341, CVE-2022-3109)

Version: 3.9.6-alt1 → 3.9.18-alt1

Summary: Version 3 of the Python programming language aka Python 3000

Feb. 15, 2024 Grigory Ustinov:

- Updated to upstream version 3.9.18 (Closes: #49415).
- Fixed CVE's (Fixes: CVE-2023-0286, CVE-2022-4303, CVE-2023-40217, CVE-2023-24329).

Version: 3.9.6-alt1 → 3.9.18-alt1

Summary: DB-API 2.0 interface for SQLite databases

Feb. 15, 2024 Grigory Ustinov:

- Updated to upstream version 3.9.18 (Closes: #49415).
- Fixed CVE's (Fixes: CVE-2023-0286, CVE-2022-4303, CVE-2023-40217, CVE-2023-24329).

Version: 3.9.6-alt1 → 3.9.18-alt1

Summary: Python3 shared library

Feb. 15, 2024 Grigory Ustinov:

- Updated to upstream version 3.9.18 (Closes: #49415).
- Fixed CVE's (Fixes: CVE-2023-0286, CVE-2022-4303, CVE-2023-40217, CVE-2023-24329).

Version: 3.9.6-alt1 → 3.9.18-alt1

Summary: Libraries and header files needed for Python 3 development

Feb. 15, 2024 Grigory Ustinov:

- Updated to upstream version 3.9.18 (Closes: #49415).
- Fixed CVE's (Fixes: CVE-2023-0286, CVE-2022-4303, CVE-2023-40217, CVE-2023-24329).

Version: 3.9.6-alt1 → 3.9.18-alt1

Summary: Python3 "curses" module

Feb. 15, 2024 Grigory Ustinov:

- Updated to upstream version 3.9.18 (Closes: #49415).
- Fixed CVE's (Fixes: CVE-2023-0286, CVE-2022-4303, CVE-2023-40217, CVE-2023-24329).

Version: 3.9.6-alt1 → 3.9.18-alt1

Summary: Python 3 runtime libraries

Feb. 15, 2024 Grigory Ustinov:

- Updated to upstream version 3.9.18 (Closes: #49415).
- Fixed CVE's (Fixes: CVE-2023-0286, CVE-2022-4303, CVE-2023-40217, CVE-2023-24329).

Version: 102.6.0-alt1 → 115.8.0-alt1

Summary: The Mozilla Firefox project is a redesign of Mozilla's browser (ESR version)

Feb. 21, 2024 Pavel Vasenkov:

- New ESR version.
- Security fixes
  + CVE-2024-1546 Out-of-bounds memory read in networking channels
  + CVE-2024-1547 Alert dialog could have been spoofed on another site
  + CVE-2024-1548 Fullscreen Notification could have been hidden by select element
  + CVE-2024-1549 Custom cursor could obscure the permission dialog
  + CVE-2024-1550 Mouse cursor re-positioned unexpectedly could have led to unintended permission grants
  + CVE-2024-1551 Multipart HTTP Responses would accept the Set-Cookie header in response parts
  + CVE-2024-1552 Incorrect code generation on 32-bit ARM devices
  + CVE-2024-1553 Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8

Version: 2.88-alt1 → 2.90-alt1

Summary: A lightweight caching nameserver

Feb. 19, 2024 Mikhail Efremov:

- Fixed different signedness comparison on 32bit systems.
- Dropped obsoleted patches.
- Patches from upstream git:
  + Add missing CHANGELOG entries for 2.90;
  + Fix spurious "resource limit exceeded" messages.
- Updated to 2.90 (fixes: CVE-2023-50387,CVE 2023-50868).

Version: 3.35.5-alt1 → 3.35.5-alt1.p10.1

Summary: An Embeddable SQL Database Engine (shared library)

Feb. 17, 2024 Andrey Cherepanov:

- Fixed CVE-2023-7104.

Version: 15.1-alt1 → 16.2-alt0.p10.1

Summary: The shared libraries required for any PostgreSQL clients

Feb. 12, 2024 Alexei Takaseev:

- 16.2 (Fixes CVE-2024-0985)

Version: 102.6.0-alt1 → 115.7.0-alt1

Summary: The Mozilla Firefox project is a redesign of Mozilla's browser (ESR version)

Feb. 4, 2024 Pavel Vasenkov:

- New ESR version.
- Security fixes
  + CVE-2024-0741 Out of bounds write in ANGLE
  + CVE-2024-0742 Failure to update user input timestamp
  + CVE-2024-0746 Crash when listing printers on Linux
  + CVE-2024-0747 Bypass of Content Security Policy when directive unsafe-inline was set
  + CVE-2024-0749 Phishing site popup could show local origin in address bar
  + CVE-2024-0750 Potential permissions request bypass via clickjacking
  + CVE-2024-0751 Privilege escalation through devtools
  + CVE-2024-0753 HSTS policy on subdomain could bypass policy of upper domain
  + CVE-2024-0755 Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7

Version: 2.06-alt7 → 2.06-alt17

Summary: GRand Unified Bootloader (UEFI variant)

Oct. 6, 2023 Egor Ignatov:

- backport upstream NTFS patch set (fixes: CVE-2023-4692, CVE-2023-4693)
  + bump grub SBAT level to 4 and reset grub.altlinux
- backport upstream ext2 fs patches (closes: #48343)
- backport: Fix md array device enumeration (closes #47850)
- return backward compatibility for grub config (closes: #48056)

Version: 2.06-alt7 → 2.06-alt17

Summary: GRand Unified Bootloader (common part)

Oct. 6, 2023 Egor Ignatov:

- backport upstream NTFS patch set (fixes: CVE-2023-4692, CVE-2023-4693)
  + bump grub SBAT level to 4 and reset grub.altlinux
- backport upstream ext2 fs patches (closes: #48343)
- backport: Fix md array device enumeration (closes #47850)
- return backward compatibility for grub config (closes: #48056)

Version: 17.0.6.0.1-alt0.1.ea → 17.0.10.0.7-alt1

Summary: OpenJDK 17 Headless Runtime Environment

Feb. 5, 2024 Andrey Cherepanov:

- New version.
- Security fixes:
  - CVE-2024-20918
  - CVE-2024-20919
  - CVE-2024-20921
  - CVE-2024-20932
  - CVE-2024-20945
  - CVE-2024-20952

Version: 17.0.6.0.1-alt0.1.ea → 17.0.10.0.7-alt1

Summary: OpenJDK 17 Runtime Environment

Feb. 5, 2024 Andrey Cherepanov:

- New version.
- Security fixes:
  - CVE-2024-20918
  - CVE-2024-20919
  - CVE-2024-20921
  - CVE-2024-20932
  - CVE-2024-20945
  - CVE-2024-20952

Version: 8.0.30-alt1.1 → 8.0.36-alt1

Summary: Shared libraries for MySQL

Jan. 18, 2024 Nikolai Kostrigin:

- new version
  + (fixes: CVE-2024-20960, CVE-2024-20961, CVE-2024-20962, CVE-2024-20963)
  + (fixes: CVE-2024-20964, CVE-2024-20965, CVE-2024-20966, CVE-2024-20967)
  + (fixes: CVE-2024-20968, CVE-2024-20969, CVE-2024-20970, CVE-2024-20971)
  + (fixes: CVE-2024-20972, CVE-2024-20973, CVE-2024-20974, CVE-2024-20975)
  + (fixes: CVE-2024-20976, CVE-2024-20977, CVE-2024-20978, CVE-2024-20981)
  + (fixes: CVE-2024-20982, CVE-2024-20983, CVE-2024-20984, CVE-2024-20985)
- update mysql-shell 8.0.35 -> 8.0.36

Version: 1.19.4-alt1 → 1.19.4-alt3

Summary: Kerberos 5 programs for use on workstations

Jan. 15, 2024 Stanislav Levin:

- Backport fixes for bronze bit attack (fixes: CVE-2022-37967).

Version: 1.19.4-alt1 → 1.19.4-alt3

Summary: The shared libraries used by Kerberos 5

Jan. 15, 2024 Stanislav Levin:

- Backport fixes for bronze bit attack (fixes: CVE-2022-37967).

Version: 249.14-alt1 → 249.17-alt1

Summary: systemd System V init tools