* [git.ipfire.org] IPFire 2.x development tree branch, core202, created. dfcc64bd8aac6809d1c058cd891fddb373cb94d5
@ 2026-05-21 9:00 Michael Tremer
0 siblings, 0 replies; only message in thread
From: Michael Tremer @ 2026-05-21 9:00 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, core202 has been created
at dfcc64bd8aac6809d1c058cd891fddb373cb94d5 (commit)
- Log -----------------------------------------------------------------
commit dfcc64bd8aac6809d1c058cd891fddb373cb94d5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu May 21 08:59:06 2026 +0000
unbound: Update to 1.25.1
This release consolidates security fixes for issues reported over
a period of time. There are fixes for CVE-2026-33278,
CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622,
CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960,
CVE-2026-44390 and CVE-2026-44608.
Bug Fixes
Fix CVE-2026-33278, Possible remote code execution during DNSSEC
validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42944, Heap overflow and crash with multiple nsid,
cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto
Networks, for the report.
Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
Griffiths from 'calif.io' for the report.
Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan
Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-41292, Parsing a long list of incoming EDNS options
degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan
Zhang from Palo Alto Networks, for the report.
Fix CVE-2026-42534, Jostle logic bypass degrades resolution
performance. Thanks to Qifan Zhang, Palo Alto Networks, for the
report.
Fix CVE-2026-42923, Degradation of service with unbounded NSEC3
hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for
the report.
Fix CVE-2026-42960, Possible cache poisoning attack while following
delegation. Thanks to TaoFei Guo from Peking University, Yang Luo
and JianJun Chen, Tsinghua University, for the report.
Fix CVE-2026-44390, Unbounded name compression in certain cases
causes degradation of service. Thanks to Qifan Zhang, Palo Alto
Networks, for the report.
Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks
to Qifan Zhang, Palo Alto Networks, for the report.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit c9f577122c69dcdb8682cb03015f8b9f2b0874ac
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 20 15:22:27 2026 +0000
core202: Ship header.pl
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 2f97c9a22ce197f361dc02da13247ef0a807e969
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 20 16:15:44 2026 +0100
sambactrl: Fix local priviledge escalation
From the reporter:
LPE in /usr/local/bin/sambactrl 'join' action
File: src/misc-progs/sambactrl.c, lines 117-126.
All other actions call is_valid_argument_alnum() on argv[2]. The
'join' branch skips it entirely and feeds argv[2]/argv[3] into
snprintf + safe_system (which is /bin/sh -c). Binary is installed
-m 4750 -g nobody (src/misc-progs/Makefile:41), so any nobody-context
process can invoke it and escalate to root.
Reported-by: valent1 <gooads612@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 35d45aad9c59e87fe60d2c66cb18dcd015960d71
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 20 16:04:25 2026 +0100
samba: Fix shell command execution vulnerability in join operation
From the reporter:
File: html/cgi-bin/samba.cgi, lines 96-98 and 790-798.
joindomain() builds @options = ("/usr/local/bin/sambactrl","join",
$username, $password) and runs qx(@options). In Perl, qx(@array)
joins with $" and passes the result to /bin/sh -c. POST parameters
USERNAME and PASSWORD reach this with no validation on the 'join'
code path. RCE as the web user (nobody).
Reported-by: valent1 <gooads612@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f607f40952821ee52bdf28d34ba91bf95bdbc01f
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 20 16:00:33 2026 +0100
header.pl: Escape titles for openbox()
Reported-by: valent1 <gooads612@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
hooks/post-receive
--
IPFire 2.x development tree
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-05-21 9:00 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-05-21 9:00 [git.ipfire.org] IPFire 2.x development tree branch, core202, created. dfcc64bd8aac6809d1c058cd891fddb373cb94d5 Michael Tremer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox