262 lines
12 KiB
JSON
Raw Normal View History

2024-12-12 21:07:30 +00:00
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20181702",
"Version": "oval:org.altlinux.errata:def:20181702",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2018-1702: package `php5` update to version 5.6.36-alt1.S1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2018-1702",
"RefURL": "https://errata.altlinux.org/ALT-PU-2018-1702",
"Source": "ALTPU"
},
{
"RefID": "BDU:2018-00525",
"RefURL": "https://bdu.fstec.ru/vul/2018-00525",
"Source": "BDU"
},
{
"RefID": "BDU:2018-01504",
"RefURL": "https://bdu.fstec.ru/vul/2018-01504",
"Source": "BDU"
},
{
"RefID": "BDU:2019-04233",
"RefURL": "https://bdu.fstec.ru/vul/2019-04233",
"Source": "BDU"
},
{
"RefID": "BDU:2019-04234",
"RefURL": "https://bdu.fstec.ru/vul/2019-04234",
"Source": "BDU"
},
{
"RefID": "BDU:2019-04235",
"RefURL": "https://bdu.fstec.ru/vul/2019-04235",
"Source": "BDU"
},
{
"RefID": "BDU:2019-04236",
"RefURL": "https://bdu.fstec.ru/vul/2019-04236",
"Source": "BDU"
},
{
"RefID": "CVE-2018-10545",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-10545",
"Source": "CVE"
},
{
"RefID": "CVE-2018-10546",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-10546",
"Source": "CVE"
},
{
"RefID": "CVE-2018-10547",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-10547",
"Source": "CVE"
},
{
"RefID": "CVE-2018-10548",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-10548",
"Source": "CVE"
},
{
"RefID": "CVE-2018-10549",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-10549",
"Source": "CVE"
},
{
"RefID": "CVE-2018-7584",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-7584",
"Source": "CVE"
}
],
"Description": "This update upgrades php5 to version 5.6.36-alt1.S1. \nSecurity Fix(es):\n\n * BDU:2018-00525: Уязвимость функции php_stream_url_wrap_http_ex интерпретатора PHP, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании\n\n * BDU:2018-01504: Уязвимость функции ldap_get_dn интерпретатора PHP, связанная с ошибкой разыменования указателя, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2019-04233: Уязвимость дочерних FPM-процессов интерпретатора языка программирования PHP, позволяющая нарушителю обойти проверку доступа opcache и получить несанкционированный доступ к защищаемой информации\n\n * BDU:2019-04234: Уязвимость потокового фильтра iconv (ext/iconv/iconv.c) интерпретатора языка программирования PHP, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2019-04235: Уязвимость компонента ext/phar/phar_object.c интерпретатора языка программирования PHP, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)\n\n * BDU:2019-04236: Уязвимость функции exif_read_data (ext/exif/exif.c) интерпретатора языка программирования PHP, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании\n\n * CVE-2018-10545: An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.\n\n * CVE-2018-10546: An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.\n\n * CVE-2018-10547: An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.\n\n * CVE-2018-10548: An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.\n\n * CVE-2018-10549: An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\\0' character.\n\n * CVE-2018-7584: In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.\n\n * #34143: [FR] собирать без pcre jit на e2k",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2018-05-12"
},
"Updated": {
"Date": "2018-05-12"
},
"BDUs": [
{
"ID": "BDU:2018-00525",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-119",
"Href": "https://bdu.fstec.ru/vul/2018-00525",
"Impact": "Critical",
"Public": "20180301"
},
{
"ID": "BDU:2018-01504",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-476",
"Href": "https://bdu.fstec.ru/vul/2018-01504",
"Impact": "High",
"Public": "20180429"
},
{
"ID": "BDU:2019-04233",
"CVSS": "AV:L/AC:H/Au:S/C:C/I:N/A:N",
"CVSS3": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-200",
"Href": "https://bdu.fstec.ru/vul/2019-04233",
"Impact": "Low",
"Public": "20180329"
},
{
"ID": "BDU:2019-04234",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-835",
"Href": "https://bdu.fstec.ru/vul/2019-04234",
"Impact": "High",
"Public": "20180426"
},
{
"ID": "BDU:2019-04235",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-79",
"Href": "https://bdu.fstec.ru/vul/2019-04235",
"Impact": "Low",
"Public": "20180426"
},
{
"ID": "BDU:2019-04236",
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"CWE": "CWE-125",
"Href": "https://bdu.fstec.ru/vul/2019-04236",
"Impact": "High",
"Public": "20180426"
}
],
"CVEs": [
{
"ID": "CVE-2018-10545",
"CVSS": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-200",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-10545",
"Impact": "Low",
"Public": "20180429"
},
{
"ID": "CVE-2018-10546",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-835",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-10546",
"Impact": "High",
"Public": "20180429"
},
{
"ID": "CVE-2018-10547",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-79",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-10547",
"Impact": "Low",
"Public": "20180429"
},
{
"ID": "CVE-2018-10548",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-476",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-10548",
"Impact": "High",
"Public": "20180429"
},
{
"ID": "CVE-2018-10549",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"CWE": "CWE-125",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-10549",
"Impact": "High",
"Public": "20180429"
},
{
"ID": "CVE-2018-7584",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-119",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-7584",
"Impact": "Critical",
"Public": "20180301"
}
],
"Bugzilla": [
{
"ID": "34143",
"Href": "https://bugzilla.altlinux.org/34143",
"Data": "[FR] собирать без pcre jit на e2k"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20181702001",
"Comment": "php5 is earlier than 0:5.6.36-alt1.S1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181702002",
"Comment": "php5-devel is earlier than 0:5.6.36-alt1.S1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181702003",
"Comment": "php5-libs is earlier than 0:5.6.36-alt1.S1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181702004",
"Comment": "php5-mysqlnd is earlier than 0:5.6.36-alt1.S1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181702005",
"Comment": "rpm-build-php-version is earlier than 0:5.6.36-alt1.S1"
}
]
}
]
}
}
]
}