pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
68a7f4e115
vuln-list-alt/oval/p9/ALT-PU-2021-2908/definitions.json

291 lines
16 KiB
JSON
Raw Normal View History

ALT Vulnerability
2024-04-16 14:26:14 +00:00
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20212908",
"Version": "oval:org.altlinux.errata:def:20212908",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2021-2908: package `curl` update to version 7.79.0-alt2",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p9"
],
"Products": [
"ALT Server",
"ALT Virtualization Server",
"ALT Workstation",
"ALT Workstation K",
"ALT Education",
"Simply Linux",
"Starterkit"
]
}
],
"References": [
{
"RefID": "ALT-PU-2021-2908",
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-2908",
"Source": "ALTPU"
},
{
"RefID": "BDU:2021-05346",
"RefURL": "https://bdu.fstec.ru/vul/2021-05346",
"Source": "BDU"
},
{
"RefID": "BDU:2021-05649",
"RefURL": "https://bdu.fstec.ru/vul/2021-05649",
"Source": "BDU"
},
{
"RefID": "BDU:2021-06010",
"RefURL": "https://bdu.fstec.ru/vul/2021-06010",
"Source": "BDU"
},
{
"RefID": "BDU:2022-00343",
"RefURL": "https://bdu.fstec.ru/vul/2022-00343",
"Source": "BDU"
},
{
"RefID": "BDU:2022-02169",
"RefURL": "https://bdu.fstec.ru/vul/2022-02169",
"Source": "BDU"
},
{
"RefID": "BDU:2022-02170",
"RefURL": "https://bdu.fstec.ru/vul/2022-02170",
"Source": "BDU"
},
{
"RefID": "CVE-2021-22922",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922",
"Source": "CVE"
},
{
"RefID": "CVE-2021-22923",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-22923",
"Source": "CVE"
},
{
"RefID": "CVE-2021-22925",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-22925",
"Source": "CVE"
},
{
"RefID": "CVE-2021-22926",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-22926",
"Source": "CVE"
},
{
"RefID": "CVE-2021-22945",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-22945",
"Source": "CVE"
},
{
"RefID": "CVE-2021-22946",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-22946",
"Source": "CVE"
},
{
"RefID": "CVE-2021-22947",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947",
"Source": "CVE"
}
],
"Description": "This update upgrades curl to version 7.79.0-alt2. \nSecurity Fix(es):\n\n * BDU:2021-05346: Уязвимость реализации протокола STARTTLS программного средства для взаимодействия с серверами cURL, позволяющая нарушителю проводить атаки типа «человек посередине»\n\n * BDU:2021-05649: Уязвимость реализации команды «--ssl-reqd» программного средства для взаимодействия с серверами cURL, позволяющая нарушителю проводить атаки типа \u0026quot;человек посередине\u0026quot;\n\n * BDU:2021-06010: Уязвимость утилиты cURL, связанная с повторным освобождением памяти, позволяющая нарушителю выполнить отказ в обслуживании\n\n * BDU:2022-00343: Уязвимость служебной программы командной строки cURL, связанная с использованием неинициализированного ресурса, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2022-02169: Уязвимость программного средства для взаимодействия с серверами CURL, связанная с недостатками алгоритма вычисления контрольной суммы, позволяющая нарушителю оказать воздействие на целостность данных\n\n * BDU:2022-02170: Уязвимость программного средства для взаимодействия с серверами CURL, связанная с недостаточной защитой регистрационных данных, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * CVE-2021-22922: When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.\n\n * CVE-2021-22923: When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.\n\n * CVE-2021-22925: curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.\n\n * CVE-2021-22926: libcurl-using applications can ask for a specific client certificate to be used
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2021-09-27"
},
"Updated": {
"Date": "2021-09-27"
},
"BDUs": [
{
"ID": "BDU:2021-05346",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:C/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"CWE": "CWE-310, CWE-345",
"Href": "https://bdu.fstec.ru/vul/2021-05346",
"Impact": "High",
"Public": "20210915"
},
{
"ID": "BDU:2021-05649",
"CVSS": "AV:N/AC:L/Au:N/C:C/I:P/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"CWE": "CWE-319, CWE-325",
"Href": "https://bdu.fstec.ru/vul/2021-05649",
"Impact": "High",
"Public": "20210915"
},
{
"ID": "BDU:2021-06010",
"CVSS": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"CWE": "CWE-415",
"Href": "https://bdu.fstec.ru/vul/2021-06010",
"Impact": "Low",
"Public": "20210915"
},
{
"ID": "BDU:2022-00343",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"CWE": "CWE-908",
"Href": "https://bdu.fstec.ru/vul/2022-00343",
"Impact": "Low",
"Public": "20210805"
},
{
"ID": "BDU:2022-02169",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:C/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"CWE": "CWE-354",
"Href": "https://bdu.fstec.ru/vul/2022-02169",
"Impact": "Low",
"Public": "20210805"
},
{
"ID": "BDU:2022-02170",
"CVSS": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
"CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"CWE": "CWE-522",
"Href": "https://bdu.fstec.ru/vul/2022-02170",
"Impact": "Low",
"Public": "20210805"
}
],
"CVEs": [
{
"ID": "CVE-2021-22922",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"CWE": "CWE-755",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922",
"Impact": "Low",
"Public": "20210805"
},
{
"ID": "CVE-2021-22923",
"CVSS": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"CWE": "CWE-319",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-22923",
"Impact": "Low",
"Public": "20210805"
},
{
"ID": "CVE-2021-22925",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"CWE": "CWE-908",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-22925",
"Impact": "Low",
"Public": "20210805"
},
{
"ID": "CVE-2021-22926",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-22926",
"Impact": "High",
"Public": "20210805"
},
{
"ID": "CVE-2021-22945",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"CWE": "CWE-415",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-22945",
"Impact": "Critical",
"Public": "20210923"
},
{
"ID": "CVE-2021-22946",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-319",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-22946",
"Impact": "High",
"Public": "20210929"
},
{
"ID": "CVE-2021-22947",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "CWE-345",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947",
"Impact": "Low",
"Public": "20210929"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:kworkstation:9",
"cpe:/o:alt:workstation:9",
"cpe:/o:alt:server:9",
"cpe:/o:alt:server-v:9",
"cpe:/o:alt:education:9",
"cpe:/o:alt:slinux:9",
"cpe:/o:alt:starterkit:p9",
"cpe:/o:alt:kworkstation:9.1",
"cpe:/o:alt:workstation:9.1",
"cpe:/o:alt:server:9.1",
"cpe:/o:alt:server-v:9.1",
"cpe:/o:alt:education:9.1",
"cpe:/o:alt:slinux:9.1",
"cpe:/o:alt:starterkit:9.1",
"cpe:/o:alt:kworkstation:9.2",
"cpe:/o:alt:workstation:9.2",
"cpe:/o:alt:server:9.2",
"cpe:/o:alt:server-v:9.2",
"cpe:/o:alt:education:9.2",
"cpe:/o:alt:slinux:9.2",
"cpe:/o:alt:starterkit:9.2"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:1001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20212908001",
"Comment": "curl is earlier than 0:7.79.0-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212908002",
"Comment": "libcurl is earlier than 0:7.79.0-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212908003",
"Comment": "libcurl-devel is earlier than 0:7.79.0-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212908004",
"Comment": "libcurl-devel-static is earlier than 0:7.79.0-alt2"
}
]
}
]
}
}
]
}
Reference in New Issue Copy Permalink