vuln-list-alt/oval/p11/ALT-PU-2022-2649/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20222649",
      "Version": "oval:org.altlinux.errata:def:20222649",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2022-2649: package `lighttpd` update to version 1.4.67-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch p11"
            ],
            "Products": [
              "ALT Container"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2022-2649",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2022-2649",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2022-06126",
            "RefURL": "https://bdu.fstec.ru/vul/2022-06126",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2022-06197",
            "RefURL": "https://bdu.fstec.ru/vul/2022-06197",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2022-37797",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-37797",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2022-41556",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-41556",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades lighttpd to version 1.4.67-alt1. \nSecurity Fix(es):\n\n * BDU:2022-06126: Уязвимость модуля mod_wstunnel веб-сервера lighttpd, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-06197: Уязвимость модулей mod_fastcgi и mod_scgi веб-сервера lighttpd, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2022-37797: In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.\n\n * CVE-2022-41556: A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "High",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2022-09-21"
          },
          "Updated": {
            "Date": "2022-09-21"
          },
          "BDUs": [
            {
              "ID": "BDU:2022-06126",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-476",
              "Href": "https://bdu.fstec.ru/vul/2022-06126",
              "Impact": "High",
              "Public": "20220808"
            },
            {
              "ID": "BDU:2022-06197",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-401",
              "Href": "https://bdu.fstec.ru/vul/2022-06197",
              "Impact": "High",
              "Public": "20220902"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2022-37797",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-476",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-37797",
              "Impact": "High",
              "Public": "20220912"
            },
            {
              "ID": "CVE-2022-41556",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-401",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-41556",
              "Impact": "High",
              "Public": "20221006"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:container:11"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:3001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20222649001",
                "Comment": "lighttpd is earlier than 0:1.4.67-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20222649002",
                "Comment": "lighttpd-auth-gssapi is earlier than 0:1.4.67-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20222649003",
                "Comment": "lighttpd-auth-ldap is earlier than 0:1.4.67-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20222649004",
                "Comment": "lighttpd-doc is earlier than 0:1.4.67-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20222649005",
                "Comment": "lighttpd-ldap-vhost is earlier than 0:1.4.67-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20222649006",
                "Comment": "lighttpd-maxminddb is earlier than 0:1.4.67-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20222649007",
                "Comment": "lighttpd-mysql-vhost is earlier than 0:1.4.67-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20222649008",
                "Comment": "lighttpd-pgsql-vhost is earlier than 0:1.4.67-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20222649009",
                "Comment": "lighttpd-rrdtool is earlier than 0:1.4.67-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}
ALT Vulnerability 2024-12-12 21:07:30 +00:00			`{`
			`"Definition": [`
			`{`
			`"ID": "oval:org.altlinux.errata:def:20222649",`
			`"Version": "oval:org.altlinux.errata:def:20222649",`
			`"Class": "patch",`
			`"Metadata": {`
			"Title": "ALT-PU-2022-2649: package `lighttpd` update to version 1.4.67-alt1",
			`"AffectedList": [`
			`{`
			`"Family": "unix",`
			`"Platforms": [`
			`"ALT Linux branch p11"`
			`],`
			`"Products": [`
			`"ALT Container"`
			`]`
			`}`
			`],`
			`"References": [`
			`{`
			`"RefID": "ALT-PU-2022-2649",`
			`"RefURL": "https://errata.altlinux.org/ALT-PU-2022-2649",`
			`"Source": "ALTPU"`
			`},`
			`{`
			`"RefID": "BDU:2022-06126",`
			`"RefURL": "https://bdu.fstec.ru/vul/2022-06126",`
			`"Source": "BDU"`
			`},`
			`{`
			`"RefID": "BDU:2022-06197",`
			`"RefURL": "https://bdu.fstec.ru/vul/2022-06197",`
			`"Source": "BDU"`
			`},`
			`{`
			`"RefID": "CVE-2022-37797",`
			`"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-37797",`
			`"Source": "CVE"`
			`},`
			`{`
			`"RefID": "CVE-2022-41556",`
			`"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-41556",`
			`"Source": "CVE"`
			`}`
			`],`
			"Description": "This update upgrades lighttpd to version 1.4.67-alt1. \nSecurity Fix(es):\n\n * BDU:2022-06126: Уязвимость модуля mod_wstunnel веб-сервера lighttpd, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-06197: Уязвимость модулей mod_fastcgi и mod_scgi веб-сервера lighttpd, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2022-37797: In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.\n\n * CVE-2022-41556: A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.",
			`"Advisory": {`
			`"From": "errata.altlinux.org",`
			`"Severity": "High",`
			`"Rights": "Copyright 2024 BaseALT Ltd.",`
			`"Issued": {`
			`"Date": "2022-09-21"`
			`},`
			`"Updated": {`
			`"Date": "2022-09-21"`
			`},`
			`"BDUs": [`
			`{`
			`"ID": "BDU:2022-06126",`
			`"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",`
			`"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",`
			`"CWE": "CWE-476",`
			`"Href": "https://bdu.fstec.ru/vul/2022-06126",`
			`"Impact": "High",`
			`"Public": "20220808"`
			`},`
			`{`
			`"ID": "BDU:2022-06197",`
			`"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",`
			`"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",`
			`"CWE": "CWE-401",`
			`"Href": "https://bdu.fstec.ru/vul/2022-06197",`
			`"Impact": "High",`
			`"Public": "20220902"`
			`}`
			`],`
			`"CVEs": [`
			`{`
			`"ID": "CVE-2022-37797",`
			`"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",`
			`"CWE": "CWE-476",`
			`"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-37797",`
			`"Impact": "High",`
			`"Public": "20220912"`
			`},`
			`{`
			`"ID": "CVE-2022-41556",`
			`"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",`
			`"CWE": "CWE-401",`
			`"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-41556",`
			`"Impact": "High",`
			`"Public": "20221006"`
			`}`
			`],`
			`"AffectedCPEs": {`
			`"CPEs": [`
			`"cpe:/o:alt:container:11"`
			`]`
			`}`
			`}`
			`},`
			`"Criteria": {`
			`"Operator": "AND",`
			`"Criterions": [`
			`{`
			`"TestRef": "oval:org.altlinux.errata:tst:3001",`
			`"Comment": "ALT Linux must be installed"`
			`}`
			`],`
			`"Criterias": [`
			`{`
			`"Operator": "OR",`
			`"Criterions": [`
			`{`
			`"TestRef": "oval:org.altlinux.errata:tst:20222649001",`
			`"Comment": "lighttpd is earlier than 0:1.4.67-alt1"`
			`},`
			`{`
			`"TestRef": "oval:org.altlinux.errata:tst:20222649002",`
			`"Comment": "lighttpd-auth-gssapi is earlier than 0:1.4.67-alt1"`
			`},`
			`{`
			`"TestRef": "oval:org.altlinux.errata:tst:20222649003",`
			`"Comment": "lighttpd-auth-ldap is earlier than 0:1.4.67-alt1"`
			`},`
			`{`
			`"TestRef": "oval:org.altlinux.errata:tst:20222649004",`
			`"Comment": "lighttpd-doc is earlier than 0:1.4.67-alt1"`
			`},`
			`{`
			`"TestRef": "oval:org.altlinux.errata:tst:20222649005",`
			`"Comment": "lighttpd-ldap-vhost is earlier than 0:1.4.67-alt1"`
			`},`
			`{`
			`"TestRef": "oval:org.altlinux.errata:tst:20222649006",`
			`"Comment": "lighttpd-maxminddb is earlier than 0:1.4.67-alt1"`
			`},`
			`{`
			`"TestRef": "oval:org.altlinux.errata:tst:20222649007",`
			`"Comment": "lighttpd-mysql-vhost is earlier than 0:1.4.67-alt1"`
			`},`
			`{`
			`"TestRef": "oval:org.altlinux.errata:tst:20222649008",`
			`"Comment": "lighttpd-pgsql-vhost is earlier than 0:1.4.67-alt1"`
			`},`
			`{`
			`"TestRef": "oval:org.altlinux.errata:tst:20222649009",`
			`"Comment": "lighttpd-rrdtool is earlier than 0:1.4.67-alt1"`
			`}`
			`]`
			`}`
			`]`
			`}`
			`}`
			`]`
			`}`