diff --git a/oval/c10f1/ALT-PU-2024-6864/definitions.json b/oval/c10f1/ALT-PU-2024-6864/definitions.json
new file mode 100644
index 0000000000..a085dc0500
--- /dev/null
+++ b/oval/c10f1/ALT-PU-2024-6864/definitions.json
@@ -0,0 +1,122 @@
+{
+ "Definition": [
+ {
+ "ID": "oval:org.altlinux.errata:def:20246864",
+ "Version": "oval:org.altlinux.errata:def:20246864",
+ "Class": "patch",
+ "Metadata": {
+ "Title": "ALT-PU-2024-6864: package `golang` update to version 1.21.9-alt1",
+ "AffectedList": [
+ {
+ "Family": "unix",
+ "Platforms": [
+ "ALT Linux branch c10f1"
+ ],
+ "Products": [
+ "ALT SP Workstation",
+ "ALT SP Server"
+ ]
+ }
+ ],
+ "References": [
+ {
+ "RefID": "ALT-PU-2024-6864",
+ "RefURL": "https://errata.altlinux.org/ALT-PU-2024-6864",
+ "Source": "ALTPU"
+ },
+ {
+ "RefID": "BDU:2024-02688",
+ "RefURL": "https://bdu.fstec.ru/vul/2024-02688",
+ "Source": "BDU"
+ },
+ {
+ "RefID": "CVE-2023-45288",
+ "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288",
+ "Source": "CVE"
+ }
+ ],
+ "Description": "This update upgrades golang to version 1.21.9-alt1. \nSecurity Fix(es):\n\n * BDU:2024-02688: Уязвимость библиотек net/http и net/http2 языка программирования Go, связана с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
+ "Advisory": {
+ "From": "errata.altlinux.org",
+ "Severity": "Low",
+ "Rights": "Copyright 2024 BaseALT Ltd.",
+ "Issued": {
+ "Date": "2024-04-22"
+ },
+ "Updated": {
+ "Date": "2024-04-22"
+ },
+ "BDUs": [
+ {
+ "ID": "BDU:2024-02688",
+ "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
+ "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "CWE": "CWE-400",
+ "Href": "https://bdu.fstec.ru/vul/2024-02688",
+ "Impact": "Low",
+ "Public": "20240404"
+ }
+ ],
+ "CVEs": [
+ {
+ "ID": "CVE-2023-45288",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288",
+ "Impact": "None",
+ "Public": "20240404"
+ }
+ ],
+ "AffectedCPEs": {
+ "CPEs": [
+ "cpe:/o:alt:spworkstation:10",
+ "cpe:/o:alt:spserver:10"
+ ]
+ }
+ }
+ },
+ "Criteria": {
+ "Operator": "AND",
+ "Criterions": [
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:4001",
+ "Comment": "ALT Linux must be installed"
+ }
+ ],
+ "Criterias": [
+ {
+ "Operator": "OR",
+ "Criterions": [
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:20246864001",
+ "Comment": "golang is earlier than 0:1.21.9-alt1"
+ },
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:20246864002",
+ "Comment": "golang-docs is earlier than 0:1.21.9-alt1"
+ },
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:20246864003",
+ "Comment": "golang-gdb is earlier than 0:1.21.9-alt1"
+ },
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:20246864004",
+ "Comment": "golang-misc is earlier than 0:1.21.9-alt1"
+ },
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:20246864005",
+ "Comment": "golang-shared is earlier than 0:1.21.9-alt1"
+ },
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:20246864006",
+ "Comment": "golang-src is earlier than 0:1.21.9-alt1"
+ },
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:20246864007",
+ "Comment": "golang-tests is earlier than 0:1.21.9-alt1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
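Review bot: In the `CVEs` entry for CVE-2023-45288, `"Impact": "None"` is recorded with no CVSS vector, while the matching BDU entry carries `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L` and `"Impact": "Low"`; a consumer that prioritises on the CVE entry would read this remotely triggerable HTTP/2 resource-exhaustion issue as having no impact. If "None" here means "not yet scored" (an assumption, the page does not say), it would be safer to omit the field or encode the unscored state distinctly so it cannot be confused with a CVSS "no impact" rating. Separately, the definition's `"Version"` repeats the ID string `oval:org.altlinux.errata:def:20246864`, whereas every other entity in this commit uses `"Version": "1"`; this looks like a copy error and should be checked against what the OVAL serializer expects.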
diff --git a/oval/c10f1/ALT-PU-2024-6864/objects.json b/oval/c10f1/ALT-PU-2024-6864/objects.json
new file mode 100644
index 0000000000..0d7145312b
--- /dev/null
+++ b/oval/c10f1/ALT-PU-2024-6864/objects.json
@@ -0,0 +1,70 @@
+{
+ "TextFileContent54Objects": [
+ {
+ "ID": "oval:org.altlinux.errata:obj:4001",
+ "Version": "1",
+ "Comment": "Evaluate `/etc/os-release` file content",
+ "Path": {
+ "Datatype": "string",
+ "Text": "/etc"
+ },
+ "Filepath": {
+ "Datatype": "string",
+ "Text": "os-release"
+ },
+ "Pattern": {
+ "Datatype": "string",
+ "Operation": "pattern match",
+ "Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)"
+ },
+ "Instance": {
+ "Datatype": "int",
+ "Text": "1"
+ }
+ }
+ ],
+ "RPMInfoObjects": [
+ {
+ "ID": "oval:org.altlinux.errata:obj:20246864001",
+ "Version": "1",
+ "Comment": "golang is installed",
+ "Name": "golang"
+ },
+ {
+ "ID": "oval:org.altlinux.errata:obj:20246864002",
+ "Version": "1",
+ "Comment": "golang-docs is installed",
+ "Name": "golang-docs"
+ },
+ {
+ "ID": "oval:org.altlinux.errata:obj:20246864003",
+ "Version": "1",
+ "Comment": "golang-gdb is installed",
+ "Name": "golang-gdb"
+ },
+ {
+ "ID": "oval:org.altlinux.errata:obj:20246864004",
+ "Version": "1",
+ "Comment": "golang-misc is installed",
+ "Name": "golang-misc"
+ },
+ {
+ "ID": "oval:org.altlinux.errata:obj:20246864005",
+ "Version": "1",
+ "Comment": "golang-shared is installed",
+ "Name": "golang-shared"
+ },
+ {
+ "ID": "oval:org.altlinux.errata:obj:20246864006",
+ "Version": "1",
+ "Comment": "golang-src is installed",
+ "Name": "golang-src"
+ },
+ {
+ "ID": "oval:org.altlinux.errata:obj:20246864007",
+ "Version": "1",
+ "Comment": "golang-tests is installed",
+ "Name": "golang-tests"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/c10f1/ALT-PU-2024-6864/states.json b/oval/c10f1/ALT-PU-2024-6864/states.json
new file mode 100644
index 0000000000..5384ab8d8a
--- /dev/null
+++ b/oval/c10f1/ALT-PU-2024-6864/states.json
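Review bot: The platform object `obj:4001` captures the release number with `cpe:\\/o:alt:sp(?:server|workstation):(\\d+)`, but nothing in this commit compares the captured value: the state it is paired with in states.json, `oval:org.altlinux.errata:ste:4001`, has `"Text": {}` and no subexpression constraint. As written, test `tst:4001` (commented "ALT Linux based on branch 'c10f1' must be installed" in tests.json) appears to be satisfied by any ALT SP Server/Workstation release, not only the `:10` CPEs listed under `AffectedCPEs`, so a scanner could apply the `0:1.21.9-alt1` baseline to hosts on another branch. Consider pinning the release, either in the pattern itself or with an `equals` check for `10` on the subexpression in `ste:4001`. How an empty `Text` object is serialized to OVAL is not visible on this page, so confirm the effective behaviour against the generator.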
@@ -0,0 +1,23 @@
+{
+ "TextFileContent54State": [
+ {
+ "ID": "oval:org.altlinux.errata:ste:4001",
+ "Version": "1",
+ "Text": {}
+ }
+ ],
+ "RPMInfoStates": [
+ {
+ "ID": "oval:org.altlinux.errata:ste:20246864001",
+ "Version": "1",
+ "Comment": "package EVR is earlier than 0:1.21.9-alt1",
+ "Arch": {},
+ "EVR": {
+ "Text": "0:1.21.9-alt1",
+ "Datatype": "evr_string",
+ "Operation": "less than"
+ },
+ "Subexpression": {}
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/c10f1/ALT-PU-2024-6864/tests.json b/oval/c10f1/ALT-PU-2024-6864/tests.json
new file mode 100644
index 0000000000..39a5e45339
--- /dev/null
+++ b/oval/c10f1/ALT-PU-2024-6864/tests.json
@@ -0,0 +1,102 @@
+{
+ "TextFileContent54Tests": [
+ {
+ "ID": "oval:org.altlinux.errata:tst:4001",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "ALT Linux based on branch 'c10f1' must be installed",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:4001"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:4001"
+ }
+ }
+ ],
+ "RPMInfoTests": [
+ {
+ "ID": "oval:org.altlinux.errata:tst:20246864001",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "golang is earlier than 0:1.21.9-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20246864001"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20246864001"
+ }
+ },
+ {
+ "ID": "oval:org.altlinux.errata:tst:20246864002",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "golang-docs is earlier than 0:1.21.9-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20246864002"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20246864001"
+ }
+ },
+ {
+ "ID": "oval:org.altlinux.errata:tst:20246864003",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "golang-gdb is earlier than 0:1.21.9-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20246864003"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20246864001"
+ }
+ },
+ {
+ "ID": "oval:org.altlinux.errata:tst:20246864004",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "golang-misc is earlier than 0:1.21.9-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20246864004"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20246864001"
+ }
+ },
+ {
+ "ID": "oval:org.altlinux.errata:tst:20246864005",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "golang-shared is earlier than 0:1.21.9-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20246864005"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20246864001"
+ }
+ },
+ {
+ "ID": "oval:org.altlinux.errata:tst:20246864006",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "golang-src is earlier than 0:1.21.9-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20246864006"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20246864001"
+ }
+ },
+ {
+ "ID": "oval:org.altlinux.errata:tst:20246864007",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "golang-tests is earlier than 0:1.21.9-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20246864007"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20246864001"
+ }
+ }
+ ]
+}
\ No newline at end of file