pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ALT Vulnerability

Browse Source
This commit is contained in:
Иван Пепеляев 2024-05-27 15:02:20 +00:00
parent 38165dd396
commit 651a8379ba
8 changed files with 576 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
oval/c10f2/ALT-PU-2024-8176/definitions.json Normal file
View File

@ -0,0 +1,112 @@
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20248176",
"Version": "oval:org.altlinux.errata:def:20248176",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-8176: package `zlib` update to version 1.3.1-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c10f2"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-8176",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-8176",
"Source": "ALTPU"
},
{
"RefID": "BDU:2023-07116",
"RefURL": "https://bdu.fstec.ru/vul/2023-07116",
"Source": "BDU"
},
{
"RefID": "CVE-2023-45853",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853",
"Source": "CVE"
}
],
"Description": "This update upgrades zlib to version 1.3.1-alt1. \nSecurity Fix(es):\n\n * BDU:2023-07116: Уязвимость функции zipOpenNewFileInZip4_64() пакета MiniZip библиотеки zlib, позволяющая нарушителю оказать воздействие на целостность, доступность и конфиденциальность защищаемой информации\n\n * CVE-2023-45853: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-05-27"
},
"Updated": {
"Date": "2024-05-27"
},
"BDUs": [
{
"ID": "BDU:2023-07116",
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-122, CWE-190",
"Href": "https://bdu.fstec.ru/vul/2023-07116",
"Impact": "Critical",
"Public": "20230811"
}
],
"CVEs": [
{
"ID": "CVE-2023-45853",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-190",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853",
"Impact": "Critical",
"Public": "20231014"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:spworkstation:10",
"cpe:/o:alt:spserver:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:5001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20248176001",
"Comment": "libminizip is earlier than 0:1.3.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20248176002",
"Comment": "libminizip-devel is earlier than 0:1.3.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20248176003",
"Comment": "zlib is earlier than 0:1.3.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20248176004",
"Comment": "zlib-devel is earlier than 0:1.3.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20248176005",
"Comment": "zlib-devel-static is earlier than 0:1.3.1-alt1"
}
]
}
]
}
}
]
}

58
oval/c10f2/ALT-PU-2024-8176/objects.json Normal file
View File

@ -0,0 +1,58 @@
{
"TextFileContent54Objects": [
{
"ID": "oval:org.altlinux.errata:obj:5001",
"Version": "1",
"Comment": "Evaluate `/etc/os-release` file content",
"Path": {
"Datatype": "string",
"Text": "/etc"
},
"Filepath": {
"Datatype": "string",
"Text": "os-release"
},
"Pattern": {
"Datatype": "string",
"Operation": "pattern match",
"Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)"
},
"Instance": {
"Datatype": "int",
"Text": "1"
}
}
],
"RPMInfoObjects": [
{
"ID": "oval:org.altlinux.errata:obj:20248176001",
"Version": "1",
"Comment": "libminizip is installed",
"Name": "libminizip"
},
{
"ID": "oval:org.altlinux.errata:obj:20248176002",
"Version": "1",
"Comment": "libminizip-devel is installed",
"Name": "libminizip-devel"
},
{
"ID": "oval:org.altlinux.errata:obj:20248176003",
"Version": "1",
"Comment": "zlib is installed",
"Name": "zlib"
},
{
"ID": "oval:org.altlinux.errata:obj:20248176004",
"Version": "1",
"Comment": "zlib-devel is installed",
"Name": "zlib-devel"
},
{
"ID": "oval:org.altlinux.errata:obj:20248176005",
"Version": "1",
"Comment": "zlib-devel-static is installed",
"Name": "zlib-devel-static"
}
]
}

23
oval/c10f2/ALT-PU-2024-8176/states.json Normal file
View File

@ -0,0 +1,23 @@
{
"TextFileContent54State": [
{
"ID": "oval:org.altlinux.errata:ste:5001",
"Version": "1",
"Text": {}
}
],
"RPMInfoStates": [
{
"ID": "oval:org.altlinux.errata:ste:20248176001",
"Version": "1",
"Comment": "package EVR is earlier than 0:1.3.1-alt1",
"Arch": {},
"EVR": {
"Text": "0:1.3.1-alt1",
"Datatype": "evr_string",
"Operation": "less than"
},
"Subexpression": {}
}
]
}

78
oval/c10f2/ALT-PU-2024-8176/tests.json Normal file
View File

@ -0,0 +1,78 @@
{
"TextFileContent54Tests": [
{
"ID": "oval:org.altlinux.errata:tst:5001",
"Version": "1",
"Check": "all",
"Comment": "ALT Linux based on branch 'c10f2' must be installed",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:5001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:5001"
}
}
],
"RPMInfoTests": [
{
"ID": "oval:org.altlinux.errata:tst:20248176001",
"Version": "1",
"Check": "all",
"Comment": "libminizip is earlier than 0:1.3.1-alt1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20248176001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20248176001"
}
},
{
"ID": "oval:org.altlinux.errata:tst:20248176002",
"Version": "1",
"Check": "all",
"Comment": "libminizip-devel is earlier than 0:1.3.1-alt1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20248176002"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20248176001"
}
},
{
"ID": "oval:org.altlinux.errata:tst:20248176003",
"Version": "1",
"Check": "all",
"Comment": "zlib is earlier than 0:1.3.1-alt1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20248176003"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20248176001"
}
},
{
"ID": "oval:org.altlinux.errata:tst:20248176004",
"Version": "1",
"Check": "all",
"Comment": "zlib-devel is earlier than 0:1.3.1-alt1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20248176004"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20248176001"
}
},
{
"ID": "oval:org.altlinux.errata:tst:20248176005",
"Version": "1",
"Check": "all",
"Comment": "zlib-devel-static is earlier than 0:1.3.1-alt1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20248176005"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20248176001"
}
}
]
}

164
oval/p10/ALT-PU-2024-8078/definitions.json Normal file
View File

@ -0,0 +1,164 @@
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20248078",
"Version": "oval:org.altlinux.errata:def:20248078",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-8078: package `libxerces-c` update to version 3.2.5-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p10"
],
"Products": [
"ALT Server",
"ALT Virtualization Server",
"ALT Workstation",
"ALT Workstation K",
"ALT Education",
"Simply Linux",
"Starterkit"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-8078",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-8078",
"Source": "ALTPU"
},
{
"RefID": "BDU:2021-03489",
"RefURL": "https://bdu.fstec.ru/vul/2021-03489",
"Source": "BDU"
},
{
"RefID": "BDU:2023-06960",
"RefURL": "https://bdu.fstec.ru/vul/2023-06960",
"Source": "BDU"
},
{
"RefID": "CVE-2018-1311",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-1311",
"Source": "CVE"
},
{
"RefID": "CVE-2023-37536",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-37536",
"Source": "CVE"
}
],
"Description": "This update upgrades libxerces-c to version 3.2.5-alt1. \nSecurity Fix(es):\n\n * BDU:2021-03489: Уязвимость библиотеки для работы с XML Xerces-C, связанная с использованием памяти после её освобождения, позволяющая нарушителю получить доступ к конфиденциальной информации или вызвать отказ в обслуживании\n\n * BDU:2023-06960: Уязвимость библиотеки Хerces C++ платформы совместного управления ИТ-оборудованием BigFix Platform, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2018-1311: The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.\n\n * CVE-2023-37536: An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-05-27"
},
"Updated": {
"Date": "2024-05-27"
},
"BDUs": [
{
"ID": "BDU:2021-03489",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-416",
"Href": "https://bdu.fstec.ru/vul/2021-03489",
"Impact": "High",
"Public": "20191226"
},
{
"ID": "BDU:2023-06960",
"CVSS": "AV:N/AC:L/Au:S/C:P/I:P/A:C",
"CVSS3": "AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H",
"CWE": "CWE-190",
"Href": "https://bdu.fstec.ru/vul/2023-06960",
"Impact": "High",
"Public": "20231011"
}
],
"CVEs": [
{
"ID": "CVE-2018-1311",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-416",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-1311",
"Impact": "High",
"Public": "20191218"
},
{
"ID": "CVE-2023-37536",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-190",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-37536",
"Impact": "High",
"Public": "20231011"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:kworkstation:10",
"cpe:/o:alt:workstation:10",
"cpe:/o:alt:server:10",
"cpe:/o:alt:server-v:10",
"cpe:/o:alt:education:10",
"cpe:/o:alt:slinux:10",
"cpe:/o:alt:starterkit:p10",
"cpe:/o:alt:kworkstation:10.1",
"cpe:/o:alt:workstation:10.1",
"cpe:/o:alt:server:10.1",
"cpe:/o:alt:server-v:10.1",
"cpe:/o:alt:education:10.1",
"cpe:/o:alt:slinux:10.1",
"cpe:/o:alt:starterkit:10.1",
"cpe:/o:alt:kworkstation:10.2",
"cpe:/o:alt:workstation:10.2",
"cpe:/o:alt:server:10.2",
"cpe:/o:alt:server-v:10.2",
"cpe:/o:alt:education:10.2",
"cpe:/o:alt:slinux:10.2",
"cpe:/o:alt:starterkit:10.2"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:2001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20248078001",
"Comment": "libxerces-c is earlier than 0:3.2.5-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20248078002",
"Comment": "libxerces-c-devel is earlier than 0:3.2.5-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20248078003",
"Comment": "libxerces-c-doc is earlier than 0:3.2.5-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20248078004",
"Comment": "libxerces-c-utils is earlier than 0:3.2.5-alt1"
}
]
}
]
}
}
]
}

52
oval/p10/ALT-PU-2024-8078/objects.json Normal file
View File

@ -0,0 +1,52 @@
{
"TextFileContent54Objects": [
{
"ID": "oval:org.altlinux.errata:obj:2001",
"Version": "1",
"Comment": "Evaluate `/etc/os-release` file content",
"Path": {
"Datatype": "string",
"Text": "/etc"
},
"Filepath": {
"Datatype": "string",
"Text": "os-release"
},
"Pattern": {
"Datatype": "string",
"Operation": "pattern match",
"Text": "cpe:\\/o:alt:(?!sp)[a-z\\-]+:p?(\\d+)(?:\\.\\d)*"
},
"Instance": {
"Datatype": "int",
"Text": "1"
}
}
],
"RPMInfoObjects": [
{
"ID": "oval:org.altlinux.errata:obj:20248078001",
"Version": "1",
"Comment": "libxerces-c is installed",
"Name": "libxerces-c"
},
{
"ID": "oval:org.altlinux.errata:obj:20248078002",
"Version": "1",
"Comment": "libxerces-c-devel is installed",
"Name": "libxerces-c-devel"
},
{
"ID": "oval:org.altlinux.errata:obj:20248078003",
"Version": "1",
"Comment": "libxerces-c-doc is installed",
"Name": "libxerces-c-doc"
},
{
"ID": "oval:org.altlinux.errata:obj:20248078004",
"Version": "1",
"Comment": "libxerces-c-utils is installed",
"Name": "libxerces-c-utils"
}
]
}

23
oval/p10/ALT-PU-2024-8078/states.json Normal file
View File

@ -0,0 +1,23 @@
{
"TextFileContent54State": [
{
"ID": "oval:org.altlinux.errata:ste:2001",
"Version": "1",
"Text": {}
}
],
"RPMInfoStates": [
{
"ID": "oval:org.altlinux.errata:ste:20248078001",
"Version": "1",
"Comment": "package EVR is earlier than 0:3.2.5-alt1",
"Arch": {},
"EVR": {
"Text": "0:3.2.5-alt1",
"Datatype": "evr_string",
"Operation": "less than"
},
"Subexpression": {}
}
]
}

66
oval/p10/ALT-PU-2024-8078/tests.json Normal file
View File

@ -0,0 +1,66 @@
{
"TextFileContent54Tests": [
{
"ID": "oval:org.altlinux.errata:tst:2001",
"Version": "1",
"Check": "all",
"Comment": "ALT Linux based on branch 'p10' must be installed",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:2001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:2001"
}
}
],
"RPMInfoTests": [
{
"ID": "oval:org.altlinux.errata:tst:20248078001",
"Version": "1",
"Check": "all",
"Comment": "libxerces-c is earlier than 0:3.2.5-alt1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20248078001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20248078001"
}
},
{
"ID": "oval:org.altlinux.errata:tst:20248078002",
"Version": "1",
"Check": "all",
"Comment": "libxerces-c-devel is earlier than 0:3.2.5-alt1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20248078002"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20248078001"
}
},
{
"ID": "oval:org.altlinux.errata:tst:20248078003",
"Version": "1",
"Check": "all",
"Comment": "libxerces-c-doc is earlier than 0:3.2.5-alt1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20248078003"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20248078001"
}
},
{
"ID": "oval:org.altlinux.errata:tst:20248078004",
"Version": "1",
"Check": "all",
"Comment": "libxerces-c-utils is earlier than 0:3.2.5-alt1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20248078004"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20248078001"
}
}
]
}