ALT Vulnerability

This commit is contained in:
Иван Пепеляев 2024-02-29 15:02:20 +00:00
parent faa8285b85
commit 9efe8bd907
23 changed files with 1065 additions and 3 deletions


@ -0,0 +1,73 @@
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20243011",
"Version": "oval:org.altlinux.errata:def:20243011",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-3011: package `rclone` update to version 1.61.1-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c10f2"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-3011",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-3011",
"Source": "ALTPU"
}
],
"Description": "This update upgrades rclone to version 1.61.1-alt1. \nSecurity Fix(es):\n\n * #45130: Не работает синхронизация с облаком mail.ru",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Low",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-02-29"
},
"Updated": {
"Date": "2024-02-29"
},
"bdu": null,
"Bugzilla": [
{
"Id": "45130",
"Href": "https://bugzilla.altlinux.org/45130",
"Data": "Не работает синхронизация с облаком mail.ru"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:spworkstation:10",
"cpe:/o:alt:spserver:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:5001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20243011001",
"Comment": "rclone is earlier than 0:1.61.1-alt1"
}
]
}
]
}
}
]
}
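Review bot: The Description in this definition files a functional bug (`#45130: Не работает синхронизация с облаком mail.ru`) under a `Security Fix(es):` heading although the record carries no CVE or BDU reference and `bdu` is null, so a consumer that keys on that heading or on `"Class": "patch"` will report a vulnerability fix this update does not contain. If the generator cannot tell the two apart, a neutral heading such as `Fix(es):` for definitions without CVE/BDU references would avoid the false positive. Two smaller consistency points in the same record: `Version` repeats the definition ID where OVAL expects an integer revision counter, and this c10f2 `AffectedList` has no `Products` array while the c9f2 and p10 definitions in the same commit do.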


@ -0,0 +1,34 @@
{
"TextFileContent54Objects": [
{
"ID": "oval:org.altlinux.errata:obj:5001",
"Version": "1",
"comment": "Evaluate `/etc/os-release` file content",
"Path": {
"dataType": "string",
"Text": "/etc"
},
"Filepath": {
"Datatype": "string",
"Text": "os-release"
},
"Pattern": {
"Datatype": "string",
"Operation": "pattern match",
"Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)"
},
"Instance": {
"Datatype": "int",
"Text": "1"
}
}
],
"RpmInfoObjects": [
{
"ID": "oval:org.altlinux.errata:obj:20243011001",
"Version": "1",
"comment": "rclone is installed",
"Name": "rclone"
}
]
}
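Review bot: In the os-release object the `Path` entity spells its type key `dataType` while `Filepath`, `Pattern` and `Instance` use `Datatype`; if these files are read back through a case-sensitive schema, `Path` ends up with no datatype at all. Change it to `"Datatype": "string"` to match the sibling entities. The same object also uses lowercase `comment` where the state and test files use `Comment`; worth normalising in the generator, since this object is emitted identically into every errata object file in this commit.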


@ -0,0 +1,23 @@
{
"TextFileContent54State": [
{
"ID": "oval:org.altlinux.errata:ste:5001",
"Version": "1",
"Text": {}
}
],
"RpmInfoState": [
{
"ID": "oval:org.altlinux.errata:ste:20243011001",
"Version": "1",
"Comment": "package EVR is earlier than 0:1.61.1-alt1",
"Arch": {},
"Evr": {
"Text": "0:1.61.1-alt1",
"Datatype": "evr_string",
"Operation": "less than"
},
"Subexpression": {}
}
]
}
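Review bot: State `oval:org.altlinux.errata:ste:5001` carries no value (`"Text": {}`), so the platform test it backs reduces to "some line matching `cpe:\/o:alt:sp(?:server|workstation):(\d+)` exists in /etc/os-release"; the captured version is never compared, and because `(\d+)` also matches the leading `8` of `spserver:8.4`, a c9f2 host would pass the c10f2 gate too. If the evaluator treats an empty state as match-any, which is how these files read, the "based on branch c10f2" criterion does not pin the branch and the package EVR comparison alone decides the result. Populate the state with the expected capture (a subexpression of `10` compared with `equals`) or anchor the pattern to the branch, e.g. `cpe:\/o:alt:sp(?:server|workstation):10\b`; the same empty state recurs as ste:3001 and ste:2001 in the other branch files of this commit.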


@ -0,0 +1,30 @@
{
"TextFileContent54Tests": [
{
"ID": "oval:org.altlinux.errata:tst:5001",
"Version": "1",
"Check": "all",
"Comment": "ALT Linux based on branch 'c10f2' must be installed",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:5001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:5001"
}
}
],
"RPMInfoTests": [
{
"ID": "oval:org.altlinux.errata:tst:20243011001",
"Version": "1",
"Check": "all",
"Comment": "rclone is earlier than 0:1.61.1-alt1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20243011001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20243011001"
}
}
]
}
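Review bot: The test file's top-level keys mix `TextFileContent54Tests` and `RPMInfoTests`, whereas the object and state files spell the same family `RpmInfoObjects` and `RpmInfoState`; a consumer that derives the key from one naming rule will miss one of them, so `RpmInfoTests` would keep the three files aligned. Separately, tst:5001 is described here as `"ALT Linux based on branch 'c10f2' must be installed"` while the definition's criterion calls the same test `"ALT Linux must be installed"`; the two comments describe different checks, so keep one wording per test ID.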


@ -0,0 +1,130 @@
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20243089",
"Version": "oval:org.altlinux.errata:def:20243089",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-3089: package `ansible-core` update to version 2.15.9-alt0.p10.1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c10f2"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-3089",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-3089",
"Source": "ALTPU"
},
{
"RefID": "BDU:2023-07854",
"RefURL": "https://bdu.fstec.ru/vul/2023-07854",
"Source": "BDU"
},
{
"RefID": "BDU:2024-01561",
"RefURL": "https://bdu.fstec.ru/vul/2024-01561",
"Source": "BDU"
},
{
"RefID": "CVE-2023-5764",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-5764",
"Source": "CVE"
},
{
"RefID": "CVE-2024-0690",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-0690",
"Source": "CVE"
}
],
"Description": "This update upgrades ansible-core to version 2.15.9-alt0.p10.1. \nSecurity Fix(es):\n\n * BDU:2023-07854: Уязвимость системы управления конфигурациями Ansible, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-01561: Уязвимость компонента ansible-core системы управления конфигурациями Red Hat Ansible, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-5764: A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce code injection when supplying templating data.\n\n * CVE-2024-0690: An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.\n\n * #48091: apt_rpm не обновляет пакеты",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-02-29"
},
"Updated": {
"Date": "2024-02-29"
},
"bdu": [
{
"Cvss": "AV:L/AC:L/Au:S/C:C/I:C/A:N",
"Cvss3": "AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"Cwe": "CWE-94",
"Href": "https://bdu.fstec.ru/vul/2023-07854",
"Impact": "Low",
"Public": "20231102",
"CveID": "BDU:2023-07854"
},
{
"Cvss": "AV:L/AC:L/Au:S/C:C/I:N/A:N",
"Cvss3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"Cwe": "CWE-116, CWE-117",
"Href": "https://bdu.fstec.ru/vul/2024-01561",
"Impact": "Low",
"Public": "20240118",
"CveID": "BDU:2024-01561"
}
],
"Cves": [
{
"Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "NVD-CWE-Other",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-5764",
"Impact": "High",
"Public": "20231212",
"CveID": "CVE-2023-5764"
},
{
"Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"Cwe": "CWE-116",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-0690",
"Impact": "Low",
"Public": "20240206",
"CveID": "CVE-2024-0690"
}
],
"Bugzilla": [
{
"Id": "48091",
"Href": "https://bugzilla.altlinux.org/48091",
"Data": "apt_rpm не обновляет пакеты"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:spworkstation:10",
"cpe:/o:alt:spserver:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:5001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20243089001",
"Comment": "ansible-core is earlier than 0:2.15.9-alt0.p10.1"
}
]
}
]
}
}
]
}
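Review bot: The `bdu` entries record `Cvss3` as a bare vector (`AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N`) while the `Cves` entries carry the `CVSS:3.1/` prefix; without the version a scorer cannot tell a 3.0 from a 3.1 vector, and the mixed form in one record forces consumers to special-case the source. Either prefix the BDU vectors with the version BDU publishes or carry the version in a separate field, consistently across both arrays. Note also that `#48091: apt_rpm не обновляет пакеты` is a functional fix listed under `Security Fix(es):` alongside the two CVEs, so a consumer counting fixed issues from that list will overcount.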


@ -0,0 +1,34 @@
{
"TextFileContent54Objects": [
{
"ID": "oval:org.altlinux.errata:obj:5001",
"Version": "1",
"comment": "Evaluate `/etc/os-release` file content",
"Path": {
"dataType": "string",
"Text": "/etc"
},
"Filepath": {
"Datatype": "string",
"Text": "os-release"
},
"Pattern": {
"Datatype": "string",
"Operation": "pattern match",
"Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)"
},
"Instance": {
"Datatype": "int",
"Text": "1"
}
}
],
"RpmInfoObjects": [
{
"ID": "oval:org.altlinux.errata:obj:20243089001",
"Version": "1",
"comment": "ansible-core is installed",
"Name": "ansible-core"
}
]
}


@ -0,0 +1,23 @@
{
"TextFileContent54State": [
{
"ID": "oval:org.altlinux.errata:ste:5001",
"Version": "1",
"Text": {}
}
],
"RpmInfoState": [
{
"ID": "oval:org.altlinux.errata:ste:20243089001",
"Version": "1",
"Comment": "package EVR is earlier than 0:2.15.9-alt0.p10.1",
"Arch": {},
"Evr": {
"Text": "0:2.15.9-alt0.p10.1",
"Datatype": "evr_string",
"Operation": "less than"
},
"Subexpression": {}
}
]
}


@ -0,0 +1,30 @@
{
"TextFileContent54Tests": [
{
"ID": "oval:org.altlinux.errata:tst:5001",
"Version": "1",
"Check": "all",
"Comment": "ALT Linux based on branch 'c10f2' must be installed",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:5001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:5001"
}
}
],
"RPMInfoTests": [
{
"ID": "oval:org.altlinux.errata:tst:20243089001",
"Version": "1",
"Check": "all",
"Comment": "ansible-core is earlier than 0:2.15.9-alt0.p10.1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20243089001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20243089001"
}
}
]
}


@ -0,0 +1,73 @@
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20243091",
"Version": "oval:org.altlinux.errata:def:20243091",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-3091: package `ansible` update to version 2.9.27-alt3.p10.1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c10f2"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-3091",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-3091",
"Source": "ALTPU"
}
],
"Description": "This update upgrades ansible to version 2.9.27-alt3.p10.1. \nSecurity Fix(es):\n\n * #48091: apt_rpm не обновляет пакеты",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Low",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-02-29"
},
"Updated": {
"Date": "2024-02-29"
},
"bdu": null,
"Bugzilla": [
{
"Id": "48091",
"Href": "https://bugzilla.altlinux.org/48091",
"Data": "apt_rpm не обновляет пакеты"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:spworkstation:10",
"cpe:/o:alt:spserver:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:5001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20243091001",
"Comment": "ansible is earlier than 0:2.9.27-alt3.p10.1"
}
]
}
]
}
}
]
}
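Review bot: This definition lists no CVE or BDU references for `ansible` 2.9.27-alt3.p10.1, although the sibling `ansible-core` update in the same commit and branch fixes CVE-2023-5764 (template injection) and CVE-2024-0690 (no_log disclosure), and the 2.9 line predates the core/collections split so presumably contains the same templating and logging code. If 2.9.27 is affected and this build does not backport the fixes, scanners consuming this feed will report hosts with the legacy `ansible` package as clean; if it is unaffected or already patched, state that in the Description. As written, the only item under `Security Fix(es):` is the functional bug `#48091`, so the heading overstates the content.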


@ -0,0 +1,34 @@
{
"TextFileContent54Objects": [
{
"ID": "oval:org.altlinux.errata:obj:5001",
"Version": "1",
"comment": "Evaluate `/etc/os-release` file content",
"Path": {
"dataType": "string",
"Text": "/etc"
},
"Filepath": {
"Datatype": "string",
"Text": "os-release"
},
"Pattern": {
"Datatype": "string",
"Operation": "pattern match",
"Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)"
},
"Instance": {
"Datatype": "int",
"Text": "1"
}
}
],
"RpmInfoObjects": [
{
"ID": "oval:org.altlinux.errata:obj:20243091001",
"Version": "1",
"comment": "ansible is installed",
"Name": "ansible"
}
]
}


@ -0,0 +1,23 @@
{
"TextFileContent54State": [
{
"ID": "oval:org.altlinux.errata:ste:5001",
"Version": "1",
"Text": {}
}
],
"RpmInfoState": [
{
"ID": "oval:org.altlinux.errata:ste:20243091001",
"Version": "1",
"Comment": "package EVR is earlier than 0:2.9.27-alt3.p10.1",
"Arch": {},
"Evr": {
"Text": "0:2.9.27-alt3.p10.1",
"Datatype": "evr_string",
"Operation": "less than"
},
"Subexpression": {}
}
]
}


@ -0,0 +1,30 @@
{
"TextFileContent54Tests": [
{
"ID": "oval:org.altlinux.errata:tst:5001",
"Version": "1",
"Check": "all",
"Comment": "ALT Linux based on branch 'c10f2' must be installed",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:5001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:5001"
}
}
],
"RPMInfoTests": [
{
"ID": "oval:org.altlinux.errata:tst:20243091001",
"Version": "1",
"Check": "all",
"Comment": "ansible is earlier than 0:2.9.27-alt3.p10.1",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20243091001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20243091001"
}
}
]
}


@ -0,0 +1,150 @@
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20242575",
"Version": "oval:org.altlinux.errata:def:20242575",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-2575: package `libvirglrenderer` update to version 1.0.1-alt2",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c9f2"
],
"Products": [
"ALT SPWorkstation",
"ALT SPServer"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-2575",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-2575",
"Source": "ALTPU"
},
{
"RefID": "BDU:2023-00917",
"RefURL": "https://bdu.fstec.ru/vul/2023-00917",
"Source": "BDU"
},
{
"RefID": "BDU:2023-00918",
"RefURL": "https://bdu.fstec.ru/vul/2023-00918",
"Source": "BDU"
},
{
"RefID": "CVE-2020-8002",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-8002",
"Source": "CVE"
},
{
"RefID": "CVE-2020-8003",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-8003",
"Source": "CVE"
},
{
"RefID": "CVE-2022-0135",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-0135",
"Source": "CVE"
}
],
"Description": "This update upgrades libvirglrenderer to version 1.0.1-alt2. \nSecurity Fix(es):\n\n * BDU:2023-00917: Уязвимость компонента vrend_renderer.c виртуального OpenGL рендерера Virglrenderer, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-00918: Уязвимость компонента vrend_renderer.c виртуального OpenGL рендерера Virglrenderer, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2020-8002: A NULL pointer dereference in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service via commands that attempt to launch a grid without previously providing a Compute Shader (CS).\n\n * CVE-2020-8003: A double-free vulnerability in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service by triggering texture allocation failure, because vrend_renderer_resource_allocated_texture is not an appropriate place for a free.\n\n * CVE-2022-0135: An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). This flaw allows a malicious guest to create a specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a denial of service or possible code execution.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-02-29"
},
"Updated": {
"Date": "2024-02-29"
},
"bdu": [
{
"Cvss": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
"Cvss3": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"Cwe": "CWE-476",
"Href": "https://bdu.fstec.ru/vul/2023-00917",
"Impact": "Low",
"Public": "20200113",
"CveID": "BDU:2023-00917"
},
{
"Cvss": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
"Cvss3": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"Cwe": "CWE-415",
"Href": "https://bdu.fstec.ru/vul/2023-00918",
"Impact": "Low",
"Public": "20200113",
"CveID": "BDU:2023-00918"
}
],
"Cves": [
{
"Cvss": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"Cwe": "CWE-476",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-8002",
"Impact": "Low",
"Public": "20200127",
"CveID": "CVE-2020-8002"
},
{
"Cvss": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"Cwe": "CWE-415",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-8003",
"Impact": "Low",
"Public": "20200127",
"CveID": "CVE-2020-8003"
},
{
"Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-787",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-0135",
"Impact": "High",
"Public": "20220825",
"CveID": "CVE-2022-0135"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:spworkstation:8.4",
"cpe:/o:alt:spserver:8.4"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20242575001",
"Comment": "libvirglrenderer is earlier than 0:1.0.1-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20242575002",
"Comment": "libvirglrenderer-devel is earlier than 0:1.0.1-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20242575003",
"Comment": "libvirglrenderer-test-server is earlier than 0:1.0.1-alt2"
}
]
}
]
}
}
]
}


@ -0,0 +1,46 @@
{
"TextFileContent54Objects": [
{
"ID": "oval:org.altlinux.errata:obj:3001",
"Version": "1",
"comment": "Evaluate `/etc/os-release` file content",
"Path": {
"dataType": "string",
"Text": "/etc"
},
"Filepath": {
"Datatype": "string",
"Text": "os-release"
},
"Pattern": {
"Datatype": "string",
"Operation": "pattern match",
"Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d\\.\\d)"
},
"Instance": {
"Datatype": "int",
"Text": "1"
}
}
],
"RpmInfoObjects": [
{
"ID": "oval:org.altlinux.errata:obj:20242575001",
"Version": "1",
"comment": "libvirglrenderer is installed",
"Name": "libvirglrenderer"
},
{
"ID": "oval:org.altlinux.errata:obj:20242575002",
"Version": "1",
"comment": "libvirglrenderer-devel is installed",
"Name": "libvirglrenderer-devel"
},
{
"ID": "oval:org.altlinux.errata:obj:20242575003",
"Version": "1",
"comment": "libvirglrenderer-test-server is installed",
"Name": "libvirglrenderer-test-server"
}
]
}


@ -0,0 +1,23 @@
{
"TextFileContent54State": [
{
"ID": "oval:org.altlinux.errata:ste:3001",
"Version": "1",
"Text": {}
}
],
"RpmInfoState": [
{
"ID": "oval:org.altlinux.errata:ste:20242575001",
"Version": "1",
"Comment": "package EVR is earlier than 0:1.0.1-alt2",
"Arch": {},
"Evr": {
"Text": "0:1.0.1-alt2",
"Datatype": "evr_string",
"Operation": "less than"
},
"Subexpression": {}
}
]
}


@ -0,0 +1,54 @@
{
"TextFileContent54Tests": [
{
"ID": "oval:org.altlinux.errata:tst:3001",
"Version": "1",
"Check": "all",
"Comment": "ALT Linux based on branch 'c9f2' must be installed",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:3001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:3001"
}
}
],
"RPMInfoTests": [
{
"ID": "oval:org.altlinux.errata:tst:20242575001",
"Version": "1",
"Check": "all",
"Comment": "libvirglrenderer is earlier than 0:1.0.1-alt2",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20242575001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20242575001"
}
},
{
"ID": "oval:org.altlinux.errata:tst:20242575002",
"Version": "1",
"Check": "all",
"Comment": "libvirglrenderer-devel is earlier than 0:1.0.1-alt2",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20242575002"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20242575001"
}
},
{
"ID": "oval:org.altlinux.errata:tst:20242575003",
"Version": "1",
"Check": "all",
"Comment": "libvirglrenderer-test-server is earlier than 0:1.0.1-alt2",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20242575003"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20242575001"
}
}
]
}


@ -60,7 +60,7 @@
"Source": "CVE"
}
],
"Description": "This update upgrades xorg-xwayland to version 23.1.1-alt4. \nSecurity Fix(es):\n\n * BDU:2024-00405: Уязвимость функций DeviceFocusEvent и XIQueryPointer реализации сервера X Window System X.Org Server, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * CVE-2023-6816: A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.\n\n * CVE-2024-0229: An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.\n\n * CVE-2024-0408: A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.\n\n * CVE-2024-21885: description unavailable\n\n * CVE-2024-21886: description unavailable",
"Description": "This update upgrades xorg-xwayland to version 23.1.1-alt4. \nSecurity Fix(es):\n\n * BDU:2024-00405: Уязвимость функций DeviceFocusEvent и XIQueryPointer реализации сервера X Window System X.Org Server, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * CVE-2023-6816: A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.\n\n * CVE-2024-0229: An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.\n\n * CVE-2024-0408: A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.\n\n * CVE-2024-21885: A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. 
This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.\n\n * CVE-2024-21886: A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
@ -105,6 +105,20 @@
"Impact": "Low",
"Public": "20240118",
"CveID": "CVE-2024-0408"
},
{
"Cwe": "CWE-122",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-21885",
"Impact": "None",
"Public": "20240228",
"CveID": "CVE-2024-21885"
},
{
"Cwe": "CWE-122",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-21886",
"Impact": "None",
"Public": "20240228",
"CveID": "CVE-2024-21886"
}
],
"AffectedCpeList": {
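Review bot: The two CVE entries added for CVE-2024-21885 and CVE-2024-21886 set `"Impact": "None"` while their descriptions in the same section say heap buffer overflow with possible remote code execution over SSH X11 forwarding and the advisory `Severity` is `Critical`; a consumer filtering by per-CVE impact would drop exactly the two most serious items. `None` here evidently stands for "not yet scored" (no `Cvss3` is present), which is a different statement from "no impact". Omit the field, or use an explicit placeholder such as `"Impact": "Unknown"` that cannot be mistaken for a rating, and fill in the vector once NVD or BDU publish one.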


@ -65,7 +65,7 @@
"Source": "CVE"
}
],
"Description": "This update upgrades xorg-server to version 1.20.14-alt11. \nSecurity Fix(es):\n\n * BDU:2024-00405: Уязвимость функций DeviceFocusEvent и XIQueryPointer реализации сервера X Window System X.Org Server, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * CVE-2023-6816: A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.\n\n * CVE-2024-0229: An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.\n\n * CVE-2024-0408: A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.\n\n * CVE-2024-0409: A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.\n\n * CVE-2024-21885: description unavailable\n\n * CVE-2024-21886: description unavailable",
"Description": "This update upgrades xorg-server to version 1.20.14-alt11. \nSecurity Fix(es):\n\n * BDU:2024-00405: Уязвимость функций DeviceFocusEvent и XIQueryPointer реализации сервера X Window System X.Org Server, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * CVE-2023-6816: A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.\n\n * CVE-2024-0229: An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.\n\n * CVE-2024-0408: A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.\n\n * CVE-2024-0409: A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.\n\n * CVE-2024-21885: A flaw was found in X.Org server. 
In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.\n\n * CVE-2024-21886: A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
@ -118,6 +118,20 @@
"Impact": "High",
"Public": "20240118",
"CveID": "CVE-2024-0409"
},
{
"Cwe": "CWE-122",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-21885",
"Impact": "None",
"Public": "20240228",
"CveID": "CVE-2024-21885"
},
{
"Cwe": "CWE-122",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-21886",
"Impact": "None",
"Public": "20240228",
"CveID": "CVE-2024-21886"
}
],
"AffectedCpeList": {
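Review bot: The per-CVE text lives inside the single `Description` string, duplicated verbatim across the xorg-xwayland, xorg-server 1.20.14 and xorg-server 1.20.8 definitions, and this commit had to rewrite all three just to replace `description unavailable`; the `Cves` array already identifies each CVE, so the prose is a second copy that drifts. Storing each CVE's description next to its `CveID` entry (a `Description` key beside `Cwe` and `Href`) and generating the summary from it would make this a one-place change. The added entries also carry `"Impact": "None"` for two heap overflows the text says may yield remote code execution, which contradicts the `Critical` severity above them.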


@ -0,0 +1,105 @@
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20242032",
"Version": "oval:org.altlinux.errata:def:20242032",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-2032: package `python-module-six` update to version 1.16.0-alt1.p10",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p10"
],
"Products": [
"ALT Server",
"ALT Virtualization Server",
"ALT Workstation",
"ALT Workstation K",
"ALT Education",
"Simply Linux",
"Starterkit"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-2032",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-2032",
"Source": "ALTPU"
}
],
"Description": "This update upgrades python-module-six to version 1.16.0-alt1.p10. \nSecurity Fix(es):\n\n * #40787: Просьба обновить python3-module-six до 1.16.0",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Low",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-02-29"
},
"Updated": {
"Date": "2024-02-29"
},
"bdu": null,
"Bugzilla": [
{
"Id": "40787",
"Href": "https://bugzilla.altlinux.org/40787",
"Data": "Просьба обновить python3-module-six до 1.16.0"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:kworkstation:10",
"cpe:/o:alt:workstation:10",
"cpe:/o:alt:server:10",
"cpe:/o:alt:server-v:10",
"cpe:/o:alt:education:10",
"cpe:/o:alt:slinux:10",
"cpe:/o:alt:starterkit:p10",
"cpe:/o:alt:kworkstation:10.1",
"cpe:/o:alt:workstation:10.1",
"cpe:/o:alt:server:10.1",
"cpe:/o:alt:server-v:10.1",
"cpe:/o:alt:education:10.1",
"cpe:/o:alt:slinux:10.1",
"cpe:/o:alt:starterkit:10.1",
"cpe:/o:alt:kworkstation:10.2",
"cpe:/o:alt:workstation:10.2",
"cpe:/o:alt:server:10.2",
"cpe:/o:alt:server-v:10.2",
"cpe:/o:alt:education:10.2",
"cpe:/o:alt:slinux:10.2",
"cpe:/o:alt:starterkit:10.2"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:2001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20242032001",
"Comment": "python-module-six is earlier than 0:1.16.0-alt1.p10"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20242032002",
"Comment": "python3-module-six is earlier than 0:1.16.0-alt1.p10"
}
]
}
]
}
}
]
}
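Review bot: `AffectedCpeList` names the Starterkit platform as `cpe:/o:alt:starterkit:p10` for the base release but `starterkit:10.1` and `starterkit:10.2` for point releases, while every other product uses the numeric form throughout; a consumer matching CPEs string-wise will not treat `p10` and `10` as the same platform. Pick one version token (the numeric `10`, matching `workstation:10`) or document that `p<N>` is an alias. As with the other low-severity definitions in this commit, `#40787: Просьба обновить python3-module-six до 1.16.0` is a package-update request listed under `Security Fix(es):` with no CVE or BDU reference.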


@ -0,0 +1,40 @@
{
"TextFileContent54Objects": [
{
"ID": "oval:org.altlinux.errata:obj:2001",
"Version": "1",
"comment": "Evaluate `/etc/os-release` file content",
"Path": {
"dataType": "string",
"Text": "/etc"
},
"Filepath": {
"Datatype": "string",
"Text": "os-release"
},
"Pattern": {
"Datatype": "string",
"Operation": "pattern match",
"Text": "cpe:\\/o:alt:(?!sp)[a-z\\-]+:p?(\\d+)(?:\\.\\d)*"
},
"Instance": {
"Datatype": "int",
"Text": "1"
}
}
],
"RpmInfoObjects": [
{
"ID": "oval:org.altlinux.errata:obj:20242032001",
"Version": "1",
"comment": "python-module-six is installed",
"Name": "python-module-six"
},
{
"ID": "oval:org.altlinux.errata:obj:20242032002",
"Version": "1",
"comment": "python3-module-six is installed",
"Name": "python3-module-six"
}
]
}


@ -0,0 +1,23 @@
{
"TextFileContent54State": [
{
"ID": "oval:org.altlinux.errata:ste:2001",
"Version": "1",
"Text": {}
}
],
"RpmInfoState": [
{
"ID": "oval:org.altlinux.errata:ste:20242032001",
"Version": "1",
"Comment": "package EVR is earlier than 0:1.16.0-alt1.p10",
"Arch": {},
"Evr": {
"Text": "0:1.16.0-alt1.p10",
"Datatype": "evr_string",
"Operation": "less than"
},
"Subexpression": {}
}
]
}


@ -0,0 +1,42 @@
{
"TextFileContent54Tests": [
{
"ID": "oval:org.altlinux.errata:tst:2001",
"Version": "1",
"Check": "all",
"Comment": "ALT Linux based on branch 'p10' must be installed",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:2001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:2001"
}
}
],
"RPMInfoTests": [
{
"ID": "oval:org.altlinux.errata:tst:20242032001",
"Version": "1",
"Check": "all",
"Comment": "python-module-six is earlier than 0:1.16.0-alt1.p10",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20242032001"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20242032001"
}
},
{
"ID": "oval:org.altlinux.errata:tst:20242032002",
"Version": "1",
"Check": "all",
"Comment": "python3-module-six is earlier than 0:1.16.0-alt1.p10",
"Object": {
"ObjectRef": "oval:org.altlinux.errata:obj:20242032002"
},
"State": {
"StateRef": "oval:org.altlinux.errata:ste:20242032001"
}
}
]
}


@ -65,7 +65,7 @@
"Source": "CVE"
}
],
"Description": "This update upgrades xorg-server to version 1.20.8-alt12. \nSecurity Fix(es):\n\n * BDU:2024-00405: Уязвимость функций DeviceFocusEvent и XIQueryPointer реализации сервера X Window System X.Org Server, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * CVE-2023-6816: A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.\n\n * CVE-2024-0229: An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.\n\n * CVE-2024-0408: A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.\n\n * CVE-2024-0409: A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.\n\n * CVE-2024-21885: description unavailable\n\n * CVE-2024-21886: description unavailable",
"Description": "This update upgrades xorg-server to version 1.20.8-alt12. \nSecurity Fix(es):\n\n * BDU:2024-00405: Уязвимость функций DeviceFocusEvent и XIQueryPointer реализации сервера X Window System X.Org Server, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * CVE-2023-6816: A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.\n\n * CVE-2024-0229: An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.\n\n * CVE-2024-0408: A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.\n\n * CVE-2024-0409: A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.\n\n * CVE-2024-21885: A flaw was found in X.Org server. 
In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.\n\n * CVE-2024-21886: A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
@ -118,6 +118,20 @@
"Impact": "High",
"Public": "20240118",
"CveID": "CVE-2024-0409"
},
{
"Cwe": "CWE-122",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-21885",
"Impact": "None",
"Public": "20240228",
"CveID": "CVE-2024-21885"
},
{
"Cwe": "CWE-122",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-21886",
"Impact": "None",
"Public": "20240228",
"CveID": "CVE-2024-21886"
}
],
"AffectedCpeList": {