diff --git a/oval/c10f1/ALT-PU-2024-3084/definitions.json b/oval/c10f1/ALT-PU-2024-3084/definitions.json new file mode 100644 index 0000000000..5340445bf9 --- /dev/null +++ b/oval/c10f1/ALT-PU-2024-3084/definitions.json 
@@ -0,0 +1,136 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20243084", + "Version": "oval:org.altlinux.errata:def:20243084", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-3084: package `vim` update to version 9.1.0050-alt2", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch c10f1" + ], + "Products": [ + "ALT SP Workstation", + "ALT SP Server" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-3084", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-3084", + "Source": "ALTPU" + }, + { + "RefID": "CVE-2024-22667", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-22667", + "Source": "CVE" + } + ], + "Description": "This update upgrades vim to version 9.1.0050-alt2. \nSecurity Fix(es):\n\n * CVE-2024-22667: Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.\n\n * #49180: incorrect output with -i flag", + "Advisory": { + "From": "errata.altlinux.org", + "Severity": "High", + "Rights": "Copyright 2024 BaseALT Ltd.", + "Issued": { + "Date": "2024-03-01" + }, + "Updated": { + "Date": "2024-03-01" + }, + "bdu": null, + "Cves": [ + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "Cwe": "CWE-787", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-22667", + "Impact": "High", + "Public": "20240205", + "CveID": "CVE-2024-22667" + } + ], + "Bugzilla": [ + { + "Id": "49180", + "Href": "https://bugzilla.altlinux.org/49180", + "Data": "incorrect output with -i flag" + } + ], + "AffectedCpeList": { + "Cpe": [ + "cpe:/o:alt:spworkstation:10", + "cpe:/o:alt:spserver:10" + ] + } + } + }, + "Criteria": { + "Operator": "AND", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:4001", + "Comment": "ALT Linux must be installed" + } + ], + "Criterias": [ + { + "Operator": "OR", + "Criterions": [ + { + "TestRef": 
"oval:org.altlinux.errata:tst:20243084001", + "Comment": "rpm-build-vim is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084002", + "Comment": "vim-X11 is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084003", + "Comment": "vim-X11-gnome2 is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084004", + "Comment": "vim-X11-gtk2 is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084005", + "Comment": "vim-X11-gtk3 is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084006", + "Comment": "vim-common is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084007", + "Comment": "vim-console is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084008", + "Comment": "vim-enhanced is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084009", + "Comment": "vim-minimal is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084010", + "Comment": "vim-spell-source is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084011", + "Comment": "vimtutor is earlier than 4:9.1.0050-alt2" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243084012", + "Comment": "xxd is earlier than 4:9.1.0050-alt2" + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/oval/c10f1/ALT-PU-2024-3084/objects.json b/oval/c10f1/ALT-PU-2024-3084/objects.json new file mode 100644 index 0000000000..164d307f80 --- /dev/null +++ b/oval/c10f1/ALT-PU-2024-3084/objects.json 
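Review bot: The definition's `"Version"` repeats the definition ID (`"oval:org.altlinux.errata:def:20243084"`) instead of carrying a version number, while every object, state and test added in this commit uses `"Version": "1"`. OVAL definition versions are non-negative integers, so a consumer that converts this to OVAL XML, or compares versions to decide whether content has been updated, may reject or mis-order the record. Unless the exporter rewrites the field later, I would expect `"Version": "1"` here. The same pattern appears in the definitions.json hunks for ALT-PU-2024-3156, ALT-PU-2024-1619, ALT-PU-2024-1621 and ALT-PU-2024-2243.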
@@ -0,0 +1,100 @@ +{ + "TextFileContent54Objects": [ + { + "ID": "oval:org.altlinux.errata:obj:4001", + "Version": "1", + "comment": "Evaluate `/etc/os-release` file content", + "Path": { + "dataType": "string", + "Text": "/etc" + }, + "Filepath": { + "Datatype": "string", + "Text": "os-release" + }, + "Pattern": { + "Datatype": "string", + "Operation": "pattern match", + "Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)" + }, + "Instance": { + "Datatype": "int", + "Text": "1" + } + } + ], + "RpmInfoObjects": [ + { + "ID": "oval:org.altlinux.errata:obj:20243084001", + "Version": "1", + "comment": "rpm-build-vim is installed", + "Name": "rpm-build-vim" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243084002", + "Version": "1", + "comment": "vim-X11 is installed", + "Name": "vim-X11" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243084003", + "Version": "1", + "comment": "vim-X11-gnome2 is installed", + "Name": "vim-X11-gnome2" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243084004", + "Version": "1", + "comment": "vim-X11-gtk2 is installed", + "Name": "vim-X11-gtk2" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243084005", + "Version": "1", + "comment": "vim-X11-gtk3 is installed", + "Name": "vim-X11-gtk3" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243084006", + "Version": "1", + "comment": "vim-common is installed", + "Name": "vim-common" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243084007", + "Version": "1", + "comment": "vim-console is installed", + "Name": "vim-console" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243084008", + "Version": "1", + "comment": "vim-enhanced is installed", + "Name": "vim-enhanced" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243084009", + "Version": "1", + "comment": "vim-minimal is installed", + "Name": "vim-minimal" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243084010", + "Version": "1", + "comment": "vim-spell-source is installed", + "Name": "vim-spell-source" + }, + { + "ID": 
"oval:org.altlinux.errata:obj:20243084011", + "Version": "1", + "comment": "vimtutor is installed", + "Name": "vimtutor" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243084012", + "Version": "1", + "comment": "xxd is installed", + "Name": "xxd" + } + ] +} \ No newline at end of file diff --git a/oval/c10f1/ALT-PU-2024-3084/states.json b/oval/c10f1/ALT-PU-2024-3084/states.json new file mode 100644 index 0000000000..902dcacbd3 --- /dev/null +++ b/oval/c10f1/ALT-PU-2024-3084/states.json @@ -0,0 +1,23 @@ +{ + "TextFileContent54State": [ + { + "ID": "oval:org.altlinux.errata:ste:4001", + "Version": "1", + "Text": {} + } + ], + "RpmInfoState": [ + { + "ID": "oval:org.altlinux.errata:ste:20243084001", + "Version": "1", + "Comment": "package EVR is earlier than 4:9.1.0050-alt2", + "Arch": {}, + "Evr": { + "Text": "4:9.1.0050-alt2", + "Datatype": "evr_string", + "Operation": "less than" + }, + "Subexpression": {} + } + ] +} \ No newline at end of file diff --git a/oval/c10f1/ALT-PU-2024-3084/tests.json b/oval/c10f1/ALT-PU-2024-3084/tests.json new file mode 100644 index 0000000000..45bdc29bdd --- /dev/null +++ b/oval/c10f1/ALT-PU-2024-3084/tests.json 
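Review bot: The `Path` entity of `obj:4001` spells its type key `"dataType"` while `Filepath`, `Pattern` and `Instance` in the same object use `"Datatype"`, and the object-level key is `"comment"` where tests.json and states.json use `"Comment"`. A case-sensitive consumer would read `Path` without a datatype, so I would write `"Datatype": "string"` there and settle on one spelling of the comment key. Separately, `Path` is `/etc` and `Filepath` is `os-release`. If `Filepath` maps to OVAL's filepath entity it should hold the full `/etc/os-release`, or the pair should be path plus filename, so please confirm what the exporter emits. The objects.json hunks for ALT-PU-2024-3156, ALT-PU-2024-1619 and ALT-PU-2024-1621 repeat the same object shape.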
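Review bot: The platform state `oval:org.altlinux.errata:ste:4001` is added with `"Text": {}` and no subexpression constraint, so the value captured by the os-release pattern's `(\\d+)` group is never compared with a release number. As written, test `tst:4001` ("ALT Linux based on branch 'c10f1' must be installed") appears to pass on any host whose os-release contains an `alt:spserver` or `alt:spworkstation` CPE followed by a digit. That would include the `8.4` CPEs this commit lists for c9f2, so a scanner could report c10f1 patch status on the wrong branch. If that is not intended, pin the release in the state, for example a subexpression entry with `"Text": "10"` and `"Operation": "equals"` (key shape assumed from the `Evr` entry, to be confirmed against the exporter). The states.json hunks for ALT-PU-2024-3156, and for ALT-PU-2024-1619 and ALT-PU-2024-1621 with `ste:3001`, have the same empty state.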
@@ -0,0 +1,162 @@ +{ + "TextFileContent54Tests": [ + { + "ID": "oval:org.altlinux.errata:tst:4001", + "Version": "1", + "Check": "all", + "Comment": "ALT Linux based on branch 'c10f1' must be installed", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:4001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:4001" + } + } + ], + "RPMInfoTests": [ + { + "ID": "oval:org.altlinux.errata:tst:20243084001", + "Version": "1", + "Check": "all", + "Comment": "rpm-build-vim is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084002", + "Version": "1", + "Check": "all", + "Comment": "vim-X11 is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084002" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084003", + "Version": "1", + "Check": "all", + "Comment": "vim-X11-gnome2 is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084003" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084004", + "Version": "1", + "Check": "all", + "Comment": "vim-X11-gtk2 is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084004" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084005", + "Version": "1", + "Check": "all", + "Comment": "vim-X11-gtk3 is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084005" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084006", + "Version": "1", + "Check": 
"all", + "Comment": "vim-common is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084006" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084007", + "Version": "1", + "Check": "all", + "Comment": "vim-console is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084007" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084008", + "Version": "1", + "Check": "all", + "Comment": "vim-enhanced is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084008" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084009", + "Version": "1", + "Check": "all", + "Comment": "vim-minimal is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084009" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084010", + "Version": "1", + "Check": "all", + "Comment": "vim-spell-source is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084010" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084011", + "Version": "1", + "Check": "all", + "Comment": "vimtutor is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084011" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243084012", + "Version": "1", + "Check": "all", + "Comment": "xxd is earlier than 4:9.1.0050-alt2", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243084012" + }, + "State": { 
+ "StateRef": "oval:org.altlinux.errata:ste:20243084001" + } + } + ] +} \ No newline at end of file diff --git a/oval/c10f1/ALT-PU-2024-3156/definitions.json b/oval/c10f1/ALT-PU-2024-3156/definitions.json new file mode 100644 index 0000000000..0e1518e982 --- /dev/null +++ b/oval/c10f1/ALT-PU-2024-3156/definitions.json 
@@ -0,0 +1,131 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20243156", + "Version": "oval:org.altlinux.errata:def:20243156", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-3156: package `dnsmasq` update to version 2.90-alt1", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch c10f1" + ], + "Products": [ + "ALT SP Workstation", + "ALT SP Server" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-3156", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-3156", + "Source": "ALTPU" + }, + { + "RefID": "BDU:2023-02265", + "RefURL": "https://bdu.fstec.ru/vul/2023-02265", + "Source": "BDU" + }, + { + "RefID": "BDU:2024-01359", + "RefURL": "https://bdu.fstec.ru/vul/2024-01359", + "Source": "BDU" + }, + { + "RefID": "CVE-2023-28450", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-28450", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-50387", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387", + "Source": "CVE" + } + ], + "Description": "This update upgrades dnsmasq to version 2.90-alt1. \nSecurity Fix(es):\n\n * BDU:2023-02265: Уязвимость DNS-сервера Dnsmasq. связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2024-01359: Уязвимость компонента DNSSEC реализации протокола DNS сервера DNS BIND, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-28450: An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.\n\n * CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. 
One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "Advisory": { + "From": "errata.altlinux.org", + "Severity": "High", + "Rights": "Copyright 2024 BaseALT Ltd.", + "Issued": { + "Date": "2024-03-01" + }, + "Updated": { + "Date": "2024-03-01" + }, + "bdu": [ + { + "Cvss": "AV:N/AC:L/Au:S/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400, CWE-770", + "Href": "https://bdu.fstec.ru/vul/2023-02265", + "Impact": "High", + "Public": "20230308", + "CveID": "BDU:2023-02265" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400", + "Href": "https://bdu.fstec.ru/vul/2024-01359", + "Impact": "High", + "Public": "20240213", + "CveID": "BDU:2024-01359" + } + ], + "Cves": [ + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-28450", + "Impact": "High", + "Public": "20230315", + "CveID": "CVE-2023-28450" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-770", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387", + "Impact": "High", + "Public": "20240214", + "CveID": "CVE-2023-50387" + } + ], + "AffectedCpeList": { + "Cpe": [ + "cpe:/o:alt:spworkstation:10", + "cpe:/o:alt:spserver:10" + ] + } + } + }, + "Criteria": { + "Operator": "AND", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:4001", + "Comment": "ALT Linux must be installed" + } + ], + "Criterias": [ + { + "Operator": "OR", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:20243156001", + "Comment": "dnsmasq is earlier than 0:2.90-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20243156002", + "Comment": "dnsmasq-utils is earlier than 0:2.90-alt1" + } + ] + } + ] + } + } + ] +} \ No newline at end of file 
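Review bot: The two `bdu` entries carry `Cvss3` vectors without a version prefix (`"AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"`), whereas the `Cves` entries in the same advisory use `"CVSS:3.1/AV:N/..."`. A CVSS v3 vector string is defined to start with `CVSS:3.0/` or `CVSS:3.1/`, so a strict parser or score calculator may reject the BDU values. Either emit the prefix for BDU records too or document that the field is prefix-less for that source; which 3.x version BDU scored against is not visible here. The `bdu` block in the ALT-PU-2024-1619 definitions.json hunk has the same form.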
diff --git a/oval/c10f1/ALT-PU-2024-3156/objects.json b/oval/c10f1/ALT-PU-2024-3156/objects.json new file mode 100644 index 0000000000..3ab7d6b60b --- /dev/null +++ b/oval/c10f1/ALT-PU-2024-3156/objects.json @@ -0,0 +1,40 @@ +{ + "TextFileContent54Objects": [ + { + "ID": "oval:org.altlinux.errata:obj:4001", + "Version": "1", + "comment": "Evaluate `/etc/os-release` file content", + "Path": { + "dataType": "string", + "Text": "/etc" + }, + "Filepath": { + "Datatype": "string", + "Text": "os-release" + }, + "Pattern": { + "Datatype": "string", + "Operation": "pattern match", + "Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d+)" + }, + "Instance": { + "Datatype": "int", + "Text": "1" + } + } + ], + "RpmInfoObjects": [ + { + "ID": "oval:org.altlinux.errata:obj:20243156001", + "Version": "1", + "comment": "dnsmasq is installed", + "Name": "dnsmasq" + }, + { + "ID": "oval:org.altlinux.errata:obj:20243156002", + "Version": "1", + "comment": "dnsmasq-utils is installed", + "Name": "dnsmasq-utils" + } + ] +} \ No newline at end of file diff --git a/oval/c10f1/ALT-PU-2024-3156/states.json b/oval/c10f1/ALT-PU-2024-3156/states.json new file mode 100644 index 0000000000..9e323b0d83 --- /dev/null +++ b/oval/c10f1/ALT-PU-2024-3156/states.json @@ -0,0 +1,23 @@ +{ + "TextFileContent54State": [ + { + "ID": "oval:org.altlinux.errata:ste:4001", + "Version": "1", + "Text": {} + } + ], + "RpmInfoState": [ + { + "ID": "oval:org.altlinux.errata:ste:20243156001", + "Version": "1", + "Comment": "package EVR is earlier than 0:2.90-alt1", + "Arch": {}, + "Evr": { + "Text": "0:2.90-alt1", + "Datatype": "evr_string", + "Operation": "less than" + }, + "Subexpression": {} + } + ] +} \ No newline at end of file diff --git a/oval/c10f1/ALT-PU-2024-3156/tests.json b/oval/c10f1/ALT-PU-2024-3156/tests.json new file mode 100644 index 0000000000..4488a030f0 --- /dev/null +++ b/oval/c10f1/ALT-PU-2024-3156/tests.json 
@@ -0,0 +1,42 @@ +{ + "TextFileContent54Tests": [ + { + "ID": "oval:org.altlinux.errata:tst:4001", + "Version": "1", + "Check": "all", + "Comment": "ALT Linux based on branch 'c10f1' must be installed", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:4001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:4001" + } + } + ], + "RPMInfoTests": [ + { + "ID": "oval:org.altlinux.errata:tst:20243156001", + "Version": "1", + "Check": "all", + "Comment": "dnsmasq is earlier than 0:2.90-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243156001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243156001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20243156002", + "Version": "1", + "Check": "all", + "Comment": "dnsmasq-utils is earlier than 0:2.90-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20243156002" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20243156001" + } + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-1619/definitions.json b/oval/c9f2/ALT-PU-2024-1619/definitions.json new file mode 100644 index 0000000000..c7b002f41c --- /dev/null +++ b/oval/c9f2/ALT-PU-2024-1619/definitions.json 
@@ -0,0 +1,138 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20241619", + "Version": "oval:org.altlinux.errata:def:20241619", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-1619: package `libde265` update to version 1.0.15-alt1", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch c9f2" + ], + "Products": [ + "ALT SPWorkstation", + "ALT SPServer" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-1619", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-1619", + "Source": "ALTPU" + }, + { + "RefID": "BDU:2023-02130", + "RefURL": "https://bdu.fstec.ru/vul/2023-02130", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-02131", + "RefURL": "https://bdu.fstec.ru/vul/2023-02131", + "Source": "BDU" + }, + { + "RefID": "CVE-2023-27102", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-27102", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-27103", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-27103", + "Source": "CVE" + } + ], + "Description": "This update upgrades libde265 to version 1.0.15-alt1. 
\nSecurity Fix(es):\n\n * BDU:2023-02130: Уязвимость функции derive_collocated_motion_vectors (motion.cc) реализации видеокодека h.265 Libde265, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2023-02131: Уязвимость функции decoder_context::p rocess_slice_segment_header (decctx.cc) реализации видеокодека h.265 Libde265, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * CVE-2023-27102: Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc.\n\n * CVE-2023-27103: Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc.\n\n * #47544: v1.0.12 (security fixes)", + "Advisory": { + "From": "errata.altlinux.org", + "Severity": "High", + "Rights": "Copyright 2024 BaseALT Ltd.", + "Issued": { + "Date": "2024-03-01" + }, + "Updated": { + "Date": "2024-03-01" + }, + "bdu": [ + { + "Cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-787", + "Href": "https://bdu.fstec.ru/vul/2023-02130", + "Impact": "High", + "Public": "20230315", + "CveID": "BDU:2023-02130" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-476", + "Href": "https://bdu.fstec.ru/vul/2023-02131", + "Impact": "Low", + "Public": "20230315", + "CveID": "BDU:2023-02131" + } + ], + "Cves": [ + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-476", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-27102", + "Impact": "Low", + "Public": "20230315", + "CveID": "CVE-2023-27102" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-787", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-27103", + "Impact": "High", + "Public": "20230315", + "CveID": 
"CVE-2023-27103" + } + ], + "Bugzilla": [ + { + "Id": "47544", + "Href": "https://bugzilla.altlinux.org/47544", + "Data": "v1.0.12 (security fixes)" + } + ], + "AffectedCpeList": { + "Cpe": [ + "cpe:/o:alt:spworkstation:8.4", + "cpe:/o:alt:spserver:8.4" + ] + } + } + }, + "Criteria": { + "Operator": "AND", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:3001", + "Comment": "ALT Linux must be installed" + } + ], + "Criterias": [ + { + "Operator": "OR", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:20241619001", + "Comment": "libde265 is earlier than 0:1.0.15-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20241619002", + "Comment": "libde265-devel is earlier than 0:1.0.15-alt1" + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-1619/objects.json b/oval/c9f2/ALT-PU-2024-1619/objects.json new file mode 100644 index 0000000000..970320da79 --- /dev/null +++ b/oval/c9f2/ALT-PU-2024-1619/objects.json @@ -0,0 +1,40 @@ +{ + "TextFileContent54Objects": [ + { + "ID": "oval:org.altlinux.errata:obj:3001", + "Version": "1", + "comment": "Evaluate `/etc/os-release` file content", + "Path": { + "dataType": "string", + "Text": "/etc" + }, + "Filepath": { + "Datatype": "string", + "Text": "os-release" + }, + "Pattern": { + "Datatype": "string", + "Operation": "pattern match", + "Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d\\.\\d)" + }, + "Instance": { + "Datatype": "int", + "Text": "1" + } + } + ], + "RpmInfoObjects": [ + { + "ID": "oval:org.altlinux.errata:obj:20241619001", + "Version": "1", + "comment": "libde265 is installed", + "Name": "libde265" + }, + { + "ID": "oval:org.altlinux.errata:obj:20241619002", + "Version": "1", + "comment": "libde265-devel is installed", + "Name": "libde265-devel" + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-1619/states.json b/oval/c9f2/ALT-PU-2024-1619/states.json new file mode 100644 index 0000000000..5b3bc396f1 --- /dev/null 
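Review bot: The `Description` text for BDU:2023-02131 contains a broken identifier, `decoder_context::p rocess_slice_segment_header`, with a stray space inside the function name. The CVE-2023-27102 sentence in the same string spells it `decoder_context::process_slice_segment_header`, so anyone matching advisories by function name will miss the BDU line. The break may be inherited from the BDU feed; if so it is worth normalising at import so the string reads `decoder_context::process_slice_segment_header (decctx.cc)`.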
+++ b/oval/c9f2/ALT-PU-2024-1619/states.json @@ -0,0 +1,23 @@ +{ + "TextFileContent54State": [ + { + "ID": "oval:org.altlinux.errata:ste:3001", + "Version": "1", + "Text": {} + } + ], + "RpmInfoState": [ + { + "ID": "oval:org.altlinux.errata:ste:20241619001", + "Version": "1", + "Comment": "package EVR is earlier than 0:1.0.15-alt1", + "Arch": {}, + "Evr": { + "Text": "0:1.0.15-alt1", + "Datatype": "evr_string", + "Operation": "less than" + }, + "Subexpression": {} + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-1619/tests.json b/oval/c9f2/ALT-PU-2024-1619/tests.json new file mode 100644 index 0000000000..3e9f71bb8f --- /dev/null +++ b/oval/c9f2/ALT-PU-2024-1619/tests.json @@ -0,0 +1,42 @@ +{ + "TextFileContent54Tests": [ + { + "ID": "oval:org.altlinux.errata:tst:3001", + "Version": "1", + "Check": "all", + "Comment": "ALT Linux based on branch 'c9f2' must be installed", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:3001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:3001" + } + } + ], + "RPMInfoTests": [ + { + "ID": "oval:org.altlinux.errata:tst:20241619001", + "Version": "1", + "Check": "all", + "Comment": "libde265 is earlier than 0:1.0.15-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20241619001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20241619001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20241619002", + "Version": "1", + "Check": "all", + "Comment": "libde265-devel is earlier than 0:1.0.15-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20241619002" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20241619001" + } + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-1621/definitions.json b/oval/c9f2/ALT-PU-2024-1621/definitions.json new file mode 100644 index 0000000000..f8d1b47e6b --- /dev/null +++ b/oval/c9f2/ALT-PU-2024-1621/definitions.json 
@@ -0,0 +1,90 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20241621", + "Version": "oval:org.altlinux.errata:def:20241621", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-1621: package `libheif` update to version 1.17.6-alt1", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch c9f2" + ], + "Products": [ + "ALT SPWorkstation", + "ALT SPServer" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-1621", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-1621", + "Source": "ALTPU" + }, + { + "RefID": "CVE-2020-23109", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-23109", + "Source": "CVE" + } + ], + "Description": "This update upgrades libheif to version 1.17.6-alt1. \nSecurity Fix(es):\n\n * CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file.", + "Advisory": { + "From": "errata.altlinux.org", + "Severity": "High", + "Rights": "Copyright 2024 BaseALT Ltd.", + "Issued": { + "Date": "2024-03-01" + }, + "Updated": { + "Date": "2024-03-01" + }, + "bdu": null, + "Cves": [ + { + "Cvss": "AV:N/AC:M/Au:N/C:P/I:N/A:P", + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "Cwe": "CWE-120", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-23109", + "Impact": "High", + "Public": "20211103", + "CveID": "CVE-2020-23109" + } + ], + "AffectedCpeList": { + "Cpe": [ + "cpe:/o:alt:spworkstation:8.4", + "cpe:/o:alt:spserver:8.4" + ] + } + } + }, + "Criteria": { + "Operator": "AND", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:3001", + "Comment": "ALT Linux must be installed" + } + ], + "Criterias": [ + { + "Operator": "OR", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:20241621001", + "Comment": "libheif is earlier than 0:1.17.6-alt1" + }, + { + "TestRef": 
"oval:org.altlinux.errata:tst:20241621002", + "Comment": "libheif-devel is earlier than 0:1.17.6-alt1" + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-1621/objects.json b/oval/c9f2/ALT-PU-2024-1621/objects.json new file mode 100644 index 0000000000..3aced3ae90 --- /dev/null +++ b/oval/c9f2/ALT-PU-2024-1621/objects.json @@ -0,0 +1,40 @@ +{ + "TextFileContent54Objects": [ + { + "ID": "oval:org.altlinux.errata:obj:3001", + "Version": "1", + "comment": "Evaluate `/etc/os-release` file content", + "Path": { + "dataType": "string", + "Text": "/etc" + }, + "Filepath": { + "Datatype": "string", + "Text": "os-release" + }, + "Pattern": { + "Datatype": "string", + "Operation": "pattern match", + "Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d\\.\\d)" + }, + "Instance": { + "Datatype": "int", + "Text": "1" + } + } + ], + "RpmInfoObjects": [ + { + "ID": "oval:org.altlinux.errata:obj:20241621001", + "Version": "1", + "comment": "libheif is installed", + "Name": "libheif" + }, + { + "ID": "oval:org.altlinux.errata:obj:20241621002", + "Version": "1", + "comment": "libheif-devel is installed", + "Name": "libheif-devel" + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-1621/states.json b/oval/c9f2/ALT-PU-2024-1621/states.json new file mode 100644 index 0000000000..969b2f9119 --- /dev/null +++ b/oval/c9f2/ALT-PU-2024-1621/states.json @@ -0,0 +1,23 @@ +{ + "TextFileContent54State": [ + { + "ID": "oval:org.altlinux.errata:ste:3001", + "Version": "1", + "Text": {} + } + ], + "RpmInfoState": [ + { + "ID": "oval:org.altlinux.errata:ste:20241621001", + "Version": "1", + "Comment": "package EVR is earlier than 0:1.17.6-alt1", + "Arch": {}, + "Evr": { + "Text": "0:1.17.6-alt1", + "Datatype": "evr_string", + "Operation": "less than" + }, + "Subexpression": {} + } + ] +} \ No newline at end of file 
diff --git a/oval/c9f2/ALT-PU-2024-1621/tests.json b/oval/c9f2/ALT-PU-2024-1621/tests.json new file mode 100644 index 0000000000..879f7b8f98 --- /dev/null +++ b/oval/c9f2/ALT-PU-2024-1621/tests.json @@ -0,0 +1,42 @@ +{ + "TextFileContent54Tests": [ + { + "ID": "oval:org.altlinux.errata:tst:3001", + "Version": "1", + "Check": "all", + "Comment": "ALT Linux based on branch 'c9f2' must be installed", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:3001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:3001" + } + } + ], + "RPMInfoTests": [ + { + "ID": "oval:org.altlinux.errata:tst:20241621001", + "Version": "1", + "Check": "all", + "Comment": "libheif is earlier than 0:1.17.6-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20241621001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20241621001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20241621002", + "Version": "1", + "Check": "all", + "Comment": "libheif-devel is earlier than 0:1.17.6-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20241621002" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20241621001" + } + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-2243/definitions.json b/oval/c9f2/ALT-PU-2024-2243/definitions.json new file mode 100644 index 0000000000..69e88893ab --- /dev/null +++ b/oval/c9f2/ALT-PU-2024-2243/definitions.json 
@@ -0,0 +1,521 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20242243", + "Version": "oval:org.altlinux.errata:def:20242243", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-2243: package `ImageMagick` update to version 6.9.12.93-alt1", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch c9f2" + ], + "Products": [ + "ALT SPWorkstation", + "ALT SPServer" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-2243", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-2243", + "Source": "ALTPU" + }, + { + "RefID": "BDU:2021-03651", + "RefURL": "https://bdu.fstec.ru/vul/2021-03651", + "Source": "BDU" + }, + { + "RefID": "BDU:2021-03652", + "RefURL": "https://bdu.fstec.ru/vul/2021-03652", + "Source": "BDU" + }, + { + "RefID": "BDU:2021-03654", + "RefURL": "https://bdu.fstec.ru/vul/2021-03654", + "Source": "BDU" + }, + { + "RefID": "BDU:2021-05183", + "RefURL": "https://bdu.fstec.ru/vul/2021-05183", + "Source": "BDU" + }, + { + "RefID": "BDU:2021-05277", + "RefURL": "https://bdu.fstec.ru/vul/2021-05277", + "Source": "BDU" + }, + { + "RefID": "BDU:2022-06962", + "RefURL": "https://bdu.fstec.ru/vul/2022-06962", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-00579", + "RefURL": "https://bdu.fstec.ru/vul/2023-00579", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-01717", + "RefURL": "https://bdu.fstec.ru/vul/2023-01717", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-01719", + "RefURL": "https://bdu.fstec.ru/vul/2023-01719", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-01721", + "RefURL": "https://bdu.fstec.ru/vul/2023-01721", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-01724", + "RefURL": "https://bdu.fstec.ru/vul/2023-01724", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-02231", + "RefURL": "https://bdu.fstec.ru/vul/2023-02231", + "Source": "BDU" + }, + { + "RefID": "CVE-2021-20176", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20176", + "Source": "CVE" + }, + { + "RefID": 
"CVE-2021-20224", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20224", + "Source": "CVE" + }, + { + "RefID": "CVE-2021-20241", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20241", + "Source": "CVE" + }, + { + "RefID": "CVE-2021-20245", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20245", + "Source": "CVE" + }, + { + "RefID": "CVE-2021-20246", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20246", + "Source": "CVE" + }, + { + "RefID": "CVE-2021-20309", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20309", + "Source": "CVE" + }, + { + "RefID": "CVE-2021-3610", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3610", + "Source": "CVE" + }, + { + "RefID": "CVE-2021-4219", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-4219", + "Source": "CVE" + }, + { + "RefID": "CVE-2022-1114", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-1114", + "Source": "CVE" + }, + { + "RefID": "CVE-2022-1115", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-1115", + "Source": "CVE" + }, + { + "RefID": "CVE-2022-3213", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-3213", + "Source": "CVE" + }, + { + "RefID": "CVE-2022-32545", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-32545", + "Source": "CVE" + }, + { + "RefID": "CVE-2022-32546", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-32546", + "Source": "CVE" + }, + { + "RefID": "CVE-2022-32547", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-32547", + "Source": "CVE" + }, + { + "RefID": "CVE-2022-44268", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-44268", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-1906", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-1906", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-3195", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-3195", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-39978", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-39978", + "Source": "CVE" + } + ], + 
"Description": "This update upgrades ImageMagick to version 6.9.12.93-alt1. \nSecurity Fix(es):\n\n * BDU:2021-03651: Уязвимость файла gem.c набора программ для чтения и редактирования файлов ImageMagisk, связанная с отсутствием проверки деления на ноль, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03652: Уязвимость файла coders/jp2.c. набора программ для чтения и редактирования файлов ImageMagisk, связанная с отсутствием проверки деления на ноль, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03654: Уязвимость файла MagickCore/resample.c. набора программ для чтения и редактирования файлов ImageMagisk, связанная с отсутствием проверки деления на ноль, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-05183: Уязвимость компонента coders/webp.c консольного графического редактора ImageMagick, связанная с отсутствием проверки деления на ноль, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-05277: Уязвимость функции WaveImage() компонента MagickCore/visual-effects.c консольного графического редактора ImageMagick, связанная с отсутствием проверки деления на ноль, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-06962: Уязвимость функции ExportIndexQuantum() графического редактора ImageMagick, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код\n\n * BDU:2023-00579: Уязвимость графического редактора ImageMagick, связанная с ошибками при обработке входных данных, позволяющая нарушителю получить доступ к защищаемой информации\n\n * BDU:2023-01717: Уязвимость компонента coders/pcl.c консольного графического редактора ImageMagick, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2023-01719: Уязвимость функции RelinquishDCMInfo() компонента dcm.c консольного графического редактора ImageMagick, позволяющая нарушителю получить доступ к конфиденциальным данным, а 
также вызвать отказ в обслуживании\n\n * BDU:2023-01721: Уязвимость компонента coders/psd.c консольного графического редактора ImageMagick, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2023-01724: Уязвимость компонента MagickCore/property.c консольного графического редактора ImageMagick, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2023-02231: Уязвимость функции importmultispectralquantum() консольного графического редактора ImageMagick, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and 7.0.10-57 in gem.c. This flaw allows an attacker who submits a crafted file that is processed by ImageMagick to trigger undefined behavior through a division by zero. The highest threat from this vulnerability is to system availability.\n\n * CVE-2021-20224: An integer overflow issue was discovered in ImageMagick's ExportIndexQuantum() function in MagickCore/quantum-export.c. Function calls to GetPixelIndex() could result in values outside the range of representable for the 'unsigned char'. When ImageMagick processes a crafted pdf file, this could lead to an undefined behaviour or a crash.\n\n * CVE-2021-20241: A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.\n\n * CVE-2021-20245: A flaw was found in ImageMagick in coders/webp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. 
The highest threat from this vulnerability is to system availability.\n\n * CVE-2021-20246: A flaw was found in ImageMagick in MagickCore/resample.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.\n\n * CVE-2021-20309: A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to system availability.\n\n * CVE-2021-3610: A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault.\n\n * CVE-2021-4219: A flaw was found in ImageMagick. The vulnerability occurs due to improper use of open functions and leads to a denial of service. This flaw allows an attacker to crash the system.\n\n * CVE-2022-1114: A heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggered when an attacker passes a specially crafted DICOM image file to ImageMagick for conversion, potentially leading to information disclosure and a denial of service.\n\n * CVE-2022-1115: A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.\n\n * CVE-2022-3213: A heap buffer overflow issue was found in ImageMagick. 
When an application processes a malformed TIFF file, it could lead to undefined behavior or a crash causing a denial of service.\n\n * CVE-2022-32545: A vulnerability was found in ImageMagick, causing an outside the range of representable values of type 'unsigned char' at coders/psd.c, when crafted or untrusted input is processed. This leads to a negative impact to application availability or other problems related to undefined behavior.\n\n * CVE-2022-32546: A vulnerability was found in ImageMagick, causing an outside the range of representable values of type 'unsigned long' at coders/pcl.c, when crafted or untrusted input is processed. This leads to a negative impact to application availability or other problems related to undefined behavior.\n\n * CVE-2022-32547: In ImageMagick, there is load of misaligned address for type 'double', which requires 8 byte alignment and for type 'float', which requires 4 byte alignment at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact to application availability or other problems related to undefined behavior.\n\n * CVE-2022-44268: ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).\n\n * CVE-2023-1906: A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.\n\n * CVE-2023-3195: A stack-based buffer overflow issue was found in ImageMagick's coders/tiff.c. 
This flaw allows an attacker to trick the user into opening a specially crafted malicious tiff file, causing an application to crash, resulting in a denial of service.\n\n * CVE-2023-39978: ImageMagick before 6.9.12-91 allows attackers to cause a denial of service (memory consumption) in Magick::Draw.\n\n * #31789: Лишний пункт меню", + "Advisory": { + "From": "errata.altlinux.org", + "Severity": "High", + "Rights": "Copyright 2024 BaseALT Ltd.", + "Issued": { + "Date": "2024-03-01" + }, + "Updated": { + "Date": "2024-03-01" + }, + "bdu": [ + { + "Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-369", + "Href": "https://bdu.fstec.ru/vul/2021-03651", + "Impact": "Low", + "Public": "20210115", + "CveID": "BDU:2021-03651" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-369", + "Href": "https://bdu.fstec.ru/vul/2021-03652", + "Impact": "Low", + "Public": "20210115", + "CveID": "BDU:2021-03652" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-369", + "Href": "https://bdu.fstec.ru/vul/2021-03654", + "Impact": "Low", + "Public": "20210215", + "CveID": "BDU:2021-03654" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-369", + "Href": "https://bdu.fstec.ru/vul/2021-05183", + "Impact": "Low", + "Public": "20210202", + "CveID": "BDU:2021-05183" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-369", + "Href": "https://bdu.fstec.ru/vul/2021-05277", + "Impact": "High", + "Public": "20210225", + "CveID": "BDU:2021-05277" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-190", + "Href": "https://bdu.fstec.ru/vul/2022-06962", + "Impact": "Low", + "Public": "20220825", + "CveID": "BDU:2022-06962" + }, + { + "Cvss": 
"AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-200", + "Href": "https://bdu.fstec.ru/vul/2023-00579", + "Impact": "High", + "Public": "20230206", + "CveID": "BDU:2023-00579" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-190", + "Href": "https://bdu.fstec.ru/vul/2023-01717", + "Impact": "High", + "Public": "20220324", + "CveID": "BDU:2023-01717" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:C/I:N/A:C", + "Cvss3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H", + "Cwe": "CWE-416", + "Href": "https://bdu.fstec.ru/vul/2023-01719", + "Impact": "Low", + "Public": "20220314", + "CveID": "BDU:2023-01719" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-190", + "Href": "https://bdu.fstec.ru/vul/2023-01721", + "Impact": "High", + "Public": "20220317", + "CveID": "BDU:2023-01721" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-704", + "Href": "https://bdu.fstec.ru/vul/2023-01724", + "Impact": "High", + "Public": "20220409", + "CveID": "BDU:2023-01724" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-122, CWE-125", + "Href": "https://bdu.fstec.ru/vul/2023-02231", + "Impact": "Low", + "Public": "20230401", + "CveID": "BDU:2023-02231" + } + ], + "Cves": [ + { + "Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-369", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20176", + "Impact": "Low", + "Public": "20210206", + "CveID": "CVE-2021-20176" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-190", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20224", + "Impact": "Low", + "Public": "20220825", + "CveID": "CVE-2021-20224" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "Cvss3": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-369", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20241", + "Impact": "Low", + "Public": "20210309", + "CveID": "CVE-2021-20241" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-369", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20245", + "Impact": "Low", + "Public": "20210309", + "CveID": "CVE-2021-20245" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-369", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20246", + "Impact": "Low", + "Public": "20210309", + "CveID": "CVE-2021-20246" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-369", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20309", + "Impact": "High", + "Public": "20210511", + "CveID": "CVE-2021-20309" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-787", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3610", + "Impact": "High", + "Public": "20220224", + "CveID": "CVE-2021-3610" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-20", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-4219", + "Impact": "Low", + "Public": "20220323", + "CveID": "CVE-2021-4219" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:P/I:N/A:P", + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "Cwe": "CWE-416", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-1114", + "Impact": "High", + "Public": "20220429", + "CveID": "CVE-2022-1114" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-787", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-1115", + "Impact": "Low", + "Public": "20220829", + "CveID": "CVE-2022-1115" + }, + { + "Cvss3": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-787", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-3213", + "Impact": "Low", + "Public": "20220919", + "CveID": "CVE-2022-3213" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-190", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-32545", + "Impact": "High", + "Public": "20220616", + "CveID": "CVE-2022-32545" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-190", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-32546", + "Impact": "High", + "Public": "20220616", + "CveID": "CVE-2022-32546" + }, + { + "Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-704", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-32547", + "Impact": "High", + "Public": "20220616", + "CveID": "CVE-2022-32547" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-44268", + "Impact": "Low", + "Public": "20230206", + "CveID": "CVE-2022-44268" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-787", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-1906", + "Impact": "Low", + "Public": "20230412", + "CveID": "CVE-2023-1906" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-787", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-3195", + "Impact": "Low", + "Public": "20230616", + "CveID": "CVE-2023-3195" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "Cwe": "CWE-401", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-39978", + "Impact": "Low", + "Public": "20230808", + "CveID": "CVE-2023-39978" + } + ], + "Bugzilla": [ + { + "Id": "31789", + "Href": "https://bugzilla.altlinux.org/31789", + "Data": "Лишний пункт меню" + } + ], + 
"AffectedCpeList": { + "Cpe": [ + "cpe:/o:alt:spworkstation:8.4", + "cpe:/o:alt:spserver:8.4" + ] + } + } + }, + "Criteria": { + "Operator": "AND", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:3001", + "Comment": "ALT Linux must be installed" + } + ], + "Criterias": [ + { + "Operator": "OR", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:20242243001", + "Comment": "ImageMagick is earlier than 0:6.9.12.93-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242243002", + "Comment": "ImageMagick-doc is earlier than 0:6.9.12.93-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242243003", + "Comment": "ImageMagick-tools is earlier than 0:6.9.12.93-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242243004", + "Comment": "libImageMagick++6.9 is earlier than 0:6.9.12.93-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242243005", + "Comment": "libImageMagick-devel is earlier than 0:6.9.12.93-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242243006", + "Comment": "libImageMagick6-common is earlier than 0:6.9.12.93-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242243007", + "Comment": "libImageMagick6.7 is earlier than 0:6.9.12.93-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242243008", + "Comment": "perl-Magick is earlier than 0:6.9.12.93-alt1" + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-2243/objects.json b/oval/c9f2/ALT-PU-2024-2243/objects.json new file mode 100644 index 0000000000..1bcfa8be73 --- /dev/null +++ b/oval/c9f2/ALT-PU-2024-2243/objects.json 
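Review bot: The `Cvss3` values in the `bdu` array of oval/c9f2/ALT-PU-2024-2243/definitions.json are bare metric strings such as `"AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"`, while the same field in `Cves` carries the `CVSS:3.1/` prefix. A CVSS v3 vector string is defined with its version prefix, so a scoring library is likely to reject the BDU vectors or be unable to tell 3.0 from 3.1. They should be emitted as `"Cvss3": "CVSS:<version>/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"`, with `<version>` being whatever BDU scored against. In the same array, `"Cwe": "CWE-122, CWE-125"` for BDU:2023-02231 packs two identifiers into one string, which a consumer matching on a single CWE id will miss; an array, or one entry per CWE, would keep the field machine-readable.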
@@ -0,0 +1,76 @@ +{ + "TextFileContent54Objects": [ + { + "ID": "oval:org.altlinux.errata:obj:3001", + "Version": "1", + "comment": "Evaluate `/etc/os-release` file content", + "Path": { + "dataType": "string", + "Text": "/etc" + }, + "Filepath": { + "Datatype": "string", + "Text": "os-release" + }, + "Pattern": { + "Datatype": "string", + "Operation": "pattern match", + "Text": "cpe:\\/o:alt:sp(?:server|workstation):(\\d\\.\\d)" + }, + "Instance": { + "Datatype": "int", + "Text": "1" + } + } + ], + "RpmInfoObjects": [ + { + "ID": "oval:org.altlinux.errata:obj:20242243001", + "Version": "1", + "comment": "ImageMagick is installed", + "Name": "ImageMagick" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242243002", + "Version": "1", + "comment": "ImageMagick-doc is installed", + "Name": "ImageMagick-doc" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242243003", + "Version": "1", + "comment": "ImageMagick-tools is installed", + "Name": "ImageMagick-tools" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242243004", + "Version": "1", + "comment": "libImageMagick++6.9 is installed", + "Name": "libImageMagick++6.9" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242243005", + "Version": "1", + "comment": "libImageMagick-devel is installed", + "Name": "libImageMagick-devel" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242243006", + "Version": "1", + "comment": "libImageMagick6-common is installed", + "Name": "libImageMagick6-common" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242243007", + "Version": "1", + "comment": "libImageMagick6.7 is installed", + "Name": "libImageMagick6.7" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242243008", + "Version": "1", + "comment": "perl-Magick is installed", + "Name": "perl-Magick" + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-2243/states.json b/oval/c9f2/ALT-PU-2024-2243/states.json new file mode 100644 index 0000000000..7b894cc2a3 --- /dev/null 
+++ b/oval/c9f2/ALT-PU-2024-2243/states.json @@ -0,0 +1,23 @@ +{ + "TextFileContent54State": [ + { + "ID": "oval:org.altlinux.errata:ste:3001", + "Version": "1", + "Text": {} + } + ], + "RpmInfoState": [ + { + "ID": "oval:org.altlinux.errata:ste:20242243001", + "Version": "1", + "Comment": "package EVR is earlier than 0:6.9.12.93-alt1", + "Arch": {}, + "Evr": { + "Text": "0:6.9.12.93-alt1", + "Datatype": "evr_string", + "Operation": "less than" + }, + "Subexpression": {} + } + ] +} \ No newline at end of file diff --git a/oval/c9f2/ALT-PU-2024-2243/tests.json b/oval/c9f2/ALT-PU-2024-2243/tests.json new file mode 100644 index 0000000000..dd0fb0eb53 --- /dev/null +++ b/oval/c9f2/ALT-PU-2024-2243/tests.json 
@@ -0,0 +1,114 @@ +{ + "TextFileContent54Tests": [ + { + "ID": "oval:org.altlinux.errata:tst:3001", + "Version": "1", + "Check": "all", + "Comment": "ALT Linux based on branch 'c9f2' must be installed", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:3001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:3001" + } + } + ], + "RPMInfoTests": [ + { + "ID": "oval:org.altlinux.errata:tst:20242243001", + "Version": "1", + "Check": "all", + "Comment": "ImageMagick is earlier than 0:6.9.12.93-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242243001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242243001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242243002", + "Version": "1", + "Check": "all", + "Comment": "ImageMagick-doc is earlier than 0:6.9.12.93-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242243002" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242243001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242243003", + "Version": "1", + "Check": "all", + "Comment": "ImageMagick-tools is earlier than 0:6.9.12.93-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242243003" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242243001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242243004", + "Version": "1", + "Check": "all", + "Comment": "libImageMagick++6.9 is earlier than 0:6.9.12.93-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242243004" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242243001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242243005", + "Version": "1", + "Check": "all", + "Comment": "libImageMagick-devel is earlier than 0:6.9.12.93-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242243005" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242243001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242243006", + 
"Version": "1", + "Check": "all", + "Comment": "libImageMagick6-common is earlier than 0:6.9.12.93-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242243006" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242243001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242243007", + "Version": "1", + "Check": "all", + "Comment": "libImageMagick6.7 is earlier than 0:6.9.12.93-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242243007" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242243001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242243008", + "Version": "1", + "Check": "all", + "Comment": "perl-Magick is earlier than 0:6.9.12.93-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242243008" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242243001" + } + } + ] +} \ No newline at end of file diff --git a/oval/p10/ALT-PU-2024-2761/definitions.json b/oval/p10/ALT-PU-2024-2761/definitions.json new file mode 100644 index 0000000000..c0500e81b9 --- /dev/null +++ b/oval/p10/ALT-PU-2024-2761/definitions.json 
@@ -0,0 +1,406 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20242761", + "Version": "oval:org.altlinux.errata:def:20242761", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-2761: package `dotnet-runtime-6.0` update to version 6.0.25-alt1", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch p10" + ], + "Products": [ + "ALT Server", + "ALT Virtualization Server", + "ALT Workstation", + "ALT Workstation K", + "ALT Education", + "Simply Linux", + "Starterkit" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-2761", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-2761", + "Source": "ALTPU" + }, + { + "RefID": "BDU:2023-04540", + "RefURL": "https://bdu.fstec.ru/vul/2023-04540", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-04615", + "RefURL": "https://bdu.fstec.ru/vul/2023-04615", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-04621", + "RefURL": "https://bdu.fstec.ru/vul/2023-04621", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05593", + "RefURL": "https://bdu.fstec.ru/vul/2023-05593", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05594", + "RefURL": "https://bdu.fstec.ru/vul/2023-05594", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05595", + "RefURL": "https://bdu.fstec.ru/vul/2023-05595", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05605", + "RefURL": "https://bdu.fstec.ru/vul/2023-05605", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06110", + "RefURL": "https://bdu.fstec.ru/vul/2023-06110", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06559", + "RefURL": "https://bdu.fstec.ru/vul/2023-06559", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-08244", + "RefURL": "https://bdu.fstec.ru/vul/2023-08244", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-08245", + "RefURL": "https://bdu.fstec.ru/vul/2023-08245", + "Source": "BDU" + }, + { + "RefID": "CVE-2023-35390", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-35390", + "Source": "CVE" + }, + { + "RefID": 
"CVE-2023-35391", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-35391", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36049", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36049", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36558", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36558", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36792", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36792", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36793", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36793", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36794", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36794", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36796", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36796", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36799", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36799", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-38180", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-38180", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-44487", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "Source": "CVE" + } + ], + "Description": "This update upgrades dotnet-runtime-6.0 to version 6.0.25-alt1. 
\nSecurity Fix(es):\n\n * BDU:2023-04540: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio и программной платформы Microsoft.NET Framework, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-04615: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, программной платформы Microsoft.NET, и программной платформы ASP.NET Core, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2023-04621: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, программной платформы Microsoft.NET, связанная с недостаточной проверкой входных данных, позволяющая нарушителю раскрыть защищаемую информацию\n\n * BDU:2023-05593: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05594: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05595: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05605: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-06110: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06559: Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без 
подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-08244: Уязвимость программной платформы Microsoft .NET Framework, средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2023-08245: Уязвимость программной платформы ASP.NET Core, связанная с ошибками в настройках безопасности, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-35390: .NET and Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-35391: ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability\n\n * CVE-2023-36049: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability\n\n * CVE-2023-36558: ASP.NET Core - Security Feature Bypass Vulnerability\n\n * CVE-2023-36792: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36793: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36794: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36796: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36799: .NET Core and Visual Studio Denial of Service Vulnerability\n\n * CVE-2023-38180: .NET and Visual Studio Denial of Service Vulnerability\n\n * CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "Advisory": { + "From": "errata.altlinux.org", + "Severity": "Critical", + "Rights": "Copyright 2024 BaseALT Ltd.", + "Issued": { + "Date": "2024-03-01" + }, + "Updated": { + "Date": "2024-03-01" + }, + "bdu": [ + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400", + "Href": "https://bdu.fstec.ru/vul/2023-04540", + "Impact": "High", + "Public": "20230808", + "CveID": "BDU:2023-04540" + }, + { + "Cvss": 
"AV:L/AC:L/Au:S/C:C/I:C/A:N", + "Cvss3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "Cwe": "CWE-200", + "Href": "https://bdu.fstec.ru/vul/2023-04615", + "Impact": "High", + "Public": "20230808", + "CveID": "BDU:2023-04615" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:N", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-04621", + "Impact": "High", + "Public": "20230808", + "CveID": "BDU:2023-04621" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05593", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05593" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05594", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05594" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05595", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05595" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05605", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05605" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400, CWE-404", + "Href": "https://bdu.fstec.ru/vul/2023-06110", + "Impact": "Low", + "Public": "20230912", + "CveID": "BDU:2023-06110" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400", + "Href": "https://bdu.fstec.ru/vul/2023-06559", + "Impact": "High", + "Public": "20231010", + "CveID": "BDU:2023-06559" + }, + { + "Cvss": "AV:N/AC:L/Au:S/C:P/I:C/A:P", + "Cvss3": 
"AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "Cwe": "CWE-264", + "Href": "https://bdu.fstec.ru/vul/2023-08244", + "Impact": "High", + "Public": "20231114", + "CveID": "BDU:2023-08244" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:P/A:P", + "Cvss3": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "Cwe": "CWE-254, CWE-285", + "Href": "https://bdu.fstec.ru/vul/2023-08245", + "Impact": "Low", + "Public": "20231114", + "CveID": "BDU:2023-08245" + } + ], + "Cves": [ + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-35390", + "Impact": "High", + "Public": "20230808", + "CveID": "CVE-2023-35390" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-35391", + "Impact": "High", + "Public": "20230808", + "CveID": "CVE-2023-35391" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36049", + "Impact": "Critical", + "Public": "20231114", + "CveID": "CVE-2023-36049" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36558", + "Impact": "Low", + "Public": "20231114", + "CveID": "CVE-2023-36558" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36792", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-36792" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36793", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-36793" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36794", + "Impact": "High", + 
"Public": "20230912", + "CveID": "CVE-2023-36794" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36796", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-36796" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36799", + "Impact": "Low", + "Public": "20230912", + "CveID": "CVE-2023-36799" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-38180", + "Impact": "High", + "Public": "20230808", + "CveID": "CVE-2023-38180" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "Impact": "High", + "Public": "20231010", + "CveID": "CVE-2023-44487" + } + ], + "AffectedCpeList": { + "Cpe": [ + "cpe:/o:alt:kworkstation:10", + "cpe:/o:alt:workstation:10", + "cpe:/o:alt:server:10", + "cpe:/o:alt:server-v:10", + "cpe:/o:alt:education:10", + "cpe:/o:alt:slinux:10", + "cpe:/o:alt:starterkit:p10", + "cpe:/o:alt:kworkstation:10.1", + "cpe:/o:alt:workstation:10.1", + "cpe:/o:alt:server:10.1", + "cpe:/o:alt:server-v:10.1", + "cpe:/o:alt:education:10.1", + "cpe:/o:alt:slinux:10.1", + "cpe:/o:alt:starterkit:10.1", + "cpe:/o:alt:kworkstation:10.2", + "cpe:/o:alt:workstation:10.2", + "cpe:/o:alt:server:10.2", + "cpe:/o:alt:server-v:10.2", + "cpe:/o:alt:education:10.2", + "cpe:/o:alt:slinux:10.2", + "cpe:/o:alt:starterkit:10.2" + ] + } + } + }, + "Criteria": { + "Operator": "AND", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:2001", + "Comment": "ALT Linux must be installed" + } + ], + "Criterias": [ + { + "Operator": "OR", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:20242761001", + "Comment": "dotnet-6.0 is earlier than 0:6.0.25-alt1" + }, + { + 
"TestRef": "oval:org.altlinux.errata:tst:20242761002", + "Comment": "dotnet-apphost-pack-6.0 is earlier than 0:6.0.25-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242761003", + "Comment": "dotnet-hostfxr-6.0 is earlier than 0:6.0.25-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242761004", + "Comment": "dotnet-runtime-6.0 is earlier than 0:6.0.25-alt1" + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/oval/p10/ALT-PU-2024-2761/objects.json b/oval/p10/ALT-PU-2024-2761/objects.json new file mode 100644 index 0000000000..252817be3a --- /dev/null +++ b/oval/p10/ALT-PU-2024-2761/objects.json @@ -0,0 +1,52 @@ +{ + "TextFileContent54Objects": [ + { + "ID": "oval:org.altlinux.errata:obj:2001", + "Version": "1", + "comment": "Evaluate `/etc/os-release` file content", + "Path": { + "dataType": "string", + "Text": "/etc" + }, + "Filepath": { + "Datatype": "string", + "Text": "os-release" + }, + "Pattern": { + "Datatype": "string", + "Operation": "pattern match", + "Text": "cpe:\\/o:alt:(?!sp)[a-z\\-]+:p?(\\d+)(?:\\.\\d)*" + }, + "Instance": { + "Datatype": "int", + "Text": "1" + } + } + ], + "RpmInfoObjects": [ + { + "ID": "oval:org.altlinux.errata:obj:20242761001", + "Version": "1", + "comment": "dotnet-6.0 is installed", + "Name": "dotnet-6.0" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242761002", + "Version": "1", + "comment": "dotnet-apphost-pack-6.0 is installed", + "Name": "dotnet-apphost-pack-6.0" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242761003", + "Version": "1", + "comment": "dotnet-hostfxr-6.0 is installed", + "Name": "dotnet-hostfxr-6.0" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242761004", + "Version": "1", + "comment": "dotnet-runtime-6.0 is installed", + "Name": "dotnet-runtime-6.0" + } + ] +} \ No newline at end of file diff --git a/oval/p10/ALT-PU-2024-2761/states.json b/oval/p10/ALT-PU-2024-2761/states.json new file mode 100644 index 0000000000..10fe5abb8c --- /dev/null 
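Review bot: The definition's `Version` repeats its `ID` (`"Version": "oval:org.altlinux.errata:def:20242761"`), whereas the OVAL schema defines a definition's version as a non-negative integer and every test, object and state in this commit uses `"1"`. If this field is serialized unchanged into OVAL XML, a schema-validating scanner may reject the definition and the advisory would not be evaluated, so I would emit `"Version": "1"` here. The ALT-PU-2024-2763 and ALT-PU-2024-2765 definitions.json hunks carry the same pattern. Separately, the `bdu` entries give `Cvss3` vectors without the `CVSS:3.1/`-style prefix that the `Cves` entries have, which a strict vector parser would likely not accept.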
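Review bot: In the `TextFileContent54Objects` entry of objects.json, `Path` spells its type key `dataType` while `Filepath`, `Pattern` and `Instance` use `Datatype`, and the objects use lower-case `comment` where tests.json and states.json use `Comment`. A case-sensitive consumer would read `Path` as having no datatype and these objects as having no comment, so I would write `"Datatype": "string"` under `Path` and use `"Comment"` on each object, assuming no existing reader depends on the mixed casing. The pattern `cpe:\\/o:alt:(?!sp)[a-z\\-]+:p?(\\d+)(?:\\.\\d)*` also accepts any branch number, so pinning the check to p10 depends entirely on the referenced state. The ALT-PU-2024-2763 objects.json hunk has the same entry.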
+++ b/oval/p10/ALT-PU-2024-2761/states.json
@@ -0,0 +1,23 @@
+{
+ "TextFileContent54State": [
+ {
+ "ID": "oval:org.altlinux.errata:ste:2001",
+ "Version": "1",
+ "Text": {}
+ }
+ ],
+ "RpmInfoState": [
+ {
+ "ID": "oval:org.altlinux.errata:ste:20242761001",
+ "Version": "1",
+ "Comment": "package EVR is earlier than 0:6.0.25-alt1",
+ "Arch": {},
+ "Evr": {
+ "Text": "0:6.0.25-alt1",
+ "Datatype": "evr_string",
+ "Operation": "less than"
+ },
+ "Subexpression": {}
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/p10/ALT-PU-2024-2761/tests.json b/oval/p10/ALT-PU-2024-2761/tests.json
new file mode 100644
index 0000000000..9fb6f7a6d5
--- /dev/null
+++ b/oval/p10/ALT-PU-2024-2761/tests.json
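Review bot: `TextFileContent54State` `ste:2001` holds only `"Text": {}`, so nothing visible here compares the branch number captured by the object pattern (`p?(\\d+)` in objects.json) against 10, although tests.json labels the test "ALT Linux based on branch 'p10' must be installed". Unless the evaluator supplies the comparison elsewhere, the platform criterion would hold on any non-SP ALT release, and the p10 package thresholds could then be applied to hosts on other branches. I would either populate the state with a comparison for the captured value or tighten the object pattern to `p?10(?:\\.\\d)*`. The empty `"Subexpression": {}` sits on `RpmInfoState`, although OVAL's rpminfo state has no such entity, which suggests the field ended up on the wrong state type. The ALT-PU-2024-2763 states.json hunk repeats both.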
@@ -0,0 +1,66 @@
+{
+ "TextFileContent54Tests": [
+ {
+ "ID": "oval:org.altlinux.errata:tst:2001",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "ALT Linux based on branch 'p10' must be installed",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:2001"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:2001"
+ }
+ }
+ ],
+ "RPMInfoTests": [
+ {
+ "ID": "oval:org.altlinux.errata:tst:20242761001",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "dotnet-6.0 is earlier than 0:6.0.25-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20242761001"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20242761001"
+ }
+ },
+ {
+ "ID": "oval:org.altlinux.errata:tst:20242761002",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "dotnet-apphost-pack-6.0 is earlier than 0:6.0.25-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20242761002"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20242761001"
+ }
+ },
+ {
+ "ID": "oval:org.altlinux.errata:tst:20242761003",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "dotnet-hostfxr-6.0 is earlier than 0:6.0.25-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20242761003"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20242761001"
+ }
+ },
+ {
+ "ID": "oval:org.altlinux.errata:tst:20242761004",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "dotnet-runtime-6.0 is earlier than 0:6.0.25-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20242761004"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20242761001"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/p10/ALT-PU-2024-2763/definitions.json b/oval/p10/ALT-PU-2024-2763/definitions.json
new file mode 100644
index 0000000000..c80025cf8e
--- /dev/null
+++ b/oval/p10/ALT-PU-2024-2763/definitions.json
@@ -0,0 +1,394 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20242763", + "Version": "oval:org.altlinux.errata:def:20242763", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-2763: package `dotnet-bootstrap-6.0` update to version 6.0.25-alt1", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch p10" + ], + "Products": [ + "ALT Server", + "ALT Virtualization Server", + "ALT Workstation", + "ALT Workstation K", + "ALT Education", + "Simply Linux", + "Starterkit" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-2763", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-2763", + "Source": "ALTPU" + }, + { + "RefID": "BDU:2023-04540", + "RefURL": "https://bdu.fstec.ru/vul/2023-04540", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-04615", + "RefURL": "https://bdu.fstec.ru/vul/2023-04615", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-04621", + "RefURL": "https://bdu.fstec.ru/vul/2023-04621", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05593", + "RefURL": "https://bdu.fstec.ru/vul/2023-05593", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05594", + "RefURL": "https://bdu.fstec.ru/vul/2023-05594", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05595", + "RefURL": "https://bdu.fstec.ru/vul/2023-05595", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05605", + "RefURL": "https://bdu.fstec.ru/vul/2023-05605", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06110", + "RefURL": "https://bdu.fstec.ru/vul/2023-06110", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06559", + "RefURL": "https://bdu.fstec.ru/vul/2023-06559", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-08244", + "RefURL": "https://bdu.fstec.ru/vul/2023-08244", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-08245", + "RefURL": "https://bdu.fstec.ru/vul/2023-08245", + "Source": "BDU" + }, + { + "RefID": "CVE-2023-35390", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-35390", + "Source": "CVE" + }, + { + "RefID": 
"CVE-2023-35391", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-35391", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36049", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36049", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36558", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36558", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36792", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36792", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36793", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36793", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36794", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36794", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36796", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36796", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36799", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36799", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-38180", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-38180", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-44487", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "Source": "CVE" + } + ], + "Description": "This update upgrades dotnet-bootstrap-6.0 to version 6.0.25-alt1. 
\nSecurity Fix(es):\n\n * BDU:2023-04540: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio и программной платформы Microsoft.NET Framework, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-04615: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, программной платформы Microsoft.NET, и программной платформы ASP.NET Core, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2023-04621: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, программной платформы Microsoft.NET, связанная с недостаточной проверкой входных данных, позволяющая нарушителю раскрыть защищаемую информацию\n\n * BDU:2023-05593: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05594: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05595: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05605: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-06110: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06559: Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без 
подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-08244: Уязвимость программной платформы Microsoft .NET Framework, средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2023-08245: Уязвимость программной платформы ASP.NET Core, связанная с ошибками в настройках безопасности, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-35390: .NET and Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-35391: ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability\n\n * CVE-2023-36049: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability\n\n * CVE-2023-36558: ASP.NET Core - Security Feature Bypass Vulnerability\n\n * CVE-2023-36792: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36793: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36794: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36796: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36799: .NET Core and Visual Studio Denial of Service Vulnerability\n\n * CVE-2023-38180: .NET and Visual Studio Denial of Service Vulnerability\n\n * CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "Advisory": { + "From": "errata.altlinux.org", + "Severity": "Critical", + "Rights": "Copyright 2024 BaseALT Ltd.", + "Issued": { + "Date": "2024-03-01" + }, + "Updated": { + "Date": "2024-03-01" + }, + "bdu": [ + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400", + "Href": "https://bdu.fstec.ru/vul/2023-04540", + "Impact": "High", + "Public": "20230808", + "CveID": "BDU:2023-04540" + }, + { + "Cvss": 
"AV:L/AC:L/Au:S/C:C/I:C/A:N", + "Cvss3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "Cwe": "CWE-200", + "Href": "https://bdu.fstec.ru/vul/2023-04615", + "Impact": "High", + "Public": "20230808", + "CveID": "BDU:2023-04615" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:N", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-04621", + "Impact": "High", + "Public": "20230808", + "CveID": "BDU:2023-04621" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05593", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05593" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05594", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05594" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05595", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05595" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05605", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05605" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400, CWE-404", + "Href": "https://bdu.fstec.ru/vul/2023-06110", + "Impact": "Low", + "Public": "20230912", + "CveID": "BDU:2023-06110" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400", + "Href": "https://bdu.fstec.ru/vul/2023-06559", + "Impact": "High", + "Public": "20231010", + "CveID": "BDU:2023-06559" + }, + { + "Cvss": "AV:N/AC:L/Au:S/C:P/I:C/A:P", + "Cvss3": 
"AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "Cwe": "CWE-264", + "Href": "https://bdu.fstec.ru/vul/2023-08244", + "Impact": "High", + "Public": "20231114", + "CveID": "BDU:2023-08244" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:P/A:P", + "Cvss3": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "Cwe": "CWE-254, CWE-285", + "Href": "https://bdu.fstec.ru/vul/2023-08245", + "Impact": "Low", + "Public": "20231114", + "CveID": "BDU:2023-08245" + } + ], + "Cves": [ + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-35390", + "Impact": "High", + "Public": "20230808", + "CveID": "CVE-2023-35390" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-35391", + "Impact": "High", + "Public": "20230808", + "CveID": "CVE-2023-35391" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36049", + "Impact": "Critical", + "Public": "20231114", + "CveID": "CVE-2023-36049" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36558", + "Impact": "Low", + "Public": "20231114", + "CveID": "CVE-2023-36558" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36792", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-36792" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36793", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-36793" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36794", + "Impact": "High", + 
"Public": "20230912", + "CveID": "CVE-2023-36794" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36796", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-36796" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36799", + "Impact": "Low", + "Public": "20230912", + "CveID": "CVE-2023-36799" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-38180", + "Impact": "High", + "Public": "20230808", + "CveID": "CVE-2023-38180" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "Impact": "High", + "Public": "20231010", + "CveID": "CVE-2023-44487" + } + ], + "AffectedCpeList": { + "Cpe": [ + "cpe:/o:alt:kworkstation:10", + "cpe:/o:alt:workstation:10", + "cpe:/o:alt:server:10", + "cpe:/o:alt:server-v:10", + "cpe:/o:alt:education:10", + "cpe:/o:alt:slinux:10", + "cpe:/o:alt:starterkit:p10", + "cpe:/o:alt:kworkstation:10.1", + "cpe:/o:alt:workstation:10.1", + "cpe:/o:alt:server:10.1", + "cpe:/o:alt:server-v:10.1", + "cpe:/o:alt:education:10.1", + "cpe:/o:alt:slinux:10.1", + "cpe:/o:alt:starterkit:10.1", + "cpe:/o:alt:kworkstation:10.2", + "cpe:/o:alt:workstation:10.2", + "cpe:/o:alt:server:10.2", + "cpe:/o:alt:server-v:10.2", + "cpe:/o:alt:education:10.2", + "cpe:/o:alt:slinux:10.2", + "cpe:/o:alt:starterkit:10.2" + ] + } + } + }, + "Criteria": { + "Operator": "AND", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:2001", + "Comment": "ALT Linux must be installed" + } + ], + "Criterias": [ + { + "Operator": "OR", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:20242763001", + "Comment": "dotnet-bootstrap-6.0 is earlier than 0:6.0.25-alt1" + } 
+ ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/oval/p10/ALT-PU-2024-2763/objects.json b/oval/p10/ALT-PU-2024-2763/objects.json new file mode 100644 index 0000000000..b17812dd8f --- /dev/null +++ b/oval/p10/ALT-PU-2024-2763/objects.json @@ -0,0 +1,34 @@ +{ + "TextFileContent54Objects": [ + { + "ID": "oval:org.altlinux.errata:obj:2001", + "Version": "1", + "comment": "Evaluate `/etc/os-release` file content", + "Path": { + "dataType": "string", + "Text": "/etc" + }, + "Filepath": { + "Datatype": "string", + "Text": "os-release" + }, + "Pattern": { + "Datatype": "string", + "Operation": "pattern match", + "Text": "cpe:\\/o:alt:(?!sp)[a-z\\-]+:p?(\\d+)(?:\\.\\d)*" + }, + "Instance": { + "Datatype": "int", + "Text": "1" + } + } + ], + "RpmInfoObjects": [ + { + "ID": "oval:org.altlinux.errata:obj:20242763001", + "Version": "1", + "comment": "dotnet-bootstrap-6.0 is installed", + "Name": "dotnet-bootstrap-6.0" + } + ] +} \ No newline at end of file diff --git a/oval/p10/ALT-PU-2024-2763/states.json b/oval/p10/ALT-PU-2024-2763/states.json new file mode 100644 index 0000000000..ac5a9f5fea --- /dev/null +++ b/oval/p10/ALT-PU-2024-2763/states.json @@ -0,0 +1,23 @@ +{ + "TextFileContent54State": [ + { + "ID": "oval:org.altlinux.errata:ste:2001", + "Version": "1", + "Text": {} + } + ], + "RpmInfoState": [ + { + "ID": "oval:org.altlinux.errata:ste:20242763001", + "Version": "1", + "Comment": "package EVR is earlier than 0:6.0.25-alt1", + "Arch": {}, + "Evr": { + "Text": "0:6.0.25-alt1", + "Datatype": "evr_string", + "Operation": "less than" + }, + "Subexpression": {} + } + ] +} \ No newline at end of file diff --git a/oval/p10/ALT-PU-2024-2763/tests.json b/oval/p10/ALT-PU-2024-2763/tests.json new file mode 100644 index 0000000000..f21a38efab --- /dev/null +++ b/oval/p10/ALT-PU-2024-2763/tests.json 
@@ -0,0 +1,30 @@ +{ + "TextFileContent54Tests": [ + { + "ID": "oval:org.altlinux.errata:tst:2001", + "Version": "1", + "Check": "all", + "Comment": "ALT Linux based on branch 'p10' must be installed", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:2001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:2001" + } + } + ], + "RPMInfoTests": [ + { + "ID": "oval:org.altlinux.errata:tst:20242763001", + "Version": "1", + "Check": "all", + "Comment": "dotnet-bootstrap-6.0 is earlier than 0:6.0.25-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242763001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242763001" + } + } + ] +} \ No newline at end of file diff --git a/oval/p10/ALT-PU-2024-2765/definitions.json b/oval/p10/ALT-PU-2024-2765/definitions.json new file mode 100644 index 0000000000..f83627ad8d --- /dev/null +++ b/oval/p10/ALT-PU-2024-2765/definitions.json 
@@ -0,0 +1,477 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20242765", + "Version": "oval:org.altlinux.errata:def:20242765", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-2765: package `dotnet-runtime-7.0` update to version 7.0.14-alt1", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch p10" + ], + "Products": [ + "ALT Server", + "ALT Virtualization Server", + "ALT Workstation", + "ALT Workstation K", + "ALT Education", + "Simply Linux", + "Starterkit" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-2765", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-2765", + "Source": "ALTPU" + }, + { + "RefID": "BDU:2023-04540", + "RefURL": "https://bdu.fstec.ru/vul/2023-04540", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-04615", + "RefURL": "https://bdu.fstec.ru/vul/2023-04615", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-04621", + "RefURL": "https://bdu.fstec.ru/vul/2023-04621", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05593", + "RefURL": "https://bdu.fstec.ru/vul/2023-05593", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05594", + "RefURL": "https://bdu.fstec.ru/vul/2023-05594", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05595", + "RefURL": "https://bdu.fstec.ru/vul/2023-05595", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05605", + "RefURL": "https://bdu.fstec.ru/vul/2023-05605", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06110", + "RefURL": "https://bdu.fstec.ru/vul/2023-06110", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06559", + "RefURL": "https://bdu.fstec.ru/vul/2023-06559", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06639", + "RefURL": "https://bdu.fstec.ru/vul/2023-06639", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06839", + "RefURL": "https://bdu.fstec.ru/vul/2023-06839", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-08244", + "RefURL": "https://bdu.fstec.ru/vul/2023-08244", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-08245", + 
"RefURL": "https://bdu.fstec.ru/vul/2023-08245", + "Source": "BDU" + }, + { + "RefID": "CVE-2023-35390", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-35390", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-35391", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-35391", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36049", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36049", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36435", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36435", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36558", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36558", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36792", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36792", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36793", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36793", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36794", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36794", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36796", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36796", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36799", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36799", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-38171", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-38171", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-38178", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-38178", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-38180", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-38180", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-44487", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "Source": "CVE" + } + ], + "Description": "This update upgrades dotnet-runtime-7.0 to version 7.0.14-alt1. 
\nSecurity Fix(es):\n\n * BDU:2023-04540: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio и программной платформы Microsoft.NET Framework, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-04615: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, программной платформы Microsoft.NET, и программной платформы ASP.NET Core, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2023-04621: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, программной платформы Microsoft.NET, связанная с недостаточной проверкой входных данных, позволяющая нарушителю раскрыть защищаемую информацию\n\n * BDU:2023-05593: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05594: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05595: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05605: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-06110: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06559: Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без 
подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06639: Уязвимость реализации сетевого протокола QUIC операционной системы Windows, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06839: Уязвимость реализации сетевого протокола QUIC операционной системы Windows, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-08244: Уязвимость программной платформы Microsoft .NET Framework, средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2023-08245: Уязвимость программной платформы ASP.NET Core, связанная с ошибками в настройках безопасности, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-35390: .NET and Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-35391: ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability\n\n * CVE-2023-36049: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability\n\n * CVE-2023-36435: Microsoft QUIC Denial of Service Vulnerability\n\n * CVE-2023-36558: ASP.NET Core - Security Feature Bypass Vulnerability\n\n * CVE-2023-36792: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36793: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36794: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36796: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36799: .NET Core and Visual Studio Denial of Service Vulnerability\n\n * CVE-2023-38171: Microsoft QUIC Denial of Service Vulnerability\n\n * CVE-2023-38178: .NET Core and Visual Studio Denial of Service Vulnerability\n\n * CVE-2023-38180: .NET and Visual Studio Denial of Service Vulnerability\n\n * CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in 
the wild in August through October 2023.", + "Advisory": { + "From": "errata.altlinux.org", + "Severity": "Critical", + "Rights": "Copyright 2024 BaseALT Ltd.", + "Issued": { + "Date": "2024-03-01" + }, + "Updated": { + "Date": "2024-03-01" + }, + "bdu": [ + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400", + "Href": "https://bdu.fstec.ru/vul/2023-04540", + "Impact": "High", + "Public": "20230808", + "CveID": "BDU:2023-04540" + }, + { + "Cvss": "AV:L/AC:L/Au:S/C:C/I:C/A:N", + "Cvss3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "Cwe": "CWE-200", + "Href": "https://bdu.fstec.ru/vul/2023-04615", + "Impact": "High", + "Public": "20230808", + "CveID": "BDU:2023-04615" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:N", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-04621", + "Impact": "High", + "Public": "20230808", + "CveID": "BDU:2023-04621" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05593", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05593" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05594", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05594" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05595", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05595" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C", + "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-05605", + "Impact": "High", + "Public": "20230912", + "CveID": "BDU:2023-05605" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": 
"AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400, CWE-404", + "Href": "https://bdu.fstec.ru/vul/2023-06110", + "Impact": "Low", + "Public": "20230912", + "CveID": "BDU:2023-06110" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400", + "Href": "https://bdu.fstec.ru/vul/2023-06559", + "Impact": "High", + "Public": "20231010", + "CveID": "BDU:2023-06559" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-06639", + "Impact": "High", + "Public": "20231010", + "CveID": "BDU:2023-06639" + }, + { + "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-20", + "Href": "https://bdu.fstec.ru/vul/2023-06839", + "Impact": "High", + "Public": "20231010", + "CveID": "BDU:2023-06839" + }, + { + "Cvss": "AV:N/AC:L/Au:S/C:P/I:C/A:P", + "Cvss3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "Cwe": "CWE-264", + "Href": "https://bdu.fstec.ru/vul/2023-08244", + "Impact": "High", + "Public": "20231114", + "CveID": "BDU:2023-08244" + }, + { + "Cvss": "AV:L/AC:L/Au:N/C:C/I:P/A:P", + "Cvss3": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "Cwe": "CWE-254, CWE-285", + "Href": "https://bdu.fstec.ru/vul/2023-08245", + "Impact": "Low", + "Public": "20231114", + "CveID": "BDU:2023-08245" + } + ], + "Cves": [ + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-35390", + "Impact": "High", + "Public": "20230808", + "CveID": "CVE-2023-35390" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-35391", + "Impact": "High", + "Public": "20230808", + "CveID": "CVE-2023-35391" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": 
"https://nvd.nist.gov/vuln/detail/CVE-2023-36049", + "Impact": "Critical", + "Public": "20231114", + "CveID": "CVE-2023-36049" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36435", + "Impact": "High", + "Public": "20231010", + "CveID": "CVE-2023-36435" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36558", + "Impact": "Low", + "Public": "20231114", + "CveID": "CVE-2023-36558" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36792", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-36792" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36793", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-36793" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36794", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-36794" + }, + { + "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36796", + "Impact": "High", + "Public": "20230912", + "CveID": "CVE-2023-36796" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36799", + "Impact": "Low", + "Public": "20230912", + "CveID": "CVE-2023-36799" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-38171", + "Impact": "High", + "Public": "20231010", + "CveID": "CVE-2023-38171" + }, + { + "Cvss3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-38178", + "Impact": "High", + "Public": "20230808", + "CveID": "CVE-2023-38178" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "NVD-CWE-noinfo", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-38180", + "Impact": "High", + "Public": "20230808", + "CveID": "CVE-2023-38180" + }, + { + "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cwe": "CWE-400", + "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "Impact": "High", + "Public": "20231010", + "CveID": "CVE-2023-44487" + } + ], + "AffectedCpeList": { + "Cpe": [ + "cpe:/o:alt:kworkstation:10", + "cpe:/o:alt:workstation:10", + "cpe:/o:alt:server:10", + "cpe:/o:alt:server-v:10", + "cpe:/o:alt:education:10", + "cpe:/o:alt:slinux:10", + "cpe:/o:alt:starterkit:p10", + "cpe:/o:alt:kworkstation:10.1", + "cpe:/o:alt:workstation:10.1", + "cpe:/o:alt:server:10.1", + "cpe:/o:alt:server-v:10.1", + "cpe:/o:alt:education:10.1", + "cpe:/o:alt:slinux:10.1", + "cpe:/o:alt:starterkit:10.1", + "cpe:/o:alt:kworkstation:10.2", + "cpe:/o:alt:workstation:10.2", + "cpe:/o:alt:server:10.2", + "cpe:/o:alt:server-v:10.2", + "cpe:/o:alt:education:10.2", + "cpe:/o:alt:slinux:10.2", + "cpe:/o:alt:starterkit:10.2" + ] + } + } + }, + "Criteria": { + "Operator": "AND", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:2001", + "Comment": "ALT Linux must be installed" + } + ], + "Criterias": [ + { + "Operator": "OR", + "Criterions": [ + { + "TestRef": "oval:org.altlinux.errata:tst:20242765001", + "Comment": "dotnet-7.0 is earlier than 0:7.0.14-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242765002", + "Comment": "dotnet-apphost-pack-7.0 is earlier than 0:7.0.14-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242765003", + "Comment": "dotnet-host is earlier than 0:7.0.14-alt1" + }, + { + "TestRef": 
"oval:org.altlinux.errata:tst:20242765004", + "Comment": "dotnet-hostfxr-7.0 is earlier than 0:7.0.14-alt1" + }, + { + "TestRef": "oval:org.altlinux.errata:tst:20242765005", + "Comment": "dotnet-runtime-7.0 is earlier than 0:7.0.14-alt1" + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/oval/p10/ALT-PU-2024-2765/objects.json b/oval/p10/ALT-PU-2024-2765/objects.json new file mode 100644 index 0000000000..9ea6ef6ea2 --- /dev/null +++ b/oval/p10/ALT-PU-2024-2765/objects.json @@ -0,0 +1,58 @@ +{ + "TextFileContent54Objects": [ + { + "ID": "oval:org.altlinux.errata:obj:2001", + "Version": "1", + "comment": "Evaluate `/etc/os-release` file content", + "Path": { + "dataType": "string", + "Text": "/etc" + }, + "Filepath": { + "Datatype": "string", + "Text": "os-release" + }, + "Pattern": { + "Datatype": "string", + "Operation": "pattern match", + "Text": "cpe:\\/o:alt:(?!sp)[a-z\\-]+:p?(\\d+)(?:\\.\\d)*" + }, + "Instance": { + "Datatype": "int", + "Text": "1" + } + } + ], + "RpmInfoObjects": [ + { + "ID": "oval:org.altlinux.errata:obj:20242765001", + "Version": "1", + "comment": "dotnet-7.0 is installed", + "Name": "dotnet-7.0" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242765002", + "Version": "1", + "comment": "dotnet-apphost-pack-7.0 is installed", + "Name": "dotnet-apphost-pack-7.0" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242765003", + "Version": "1", + "comment": "dotnet-host is installed", + "Name": "dotnet-host" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242765004", + "Version": "1", + "comment": "dotnet-hostfxr-7.0 is installed", + "Name": "dotnet-hostfxr-7.0" + }, + { + "ID": "oval:org.altlinux.errata:obj:20242765005", + "Version": "1", + "comment": "dotnet-runtime-7.0 is installed", + "Name": "dotnet-runtime-7.0" + } + ] +} \ No newline at end of file diff --git a/oval/p10/ALT-PU-2024-2765/states.json b/oval/p10/ALT-PU-2024-2765/states.json new file mode 100644 index 0000000000..448ce55998 --- /dev/null 
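Review bot: The definition's `Version` repeats the ID string (`oval:org.altlinux.errata:def:20242765`), whereas the objects, states and tests in this commit all use `"Version": "1"`. OVAL expects a definition version to be a non-negative integer that is incremented on revision. With the ID in that field, a scanner cannot distinguish a re-issued definition from the original, and a strict converter may reject the value. `"Version": "1"` would match the sibling files. `oval/p10/ALT-PU-2024-2767/definitions.json` follows the same pattern.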
+++ b/oval/p10/ALT-PU-2024-2765/states.json @@ -0,0 +1,23 @@ +{ + "TextFileContent54State": [ + { + "ID": "oval:org.altlinux.errata:ste:2001", + "Version": "1", + "Text": {} + } + ], + "RpmInfoState": [ + { + "ID": "oval:org.altlinux.errata:ste:20242765001", + "Version": "1", + "Comment": "package EVR is earlier than 0:7.0.14-alt1", + "Arch": {}, + "Evr": { + "Text": "0:7.0.14-alt1", + "Datatype": "evr_string", + "Operation": "less than" + }, + "Subexpression": {} + } + ] +} \ No newline at end of file diff --git a/oval/p10/ALT-PU-2024-2765/tests.json b/oval/p10/ALT-PU-2024-2765/tests.json new file mode 100644 index 0000000000..043ba1a03e --- /dev/null +++ b/oval/p10/ALT-PU-2024-2765/tests.json 
@@ -0,0 +1,78 @@ +{ + "TextFileContent54Tests": [ + { + "ID": "oval:org.altlinux.errata:tst:2001", + "Version": "1", + "Check": "all", + "Comment": "ALT Linux based on branch 'p10' must be installed", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:2001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:2001" + } + } + ], + "RPMInfoTests": [ + { + "ID": "oval:org.altlinux.errata:tst:20242765001", + "Version": "1", + "Check": "all", + "Comment": "dotnet-7.0 is earlier than 0:7.0.14-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242765001" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242765001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242765002", + "Version": "1", + "Check": "all", + "Comment": "dotnet-apphost-pack-7.0 is earlier than 0:7.0.14-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242765002" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242765001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242765003", + "Version": "1", + "Check": "all", + "Comment": "dotnet-host is earlier than 0:7.0.14-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242765003" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242765001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242765004", + "Version": "1", + "Check": "all", + "Comment": "dotnet-hostfxr-7.0 is earlier than 0:7.0.14-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242765004" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242765001" + } + }, + { + "ID": "oval:org.altlinux.errata:tst:20242765005", + "Version": "1", + "Check": "all", + "Comment": "dotnet-runtime-7.0 is earlier than 0:7.0.14-alt1", + "Object": { + "ObjectRef": "oval:org.altlinux.errata:obj:20242765005" + }, + "State": { + "StateRef": "oval:org.altlinux.errata:ste:20242765001" + } + } + ] +} \ No newline at end of file 
diff --git a/oval/p10/ALT-PU-2024-2767/definitions.json b/oval/p10/ALT-PU-2024-2767/definitions.json new file mode 100644 index 0000000000..c3a18ff077 --- /dev/null +++ b/oval/p10/ALT-PU-2024-2767/definitions.json 
@@ -0,0 +1,461 @@ +{ + "Definition": [ + { + "ID": "oval:org.altlinux.errata:def:20242767", + "Version": "oval:org.altlinux.errata:def:20242767", + "Class": "patch", + "Metadata": { + "Title": "ALT-PU-2024-2767: package `dotnet-bootstrap-7.0` update to version 7.0.14-alt1", + "AffectedList": [ + { + "Family": "unix", + "Platforms": [ + "ALT Linux branch p10" + ], + "Products": [ + "ALT Server", + "ALT Virtualization Server", + "ALT Workstation", + "ALT Workstation K", + "ALT Education", + "Simply Linux", + "Starterkit" + ] + } + ], + "References": [ + { + "RefID": "ALT-PU-2024-2767", + "RefURL": "https://errata.altlinux.org/ALT-PU-2024-2767", + "Source": "ALTPU" + }, + { + "RefID": "BDU:2023-04540", + "RefURL": "https://bdu.fstec.ru/vul/2023-04540", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-04615", + "RefURL": "https://bdu.fstec.ru/vul/2023-04615", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-04621", + "RefURL": "https://bdu.fstec.ru/vul/2023-04621", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05593", + "RefURL": "https://bdu.fstec.ru/vul/2023-05593", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05594", + "RefURL": "https://bdu.fstec.ru/vul/2023-05594", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05595", + "RefURL": "https://bdu.fstec.ru/vul/2023-05595", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-05605", + "RefURL": "https://bdu.fstec.ru/vul/2023-05605", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06110", + "RefURL": "https://bdu.fstec.ru/vul/2023-06110", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06559", + "RefURL": "https://bdu.fstec.ru/vul/2023-06559", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06639", + "RefURL": "https://bdu.fstec.ru/vul/2023-06639", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-06839", + "RefURL": "https://bdu.fstec.ru/vul/2023-06839", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-08244", + "RefURL": "https://bdu.fstec.ru/vul/2023-08244", + "Source": "BDU" + }, + { + "RefID": "BDU:2023-08245", + 
"RefURL": "https://bdu.fstec.ru/vul/2023-08245", + "Source": "BDU" + }, + { + "RefID": "CVE-2023-35390", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-35390", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-35391", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-35391", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36049", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36049", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36435", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36435", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36558", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36558", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36792", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36792", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36793", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36793", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36794", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36794", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36796", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36796", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-36799", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-36799", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-38171", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-38171", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-38178", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-38178", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-38180", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-38180", + "Source": "CVE" + }, + { + "RefID": "CVE-2023-44487", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "Source": "CVE" + } + ], + "Description": "This update upgrades dotnet-bootstrap-7.0 to version 7.0.14-alt1. 
\nSecurity Fix(es):\n\n * BDU:2023-04540: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio и программной платформы Microsoft.NET Framework, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-04615: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, программной платформы Microsoft.NET, и программной платформы ASP.NET Core, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2023-04621: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, программной платформы Microsoft.NET, связанная с недостаточной проверкой входных данных, позволяющая нарушителю раскрыть защищаемую информацию\n\n * BDU:2023-05593: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05594: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05595: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-05605: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостаточной проверкой входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2023-06110: Уязвимость средства разработки программного обеспечения Microsoft Visual Studio, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06559: Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без 
подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06639: Уязвимость реализации сетевого протокола QUIC операционной системы Windows, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-06839: Уязвимость реализации сетевого протокола QUIC операционной системы Windows, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-08244: Уязвимость программной платформы Microsoft .NET Framework, средства разработки программного обеспечения Microsoft Visual Studio, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2023-08245: Уязвимость программной платформы ASP.NET Core, связанная с ошибками в настройках безопасности, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2023-35390: .NET and Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-35391: ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability\n\n * CVE-2023-36049: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability\n\n * CVE-2023-36435: Microsoft QUIC Denial of Service Vulnerability\n\n * CVE-2023-36558: ASP.NET Core - Security Feature Bypass Vulnerability\n\n * CVE-2023-36792: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36793: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36794: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36796: Visual Studio Remote Code Execution Vulnerability\n\n * CVE-2023-36799: .NET Core and Visual Studio Denial of Service Vulnerability\n\n * CVE-2023-38171: Microsoft QUIC Denial of Service Vulnerability\n\n * CVE-2023-38178: .NET Core and Visual Studio Denial of Service Vulnerability\n\n * CVE-2023-38180: .NET and Visual Studio Denial of Service Vulnerability\n\n * CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in 
the wild in August through October 2023.",
+ "Advisory": {
+ "From": "errata.altlinux.org",
+ "Severity": "Critical",
+ "Rights": "Copyright 2024 BaseALT Ltd.",
+ "Issued": {
+ "Date": "2024-03-01"
+ },
+ "Updated": {
+ "Date": "2024-03-01"
+ },
+ "bdu": [
+ {
+ "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
+ "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "Cwe": "CWE-400",
+ "Href": "https://bdu.fstec.ru/vul/2023-04540",
+ "Impact": "High",
+ "Public": "20230808",
+ "CveID": "BDU:2023-04540"
+ },
+ {
+ "Cvss": "AV:L/AC:L/Au:S/C:C/I:C/A:N",
+ "Cvss3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
+ "Cwe": "CWE-200",
+ "Href": "https://bdu.fstec.ru/vul/2023-04615",
+ "Impact": "High",
+ "Public": "20230808",
+ "CveID": "BDU:2023-04615"
+ },
+ {
+ "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:N",
+ "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
+ "Cwe": "CWE-20",
+ "Href": "https://bdu.fstec.ru/vul/2023-04621",
+ "Impact": "High",
+ "Public": "20230808",
+ "CveID": "BDU:2023-04621"
+ },
+ {
+ "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
+ "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "Cwe": "CWE-20",
+ "Href": "https://bdu.fstec.ru/vul/2023-05593",
+ "Impact": "High",
+ "Public": "20230912",
+ "CveID": "BDU:2023-05593"
+ },
+ {
+ "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
+ "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "Cwe": "CWE-20",
+ "Href": "https://bdu.fstec.ru/vul/2023-05594",
+ "Impact": "High",
+ "Public": "20230912",
+ "CveID": "BDU:2023-05594"
+ },
+ {
+ "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
+ "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "Cwe": "CWE-20",
+ "Href": "https://bdu.fstec.ru/vul/2023-05595",
+ "Impact": "High",
+ "Public": "20230912",
+ "CveID": "BDU:2023-05595"
+ },
+ {
+ "Cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
+ "Cvss3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "Cwe": "CWE-20",
+ "Href": "https://bdu.fstec.ru/vul/2023-05605",
+ "Impact": "High",
+ "Public": "20230912",
+ "CveID": "BDU:2023-05605"
+ },
+ {
+ "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
+ "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
+ "Cwe": "CWE-400, CWE-404",
+ "Href": "https://bdu.fstec.ru/vul/2023-06110",
+ "Impact": "Low",
+ "Public": "20230912",
+ "CveID": "BDU:2023-06110"
+ },
+ {
+ "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
+ "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "Cwe": "CWE-400",
+ "Href": "https://bdu.fstec.ru/vul/2023-06559",
+ "Impact": "High",
+ "Public": "20231010",
+ "CveID": "BDU:2023-06559"
+ },
+ {
+ "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
+ "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "Cwe": "CWE-20",
+ "Href": "https://bdu.fstec.ru/vul/2023-06639",
+ "Impact": "High",
+ "Public": "20231010",
+ "CveID": "BDU:2023-06639"
+ },
+ {
+ "Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
+ "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "Cwe": "CWE-20",
+ "Href": "https://bdu.fstec.ru/vul/2023-06839",
+ "Impact": "High",
+ "Public": "20231010",
+ "CveID": "BDU:2023-06839"
+ },
+ {
+ "Cvss": "AV:N/AC:L/Au:S/C:P/I:C/A:P",
+ "Cvss3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
+ "Cwe": "CWE-264",
+ "Href": "https://bdu.fstec.ru/vul/2023-08244",
+ "Impact": "High",
+ "Public": "20231114",
+ "CveID": "BDU:2023-08244"
+ },
+ {
+ "Cvss": "AV:L/AC:L/Au:N/C:C/I:P/A:P",
+ "Cvss3": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "Cwe": "CWE-254, CWE-285",
+ "Href": "https://bdu.fstec.ru/vul/2023-08245",
+ "Impact": "Low",
+ "Public": "20231114",
+ "CveID": "BDU:2023-08245"
+ }
+ ],
+ "Cves": [
+ {
+ "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-35390",
+ "Impact": "High",
+ "Public": "20230808",
+ "CveID": "CVE-2023-35390"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-35391",
+ "Impact": "High",
+ "Public": "20230808",
+ "CveID": "CVE-2023-35391"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36049",
+ "Impact": "Critical",
+ "Public": "20231114",
+ "CveID": "CVE-2023-36049"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36435",
+ "Impact": "High",
+ "Public": "20231010",
+ "CveID": "CVE-2023-36435"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36558",
+ "Impact": "Low",
+ "Public": "20231114",
+ "CveID": "CVE-2023-36558"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36792",
+ "Impact": "High",
+ "Public": "20230912",
+ "CveID": "CVE-2023-36792"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36793",
+ "Impact": "High",
+ "Public": "20230912",
+ "CveID": "CVE-2023-36793"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36794",
+ "Impact": "High",
+ "Public": "20230912",
+ "CveID": "CVE-2023-36794"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36796",
+ "Impact": "High",
+ "Public": "20230912",
+ "CveID": "CVE-2023-36796"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-36799",
+ "Impact": "Low",
+ "Public": "20230912",
+ "CveID": "CVE-2023-36799"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-38171",
+ "Impact": "High",
+ "Public": "20231010",
+ "CveID": "CVE-2023-38171"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-38178",
+ "Impact": "High",
+ "Public": "20230808",
+ "CveID": "CVE-2023-38178"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "Cwe": "NVD-CWE-noinfo",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-38180",
+ "Impact": "High",
+ "Public": "20230808",
+ "CveID": "CVE-2023-38180"
+ },
+ {
+ "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "Cwe": "CWE-400",
+ "Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+ "Impact": "High",
+ "Public": "20231010",
+ "CveID": "CVE-2023-44487"
+ }
+ ],
+ "AffectedCpeList": {
+ "Cpe": [
+ "cpe:/o:alt:kworkstation:10",
+ "cpe:/o:alt:workstation:10",
+ "cpe:/o:alt:server:10",
+ "cpe:/o:alt:server-v:10",
+ "cpe:/o:alt:education:10",
+ "cpe:/o:alt:slinux:10",
+ "cpe:/o:alt:starterkit:p10",
+ "cpe:/o:alt:kworkstation:10.1",
+ "cpe:/o:alt:workstation:10.1",
+ "cpe:/o:alt:server:10.1",
+ "cpe:/o:alt:server-v:10.1",
+ "cpe:/o:alt:education:10.1",
+ "cpe:/o:alt:slinux:10.1",
+ "cpe:/o:alt:starterkit:10.1",
+ "cpe:/o:alt:kworkstation:10.2",
+ "cpe:/o:alt:workstation:10.2",
+ "cpe:/o:alt:server:10.2",
+ "cpe:/o:alt:server-v:10.2",
+ "cpe:/o:alt:education:10.2",
+ "cpe:/o:alt:slinux:10.2",
+ "cpe:/o:alt:starterkit:10.2"
+ ]
+ }
+ }
+ },
+ "Criteria": {
+ "Operator": "AND",
+ "Criterions": [
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:2001",
+ "Comment": "ALT Linux must be installed"
+ }
+ ],
+ "Criterias": [
+ {
+ "Operator": "OR",
+ "Criterions": [
+ {
+ "TestRef": "oval:org.altlinux.errata:tst:20242767001",
+ "Comment": "dotnet-bootstrap-7.0 is earlier than 0:7.0.14-alt1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/p10/ALT-PU-2024-2767/objects.json b/oval/p10/ALT-PU-2024-2767/objects.json
new file mode 100644
index 0000000000..3364581c0c
--- /dev/null
+++ b/oval/p10/ALT-PU-2024-2767/objects.json
@@ -0,0 +1,34 @@
+{
+ "TextFileContent54Objects": [
+ {
+ "ID": "oval:org.altlinux.errata:obj:2001",
+ "Version": "1",
+ "comment": "Evaluate `/etc/os-release` file content",
+ "Path": {
+ "dataType": "string",
+ "Text": "/etc"
+ },
+ "Filepath": {
+ "Datatype": "string",
+ "Text": "os-release"
+ },
+ "Pattern": {
+ "Datatype": "string",
+ "Operation": "pattern match",
+ "Text": "cpe:\\/o:alt:(?!sp)[a-z\\-]+:p?(\\d+)(?:\\.\\d)*"
+ },
+ "Instance": {
+ "Datatype": "int",
+ "Text": "1"
+ }
+ }
+ ],
+ "RpmInfoObjects": [
+ {
+ "ID": "oval:org.altlinux.errata:obj:20242767001",
+ "Version": "1",
+ "comment": "dotnet-bootstrap-7.0 is installed",
+ "Name": "dotnet-bootstrap-7.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/p10/ALT-PU-2024-2767/states.json b/oval/p10/ALT-PU-2024-2767/states.json
new file mode 100644
index 0000000000..7235f14fbc
--- /dev/null
+++ b/oval/p10/ALT-PU-2024-2767/states.json
@@ -0,0 +1,23 @@
+{
+ "TextFileContent54State": [
+ {
+ "ID": "oval:org.altlinux.errata:ste:2001",
+ "Version": "1",
+ "Text": {}
+ }
+ ],
+ "RpmInfoState": [
+ {
+ "ID": "oval:org.altlinux.errata:ste:20242767001",
+ "Version": "1",
+ "Comment": "package EVR is earlier than 0:7.0.14-alt1",
+ "Arch": {},
+ "Evr": {
+ "Text": "0:7.0.14-alt1",
+ "Datatype": "evr_string",
+ "Operation": "less than"
+ },
+ "Subexpression": {}
+ }
+ ]
+}
\ No newline at end of file
diff --git a/oval/p10/ALT-PU-2024-2767/tests.json b/oval/p10/ALT-PU-2024-2767/tests.json
new file mode 100644
index 0000000000..383dd6f45a
--- /dev/null
+++ b/oval/p10/ALT-PU-2024-2767/tests.json
@@ -0,0 +1,30 @@
+{
+ "TextFileContent54Tests": [
+ {
+ "ID": "oval:org.altlinux.errata:tst:2001",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "ALT Linux based on branch 'p10' must be installed",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:2001"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:2001"
+ }
+ }
+ ],
+ "RPMInfoTests": [
+ {
+ "ID": "oval:org.altlinux.errata:tst:20242767001",
+ "Version": "1",
+ "Check": "all",
+ "Comment": "dotnet-bootstrap-7.0 is earlier than 0:7.0.14-alt1",
+ "Object": {
+ "ObjectRef": "oval:org.altlinux.errata:obj:20242767001"
+ },
+ "State": {
+ "StateRef": "oval:org.altlinux.errata:ste:20242767001"
+ }
+ }
+ ]
+}
\ No newline at end of file
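Review bot: The `Comment` on `tst:2001` promises that branch 'p10' is installed, but nothing visible in this commit ties the check to version 10. The pattern on `obj:2001` in objects.json captures any major version with `(\\d+)`, and `ste:2001` in states.json carries an empty `Text` and no subexpression value to compare the capture against. As written, the platform test appears to pass on any non-SP ALT release whose os-release has a matching CPE, so a scanner could report this advisory on branches it was not issued for. Either pin the version in the pattern, e.g. `cpe:\\/o:alt:(?!sp)[a-z\\-]+:p?10(?:\\.\\d)*`, or have `ste:2001` compare the captured subexpression with `10`. This assumes the consumer maps these JSON fields directly onto OVAL textfilecontent54 entities, which the diff does not show.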