209 lines
8.6 KiB
JSON
209 lines
8.6 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20191438",
|
||
"Version": "oval:org.altlinux.errata:def:20191438",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2019-1438: package `ruby-rails` update to version 5.2.2.1-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch c10f1"
|
||
],
|
||
"Products": [
|
||
"ALT SP Workstation",
|
||
"ALT SP Server"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2019-1438",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2019-1438",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2019-01180",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2019-01180",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2019-01506",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2019-01506",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2019-5418",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-5418",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2019-5420",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-5420",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades ruby-rails to version 5.2.2.1-alt1. \nSecurity Fix(es):\n\n * BDU:2019-01180: Уязвимость программной платформы Ruby on Rails, связанная с ошибками в коде генератора псевдослучайных чисел, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2019-01506: Уязвимость компонента Action View программной платформы Ruby on Rails, позволяющая нарушителю читать произвольные файлы\n\n * CVE-2019-5418: There is a File Content Disclosure vulnerability in Action View \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.\n\n * CVE-2019-5420: A remote code execution vulnerability in development mode Rails \u003c5.2.2.1, \u003c6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "Critical",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2019-03-15"
|
||
},
|
||
"Updated": {
|
||
"Date": "2019-03-15"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2019-01180",
|
||
"CVSS": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-338",
|
||
"Href": "https://bdu.fstec.ru/vul/2019-01180",
|
||
"Impact": "High",
|
||
"Public": "20190313"
|
||
},
|
||
{
|
||
"ID": "BDU:2019-01506",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-200",
|
||
"Href": "https://bdu.fstec.ru/vul/2019-01506",
|
||
"Impact": "High",
|
||
"Public": "20190316"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2019-5418",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-5418",
|
||
"Impact": "High",
|
||
"Public": "20190327"
|
||
},
|
||
{
|
||
"ID": "CVE-2019-5420",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-330",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-5420",
|
||
"Impact": "Critical",
|
||
"Public": "20190327"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:spworkstation:10",
|
||
"cpe:/o:alt:spserver:10"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:5001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438001",
|
||
"Comment": "ruby-actioncable is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438002",
|
||
"Comment": "ruby-actioncable-doc is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438003",
|
||
"Comment": "ruby-actionmailer is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438004",
|
||
"Comment": "ruby-actionmailer-doc is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438005",
|
||
"Comment": "ruby-actionpack is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438006",
|
||
"Comment": "ruby-actionpack-doc is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438007",
|
||
"Comment": "ruby-actionview is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438008",
|
||
"Comment": "ruby-actionview-doc is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438009",
|
||
"Comment": "ruby-activejob is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438010",
|
||
"Comment": "ruby-activejob-doc is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438011",
|
||
"Comment": "ruby-activemodel is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438012",
|
||
"Comment": "ruby-activemodel-doc is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438013",
|
||
"Comment": "ruby-activerecord is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438014",
|
||
"Comment": "ruby-activerecord-doc is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438015",
|
||
"Comment": "ruby-activestorage is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438016",
|
||
"Comment": "ruby-activestorage-doc is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438017",
|
||
"Comment": "ruby-activesupport is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438018",
|
||
"Comment": "ruby-activesupport-doc is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438019",
|
||
"Comment": "ruby-rails is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438020",
|
||
"Comment": "ruby-railties is earlier than 0:5.2.2.1-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20191438021",
|
||
"Comment": "ruby-railties-doc is earlier than 0:5.2.2.1-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |