vuln-list-alt/oval/p10/ALT-PU-2020-3502/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20203502",
      "Version": "oval:org.altlinux.errata:def:20203502",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2020-3502: package `mbedtls` update to version 2.25.0-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch p10"
            ],
            "Products": [
              "ALT Server",
              "ALT Virtualization Server",
              "ALT Workstation",
              "ALT Workstation K",
              "ALT Education",
              "Simply Linux",
              "Starterkit"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2020-3502",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2020-3502",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2022-01649",
            "RefURL": "https://bdu.fstec.ru/vul/2022-01649",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2022-02039",
            "RefURL": "https://bdu.fstec.ru/vul/2022-02039",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2020-36475",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-36475",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2020-36478",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-36478",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades mbedtls to version 2.25.0-alt1. \nSecurity Fix(es):\n\n * BDU:2022-01649: Уязвимость функции mbedtls_mpi_exp_mod реализации протоколов TLS и SSL Mbed TLS, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-02039: Уязвимость реализации протоколов TLS и SSL Mbed TLS, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю оказать воздействие на целостность данных\n\n * CVE-2020-36475: An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large parameters could lead to denial of service when generating Diffie-Hellman key pairs.\n\n * CVE-2020-36478: An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "High",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2020-12-12"
          },
          "Updated": {
            "Date": "2020-12-12"
          },
          "BDUs": [
            {
              "ID": "BDU:2022-01649",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-131",
              "Href": "https://bdu.fstec.ru/vul/2022-01649",
              "Impact": "High",
              "Public": "20201202"
            },
            {
              "ID": "BDU:2022-02039",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "CWE": "CWE-295",
              "Href": "https://bdu.fstec.ru/vul/2022-02039",
              "Impact": "High",
              "Public": "20210822"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2020-36475",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-131",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-36475",
              "Impact": "High",
              "Public": "20210823"
            },
            {
              "ID": "CVE-2020-36478",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "CWE": "CWE-295",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-36478",
              "Impact": "High",
              "Public": "20210823"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:kworkstation:10",
              "cpe:/o:alt:workstation:10",
              "cpe:/o:alt:server:10",
              "cpe:/o:alt:server-v:10",
              "cpe:/o:alt:education:10",
              "cpe:/o:alt:slinux:10",
              "cpe:/o:alt:starterkit:p10",
              "cpe:/o:alt:kworkstation:10.1",
              "cpe:/o:alt:workstation:10.1",
              "cpe:/o:alt:server:10.1",
              "cpe:/o:alt:server-v:10.1",
              "cpe:/o:alt:education:10.1",
              "cpe:/o:alt:slinux:10.1",
              "cpe:/o:alt:starterkit:10.1",
              "cpe:/o:alt:kworkstation:10.2",
              "cpe:/o:alt:workstation:10.2",
              "cpe:/o:alt:server:10.2",
              "cpe:/o:alt:server-v:10.2",
              "cpe:/o:alt:education:10.2",
              "cpe:/o:alt:slinux:10.2",
              "cpe:/o:alt:starterkit:10.2"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:2001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20203502001",
                "Comment": "libmbedcrypto6 is earlier than 0:2.25.0-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20203502002",
                "Comment": "libmbedtls-devel is earlier than 0:2.25.0-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20203502003",
                "Comment": "libmbedtls13 is earlier than 0:2.25.0-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20203502004",
                "Comment": "libmbedx509-1 is earlier than 0:2.25.0-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20203502005",
                "Comment": "mbedtls-utils is earlier than 0:2.25.0-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}