128 lines
5.8 KiB
JSON
128 lines
5.8 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20248258",
|
||
"Version": "oval:org.altlinux.errata:def:20248258",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2024-8258: package `mongo5.0` update to version 5.0.25-alt0.c10.1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch c10f1"
|
||
],
|
||
"Products": [
|
||
"ALT SP Workstation",
|
||
"ALT SP Server"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2024-8258",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-8258",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2024-01947",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2024-01947",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-1351",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-1351",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-3372",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-3372",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-3374",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-3374",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades mongo5.0 to version 5.0.25-alt0.c10.1. \nSecurity Fix(es):\n\n * BDU:2024-01947: Уязвимость системы управления базами данных MongoDB, связанная с ошибками процедуры подтверждения подлинности TLS сертификата, позволяющая нарушителю устанавить несанкционированное соединение к серверу MongoDB\n\n * CVE-2024-1351: Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.\n\nRequired Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.\n\n\n\n * CVE-2024-3372: Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25.\n\n\n * CVE-2024-3374: An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.\n",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "High",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2024-05-26"
|
||
},
|
||
"Updated": {
|
||
"Date": "2024-05-26"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2024-01947",
|
||
"CVSS": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-295",
|
||
"Href": "https://bdu.fstec.ru/vul/2024-01947",
|
||
"Impact": "High",
|
||
"Public": "20240307"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2024-1351",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-1351",
|
||
"Impact": "None",
|
||
"Public": "20240307"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-3372",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-3372",
|
||
"Impact": "None",
|
||
"Public": "20240514"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-3374",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-3374",
|
||
"Impact": "None",
|
||
"Public": "20240514"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:spworkstation:10",
|
||
"cpe:/o:alt:spserver:10"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:4001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20248258001",
|
||
"Comment": "mongo5.0 is earlier than 0:5.0.25-alt0.c10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20248258002",
|
||
"Comment": "mongo5.0-server-mongod is earlier than 0:5.0.25-alt0.c10.1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20248258003",
|
||
"Comment": "mongo5.0-server-mongos is earlier than 0:5.0.25-alt0.c10.1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |