372 lines
19 KiB
JSON
372 lines
19 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20213496",
|
||
"Version": "oval:org.altlinux.errata:def:20213496",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2021-3496: package `firefox` update to version 95.0-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch p11"
|
||
],
|
||
"Products": [
|
||
"ALT Container"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2021-3496",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-3496",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-06177",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-06177",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-06178",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-06178",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-06179",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-06179",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-06180",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-06180",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-06181",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-06181",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-06182",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-06182",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-06183",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-06183",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-06191",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-06191",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-06192",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-06192",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-4129",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-4129",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43536",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43536",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43537",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43537",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43538",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43538",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43539",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43539",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43540",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43540",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43541",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43541",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43542",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43542",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43543",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43543",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43544",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43544",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43545",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43545",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2021-43546",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43546",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades firefox to version 95.0-alt1. \nSecurity Fix(es):\n\n * BDU:2021-06177: Уязвимость браузера Mozilla Firefox и почтового клиента Mozilla Thunderbird, связанная с ошибками криптографических преобразований, позволяющая нарушителю проводить спуфинг-атаки\n\n * BDU:2021-06178: Уязвимость браузера Mozilla Firefox и почтового клиента Mozilla Thunderbird, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю обойти существующие ограничения безопасности\n\n * BDU:2021-06179: Уязвимость обработки запросов XMLHttpRequest браузера Mozilla Firefox и почтового клиента Mozilla Thunderbird, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2021-06180: Уязвимость обработки политик CSP браузера Mozilla Firefox и почтового клиента Mozilla Thunderbird, связанная с ошибками в настройках безопасности, позволяющая нарушителю обойти существующие ограничения безопасности\n\n * BDU:2021-06181: Уязвимость браузера Mozilla Firefox и почтового клиента Mozilla Thunderbird, связанная с ошибками криптографических преобразований, позволяющая нарушителю проводить спуфинг-атаки\n\n * BDU:2021-06182: Уязвимость браузера Mozilla Firefox и почтового клиента Mozilla Thunderbird, связанная с неправильным преобразованием типов, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2021-06183: Уязвимость браузера Mozilla Firefox и почтового клиента Mozilla Thunderbird, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2021-06191: Уязвимость браузера Mozilla Firefox и почтового клиента Mozilla Thunderbird, связанная с использованием памяти после ее освобождения, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2021-06192: Уязвимость браузера Mozilla Firefox и почтового клиента Mozilla Thunderbird, связанная с выполнением цикла с недоступным условием выхода, позволяющая нарушителю выполнить отказ в обслуживании\n\n * CVE-2021-4129: Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 95, Firefox ESR \u003c 91.4.0, and Thunderbird \u003c 91.4.0.\n\n * CVE-2021-43536: Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. This vulnerability affects Thunderbird \u003c 91.4.0, Firefox ESR \u003c 91.4.0, and Firefox \u003c 95.\n\n * CVE-2021-43537: An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 91.4.0, Firefox ESR \u003c 91.4.0, and Firefox \u003c 95.\n\n * CVE-2021-43538: By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird \u003c 91.4.0, Firefox ESR \u003c 91.4.0, and Firefox \u003c 95.\n\n * CVE-2021-43539: Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 91.4.0, Firefox ESR \u003c 91.4.0, and Firefox \u003c 95.\n\n * CVE-2021-43540: WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects Firefox \u003c 95.\n\n * CVE-2021-43541: When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. This vulnerability affects Thunderbird \u003c 91.4.0, Firefox ESR \u003c 91.4.0, and Firefox \u003c 95.\n\n * CVE-2021-43542: Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. This vulnerability affects Thunderbird \u003c 91.4.0, Firefox ESR \u003c 91.4.0, and Firefox \u003c 95.\n\n * CVE-2021-43543: Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. This vulnerability affects Thunderbird \u003c 91.4.0, Firefox ESR \u003c 91.4.0, and Firefox \u003c 95.\n\n * CVE-2021-43544: When receiving a URL through a SEND intent, Firefox would have searched for the text, but subsequent usages of the address bar might have caused the URL to load unintentionally, which could lead to XSS and spoofing attacks. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 95.\n\n * CVE-2021-43545: Using the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird \u003c 91.4.0, Firefox ESR \u003c 91.4.0, and Firefox \u003c 95.\n\n * CVE-2021-43546: It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird \u003c 91.4.0, Firefox ESR \u003c 91.4.0, and Firefox \u003c 95.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "Critical",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2021-12-08"
|
||
},
|
||
"Updated": {
|
||
"Date": "2021-12-08"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2021-06177",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
|
||
"CWE": "CWE-451",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-06177",
|
||
"Impact": "Low",
|
||
"Public": "20211207"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-06178",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
|
||
"CWE": "CWE-20",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-06178",
|
||
"Impact": "Low",
|
||
"Public": "20211207"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-06179",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-200",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-06179",
|
||
"Impact": "Low",
|
||
"Public": "20211207"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-06180",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
|
||
"CWE": "CWE-254",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-06180",
|
||
"Impact": "Low",
|
||
"Public": "20211207"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-06181",
|
||
"CVSS": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
|
||
"CWE": "CWE-451",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-06181",
|
||
"Impact": "Low",
|
||
"Public": "20211207"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-06182",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-704",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-06182",
|
||
"Impact": "High",
|
||
"Public": "20211207"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-06183",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-200",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-06183",
|
||
"Impact": "Low",
|
||
"Public": "20211207"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-06191",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-416",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-06191",
|
||
"Impact": "High",
|
||
"Public": "20211207"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-06192",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
|
||
"CWE": "CWE-835",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-06192",
|
||
"Impact": "Low",
|
||
"Public": "20211207"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2021-4129",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-787",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-4129",
|
||
"Impact": "Critical",
|
||
"Public": "20221222"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43536",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-200",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43536",
|
||
"Impact": "Low",
|
||
"Public": "20211208"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43537",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-704",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43537",
|
||
"Impact": "High",
|
||
"Public": "20211208"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43538",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
|
||
"CWE": "CWE-362",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43538",
|
||
"Impact": "Low",
|
||
"Public": "20211208"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43539",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-416",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43539",
|
||
"Impact": "High",
|
||
"Public": "20211208"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43540",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43540",
|
||
"Impact": "Low",
|
||
"Public": "20211208"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43541",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
|
||
"CWE": "NVD-CWE-Other",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43541",
|
||
"Impact": "Low",
|
||
"Public": "20211208"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43542",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-209",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43542",
|
||
"Impact": "Low",
|
||
"Public": "20211208"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43543",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||
"CWE": "CWE-79",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43543",
|
||
"Impact": "Low",
|
||
"Public": "20211208"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43544",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||
"CWE": "CWE-79",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43544",
|
||
"Impact": "Low",
|
||
"Public": "20211208"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43545",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-834",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43545",
|
||
"Impact": "Low",
|
||
"Public": "20211208"
|
||
},
|
||
{
|
||
"ID": "CVE-2021-43546",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
|
||
"CWE": "CWE-1021",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43546",
|
||
"Impact": "Low",
|
||
"Public": "20211208"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:container:11"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:3001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20213496001",
|
||
"Comment": "firefox is earlier than 0:95.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20213496002",
|
||
"Comment": "firefox-config-privacy is earlier than 0:95.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20213496003",
|
||
"Comment": "firefox-wayland is earlier than 0:95.0-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |