110 lines
4.1 KiB
JSON
110 lines
4.1 KiB
JSON
{
|
|
"Definition": [
|
|
{
|
|
"ID": "oval:org.altlinux.errata:def:20231519",
|
|
"Version": "oval:org.altlinux.errata:def:20231519",
|
|
"Class": "patch",
|
|
"Metadata": {
|
|
"Title": "ALT-PU-2023-1519: package `cri-o` update to version 1.26.2-alt1",
|
|
"AffectedList": [
|
|
{
|
|
"Family": "unix",
|
|
"Platforms": [
|
|
"ALT Linux branch p11"
|
|
],
|
|
"Products": [
|
|
"ALT Container"
|
|
]
|
|
}
|
|
],
|
|
"References": [
|
|
{
|
|
"RefID": "ALT-PU-2023-1519",
|
|
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-1519",
|
|
"Source": "ALTPU"
|
|
},
|
|
{
|
|
"RefID": "CVE-2022-27652",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-27652",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2022-2995",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-2995",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2022-4318",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-4318",
|
|
"Source": "CVE"
|
|
}
|
|
],
|
|
"Description": "This update upgrades cri-o to version 1.26.2-alt1. \nSecurity Fix(es):\n\n * CVE-2022-27652: A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.\n\n * CVE-2022-2995: Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.\n\n * CVE-2022-4318: A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.",
|
|
"Advisory": {
|
|
"From": "errata.altlinux.org",
|
|
"Severity": "High",
|
|
"Rights": "Copyright 2024 BaseALT Ltd.",
|
|
"Issued": {
|
|
"Date": "2023-03-27"
|
|
},
|
|
"Updated": {
|
|
"Date": "2023-03-27"
|
|
},
|
|
"BDUs": null,
|
|
"CVEs": [
|
|
{
|
|
"ID": "CVE-2022-27652",
|
|
"CVSS": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
|
|
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
|
|
"CWE": "CWE-276",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-27652",
|
|
"Impact": "Low",
|
|
"Public": "20220418"
|
|
},
|
|
{
|
|
"ID": "CVE-2022-2995",
|
|
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
|
|
"CWE": "CWE-732",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-2995",
|
|
"Impact": "High",
|
|
"Public": "20220919"
|
|
},
|
|
{
|
|
"ID": "CVE-2022-4318",
|
|
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
|
"CWE": "CWE-913",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-4318",
|
|
"Impact": "High",
|
|
"Public": "20230925"
|
|
}
|
|
],
|
|
"AffectedCPEs": {
|
|
"CPEs": [
|
|
"cpe:/o:alt:container:11"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"Criteria": {
|
|
"Operator": "AND",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:3001",
|
|
"Comment": "ALT Linux must be installed"
|
|
}
|
|
],
|
|
"Criterias": [
|
|
{
|
|
"Operator": "OR",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20231519001",
|
|
"Comment": "cri-o is earlier than 0:1.26.2-alt1"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
} |