112 lines
4.2 KiB
JSON
112 lines
4.2 KiB
JSON
{
|
|
"Definition": [
|
|
{
|
|
"ID": "oval:org.altlinux.errata:def:20234417",
|
|
"Version": "oval:org.altlinux.errata:def:20234417",
|
|
"Class": "patch",
|
|
"Metadata": {
|
|
"Title": "ALT-PU-2023-4417: package `pesign` update to version 116-alt1",
|
|
"AffectedList": [
|
|
{
|
|
"Family": "unix",
|
|
"Platforms": [
|
|
"ALT Linux branch p11"
|
|
],
|
|
"Products": [
|
|
"ALT Container"
|
|
]
|
|
}
|
|
],
|
|
"References": [
|
|
{
|
|
"RefID": "ALT-PU-2023-4417",
|
|
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-4417",
|
|
"Source": "ALTPU"
|
|
},
|
|
{
|
|
"RefID": "BDU:2023-00640",
|
|
"RefURL": "https://bdu.fstec.ru/vul/2023-00640",
|
|
"Source": "BDU"
|
|
},
|
|
{
|
|
"RefID": "CVE-2022-1249",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-1249",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2022-3560",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-3560",
|
|
"Source": "CVE"
|
|
}
|
|
],
|
|
"Description": "This update upgrades pesign to version 116-alt1. \nSecurity Fix(es):\n\n * BDU:2023-00640: Уязвимость демона pesign подсистемы инициализации и управления службами systemd, позволяющая нарушителю повысить свои привилегии\n\n * CVE-2022-1249: A NULL pointer dereference flaw was found in pesign's cms_set_pw_data() function of the cms_common.c file. The function fails to handle the NULL pwdata invocation from daemon.c, which leads to an explicit NULL dereference and crash on all attempts to daemonize pesign.\n\n * CVE-2022-3560: A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.",
|
|
"Advisory": {
|
|
"From": "errata.altlinux.org",
|
|
"Severity": "High",
|
|
"Rights": "Copyright 2024 BaseALT Ltd.",
|
|
"Issued": {
|
|
"Date": "2023-08-01"
|
|
},
|
|
"Updated": {
|
|
"Date": "2023-08-01"
|
|
},
|
|
"BDUs": [
|
|
{
|
|
"ID": "BDU:2023-00640",
|
|
"CVSS": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
|
|
"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
|
"CWE": "CWE-22, CWE-269",
|
|
"Href": "https://bdu.fstec.ru/vul/2023-00640",
|
|
"Impact": "High",
|
|
"Public": "20230131"
|
|
}
|
|
],
|
|
"CVEs": [
|
|
{
|
|
"ID": "CVE-2022-1249",
|
|
"CVSS": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
|
|
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
|
|
"CWE": "CWE-476",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-1249",
|
|
"Impact": "Low",
|
|
"Public": "20220429"
|
|
},
|
|
{
|
|
"ID": "CVE-2022-3560",
|
|
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
|
"CWE": "CWE-22",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-3560",
|
|
"Impact": "Low",
|
|
"Public": "20230202"
|
|
}
|
|
],
|
|
"AffectedCPEs": {
|
|
"CPEs": [
|
|
"cpe:/o:alt:container:11"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"Criteria": {
|
|
"Operator": "AND",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:3001",
|
|
"Comment": "ALT Linux must be installed"
|
|
}
|
|
],
|
|
"Criterias": [
|
|
{
|
|
"Operator": "OR",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20234417001",
|
|
"Comment": "pesign is earlier than 0:116-alt1"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
} |