2024-12-12 21:07:30 +00:00



{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20246496",
"Version": "oval:org.altlinux.errata:def:20246496",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-6496: package `php8.1` update to version 8.1.28-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-6496",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-6496",
"Source": "ALTPU"
},
{
"RefID": "CVE-2024-1874",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-1874",
"Source": "CVE"
},
{
"RefID": "CVE-2024-2756",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-2756",
"Source": "CVE"
},
{
"RefID": "CVE-2024-3096",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-3096",
"Source": "CVE"
}
],
"Description": "This update upgrades php8.1 to version 8.1.28-alt1. \nSecurity Fix(es):\n\n * CVE-2024-1874: In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using the proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in the Windows shell. \n\n\n\n * CVE-2024-2756: Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications. \n\n\n * CVE-2024-3096: In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\n\n",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Low",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-04-13"
},
"Updated": {
"Date": "2024-04-13"
},
"BDUs": null,
"CVEs": [
{
"ID": "CVE-2024-1874",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-1874",
"Impact": "None",
"Public": "20240429"
},
{
"ID": "CVE-2024-2756",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-2756",
"Impact": "None",
"Public": "20240429"
},
{
"ID": "CVE-2024-3096",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-3096",
"Impact": "None",
"Public": "20240429"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20246496001",
"Comment": "php8.1 is earlier than 0:8.1.28-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20246496002",
"Comment": "php8.1-devel is earlier than 0:8.1.28-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20246496003",
"Comment": "php8.1-libs is earlier than 0:8.1.28-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20246496004",
"Comment": "php8.1-mysqlnd is earlier than 0:8.1.28-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20246496005",
"Comment": "rpm-build-php8.1-version is earlier than 0:8.1.28-alt1"
}
]
}
]
}
}
]
}