vuln-list-alt/oval/c9f2/ALT-PU-2018-2038/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20182038",
      "Version": "oval:org.altlinux.errata:def:20182038",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2018-2038: package `dovecot` update to version 2.2.36-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch c9f2"
            ],
            "Products": [
              "ALT SPWorkstation",
              "ALT SPServer"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2018-2038",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2018-2038",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2020-00779",
            "RefURL": "https://bdu.fstec.ru/vul/2020-00779",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2020-00780",
            "RefURL": "https://bdu.fstec.ru/vul/2020-00780",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2017-14461",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-14461",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2017-15130",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-15130",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades dovecot to version 2.2.36-alt1. \nSecurity Fix(es):\n\n * BDU:2020-00779: Уязвимость почтового сервера Dovecot, связанная с чтением за границами буфера памяти, позволяющая нарушителю получить доступ к конфиденциальным данным, а также вызвать отказ в обслуживании\n\n * BDU:2020-00780: Уязвимость реализации протоколов TLS почтового сервера Dovecot, связанная с исчерпанием ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2017-14461: A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server.\n\n * CVE-2017-15130: A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "High",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2018-07-20"
          },
          "Updated": {
            "Date": "2018-07-20"
          },
          "BDUs": [
            {
              "ID": "BDU:2020-00779",
              "CVSS": "AV:N/AC:L/Au:S/C:P/I:N/A:C",
              "CVSS3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
              "CWE": "CWE-125",
              "Href": "https://bdu.fstec.ru/vul/2020-00779",
              "Impact": "High",
              "Public": "20180302"
            },
            {
              "ID": "BDU:2020-00780",
              "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
              "CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-400",
              "Href": "https://bdu.fstec.ru/vul/2020-00780",
              "Impact": "Low",
              "Public": "20180302"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2017-14461",
              "CVSS": "AV:N/AC:L/Au:S/C:P/I:N/A:P",
              "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
              "CWE": "CWE-200",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-14461",
              "Impact": "High",
              "Public": "20180302"
            },
            {
              "ID": "CVE-2017-15130",
              "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
              "CVSS3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "NVD-CWE-noinfo",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-15130",
              "Impact": "Low",
              "Public": "20180302"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:spworkstation:8.4",
              "cpe:/o:alt:spserver:8.4"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:3001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20182038001",
                "Comment": "dovecot is earlier than 0:2.2.36-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20182038002",
                "Comment": "dovecot-devel is earlier than 0:2.2.36-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}