vuln-list-alt/oval/c10f1/ALT-PU-2023-5129/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20235129",
      "Version": "oval:org.altlinux.errata:def:20235129",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2023-5129: package `stunnel4` update to version 5.70-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch c10f1"
            ],
            "Products": [
              "ALT SP Workstation",
              "ALT SP Server"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2023-5129",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2023-5129",
            "Source": "ALTPU"
          },
          {
            "RefID": "CVE-2021-20230",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-20230",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades stunnel4 to version 5.70-alt1. \nSecurity Fix(es):\n\n * CVE-2021-20230: A flaw was found in stunnel before 5.57, where it improperly validates client certificates when it is configured to use both redirect and verifyChain options. This flaw allows an attacker with a certificate signed by a Certificate Authority, which is not the one accepted by the stunnel server, to access the tunneled service instead of being redirected to the address specified in the redirect option. The highest threat from this vulnerability is to confidentiality.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "High",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2023-08-30"
          },
          "Updated": {
            "Date": "2023-08-30"
          },
          "bdu": null,
          "Cves": [
            {
              "Cvss": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
              "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "Cwe": "CWE-295",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-20230",
              "Impact": "High",
              "Public": "20210223",
              "CveID": "CVE-2021-20230"
            }
          ],
          "AffectedCpeList": {
            "Cpe": [
              "cpe:/o:alt:spworkstation:10",
              "cpe:/o:alt:spserver:10"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:4001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20235129001",
                "Comment": "bash-completion-stunnel4 is earlier than 0:5.70-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20235129002",
                "Comment": "stunnel4 is earlier than 0:5.70-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20235129003",
                "Comment": "stunnel4-inetd is earlier than 0:5.70-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20235129004",
                "Comment": "stunnel4-standalone is earlier than 0:5.70-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}