pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7221cd8dd9
vuln-list-alt/oval/c9f2/ALT-PU-2024-3833/definitions.json
pepelyaevip ac03c1c203 ALT Vulnerability
2024-03-14 21:03:21 +00:00

110 lines
4.8 KiB
JSON
Raw Blame History

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20243833",
"Version": "oval:org.altlinux.errata:def:20243833",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-3833: package `syncthing` update to version 1.23.5-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c9f2"
],
"Products": [
"ALT SPWorkstation",
"ALT SPServer"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-3833",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-3833",
"Source": "ALTPU"
},
{
"RefID": "CVE-2021-21404",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-21404",
"Source": "CVE"
},
{
"RefID": "CVE-2022-46165",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-46165",
"Source": "CVE"
}
],
"Description": "This update upgrades syncthing to version 1.23.5-alt1. \nSecurity Fix(es):\n\n * CVE-2021-21404: Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.\n\n * CVE-2022-46165: Syncthing is an open source, continuous file synchronization program. In versions prior to 1.23.5 a compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically. Additionally adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page. As a result the webUI may be subject to a stored cross site scripting attack. This issue has been addressed in version 1.23.5. Users are advised to upgrade. Users unable to upgrade should avoid sharing folders with untrusted users.\n\n * #40325: Предлагает обновить версию, хотя установлена самая последняя",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-03-14"
},
"Updated": {
"Date": "2024-03-14"
},
"bdu": null,
"Cves": [
{
"Cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"Cwe": "CWE-20",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-21404",
"Impact": "High",
"Public": "20210406",
"CveID": "CVE-2021-21404"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"Cwe": "CWE-79",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-46165",
"Impact": "Low",
"Public": "20230606",
"CveID": "CVE-2022-46165"
}
],
"Bugzilla": [
{
"Id": "40325",
"Href": "https://bugzilla.altlinux.org/40325",
"Data": "Предлагает обновить версию, хотя установлена самая последняя"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:spworkstation:8.4",
"cpe:/o:alt:spserver:8.4"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20243833001",
"Comment": "syncthing is earlier than 0:1.23.5-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20243833002",
"Comment": "syncthing-tools is earlier than 0:1.23.5-alt1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink