197 lines
8.6 KiB
JSON
197 lines
8.6 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20211592",
|
||
"Version": "oval:org.altlinux.errata:def:20211592",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2021-1592: package `curl` update to version 7.75.0-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch c9f2"
|
||
],
|
||
"Products": [
|
||
"ALT SPWorkstation",
|
||
"ALT SPServer"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2021-1592",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-1592",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-03447",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-03447",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-03503",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-03503",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-03504",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-03504",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-03510",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-03510",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-8231",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-8231",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-8284",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-8285",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-8286",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-8286",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades curl to version 7.75.0-alt1. \nSecurity Fix(es):\n\n * BDU:2021-03447: Уязвимость программного средства для взаимодействия с серверами CURL, связанная с выходом операции за допустимые границы буфера данных, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03503: Уязвимость программного средства для взаимодействия с серверами CURL, связанная с использованием области памяти после её освобождения, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2021-03504: Уязвимость программного средства для взаимодействия с серверами CURL, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2021-03510: Уязвимость программного средства для взаимодействия с серверами CURL, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю оказать воздействие на целостность данных\n\n * CVE-2020-8231: Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.\n\n * CVE-2020-8284: A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.\n\n * CVE-2020-8285: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.\n\n * CVE-2020-8286: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "High",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2021-04-02"
|
||
},
|
||
"Updated": {
|
||
"Date": "2021-04-02"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2021-03447",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
|
||
"CWE": "CWE-787",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-03447",
|
||
"Impact": "Low",
|
||
"Public": "20201127"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-03503",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-416",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-03503",
|
||
"Impact": "Low",
|
||
"Public": "20200731"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-03504",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-200",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-03504",
|
||
"Impact": "Low",
|
||
"Public": "20201121"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-03510",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
|
||
"CWE": "CWE-295",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-03510",
|
||
"Impact": "Low",
|
||
"Public": "20201201"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2020-8231",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-416",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-8231",
|
||
"Impact": "High",
|
||
"Public": "20201214"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-8284",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284",
|
||
"Impact": "Low",
|
||
"Public": "20201214"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-8285",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-787",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285",
|
||
"Impact": "High",
|
||
"Public": "20201214"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-8286",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
|
||
"CWE": "CWE-295",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-8286",
|
||
"Impact": "High",
|
||
"Public": "20201214"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:spworkstation:8.4",
|
||
"cpe:/o:alt:spserver:8.4"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:3001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211592001",
|
||
"Comment": "curl is earlier than 0:7.75.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211592002",
|
||
"Comment": "libcurl is earlier than 0:7.75.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211592003",
|
||
"Comment": "libcurl-devel is earlier than 0:7.75.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211592004",
|
||
"Comment": "libcurl-devel-static is earlier than 0:7.75.0-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |