
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20211596",
"Version": "oval:org.altlinux.errata:def:20211596",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2021-1596: package `python3` update to version 3.9.4-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p10"
],
"Products": [
"ALT Server",
"ALT Virtualization Server",
"ALT Workstation",
"ALT Workstation K",
"ALT Education",
"Simply Linux",
"Starterkit"
]
}
],
"References": [
{
"RefID": "ALT-PU-2021-1596",
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-1596",
"Source": "ALTPU"
},
{
"RefID": "BDU:2021-03708",
"RefURL": "https://bdu.fstec.ru/vul/2021-03708",
"Source": "BDU"
},
{
"RefID": "BDU:2022-02303",
"RefURL": "https://bdu.fstec.ru/vul/2022-02303",
"Source": "BDU"
},
{
"RefID": "CVE-2021-3426",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3426",
"Source": "CVE"
},
{
"RefID": "CVE-2021-4189",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-4189",
"Source": "CVE"
}
],
"Description": "This update upgrades python3 to version 3.9.4-alt1. \nSecurity Fix(es):\n\n * BDU:2021-03708: Уязвимость модуля pydoc языка программирования Python, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2022-02303: Уязвимость клиентской библиотеки FTP (File Transfer Protocol) интерпретатора языка программирования Python, позволяющая нарушителю выполнять SSRF-атаки\n\n * CVE-2021-3426: There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.\n\n * CVE-2021-4189: A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.\n\n * #39329: В python3-base задаются флаги сборки, которые потом переопределяются макросом python3_setup",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Low",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2021-04-05"
},
"Updated": {
"Date": "2021-04-05"
},
"BDUs": [
{
"ID": "BDU:2021-03708",
"CVSS": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"CVSS3": "AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-200",
"Href": "https://bdu.fstec.ru/vul/2021-03708",
"Impact": "Low",
"Public": "20210520"
},
{
"ID": "BDU:2022-02303",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-918",
"Href": "https://bdu.fstec.ru/vul/2022-02303",
"Impact": "Low",
"Public": "20220209"
}
],
"CVEs": [
{
"ID": "CVE-2021-3426",
"CVSS": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-22",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3426",
"Impact": "Low",
"Public": "20210520"
},
{
"ID": "CVE-2021-4189",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"CWE": "CWE-252",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-4189",
"Impact": "Low",
"Public": "20220824"
}
],
"Bugzilla": [
{
"ID": "39329",
"Href": "https://bugzilla.altlinux.org/39329",
"Data": "В python3-base задаются флаги сборки, которые потом переопределяются макросом python3_setup"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:kworkstation:10",
"cpe:/o:alt:workstation:10",
"cpe:/o:alt:server:10",
"cpe:/o:alt:server-v:10",
"cpe:/o:alt:education:10",
"cpe:/o:alt:slinux:10",
"cpe:/o:alt:starterkit:p10",
"cpe:/o:alt:kworkstation:10.1",
"cpe:/o:alt:workstation:10.1",
"cpe:/o:alt:server:10.1",
"cpe:/o:alt:server-v:10.1",
"cpe:/o:alt:education:10.1",
"cpe:/o:alt:slinux:10.1",
"cpe:/o:alt:starterkit:10.1",
"cpe:/o:alt:kworkstation:10.2",
"cpe:/o:alt:workstation:10.2",
"cpe:/o:alt:server:10.2",
"cpe:/o:alt:server-v:10.2",
"cpe:/o:alt:education:10.2",
"cpe:/o:alt:slinux:10.2",
"cpe:/o:alt:starterkit:10.2"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:2001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20211596001",
"Comment": "libpython3 is earlier than 0:3.9.4-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20211596002",
"Comment": "python3 is earlier than 0:3.9.4-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20211596003",
"Comment": "python3-base is earlier than 0:3.9.4-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20211596004",
"Comment": "python3-dev is earlier than 0:3.9.4-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20211596005",
"Comment": "python3-modules-curses is earlier than 0:3.9.4-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20211596006",
"Comment": "python3-modules-sqlite3 is earlier than 0:3.9.4-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20211596007",
"Comment": "python3-modules-tkinter is earlier than 0:3.9.4-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20211596008",
"Comment": "python3-test is earlier than 0:3.9.4-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20211596009",
"Comment": "python3-tools is earlier than 0:3.9.4-alt1"
}
]
}
]
}
}
]
}