vuln-list-alt/oval/c10f2/ALT-PU-2023-7515/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20237515",
      "Version": "oval:org.altlinux.errata:def:20237515",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2023-7515: package `mysql-connector-odbc` update to version 8.0.35-alt2",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch c10f2"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2023-7515",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2023-7515",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2022-01443",
            "RefURL": "https://bdu.fstec.ru/vul/2022-01443",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2022-04284",
            "RefURL": "https://bdu.fstec.ru/vul/2022-04284",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2022-2097",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2022-24407",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-24407",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades mysql-connector-odbc to version 8.0.35-alt2. \nSecurity Fix(es):\n\n * BDU:2022-01443: Уязвимость реализации механизма аутентификации Cyrus SASL, связанная с непринятием мер по защите структуры SQL-запроса, позволяющая нарушителю выполнить произвольный SQL-запрос\n\n * BDU:2022-04284: Уязвимость режима AES OCB библиотеки OpenSSL, позволяющая нарушителю раскрыть защищаемую информацию\n\n * CVE-2022-2097: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).\n\n * CVE-2022-24407: In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "Critical",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2023-11-24"
          },
          "Updated": {
            "Date": "2023-11-24"
          },
          "BDUs": [
            {
              "ID": "BDU:2022-01443",
              "CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:N",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "CWE": "CWE-89",
              "Href": "https://bdu.fstec.ru/vul/2022-01443",
              "Impact": "Critical",
              "Public": "20220302"
            },
            {
              "ID": "BDU:2022-04284",
              "CVSS": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
              "CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "CWE": "CWE-325",
              "Href": "https://bdu.fstec.ru/vul/2022-04284",
              "Impact": "Low",
              "Public": "20220705"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2022-2097",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "CWE": "CWE-327",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097",
              "Impact": "Low",
              "Public": "20220705"
            },
            {
              "ID": "CVE-2022-24407",
              "CVSS": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "CWE": "CWE-89",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-24407",
              "Impact": "High",
              "Public": "20220224"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:spworkstation:10",
              "cpe:/o:alt:spserver:10"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:5001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20237515001",
                "Comment": "mysql-connector-odbc is earlier than 0:8.0.35-alt2"
              }
            ]
          }
        ]
      }
    }
  ]
}