vuln-list-alt/oval/p9/ALT-PU-2021-2381/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20212381",
      "Version": "oval:org.altlinux.errata:def:20212381",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2021-2381: package `libssh` update to version 0.9.5-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch p9"
            ],
            "Products": [
              "ALT Server",
              "ALT Virtualization Server",
              "ALT Workstation",
              "ALT Workstation K",
              "ALT Education",
              "Simply Linux",
              "Starterkit"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2021-2381",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2021-2381",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2020-02135",
            "RefURL": "https://bdu.fstec.ru/vul/2020-02135",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2021-03730",
            "RefURL": "https://bdu.fstec.ru/vul/2021-03730",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2020-16135",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-16135",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2020-1730",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-1730",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades libssh to version 0.9.5-alt1. \nSecurity Fix(es):\n\n * BDU:2020-02135: Уязвимость библиотеки libssh, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03730: Уязвимость компонента tftpserver.c библиотеки для аутентификации клиента libssh, связанная с ошибками разыменования указателя, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2020-16135: libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.\n\n * CVE-2020-1730: A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "High",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2021-07-30"
          },
          "Updated": {
            "Date": "2021-07-30"
          },
          "BDUs": [
            {
              "ID": "BDU:2020-02135",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-400",
              "Href": "https://bdu.fstec.ru/vul/2020-02135",
              "Impact": "High",
              "Public": "20200212"
            },
            {
              "ID": "BDU:2021-03730",
              "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
              "CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-476",
              "Href": "https://bdu.fstec.ru/vul/2021-03730",
              "Impact": "Low",
              "Public": "20200730"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2020-16135",
              "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-476",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-16135",
              "Impact": "Low",
              "Public": "20200729"
            },
            {
              "ID": "CVE-2020-1730",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "CWE": "CWE-476",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-1730",
              "Impact": "Low",
              "Public": "20200413"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:kworkstation:9",
              "cpe:/o:alt:workstation:9",
              "cpe:/o:alt:server:9",
              "cpe:/o:alt:server-v:9",
              "cpe:/o:alt:education:9",
              "cpe:/o:alt:slinux:9",
              "cpe:/o:alt:starterkit:p9",
              "cpe:/o:alt:kworkstation:9.1",
              "cpe:/o:alt:workstation:9.1",
              "cpe:/o:alt:server:9.1",
              "cpe:/o:alt:server-v:9.1",
              "cpe:/o:alt:education:9.1",
              "cpe:/o:alt:slinux:9.1",
              "cpe:/o:alt:starterkit:9.1",
              "cpe:/o:alt:kworkstation:9.2",
              "cpe:/o:alt:workstation:9.2",
              "cpe:/o:alt:server:9.2",
              "cpe:/o:alt:server-v:9.2",
              "cpe:/o:alt:education:9.2",
              "cpe:/o:alt:slinux:9.2",
              "cpe:/o:alt:starterkit:9.2"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:1001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20212381001",
                "Comment": "libssh is earlier than 0:0.9.5-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20212381002",
                "Comment": "libssh-devel is earlier than 0:0.9.5-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}