187 lines
8.8 KiB
JSON
187 lines
8.8 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20231291",
|
||
"Version": "oval:org.altlinux.errata:def:20231291",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2023-1291: package `git` update to version 2.33.7-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch c10f1"
|
||
],
|
||
"Products": [
|
||
"ALT SP Workstation",
|
||
"ALT SP Server"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2023-1291",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-1291",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2023-01602",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2023-01602",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2023-01603",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2023-01603",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2023-22490",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-22490",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2023-23946",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-23946",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades git to version 2.33.7-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01602: Уязвимость распределенной системы управления версиями Git, связанная с передачей частных ресурсов в новую сферу, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2023-01603: Уязвимость распределенной системы управления версиями Git, связанная с неправильным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю перезаписать произвольные файлы в системе\n\n * CVE-2023-22490: Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.\n\nA fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.\n\n * CVE-2023-23946: Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "High",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2023-02-20"
|
||
},
|
||
"Updated": {
|
||
"Date": "2023-02-20"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2023-01602",
|
||
"CVSS": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
|
||
"CVSS3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-59",
|
||
"Href": "https://bdu.fstec.ru/vul/2023-01602",
|
||
"Impact": "Low",
|
||
"Public": "20230214"
|
||
},
|
||
{
|
||
"ID": "BDU:2023-01603",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
|
||
"CWE": "CWE-22",
|
||
"Href": "https://bdu.fstec.ru/vul/2023-01603",
|
||
"Impact": "High",
|
||
"Public": "20230214"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2023-22490",
|
||
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-59",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-22490",
|
||
"Impact": "Low",
|
||
"Public": "20230214"
|
||
},
|
||
{
|
||
"ID": "CVE-2023-23946",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
|
||
"CWE": "CWE-22",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-23946",
|
||
"Impact": "High",
|
||
"Public": "20230214"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:spworkstation:10",
|
||
"cpe:/o:alt:spserver:10"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:4001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291001",
|
||
"Comment": "git is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291002",
|
||
"Comment": "git-arch is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291003",
|
||
"Comment": "git-contrib is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291004",
|
||
"Comment": "git-core is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291005",
|
||
"Comment": "git-cvs is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291006",
|
||
"Comment": "git-diff-highlight is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291007",
|
||
"Comment": "git-doc is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291008",
|
||
"Comment": "git-email is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291009",
|
||
"Comment": "git-full is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291010",
|
||
"Comment": "git-gui is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291011",
|
||
"Comment": "git-server is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291012",
|
||
"Comment": "git-subtree is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291013",
|
||
"Comment": "git-svn is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291014",
|
||
"Comment": "gitk is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291015",
|
||
"Comment": "gitweb is earlier than 0:2.33.7-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20231291016",
|
||
"Comment": "perl-Git is earlier than 0:2.33.7-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |