88 lines
3.6 KiB
JSON
88 lines
3.6 KiB
JSON
{
|
|
"Definition": [
|
|
{
|
|
"ID": "oval:org.altlinux.errata:def:20243556",
|
|
"Version": "oval:org.altlinux.errata:def:20243556",
|
|
"Class": "patch",
|
|
"Metadata": {
|
|
"Title": "ALT-PU-2024-3556: package `libuv` update to version 1.48.0-alt1",
|
|
"AffectedList": [
|
|
{
|
|
"Family": "unix",
|
|
"Platforms": [
|
|
"ALT Linux branch c9f2"
|
|
],
|
|
"Products": [
|
|
"ALT SPWorkstation",
|
|
"ALT SPServer"
|
|
]
|
|
}
|
|
],
|
|
"References": [
|
|
{
|
|
"RefID": "ALT-PU-2024-3556",
|
|
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-3556",
|
|
"Source": "ALTPU"
|
|
},
|
|
{
|
|
"RefID": "CVE-2024-24806",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-24806",
|
|
"Source": "CVE"
|
|
}
|
|
],
|
|
"Description": "This update upgrades libuv to version 1.48.0-alt1. \nSecurity Fix(es):\n\n * CVE-2024-24806: libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
|
|
"Advisory": {
|
|
"From": "errata.altlinux.org",
|
|
"Severity": "High",
|
|
"Rights": "Copyright 2024 BaseALT Ltd.",
|
|
"Issued": {
|
|
"Date": "2024-03-11"
|
|
},
|
|
"Updated": {
|
|
"Date": "2024-03-11"
|
|
},
|
|
"BDUs": null,
|
|
"CVEs": [
|
|
{
|
|
"ID": "CVE-2024-24806",
|
|
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-24806",
|
|
"Impact": "High",
|
|
"Public": "20240207"
|
|
}
|
|
],
|
|
"AffectedCPEs": {
|
|
"CPEs": [
|
|
"cpe:/o:alt:spworkstation:8.4",
|
|
"cpe:/o:alt:spserver:8.4"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"Criteria": {
|
|
"Operator": "AND",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:4001",
|
|
"Comment": "ALT Linux must be installed"
|
|
}
|
|
],
|
|
"Criterias": [
|
|
{
|
|
"Operator": "OR",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20243556001",
|
|
"Comment": "libuv is earlier than 0:1.48.0-alt1"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20243556002",
|
|
"Comment": "libuv-devel is earlier than 0:1.48.0-alt1"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
} |