vuln-list-alt/oval/p11/ALT-PU-2021-1565/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20211565",
      "Version": "oval:org.altlinux.errata:def:20211565",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2021-1565: package `minio` update to version 2021.03.26-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch p11"
            ],
            "Products": [
              "ALT Container"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2021-1565",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2021-1565",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2021-03386",
            "RefURL": "https://bdu.fstec.ru/vul/2021-03386",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2021-21362",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-21362",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2021-21390",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-21390",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades minio to version 2021.03.26-alt1. \nSecurity Fix(es):\n\n * BDU:2021-03386: Уязвимость сервера хранения объектов MinIO, связанная с ошибками авторизации, позволяющая нарушителю обойти политику readOnly и оказать воздействие на целостность защищаемой информации\n\n * CVE-2021-21362: MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.\n\n * CVE-2021-21390: MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using \"aws-chunked\" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "High",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2021-03-27"
          },
          "Updated": {
            "Date": "2021-03-27"
          },
          "BDUs": [
            {
              "ID": "BDU:2021-03386",
              "CVSS": "AV:N/AC:L/Au:S/C:N/I:C/A:N",
              "CVSS3": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
              "CWE": "CWE-285",
              "Href": "https://bdu.fstec.ru/vul/2021-03386",
              "Impact": "High",
              "Public": "20210308"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2021-21362",
              "CVSS": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
              "CWE": "CWE-863",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-21362",
              "Impact": "Low",
              "Public": "20210308"
            },
            {
              "ID": "CVE-2021-21390",
              "CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
              "CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "CWE": "CWE-924",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-21390",
              "Impact": "Low",
              "Public": "20210319"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:container:11"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:3001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20211565001",
                "Comment": "minio is earlier than 0:2021.03.26-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}