
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20231508",
"Version": "oval:org.altlinux.errata:def:20231508",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2023-1508: package `haproxy` update to version 2.6.11-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2023-1508",
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-1508",
"Source": "ALTPU"
},
{
"RefID": "BDU:2023-00758",
"RefURL": "https://bdu.fstec.ru/vul/2023-00758",
"Source": "BDU"
},
{
"RefID": "CVE-2023-0836",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-0836",
"Source": "CVE"
},
{
"RefID": "CVE-2023-25725",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725",
"Source": "CVE"
}
],
"Description": "This update upgrades haproxy to version 2.6.11-alt1. \nSecurity Fix(es):\n\n * BDU:2023-00758: Уязвимость серверного программного обеспечения HAProxy, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку «контрабанда HTTP-запросов»\n\n * CVE-2023-0836: An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.\n\n * CVE-2023-25725: HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka \"request smuggling.\" The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2023-03-24"
},
"Updated": {
"Date": "2023-03-24"
},
"BDUs": [
{
"ID": "BDU:2023-00758",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "CWE-444",
"Href": "https://bdu.fstec.ru/vul/2023-00758",
"Impact": "High",
"Public": "20230214"
}
],
"CVEs": [
{
"ID": "CVE-2023-0836",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-459",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-0836",
"Impact": "High",
"Public": "20230329"
},
{
"ID": "CVE-2023-25725",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"CWE": "NVD-CWE-Other",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725",
"Impact": "Critical",
"Public": "20230214"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20231508001",
"Comment": "haproxy is earlier than 0:2.6.11-alt1"
}
]
}
]
}
}
]
}