{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20202249",
"Version": "oval:org.altlinux.errata:def:20202249",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2020-2249: package `mediawiki` update to version 1.34.1-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p9"
],
"Products": [
"ALT Server",
"ALT Virtualization Server",
"ALT Workstation",
"ALT Workstation K",
"ALT Education",
"Simply Linux",
"Starterkit"
]
}
],
"References": [
{
"RefID": "ALT-PU-2020-2249",
"RefURL": "https://errata.altlinux.org/ALT-PU-2020-2249",
"Source": "ALTPU"
},
{
"RefID": "BDU:2020-01890",
"RefURL": "https://bdu.fstec.ru/vul/2020-01890",
"Source": "BDU"
},
{
"RefID": "BDU:2020-01973",
"RefURL": "https://bdu.fstec.ru/vul/2020-01973",
"Source": "BDU"
},
{
"RefID": "BDU:2020-02036",
"RefURL": "https://bdu.fstec.ru/vul/2020-02036",
"Source": "BDU"
},
{
"RefID": "CVE-2019-16738",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-16738",
"Source": "CVE"
},
{
"RefID": "CVE-2019-19709",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-19709",
"Source": "CVE"
},
{
"RefID": "CVE-2020-10534",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-10534",
"Source": "CVE"
},
{
"RefID": "CVE-2020-10960",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-10960",
"Source": "CVE"
}
],
"Description": "This update upgrades mediawiki to version 1.34.1-alt1. \nSecurity Fix(es):\n\n * BDU:2020-01890: Уязвимость функции Special:Redirect программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2020-01973: Уязвимость элементов программного средства для реализации гипертекстовой среды MediaWiki, связанная с переадресацией url на ненадежный сайт, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным и оказать воздействие на целостность данных\n\n * BDU:2020-02036: Уязвимость компонента программного средства для реализации гипертекстовой среды MediaWiki, связанная с недостатком механизма кодирование или экранирование выходных данных, позволяющая нарушителю оказать воздействие на целостность данных\n\n * CVE-2019-16738: In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.\n\n * CVE-2019-19709: MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.\n\n * CVE-2020-10534: In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled.\n\n * CVE-2020-10960: In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS).\n\n * #31471: Требуется модуль кеширования для PHP",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2023 BaseALT Ltd.",
"Issued": {
"Date": "2020-06-29"
},
"Updated": {
"Date": "2020-06-29"
},
"bdu": [
{
"Cvss": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"Cwe": "CWE-200",
"Href": "https://bdu.fstec.ru/vul/2020-01890",
"Impact": "Low",
"Public": "20190813",
"CveID": "BDU:2020-01890"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"Cvss3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"Cwe": "CWE-601",
"Href": "https://bdu.fstec.ru/vul/2020-01973",
"Impact": "Low",
"Public": "20191210",
"CveID": "BDU:2020-01973"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"Cwe": "CWE-116",
"Href": "https://bdu.fstec.ru/vul/2020-02036",
"Impact": "Low",
"Public": "20200403",
"CveID": "BDU:2020-02036"
}
],
"Cves": [
{
"Cvss": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"Cwe": "CWE-862",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-16738",
"Impact": "Low",
"Public": "20190926",
"CveID": "CVE-2019-16738"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"Cwe": "CWE-601",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-19709",
"Impact": "Low",
"Public": "20191211",
"CveID": "CVE-2019-19709"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-863",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-10534",
"Impact": "Critical",
"Public": "20200312",
"CveID": "CVE-2020-10534"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"Cwe": "CWE-74",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-10960",
"Impact": "Low",
"Public": "20200403",
"CveID": "CVE-2020-10960"
}
],
"Bugzilla": [
{
"Id": "31471",
"Href": "https://bugzilla.altlinux.org/31471",
"Data": "Требуется модуль кеширования для PHP"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:kworkstation:9",
"cpe:/o:alt:workstation:9",
"cpe:/o:alt:server:9",
"cpe:/o:alt:server-v:9",
"cpe:/o:alt:education:9",
"cpe:/o:alt:slinux:9",
"cpe:/o:alt:starterkit:p9",
"cpe:/o:alt:kworkstation:9.1",
"cpe:/o:alt:workstation:9.1",
"cpe:/o:alt:server:9.1",
"cpe:/o:alt:server-v:9.1",
"cpe:/o:alt:education:9.1",
"cpe:/o:alt:slinux:9.1",
"cpe:/o:alt:starterkit:9.1",
"cpe:/o:alt:kworkstation:9.2",
"cpe:/o:alt:workstation:9.2",
"cpe:/o:alt:server:9.2",
"cpe:/o:alt:server-v:9.2",
"cpe:/o:alt:education:9.2",
"cpe:/o:alt:slinux:9.2",
"cpe:/o:alt:starterkit:9.2"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:1001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20202249001",
"Comment": "mediawiki is earlier than 0:1.34.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20202249002",
"Comment": "mediawiki-apache2 is earlier than 0:1.34.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20202249003",
"Comment": "mediawiki-common is earlier than 0:1.34.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20202249004",
"Comment": "mediawiki-mysql is earlier than 0:1.34.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20202249005",
"Comment": "mediawiki-postgresql is earlier than 0:1.34.1-alt1"
}
]
}
]
}
}
]
}