2024-12-12 21:07:30 +00:00


{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20235706",
"Version": "oval:org.altlinux.errata:def:20235706",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2023-5706: package `palemoon` update to version 32.4.0-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2023-5706",
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-5706",
"Source": "ALTPU"
},
{
"RefID": "BDU:2023-01561",
"RefURL": "https://bdu.fstec.ru/vul/2023-01561",
"Source": "BDU"
},
{
"RefID": "BDU:2023-01803",
"RefURL": "https://bdu.fstec.ru/vul/2023-01803",
"Source": "BDU"
},
{
"RefID": "BDU:2023-02692",
"RefURL": "https://bdu.fstec.ru/vul/2023-02692",
"Source": "BDU"
},
{
"RefID": "BDU:2023-02694",
"RefURL": "https://bdu.fstec.ru/vul/2023-02694",
"Source": "BDU"
},
{
"RefID": "CVE-2023-25751",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-25751",
"Source": "CVE"
},
{
"RefID": "CVE-2023-28163",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-28163",
"Source": "CVE"
},
{
"RefID": "CVE-2023-29539",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-29539",
"Source": "CVE"
},
{
"RefID": "CVE-2023-29545",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-29545",
"Source": "CVE"
}
],
"Description": "This update upgrades palemoon to version 32.4.0-alt1. \nSecurity Fix(es):\n\n * BDU:2023-01561: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с неверным управлением генерацией кода, позволяющая нарушителю вызвать отказ в обслуживании или, возможно, оказать другое воздействие\n\n * BDU:2023-01803: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird операционных систем Windows, связанная с недостаточной защитой служебных данных, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации\n\n * BDU:2023-02692: Уязвимость браузеров Mozilla Firefox, Focus for Android, Mozilla Firefox ESR и почтового клиента Thunderbird, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2023-02694: Уязвимость браузеров Mozilla Firefox, Focus for Android, Mozilla Firefox ESR и почтового клиента Thunderbird, связанная с неправильной обработкой директивы заголовка Content-Disposition, позволяющая нарушителю обойти ограничения безопасности и загрузить произвольные файлы\n\n * CVE-2023-25751: Sometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash. This vulnerability affects Firefox \u003c 111, Firefox ESR \u003c 102.9, and Thunderbird \u003c 102.9.\n\n * CVE-2023-28163: When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the context of the current user. \u003cbr\u003e*This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.*. 
This vulnerability affects Firefox \u003c 111, Firefox ESR \u003c 102.9, and Thunderbird \u003c 102.9.\n\n * CVE-2023-29539: When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware. This vulnerability affects Firefox \u003c 112, Focus for Android \u003c 112, Firefox ESR \u003c 102.10, Firefox for Android \u003c 112, and Thunderbird \u003c 102.10.\n\n * CVE-2023-29545: Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user. \n\n*This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox \u003c 112, Firefox ESR \u003c 102.10, and Thunderbird \u003c 102.10.\n\n",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2023-09-17"
},
"Updated": {
"Date": "2023-09-17"
},
"BDUs": [
{
"ID": "BDU:2023-01561",
"CVSS": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"CWE": "CWE-94",
"Href": "https://bdu.fstec.ru/vul/2023-01561",
"Impact": "High",
"Public": "20230314"
},
{
"ID": "BDU:2023-01803",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-200",
"Href": "https://bdu.fstec.ru/vul/2023-01803",
"Impact": "Low",
"Public": "20230314"
},
{
"ID": "BDU:2023-02692",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"CWE": "CWE-200",
"Href": "https://bdu.fstec.ru/vul/2023-02692",
"Impact": "Low",
"Public": "20230411"
},
{
"ID": "BDU:2023-02694",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"CWE": "CWE-254, CWE-476",
"Href": "https://bdu.fstec.ru/vul/2023-02694",
"Impact": "Low",
"Public": "20230411"
}
],
"CVEs": [
{
"ID": "CVE-2023-25751",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-25751",
"Impact": "Low",
"Public": "20230602"
},
{
"ID": "CVE-2023-28163",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-28163",
"Impact": "Low",
"Public": "20230602"
},
{
"ID": "CVE-2023-29539",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"CWE": "CWE-476",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-29539",
"Impact": "High",
"Public": "20230602"
},
{
"ID": "CVE-2023-29545",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-29545",
"Impact": "Low",
"Public": "20230619"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20235706001",
"Comment": "newmoon is earlier than 2:32.4.0-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20235706002",
"Comment": "rpm-build-palemoon is earlier than 2:32.4.0-alt1"
}
]
}
]
}
}
]
}