185 lines
8.6 KiB
JSON
185 lines
8.6 KiB
JSON
{
|
|
"Definition": [
|
|
{
|
|
"ID": "oval:org.altlinux.errata:def:20172652",
|
|
"Version": "oval:org.altlinux.errata:def:20172652",
|
|
"Class": "patch",
|
|
"Metadata": {
|
|
"Title": "ALT-PU-2017-2652: package `firefox-esr` update to version 52.5.0-alt1",
|
|
"AffectedList": [
|
|
{
|
|
"Family": "unix",
|
|
"Platforms": [
|
|
"ALT Linux branch c9f2"
|
|
],
|
|
"Products": [
|
|
"ALT SPWorkstation",
|
|
"ALT SPServer"
|
|
]
|
|
}
|
|
],
|
|
"References": [
|
|
{
|
|
"RefID": "ALT-PU-2017-2652",
|
|
"RefURL": "https://errata.altlinux.org/ALT-PU-2017-2652",
|
|
"Source": "ALTPU"
|
|
},
|
|
{
|
|
"RefID": "BDU:2018-00159",
|
|
"RefURL": "https://bdu.fstec.ru/vul/2018-00159",
|
|
"Source": "BDU"
|
|
},
|
|
{
|
|
"RefID": "BDU:2021-00023",
|
|
"RefURL": "https://bdu.fstec.ru/vul/2021-00023",
|
|
"Source": "BDU"
|
|
},
|
|
{
|
|
"RefID": "BDU:2021-00024",
|
|
"RefURL": "https://bdu.fstec.ru/vul/2021-00024",
|
|
"Source": "BDU"
|
|
},
|
|
{
|
|
"RefID": "BDU:2021-00051",
|
|
"RefURL": "https://bdu.fstec.ru/vul/2021-00051",
|
|
"Source": "BDU"
|
|
},
|
|
{
|
|
"RefID": "CVE-2017-7805",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7805",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2017-7826",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7826",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2017-7828",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7828",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2017-7830",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7830",
|
|
"Source": "CVE"
|
|
}
|
|
],
|
|
"Description": "This update upgrades firefox-esr to version 52.5.0-alt1. \nSecurity Fix(es):\n\n * BDU:2018-00159: Уязвимость реализации протокола TLS 1.2 браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-00023: Уязвимость интерфейса Resource Timing API браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2021-00024: Уязвимость реализации объекта «PressShell» браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-00051: Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная c выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * CVE-2017-7805: During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. This vulnerability affects Firefox \u003c 56, Firefox ESR \u003c 52.4, and Thunderbird \u003c 52.4.\n\n * CVE-2017-7826: Memory safety bugs were reported in Firefox 56 and Firefox ESR 52.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox \u003c 57, Firefox ESR \u003c 52.5, and Thunderbird \u003c 52.5.\n\n * CVE-2017-7828: A use-after-free vulnerability can occur when flushing and resizing layout because the \"PressShell\" object has been freed while still in use. This results in a potentially exploitable crash during these operations. This vulnerability affects Firefox \u003c 57, Firefox ESR \u003c 52.5, and Thunderbird \u003c 52.5.\n\n * CVE-2017-7830: The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox \u003c 57, Firefox ESR \u003c 52.5, and Thunderbird \u003c 52.5.",
|
|
"Advisory": {
|
|
"From": "errata.altlinux.org",
|
|
"Severity": "Critical",
|
|
"Rights": "Copyright 2024 BaseALT Ltd.",
|
|
"Issued": {
|
|
"Date": "2017-11-16"
|
|
},
|
|
"Updated": {
|
|
"Date": "2017-11-16"
|
|
},
|
|
"BDUs": [
|
|
{
|
|
"ID": "BDU:2018-00159",
|
|
"CVSS": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
|
|
"CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
|
"CWE": "CWE-416",
|
|
"Href": "https://bdu.fstec.ru/vul/2018-00159",
|
|
"Impact": "High",
|
|
"Public": "20170630"
|
|
},
|
|
{
|
|
"ID": "BDU:2021-00023",
|
|
"CVSS": "AV:N/AC:M/Au:N/C:C/I:N/A:N",
|
|
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
|
|
"CWE": "CWE-87, CWE-200",
|
|
"Href": "https://bdu.fstec.ru/vul/2021-00023",
|
|
"Impact": "Low",
|
|
"Public": "20171016"
|
|
},
|
|
{
|
|
"ID": "BDU:2021-00024",
|
|
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
|
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
"CWE": "CWE-416",
|
|
"Href": "https://bdu.fstec.ru/vul/2021-00024",
|
|
"Impact": "Critical",
|
|
"Public": "20171027"
|
|
},
|
|
{
|
|
"ID": "BDU:2021-00051",
|
|
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
|
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
"CWE": "CWE-119",
|
|
"Href": "https://bdu.fstec.ru/vul/2021-00051",
|
|
"Impact": "Critical",
|
|
"Public": "20171115"
|
|
}
|
|
],
|
|
"CVEs": [
|
|
{
|
|
"ID": "CVE-2017-7805",
|
|
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
|
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
|
|
"CWE": "CWE-416",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7805",
|
|
"Impact": "High",
|
|
"Public": "20180611"
|
|
},
|
|
{
|
|
"ID": "CVE-2017-7826",
|
|
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
|
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
"CWE": "CWE-119",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7826",
|
|
"Impact": "Critical",
|
|
"Public": "20180611"
|
|
},
|
|
{
|
|
"ID": "CVE-2017-7828",
|
|
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
|
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
"CWE": "CWE-416",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7828",
|
|
"Impact": "Critical",
|
|
"Public": "20180611"
|
|
},
|
|
{
|
|
"ID": "CVE-2017-7830",
|
|
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
|
|
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
|
|
"CWE": "NVD-CWE-noinfo",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7830",
|
|
"Impact": "Low",
|
|
"Public": "20180611"
|
|
}
|
|
],
|
|
"AffectedCPEs": {
|
|
"CPEs": [
|
|
"cpe:/o:alt:spworkstation:8.4",
|
|
"cpe:/o:alt:spserver:8.4"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"Criteria": {
|
|
"Operator": "AND",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:3001",
|
|
"Comment": "ALT Linux must be installed"
|
|
}
|
|
],
|
|
"Criterias": [
|
|
{
|
|
"Operator": "OR",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20172652001",
|
|
"Comment": "firefox-esr is earlier than 0:52.5.0-alt1"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
} |