pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vuln-list-alt/oval/c9f2/ALT-PU-2022-3071/definitions.json
pepelyaevip 0707cb759b ALT Vulnerability
2024-04-16 14:26:14 +00:00

234 lines
11 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20223071",
"Version": "oval:org.altlinux.errata:def:20223071",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2022-3071: package `c-ares` update to version 1.18.1-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c9f2"
],
"Products": [
"ALT SPWorkstation",
"ALT SPServer"
]
}
],
"References": [
{
"RefID": "ALT-PU-2022-3071",
"RefURL": "https://errata.altlinux.org/ALT-PU-2022-3071",
"Source": "ALTPU"
},
{
"RefID": "BDU:2018-00106",
"RefURL": "https://bdu.fstec.ru/vul/2018-00106",
"Source": "BDU"
},
{
"RefID": "BDU:2021-01024",
"RefURL": "https://bdu.fstec.ru/vul/2021-01024",
"Source": "BDU"
},
{
"RefID": "BDU:2021-04594",
"RefURL": "https://bdu.fstec.ru/vul/2021-04594",
"Source": "BDU"
},
{
"RefID": "BDU:2022-00342",
"RefURL": "https://bdu.fstec.ru/vul/2022-00342",
"Source": "BDU"
},
{
"RefID": "BDU:2023-05898",
"RefURL": "https://bdu.fstec.ru/vul/2023-05898",
"Source": "BDU"
},
{
"RefID": "CVE-2016-5180",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-5180",
"Source": "CVE"
},
{
"RefID": "CVE-2017-1000381",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000381",
"Source": "CVE"
},
{
"RefID": "CVE-2020-14354",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-14354",
"Source": "CVE"
},
{
"RefID": "CVE-2020-22217",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-22217",
"Source": "CVE"
},
{
"RefID": "CVE-2020-8277",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-8277",
"Source": "CVE"
},
{
"RefID": "CVE-2021-3672",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3672",
"Source": "CVE"
}
],
"Description": "This update upgrades c-ares to version 1.18.1-alt1. \nSecurity Fix(es):\n\n * BDU:2018-00106: Уязвимость функции ares_parse_naptr_reply библиотеки асинхронных DNS-запросов c-ares, позволяющая нарушителю выполнить чтение за границами буфера в памяти\n\n * BDU:2021-01024: Уязвимость программной платформы Node.js, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-04594: Уязвимость функций ares_destroy() и ares_getaddrinfo() библиотеки асинхронных DNS-запросов C-ares, связанная с использованием памяти после её освобождения, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2022-00342: Уязвимость библиотеки СИ для асинхронных запросов DNS c-ares, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2023-05898: Уязвимость функции ares_parse_soa_reply() библиотеки асинхронных DNS-запросов C-ares, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * CVE-2016-5180: Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.\n\n * CVE-2017-1000381: The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.\n\n * CVE-2020-14354: A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.\n\n * CVE-2020-22217: Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.\n\n * CVE-2020-8277: A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions \u003c 15.2.1, \u003c 14.15.1, and \u003c 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.\n\n * CVE-2021-3672: A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2022-11-14"
},
"Updated": {
"Date": "2024-04-04"
},
"BDUs": [
{
"ID": "BDU:2018-00106",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-125",
"Href": "https://bdu.fstec.ru/vul/2018-00106",
"Impact": "High",
"Public": "20170520"
},
{
"ID": "BDU:2021-01024",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-400",
"Href": "https://bdu.fstec.ru/vul/2021-01024",
"Impact": "High",
"Public": "20201118"
},
{
"ID": "BDU:2021-04594",
"CVSS": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"CWE": "CWE-416",
"Href": "https://bdu.fstec.ru/vul/2021-04594",
"Impact": "Low",
"Public": "20200507"
},
{
"ID": "BDU:2022-00342",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"CWE": "CWE-79",
"Href": "https://bdu.fstec.ru/vul/2022-00342",
"Impact": "Low",
"Public": "20210810"
},
{
"ID": "BDU:2023-05898",
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-120, CWE-787",
"Href": "https://bdu.fstec.ru/vul/2023-05898",
"Impact": "Critical",
"Public": "20200521"
}
],
"CVEs": [
{
"ID": "CVE-2016-5180",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-787",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-5180",
"Impact": "Critical",
"Public": "20161003"
},
{
"ID": "CVE-2017-1000381",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-200",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000381",
"Impact": "High",
"Public": "20170707"
},
{
"ID": "CVE-2020-14354",
"CVSS": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"CWE": "CWE-415",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-14354",
"Impact": "Low",
"Public": "20210513"
},
{
"ID": "CVE-2020-22217",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-125",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-22217",
"Impact": "Low",
"Public": "20230822"
},
{
"ID": "CVE-2020-8277",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-400",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-8277",
"Impact": "High",
"Public": "20201119"
},
{
"ID": "CVE-2021-3672",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"CWE": "CWE-79",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3672",
"Impact": "Low",
"Public": "20211123"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:spworkstation:8.4",
"cpe:/o:alt:spserver:8.4"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20223071001",
"Comment": "c-ares is earlier than 0:1.18.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20223071002",
"Comment": "libcares is earlier than 0:1.18.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20223071003",
"Comment": "libcares-devel is earlier than 0:1.18.1-alt1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink