vuln-list-alt/oval/p9/ALT-PU-2019-3259/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20193259",
      "Version": "oval:org.altlinux.errata:def:20193259",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2019-3259: package `git` update to version 2.24.1-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch p9"
            ],
            "Products": [
              "ALT Server",
              "ALT Virtualization Server",
              "ALT Workstation",
              "ALT Workstation K",
              "ALT Education",
              "Simply Linux",
              "Starterkit"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2019-3259",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2019-3259",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2020-01458",
            "RefURL": "https://bdu.fstec.ru/vul/2020-01458",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2020-01655",
            "RefURL": "https://bdu.fstec.ru/vul/2020-01655",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2020-01656",
            "RefURL": "https://bdu.fstec.ru/vul/2020-01656",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2020-01657",
            "RefURL": "https://bdu.fstec.ru/vul/2020-01657",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2020-01658",
            "RefURL": "https://bdu.fstec.ru/vul/2020-01658",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2020-01659",
            "RefURL": "https://bdu.fstec.ru/vul/2020-01659",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2019-1348",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1348",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2019-1349",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1349",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2019-1350",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1350",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2019-1351",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1351",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2019-1352",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1352",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2019-1353",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1353",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2019-1354",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1354",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2019-1387",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1387",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2019-19604",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-19604",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades git to version 2.24.1-alt1. \nSecurity Fix(es):\n\n * BDU:2020-01458: Уязвимость системы управления версиями GIT, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2020-01655: Уязвимость компонента проверки имени подмодулей распределенной системы управления версиями Git, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным, вызвать отказ в обслуживании и оказать воздействие на целостность данных\n\n * BDU:2020-01656: Уязвимость компонента безопасности подсистемы запуска WSL распределенной системы управления версиями Git, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным, вызвать отказ в обслуживании и оказать воздействие на целостность данных\n\n * BDU:2020-01657: Уязвимость компонента работы с NTFS Alternate Data Streams распределенной системы управления версиями Git, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным, вызвать отказ в обслуживании и оказать воздействие на целостность данных\n\n * BDU:2020-01658: Уязвимость компонента рекурсивного клонирования подмодулей распределенной системы управления версиями Git, позволяющая нарушителю получить несанкционированный доступ к конфиденциальным данным, вызвать отказ в обслуживании и оказать воздействие на целостность данных\n\n * BDU:2020-01659: Уязвимость опции быстрого импорта --export-marks распределенной системы управления версиями Git, позволяющая нарушителю вызвать отказ в обслуживании и оказать воздействие на целостность данных\n\n * CVE-2019-1348: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths.\n\n * CVE-2019-1349: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.\n\n * CVE-2019-1350: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.\n\n * CVE-2019-1351: A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'.\n\n * CVE-2019-1352: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387.\n\n * CVE-2019-1353: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.\n\n * CVE-2019-1354: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387.\n\n * CVE-2019-1387: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.\n\n * CVE-2019-19604: Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a \"git submodule update\" operation can run commands found in the .gitmodules file of a malicious repository.\n\n * #37426: git completion location\n\n * #37432: git не подхватывает git-subtree из пакета git-contrib",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "Critical",
          "Rights": "Copyright 2023 BaseALT Ltd.",
          "Issued": {
            "Date": "2019-12-11"
          },
          "Updated": {
            "Date": "2019-12-11"
          },
          "bdu": [
            {
              "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "Cwe": "CWE-20",
              "Href": "https://bdu.fstec.ru/vul/2020-01458",
              "Impact": "High",
              "Public": "20191210",
              "CveID": "BDU:2020-01458"
            },
            {
              "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "Cwe": "CWE-20",
              "Href": "https://bdu.fstec.ru/vul/2020-01655",
              "Impact": "High",
              "Public": "20191213",
              "CveID": "BDU:2020-01655"
            },
            {
              "Cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
              "Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "Cwe": "CWE-693",
              "Href": "https://bdu.fstec.ru/vul/2020-01656",
              "Impact": "Critical",
              "Public": "20191213",
              "CveID": "BDU:2020-01656"
            },
            {
              "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "Cwe": "CWE-20",
              "Href": "https://bdu.fstec.ru/vul/2020-01657",
              "Impact": "High",
              "Public": "20191213",
              "CveID": "BDU:2020-01657"
            },
            {
              "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "Cwe": "CWE-20",
              "Href": "https://bdu.fstec.ru/vul/2020-01658",
              "Impact": "High",
              "Public": "20191213",
              "CveID": "BDU:2020-01658"
            },
            {
              "Cvss": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
              "Cvss3": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
              "Cwe": "CWE-20",
              "Href": "https://bdu.fstec.ru/vul/2020-01659",
              "Impact": "Low",
              "Public": "20191213",
              "CveID": "BDU:2020-01659"
            }
          ],
          "Cves": [
            {
              "Cvss": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
              "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
              "Cwe": "NVD-CWE-noinfo",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1348",
              "Impact": "Low",
              "Public": "20200124",
              "CveID": "CVE-2019-1348"
            },
            {
              "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "Cwe": "CWE-20",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1349",
              "Impact": "High",
              "Public": "20200124",
              "CveID": "CVE-2019-1349"
            },
            {
              "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "Cwe": "CWE-20",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1350",
              "Impact": "High",
              "Public": "20200124",
              "CveID": "CVE-2019-1350"
            },
            {
              "Cvss": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
              "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "Cwe": "CWE-706",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1351",
              "Impact": "High",
              "Public": "20200124",
              "CveID": "CVE-2019-1351"
            },
            {
              "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "Cwe": "CWE-20",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1352",
              "Impact": "High",
              "Public": "20200124",
              "CveID": "CVE-2019-1352"
            },
            {
              "Cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "Cwe": "NVD-CWE-Other",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1353",
              "Impact": "Critical",
              "Public": "20200124",
              "CveID": "CVE-2019-1353"
            },
            {
              "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "Cwe": "CWE-20",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1354",
              "Impact": "High",
              "Public": "20200124",
              "CveID": "CVE-2019-1354"
            },
            {
              "Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
              "Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "Cwe": "NVD-CWE-noinfo",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1387",
              "Impact": "High",
              "Public": "20191218",
              "CveID": "CVE-2019-1387"
            },
            {
              "Cvss": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
              "Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "Cwe": "CWE-78",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-19604",
              "Impact": "High",
              "Public": "20191211",
              "CveID": "CVE-2019-19604"
            }
          ],
          "Bugzilla": [
            {
              "Id": "37426",
              "Href": "https://bugzilla.altlinux.org/37426",
              "Data": "git completion location"
            },
            {
              "Id": "37432",
              "Href": "https://bugzilla.altlinux.org/37432",
              "Data": "git не подхватывает git-subtree из пакета git-contrib"
            }
          ],
          "AffectedCpeList": {
            "Cpe": [
              "cpe:/o:alt:kworkstation:9",
              "cpe:/o:alt:workstation:9",
              "cpe:/o:alt:server:9",
              "cpe:/o:alt:server-v:9",
              "cpe:/o:alt:education:9",
              "cpe:/o:alt:slinux:9",
              "cpe:/o:alt:starterkit:p9",
              "cpe:/o:alt:kworkstation:9.1",
              "cpe:/o:alt:workstation:9.1",
              "cpe:/o:alt:server:9.1",
              "cpe:/o:alt:server-v:9.1",
              "cpe:/o:alt:education:9.1",
              "cpe:/o:alt:slinux:9.1",
              "cpe:/o:alt:starterkit:9.1",
              "cpe:/o:alt:kworkstation:9.2",
              "cpe:/o:alt:workstation:9.2",
              "cpe:/o:alt:server:9.2",
              "cpe:/o:alt:server-v:9.2",
              "cpe:/o:alt:education:9.2",
              "cpe:/o:alt:slinux:9.2",
              "cpe:/o:alt:starterkit:9.2"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:1001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259001",
                "Comment": "git is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259002",
                "Comment": "git-arch is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259003",
                "Comment": "git-contrib is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259004",
                "Comment": "git-core is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259005",
                "Comment": "git-cvs is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259006",
                "Comment": "git-diff-highlight is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259007",
                "Comment": "git-doc is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259008",
                "Comment": "git-email is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259009",
                "Comment": "git-full is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259010",
                "Comment": "git-gui is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259011",
                "Comment": "git-server is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259012",
                "Comment": "git-subtree is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259013",
                "Comment": "git-svn is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259014",
                "Comment": "gitk is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259015",
                "Comment": "gitweb is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259016",
                "Comment": "libgit-devel is earlier than 0:2.24.1-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20193259017",
                "Comment": "perl-Git is earlier than 0:2.24.1-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}