vuln-list-alt/oval/p10/ALT-PU-2023-5843/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20235843",
      "Version": "oval:org.altlinux.errata:def:20235843",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2023-5843: package `squid` update to version 6.3-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch p10"
            ],
            "Products": [
              "ALT Server",
              "ALT Virtualization Server",
              "ALT Workstation",
              "ALT Workstation K",
              "ALT Education",
              "Simply Linux",
              "Starterkit"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2023-5843",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2023-5843",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2022-04051",
            "RefURL": "https://bdu.fstec.ru/vul/2022-04051",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2023-00066",
            "RefURL": "https://bdu.fstec.ru/vul/2023-00066",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2023-01309",
            "RefURL": "https://bdu.fstec.ru/vul/2023-01309",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2021-46784",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-46784",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2022-41317",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-41317",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2022-41318",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-41318",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades squid to version 6.3-alt1. \nSecurity Fix(es):\n\n * BDU:2022-04051: Уязвимость реализации сетевого протокола Gopher прокси-сервера Squid, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2023-00066: Уязвимость кэширующего прокси-сервера Squid, связанная с неправильным контролем доступа, позволяющая нарушителю получить доступ к конфиденциальной информации\n\n * BDU:2023-01309: Уязвимость интерфейса Security Support Provider Interface (SSPI) и реализации  сетевого протокола Server Message Block (SMB) прокси-сервера Squid, позволяющая нарушителю раскрыть защищаемую информацию или вызвать отказ в обслуживании\n\n * CVE-2021-46784: In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.\n\n * CVE-2022-41317: An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.\n\n * CVE-2022-41318: A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.\n\n * #47423: Невозможно получить доступ к cache manager из под squidclient",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "High",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2023-09-26"
          },
          "Updated": {
            "Date": "2023-09-26"
          },
          "BDUs": [
            {
              "ID": "BDU:2022-04051",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
              "CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "CWE": "CWE-617",
              "Href": "https://bdu.fstec.ru/vul/2022-04051",
              "Impact": "Low",
              "Public": "20210220"
            },
            {
              "ID": "BDU:2023-00066",
              "CVSS": "AV:N/AC:L/Au:S/C:C/I:N/A:N",
              "CVSS3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "CWE": "CWE-284",
              "Href": "https://bdu.fstec.ru/vul/2023-00066",
              "Impact": "Low",
              "Public": "20221225"
            },
            {
              "ID": "BDU:2023-01309",
              "CVSS": "AV:N/AC:H/Au:N/C:C/I:P/A:C",
              "CVSS3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H",
              "CWE": "CWE-125, CWE-126",
              "Href": "https://bdu.fstec.ru/vul/2023-01309",
              "Impact": "High",
              "Public": "20220923"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2021-46784",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-617",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-46784",
              "Impact": "Low",
              "Public": "20220717"
            },
            {
              "ID": "CVE-2022-41317",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "CWE": "CWE-697",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-41317",
              "Impact": "Low",
              "Public": "20221225"
            },
            {
              "ID": "CVE-2022-41318",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
              "CWE": "CWE-190",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-41318",
              "Impact": "High",
              "Public": "20221225"
            }
          ],
          "Bugzilla": [
            {
              "ID": "47423",
              "Href": "https://bugzilla.altlinux.org/47423",
              "Data": "Невозможно получить доступ к cache manager из под squidclient"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:kworkstation:10",
              "cpe:/o:alt:workstation:10",
              "cpe:/o:alt:server:10",
              "cpe:/o:alt:server-v:10",
              "cpe:/o:alt:education:10",
              "cpe:/o:alt:slinux:10",
              "cpe:/o:alt:starterkit:p10",
              "cpe:/o:alt:kworkstation:10.1",
              "cpe:/o:alt:workstation:10.1",
              "cpe:/o:alt:server:10.1",
              "cpe:/o:alt:server-v:10.1",
              "cpe:/o:alt:education:10.1",
              "cpe:/o:alt:slinux:10.1",
              "cpe:/o:alt:starterkit:10.1",
              "cpe:/o:alt:kworkstation:10.2",
              "cpe:/o:alt:workstation:10.2",
              "cpe:/o:alt:server:10.2",
              "cpe:/o:alt:server-v:10.2",
              "cpe:/o:alt:education:10.2",
              "cpe:/o:alt:slinux:10.2",
              "cpe:/o:alt:starterkit:10.2"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:2001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20235843001",
                "Comment": "squid is earlier than 0:6.3-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20235843002",
                "Comment": "squid-doc is earlier than 0:6.3-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20235843003",
                "Comment": "squid-helpers is earlier than 0:6.3-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}