pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vuln-list-alt/oval/p10/ALT-PU-2023-8071/definitions.json
pepelyaevip 9d72b75f75 ALT Vulnerability
2024-12-12 21:07:30 +00:00

228 lines
10 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20238071",
"Version": "oval:org.altlinux.errata:def:20238071",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2023-8071: package `python3-module-cryptography` update to version 41.0.7-alt0.p10.1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p10"
],
"Products": [
"ALT Server",
"ALT Virtualization Server",
"ALT Workstation",
"ALT Workstation K",
"ALT Education",
"Simply Linux",
"Starterkit",
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2023-8071",
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-8071",
"Source": "ALTPU"
},
{
"RefID": "BDU:2022-05229",
"RefURL": "https://bdu.fstec.ru/vul/2022-05229",
"Source": "BDU"
},
{
"RefID": "BDU:2022-05647",
"RefURL": "https://bdu.fstec.ru/vul/2022-05647",
"Source": "BDU"
},
{
"RefID": "BDU:2023-02656",
"RefURL": "https://bdu.fstec.ru/vul/2023-02656",
"Source": "BDU"
},
{
"RefID": "BDU:2023-05436",
"RefURL": "https://bdu.fstec.ru/vul/2023-05436",
"Source": "BDU"
},
{
"RefID": "CVE-2016-9243",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-9243",
"Source": "CVE"
},
{
"RefID": "CVE-2020-25659",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-25659",
"Source": "CVE"
},
{
"RefID": "CVE-2020-36242",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-36242",
"Source": "CVE"
},
{
"RefID": "CVE-2023-23931",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-23931",
"Source": "CVE"
},
{
"RefID": "CVE-2023-38325",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-38325",
"Source": "CVE"
},
{
"RefID": "CVE-2023-49083",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-49083",
"Source": "CVE"
}
],
"Description": "This update upgrades python3-module-cryptography to version 41.0.7-alt0.p10.1. \nSecurity Fix(es):\n\n * BDU:2022-05229: Уязвимость пакета cryptography интерпретатора языка программирования Python, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2022-05647: Уязвимость пакета python-cryptography интерпретатора языка программирования Python, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2023-02656: Уязвимость функции Cipher.update_into пакета cryptography интерпретатора языка программирования Python, позволяющая нарушителю оказать воздействие на целостность и доступность выходных данных\n\n * BDU:2023-05436: Уязвимость пакета cryptography интерпретатора языка программирования Python, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю выполнить атаку типа \u0026quot;человек посередине\u0026quot;\n\n * CVE-2016-9243: HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.\n\n * CVE-2020-25659: python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.\n\n * CVE-2020-36242: In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.\n\n * CVE-2023-23931: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.\n\n * CVE-2023-38325: The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.\n\n * CVE-2023-49083: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.\n\n * #48610: Оставляет мусор",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-01-29"
},
"Updated": {
"Date": "2024-09-18"
},
"BDUs": [
{
"ID": "BDU:2022-05229",
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"CWE": "CWE-190, CWE-787",
"Href": "https://bdu.fstec.ru/vul/2022-05229",
"Impact": "Critical",
"Public": "20210207"
},
{
"ID": "BDU:2022-05647",
"CVSS": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-385",
"Href": "https://bdu.fstec.ru/vul/2022-05647",
"Impact": "Low",
"Public": "20210111"
},
{
"ID": "BDU:2023-02656",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"CWE": "CWE-754",
"Href": "https://bdu.fstec.ru/vul/2023-02656",
"Impact": "Low",
"Public": "20230208"
},
{
"ID": "BDU:2023-05436",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "CWE-295",
"Href": "https://bdu.fstec.ru/vul/2023-05436",
"Impact": "High",
"Public": "20230714"
}
],
"CVEs": [
{
"ID": "CVE-2016-9243",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-9243",
"Impact": "High",
"Public": "20170327"
},
{
"ID": "CVE-2020-25659",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "NVD-CWE-Other",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-25659",
"Impact": "Low",
"Public": "20210111"
},
{
"ID": "CVE-2020-36242",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"CWE": "CWE-787",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-36242",
"Impact": "Critical",
"Public": "20210207"
},
{
"ID": "CVE-2023-23931",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-23931",
"Impact": "Low",
"Public": "20230207"
},
{
"ID": "CVE-2023-38325",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-38325",
"Impact": "High",
"Public": "20230714"
},
{
"ID": "CVE-2023-49083",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-49083",
"Impact": "High",
"Public": "20231129"
}
],
"Bugzilla": [
{
"ID": "48610",
"Href": "https://bugzilla.altlinux.org/48610",
"Data": "Оставляет мусор"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:kworkstation:10",
"cpe:/o:alt:workstation:10",
"cpe:/o:alt:server:10",
"cpe:/o:alt:server-v:10",
"cpe:/o:alt:education:10",
"cpe:/o:alt:slinux:10",
"cpe:/o:alt:starterkit:10",
"cpe:/o:alt:starterkit:p10",
"cpe:/o:alt:container:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:2001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20238071001",
"Comment": "python3-module-cryptography is earlier than 0:41.0.7-alt0.p10.1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink