{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20245117",
|
||
"Version": "oval:org.altlinux.errata:def:20245117",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2024-5117: package `thunderbird` update to version 115.9.0-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch p10"
|
||
],
|
||
"Products": [
|
||
"ALT Server",
|
||
"ALT Virtualization Server",
|
||
"ALT Workstation",
|
||
"ALT Workstation K",
|
||
"ALT Education",
|
||
"Simply Linux",
|
||
"Starterkit",
|
||
"ALT Container"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2024-5117",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-5117",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2023-06938",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2023-06938",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2024-00804",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2024-00804",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2024-02315",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2024-02315",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2024-02316",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2024-02316",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2024-02323",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2024-02323",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2024-02327",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2024-02327",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2024-02329",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2024-02329",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2024-02333",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2024-02333",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2024-02334",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2024-02334",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2023-5388",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-5388",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-0743",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-0743",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-2605",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-2605",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-2607",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-2607",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-2608",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-2608",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-2610",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-2610",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-2611",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-2611",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-2612",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-2612",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-2614",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-2614",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2024-2616",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-2616",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades thunderbird to version 115.9.0-alt1. \nSecurity Fix(es):\n\n * BDU:2023-06938: Уязвимость реализации стандартов PKCS#1 v1.5, OAEP и RSASVP набора библиотек NSS (Network Security Services), позволяющая нарушителю реализовать атаку Блейхенбахера (Bleichenbacher) или атаку Марвина (Marvin)\n\n * BDU:2024-00804: Уязвимость браузера Mozilla Firefox, связанная с непроверенным возвращаемым значением, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2024-02315: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-02316: Уязвимость функций AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding() и AppendEncodedCharacters() браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-02323: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, существующая из-за непринятия мер по защите структуры веб-страницы, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2024-02327: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с копированием буфера без проверки размера входных данных, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-02329: Уязвимость службы регистрации ошибок Windows Error Reporter браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird операционных систем Windows, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-02333: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с использованием памяти после ее освобождения, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2024-02334: Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с 
ошибками представления информации пользовательским интерфейсом, позволяющая нарушителю получить разрешения от пользователя\n\n * CVE-2023-5388: NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox \u003c 124, Firefox ESR \u003c 115.9, and Thunderbird \u003c 115.9.\n\n * CVE-2024-0743: An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox \u003c 122, Firefox ESR \u003c 115.9, and Thunderbird \u003c 115.9.\n\n * CVE-2024-2605: An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. *Note:* This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox \u003c 124, Firefox ESR \u003c 115.9, and Thunderbird \u003c 115.9.\n\n * CVE-2024-2607: Return registers were overwritten which could have allowed an attacker to execute arbitrary code. *Note:* This issue only affected Armv7-A systems. Other operating systems are unaffected. This vulnerability affects Firefox \u003c 124, Firefox ESR \u003c 115.9, and Thunderbird \u003c 115.9.\n\n * CVE-2024-2608: `AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding()` and `AppendEncodedCharacters()` could have experienced integer overflows, causing underallocation of an output buffer leading to an out of bounds write. This vulnerability affects Firefox \u003c 124, Firefox ESR \u003c 115.9, and Thunderbird \u003c 115.9.\n\n * CVE-2024-2610: Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. 
This vulnerability affects Firefox \u003c 124, Firefox ESR \u003c 115.9, and Thunderbird \u003c 115.9.\n\n * CVE-2024-2611: A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. This vulnerability affects Firefox \u003c 124, Firefox ESR \u003c 115.9, and Thunderbird \u003c 115.9.\n\n * CVE-2024-2612: If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox \u003c 124, Firefox ESR \u003c 115.9, and Thunderbird \u003c 115.9.\n\n * CVE-2024-2614: Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 124, Firefox ESR \u003c 115.9, and Thunderbird \u003c 115.9.\n\n * CVE-2024-2616: To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. This vulnerability affects Firefox ESR \u003c 115.9 and Thunderbird \u003c 115.9.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "High",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2024-04-08"
|
||
},
|
||
"Updated": {
|
||
"Date": "2024-04-08"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2023-06938",
|
||
"CVSS": "AV:N/AC:L/Au:S/C:C/I:C/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-208",
|
||
"Href": "https://bdu.fstec.ru/vul/2023-06938",
|
||
"Impact": "Low",
|
||
"Public": "20231004"
|
||
},
|
||
{
|
||
"ID": "BDU:2024-00804",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-252",
|
||
"Href": "https://bdu.fstec.ru/vul/2024-00804",
|
||
"Impact": "High",
|
||
"Public": "20240123"
|
||
},
|
||
{
|
||
"ID": "BDU:2024-02315",
|
||
"CVSS": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-119, CWE-1262",
|
||
"Href": "https://bdu.fstec.ru/vul/2024-02315",
|
||
"Impact": "High",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "BDU:2024-02316",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-190, CWE-787",
|
||
"Href": "https://bdu.fstec.ru/vul/2024-02316",
|
||
"Impact": "High",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "BDU:2024-02323",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||
"CWE": "CWE-79, CWE-254",
|
||
"Href": "https://bdu.fstec.ru/vul/2024-02323",
|
||
"Impact": "Low",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "BDU:2024-02327",
|
||
"CVSS": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-119, CWE-120",
|
||
"Href": "https://bdu.fstec.ru/vul/2024-02327",
|
||
"Impact": "High",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "BDU:2024-02329",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-254",
|
||
"Href": "https://bdu.fstec.ru/vul/2024-02329",
|
||
"Impact": "High",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "BDU:2024-02333",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||
"CWE": "CWE-416",
|
||
"Href": "https://bdu.fstec.ru/vul/2024-02333",
|
||
"Impact": "Low",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "BDU:2024-02334",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
||
"CWE": "CWE-449, CWE-450",
|
||
"Href": "https://bdu.fstec.ru/vul/2024-02334",
|
||
"Impact": "Low",
|
||
"Public": "20240319"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2023-5388",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-5388",
|
||
"Impact": "None",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-0743",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-252",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-0743",
|
||
"Impact": "High",
|
||
"Public": "20240123"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-2605",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-2605",
|
||
"Impact": "None",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-2607",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-2607",
|
||
"Impact": "None",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-2608",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-2608",
|
||
"Impact": "None",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-2610",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-2610",
|
||
"Impact": "None",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-2611",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-2611",
|
||
"Impact": "None",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-2612",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-2612",
|
||
"Impact": "None",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-2614",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-2614",
|
||
"Impact": "None",
|
||
"Public": "20240319"
|
||
},
|
||
{
|
||
"ID": "CVE-2024-2616",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-2616",
|
||
"Impact": "None",
|
||
"Public": "20240319"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:kworkstation:10",
|
||
"cpe:/o:alt:workstation:10",
|
||
"cpe:/o:alt:server:10",
|
||
"cpe:/o:alt:server-v:10",
|
||
"cpe:/o:alt:education:10",
|
||
"cpe:/o:alt:slinux:10",
|
||
"cpe:/o:alt:starterkit:10",
|
||
"cpe:/o:alt:starterkit:p10",
|
||
"cpe:/o:alt:container:10"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:2001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20245117001",
|
||
"Comment": "rpm-build-thunderbird is earlier than 0:115.9.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20245117002",
|
||
"Comment": "thunderbird is earlier than 0:115.9.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20245117003",
|
||
"Comment": "thunderbird-wayland is earlier than 0:115.9.0-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |