vuln-list-alt/oval/p10/ALT-PU-2021-1784/definitions.json

{
  "Definition": [
    {
      "ID": "oval:org.altlinux.errata:def:20211784",
      "Version": "oval:org.altlinux.errata:def:20211784",
      "Class": "patch",
      "Metadata": {
        "Title": "ALT-PU-2021-1784: package `python3` update to version 3.9.5-alt1",
        "AffectedList": [
          {
            "Family": "unix",
            "Platforms": [
              "ALT Linux branch p10"
            ],
            "Products": [
              "ALT Server",
              "ALT Virtualization Server",
              "ALT Workstation",
              "ALT Workstation K",
              "ALT Education",
              "Simply Linux",
              "Starterkit"
            ]
          }
        ],
        "References": [
          {
            "RefID": "ALT-PU-2021-1784",
            "RefURL": "https://errata.altlinux.org/ALT-PU-2021-1784",
            "Source": "ALTPU"
          },
          {
            "RefID": "BDU:2021-04696",
            "RefURL": "https://bdu.fstec.ru/vul/2021-04696",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2022-02302",
            "RefURL": "https://bdu.fstec.ru/vul/2022-02302",
            "Source": "BDU"
          },
          {
            "RefID": "BDU:2022-05838",
            "RefURL": "https://bdu.fstec.ru/vul/2022-05838",
            "Source": "BDU"
          },
          {
            "RefID": "CVE-2021-29921",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-29921",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2021-3733",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733",
            "Source": "CVE"
          },
          {
            "RefID": "CVE-2022-0391",
            "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-0391",
            "Source": "CVE"
          }
        ],
        "Description": "This update upgrades python3 to version 3.9.5-alt1. \nSecurity Fix(es):\n\n * BDU:2021-04696: Уязвимость библиотеки ipaddress интерпретатора языка программирования Python, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * BDU:2022-02302: Уязвимость модуля urllib.parse интерпретатора языка программирования Python, позволяющая нарушителю внедрить произвольные данные в ответ сервера\n\n * BDU:2022-05838: Уязвимость класса AbstractBasicAuthHandler компонента urllib.request интерпретатора языка программирования Python, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2021-29921: In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.\n\n * CVE-2021-3733: There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.\n\n * CVE-2022-0391: A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.",
        "Advisory": {
          "From": "errata.altlinux.org",
          "Severity": "Critical",
          "Rights": "Copyright 2024 BaseALT Ltd.",
          "Issued": {
            "Date": "2021-05-11"
          },
          "Updated": {
            "Date": "2021-05-11"
          },
          "BDUs": [
            {
              "ID": "BDU:2021-04696",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "CWE": "CWE-20",
              "Href": "https://bdu.fstec.ru/vul/2021-04696",
              "Impact": "Critical",
              "Public": "20190320"
            },
            {
              "ID": "BDU:2022-02302",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
              "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "CWE": "CWE-74, CWE-93",
              "Href": "https://bdu.fstec.ru/vul/2022-02302",
              "Impact": "High",
              "Public": "20220209"
            },
            {
              "ID": "BDU:2022-05838",
              "CVSS": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
              "CVSS3": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-400",
              "Href": "https://bdu.fstec.ru/vul/2022-05838",
              "Impact": "Low",
              "Public": "20210130"
            }
          ],
          "CVEs": [
            {
              "ID": "CVE-2021-29921",
              "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "CWE": "NVD-CWE-Other",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-29921",
              "Impact": "Critical",
              "Public": "20210506"
            },
            {
              "ID": "CVE-2021-3733",
              "CVSS": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "CWE": "CWE-400",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733",
              "Impact": "Low",
              "Public": "20220310"
            },
            {
              "ID": "CVE-2022-0391",
              "CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
              "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "CWE": "CWE-74",
              "Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-0391",
              "Impact": "High",
              "Public": "20220209"
            }
          ],
          "AffectedCPEs": {
            "CPEs": [
              "cpe:/o:alt:kworkstation:10",
              "cpe:/o:alt:workstation:10",
              "cpe:/o:alt:server:10",
              "cpe:/o:alt:server-v:10",
              "cpe:/o:alt:education:10",
              "cpe:/o:alt:slinux:10",
              "cpe:/o:alt:starterkit:p10",
              "cpe:/o:alt:kworkstation:10.1",
              "cpe:/o:alt:workstation:10.1",
              "cpe:/o:alt:server:10.1",
              "cpe:/o:alt:server-v:10.1",
              "cpe:/o:alt:education:10.1",
              "cpe:/o:alt:slinux:10.1",
              "cpe:/o:alt:starterkit:10.1",
              "cpe:/o:alt:kworkstation:10.2",
              "cpe:/o:alt:workstation:10.2",
              "cpe:/o:alt:server:10.2",
              "cpe:/o:alt:server-v:10.2",
              "cpe:/o:alt:education:10.2",
              "cpe:/o:alt:slinux:10.2",
              "cpe:/o:alt:starterkit:10.2"
            ]
          }
        }
      },
      "Criteria": {
        "Operator": "AND",
        "Criterions": [
          {
            "TestRef": "oval:org.altlinux.errata:tst:2001",
            "Comment": "ALT Linux must be installed"
          }
        ],
        "Criterias": [
          {
            "Operator": "OR",
            "Criterions": [
              {
                "TestRef": "oval:org.altlinux.errata:tst:20211784001",
                "Comment": "libpython3 is earlier than 0:3.9.5-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20211784002",
                "Comment": "python3 is earlier than 0:3.9.5-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20211784003",
                "Comment": "python3-base is earlier than 0:3.9.5-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20211784004",
                "Comment": "python3-dev is earlier than 0:3.9.5-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20211784005",
                "Comment": "python3-modules-curses is earlier than 0:3.9.5-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20211784006",
                "Comment": "python3-modules-sqlite3 is earlier than 0:3.9.5-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20211784007",
                "Comment": "python3-modules-tkinter is earlier than 0:3.9.5-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20211784008",
                "Comment": "python3-test is earlier than 0:3.9.5-alt1"
              },
              {
                "TestRef": "oval:org.altlinux.errata:tst:20211784009",
                "Comment": "python3-tools is earlier than 0:3.9.5-alt1"
              }
            ]
          }
        ]
      }
    }
  ]
}