release v0.1.2

Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cvrf2cusa"
-version = "0.1.1"
+version = "0.1.2"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

README.md

@@ -1,4 +1,6 @@
-这个应用于 CULinux VAT 系统中，将 openEuler 的 cvrf 格式的安全公告转换为 cusa。
+# 这个应用于 CULinux VAT 系统中，将 openEuler 的 cvrf 格式的安全公告转换为 cusa。
+
+## 使用方法
 
 ```
 $ cvrf2cusa -h
@@ -15,3 +17,7 @@ Options:
   -h, --help     Print help
   -V, --version  Print version
 ```
+
+## 变更日志
+
+- *v0.1.2*：更新目录结构，以组件的小写首字母作二级目录。

cusa/3/three-eight-nine-ds-base/389-ds-base-1.4.3.20-1_openEuler-SA-2022-2056.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-2056",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2056",
   "title": "An update for three-eight-nine-ds-base is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.(CVE-2020-35518)",
   "cves": [
     {
       "id": "CVE-2020-35518",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35518",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/3/three-eight-nine-ds-base/389-ds-base-1.4.3.36-5_openEuler-SA-2024-1148.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1148",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1148",
   "title": "An update for three-eight-nine-ds-base is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.(CVE-2024-1062)",
   "cves": [
     {
       "id": "CVE-2024-1062",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1062",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.0.28-1_openEuler-SA-2022-1670.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1670",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1670",
   "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggered when an attacker passes a specially crafted DICOM image file to ImageMagick for conversion, potentially leading to information disclosure and a denial of service.(CVE-2022-1114)",
   "cves": [
     {
       "id": "CVE-2022-1114",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1114",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.0.28-3_openEuler-SA-2022-1896.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1896",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1896",
   "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn ImageMagick, a crafted file could trigger an assertion failure when a call to WriteImages was made in MagickWand/operation.c, due to a NULL image list. This could potentially cause a denial of service. This was fixed in upstream ImageMagick version 7.1.0-30.(CVE-2022-2719)",
   "cves": [
     {
       "id": "CVE-2022-2719",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2719",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.0.28-3_openEuler-SA-2022-1903.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1903",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1903",
   "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.(CVE-2022-1115)",
   "cves": [
     {
       "id": "CVE-2022-1115",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1115",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.0.28-4_openEuler-SA-2022-1998.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1998",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1998",
   "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap buffer overflow issue was found in ImageMagick. When an application processes a malformed TIFF file, it could lead to undefined behavior or a crash causing a denial of service.(CVE-2022-3213)",
   "cves": [
     {
       "id": "CVE-2022-3213",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3213",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.0.28-4_openEuler-SA-2022-2091.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-2091",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2091",
   "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain=\"module\" rights=\"none\" pattern=\"PS\" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain=\"coder\" rights=\"none\" pattern=\"{PS,EPI,EPS,EPSF,EPSI}\" />.(CVE-2021-39212)\r\n\r\nA NULL pointer dereference flaw was found in ImageMagick in versions prior to 7.0.10-31 in ReadSVGImage() in coders/svg.c. This issue is due to not checking the return value from libxml2's xmlCreatePushParserCtxt() and uses the value directly, which leads to a crash and segmentation fault.(CVE-2021-3596)",
   "cves": [
     {
       "id": "CVE-2021-3596",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3596",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.0.28-5_openEuler-SA-2022-2109.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-2109",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2109",
   "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR,WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ImageMagick, there is load of misaligned address for type 'double', which requires 8 byte alignment and for type 'float', which requires 4 byte alignment at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact to application availability or other problems related to undefined behavior.(CVE-2022-32547)",
   "cves": [
     {
       "id": "CVE-2022-32547",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32547",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.0.28-6_openEuler-SA-2023-1065.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1065",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1065",
   "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Important",
+  "severity": "High",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR,WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input.(CVE-2022-44267)\r\n\r\nImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).(CVE-2022-44268)",
   "cves": [
     {
       "id": "CVE-2022-44268",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44268",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.1.8-1_openEuler-SA-2023-1259.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1259",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1259",
   "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in \"/tmp,\" resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.(CVE-2023-1289)\r\n\r\nA heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.(CVE-2023-1906)",
   "cves": [
     {
       "id": "CVE-2023-1906",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1906",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.1.8-1_openEuler-SA-2023-1332.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1332",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1332",
   "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow vulnerability was found in the ImageMagick package that can lead to the application crashing.(CVE-2023-2157)",
   "cves": [
     {
       "id": "CVE-2023-2157",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2157",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.1.8-2_openEuler-SA-2023-1349.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1349",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1349",
   "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).(CVE-2023-34151)\n\nA vulnerability was found in ImageMagick. This security flaw causes a shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding.(CVE-2023-34153)",
   "cves": [
     {
       "id": "CVE-2023-34153",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34153",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.1.8-3_openEuler-SA-2023-1407.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1407",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1407",
   "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA heap-based buffer overflow issue was discovered in ImageMagick's ReadTIM2ImageData() function in coders/tim2.c. A local attacker could trick the user in opening specially crafted file, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.(CVE-2023-34474)\n\nA heap use after free issue was discovered in ImageMagick's ReplaceXmpValue() function in MagickCore/profile.c. An attacker could trick user to open a specially crafted file to convert, triggering an heap-use-after-free write error, allowing an application to crash, resulting in a denial of service.(CVE-2023-34475)",
   "cves": [
     {
       "id": "CVE-2023-34475",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34475",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.1.8-4_openEuler-SA-2023-1442.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1442",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1442",
   "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA vulnerability was found in ImageMagick <=7.1.1, where heap-based buffer overflow was found in coders/tiff.c.\n\nReferences:\nhttps://github.com/ImageMagick/ImageMagick/commit/a531d28e31309676ce8168c3b6dbbb5374b78790(CVE-2023-3428)",
   "cves": [
     {
       "id": "CVE-2023-3428",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3428",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/ImageMagick/ImageMagick-7.1.1.8-5_openEuler-SA-2023-1733.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1733",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1733",
   "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in ImageMagick <=7.1.1, where heap use-after-free was found in coders/bmp.c.\r\n\r\nReferences:\nhttps://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1(CVE-2023-5341)",
   "cves": [
     {
       "id": "CVE-2023-5341",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5341",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/iSulad/iSulad-2.0.18-16_openEuler-SA-2024-1287.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1287",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1287",
   "title": "An update for iSulad is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "This is a umbrella project for gRPC-services based Lightweight Container Runtime Daemon, written by C.\r\n\r\nSecurity Fix(es):\r\n\r\n在isulad服务初始化阶段，会进行临时文件的正确性检查，如果检查不通过则重新创建文件，在检查与创建之间，存在一个条件竞争问题，攻击者可以通过利用该漏洞进行提权。(CVE-2021-33632)",
   "cves": [
     {
       "id": "CVE-2021-33632",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33632",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/I/indent/indent-2.2.11-29_openEuler-SA-2023-1552.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1552",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1552",
   "title": "An update for indent is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "The indent program can be used to make code easier to read. It can also convert from one style of writing C to another. indent understands a substantial amount about the syntax of C, but it also attempts to cope with incomplete and misformed syntax.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU indent 2.2.13 has a heap-based buffer overflow in search_brace in indent.c via a crafted file.(CVE-2023-40305)",
   "cves": [
     {
       "id": "CVE-2023-40305",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40305",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/I/indent/indent-2.2.11-30_openEuler-SA-2024-1199.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1199",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1199",
   "title": "An update for indent is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "The indent program can be used to make code easier to read. It can also convert from one style of writing C to another. indent understands a substantial amount about the syntax of C, but it also attempts to cope with incomplete and misformed syntax.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in indent, a program for formatting C code. This issue may allow an attacker to trick a user into processing a specially crafted file to trigger a heap-based buffer overflow, causing the application to crash.(CVE-2024-0911)",
   "cves": [
     {
       "id": "CVE-2024-0911",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0911",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/infinispan/infinispan-8.2.4-13_openEuler-SA-2024-1667.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1667",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1667",
   "title": "An update for infinispan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Important",
+  "severity": "High",
   "description": "Infinispan is an extremely scalable, highly available data grid platform - 100% open source, and written in Java. The purpose of Infinispan is to expose a data structure that is highly concurrent, designed ground-up to make the most of modern multi-processor/multi-core architectures while at the same time providing distributed cache capabilities.  At its core Infinispan exposes a Cache interface which extends java.util.Map. It is also optionally is backed by a peer-to-peer network architecture to distribute state efficiently around a data grid.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.(CVE-2019-10174)",
   "cves": [
     {
       "id": "CVE-2019-10174",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/I/iniparser/iniparser-4.1-4_openEuler-SA-2023-1388.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1388",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1388",
   "title": "An update for iniparser is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "This modules offers parsing of ini files from the C level. See a complete documentation in HTML format, from this directory open the file html/index.html with any HTML-capable browser.\r\n\r\nSecurity Fix(es):\r\n\r\niniparser v4.1 is vulnerable to NULL Pointer Dereference in function iniparser_getlongint which misses check NULL for function iniparser_getstring's return.(CVE-2023-33461)",
   "cves": [
     {
       "id": "CVE-2023-33461",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33461",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/intel-sgx-ssl/intel-sgx-ssl-2.15.1-2_openEuler-SA-2022-1898.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1898",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1898",
   "title": "An update for intel-sgx-ssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "The Intel® Software Guard Extensions SSL (Intel® SGX SSL) cryptographic library is intended to provide cryptographic services for Intel® Software Guard Extensions (SGX) enclave applications. The Intel® SGX SSL cryptographic library is based on the underlying OpenSSL* Open Source project, providing a full-strength general purpose cryptography library. Supported OpenSSL version is 1.1.1l.\r\n\r\nSecurity Fix(es):\r\n\r\nThe c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).(CVE-2022-1292)\r\n\r\nIn addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).(CVE-2022-2068)\r\n\r\nAES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).(CVE-2022-2097)\r\n\r\nThe BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).(CVE-2022-0778)",
   "cves": [
     {
       "id": "CVE-2022-0778",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/iperf3/iperf3-3.10.1-2_openEuler-SA-2023-1497.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1497",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1497",
   "title": "An update for iperf3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\niperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field.(CVE-2023-38403)",
   "cves": [
     {
       "id": "CVE-2023-38403",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38403",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/I/iperf3/iperf3-3.16-1_openEuler-SA-2024-1418.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1418",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1418",
   "title": "An update for iperf3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service.(CVE-2023-7250)",
   "cves": [
     {
       "id": "CVE-2023-7250",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7250",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/OpenEXR/OpenEXR-3.1.5-1_openEuler-SA-2022-1639.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1639",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1639",
   "title": "An update for OpenEXR is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light and Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\nOpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.(CVE-2021-45942)",
   "cves": [
     {
       "id": "CVE-2021-45942",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45942",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/OpenEXR/OpenEXR-3.1.5-3_openEuler-SA-2024-1549.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1549",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1549",
   "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp.(CVE-2024-31047)",
   "cves": [
     {
       "id": "CVE-2024-31047",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31047",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/open-vm-tools/open-vm-tools-12.0.5-3_openEuler-SA-2023-1629.json

@@ -2,7 +2,7 @@
   "id": "openEuler-SA-2023-1629",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1629",
   "title": "An update for open-vm-tools is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "The  project is an open source implementation of VMware Tools. It is a suite of open source virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines. This package contains only the core user-space programs and libraries of .\r\n\r\nSecurity Fix(es):\r\n\r\nA fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.(CVE-2023-20867)\r\n\r\nA malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .(CVE-2023-20900)",
   "cves": [
     {

cusa/O/open-vm-tools/open-vm-tools-12.0.5-4_openEuler-SA-2023-1831.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1831",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1831",
   "title": "An update for open-vm-tools is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "The  project is an open source implementation of VMware Tools. It is a suite of open source virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines. This package contains only the core user-space programs and libraries of .\r\n\r\nSecurity Fix(es):\r\n\r\nVMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .(CVE-2023-34058)\r\n\r\nopen-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the \n/dev/uinput file descriptor allowing them to simulate user inputs.(CVE-2023-34059)",
   "cves": [
     {
       "id": "CVE-2023-34059",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34059",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/openjpeg2/openjpeg2-2.4.0-6_openEuler-SA-2022-1678.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1678",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1678",
   "title": "An update for openjpeg2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a JPEG 2000 Reference Software.\r\n\nSecurity Fix(es):\r\n\r\nA flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.(CVE-2022-1122)",
   "cves": [
     {
       "id": "CVE-2022-1122",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1122",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/openldap/openldap-2.6.0-5_openEuler-SA-2023-1334.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1334",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1334",
   "title": "An update for openldap is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Important",
+  "severity": "High",
   "description": "OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.(CVE-2023-2953)",
   "cves": [
     {
       "id": "CVE-2023-2953",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2953",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/opensc/opensc-0.21.0-6_openEuler-SA-2022-1664.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1664",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1664",
   "title": "An update for opensc is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.(CVE-2021-42778)\n\nA use after return issue was found in Opensc before version 0.22.0 in insert_pin function that could potentially crash programs using the library.(CVE-2021-42780)\n\nStack buffer overflow issues were found in Opensc before version 0.22.0 in various places that could potentially crash programs using the library.(CVE-2021-42782)",
   "cves": [
     {
       "id": "CVE-2021-42782",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42782",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/openssh/openssh-8.8p1-17_openEuler-SA-2023-1063.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1063",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1063",
   "title": "An update for openssh is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nOpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration. One third-party report states \"remote code execution is theoretically possible.\"(CVE-2023-25136)",
   "cves": [
     {
       "id": "CVE-2023-25136",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25136",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/openssh/openssh-8.8p1-22_openEuler-SA-2023-1480.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1480",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1480",
   "title": "An update for openssh is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol.\r\n\r\nSecurity Fix(es):\r\n\r\nThe PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.(CVE-2023-38408)",
   "cves": [
     {
       "id": "CVE-2023-38408",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38408",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/openssh/openssh-8.8p1-23_openEuler-SA-2023-1977.json

@@ -8,7 +8,7 @@
     {
       "id": "CVE-2023-51385",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51385",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/openssl/openssl-1.1.1m-19_openEuler-SA-2023-1207.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1207",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1207",
   "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Important",
+  "severity": "High",
   "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nThe function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.(CVE-2023-0466)",
   "cves": [
     {
       "id": "CVE-2023-0466",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/openssl/openssl-1.1.1m-20_openEuler-SA-2023-1356.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1356",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1356",
   "title": "An update for openssl is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\n\nSecurity Fix(es):\n\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)",
   "cves": [
     {
       "id": "CVE-2023-2650",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/openssl/openssl-1.1.1m-21_openEuler-SA-2023-1466.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1466",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1466",
   "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\n\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\r\n\r\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446)",
   "cves": [
     {
       "id": "CVE-2023-3446",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/openssl/openssl-1.1.1m-22_openEuler-SA-2023-1481.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1481",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1481",
   "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\r\n\r\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3817)",
   "cves": [
     {
       "id": "CVE-2023-3817",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/openssl/openssl-1.1.1m-24_openEuler-SA-2023-1821.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1821",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1821",
   "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays.  Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\r\n\r\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\r\n\r\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\r\n\r\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\r\n\r\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions.  An application calling any of those other\nfunctions may similarly be affected.  The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\r\n\r\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\r\n\r\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\r\n\r\n(CVE-2023-5678)",
   "cves": [
     {
       "id": "CVE-2023-5678",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/openssl/openssl-1.1.1m-26_openEuler-SA-2024-1147.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1147",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1147",
   "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\r\n\r\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\r\n\r\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\r\n\r\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\r\n\r\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-0727)",
   "cves": [
     {
       "id": "CVE-2024-0727",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/openssl/openssl-1.1.1m-28_openEuler-SA-2024-1531.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1531",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1531",
   "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\r\n\r\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\r\n\r\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\r\n\r\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.(CVE-2024-2511)",
   "cves": [
     {
       "id": "CVE-2024-2511",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/openssl/openssl-1.1.1m-8_openEuler-SA-2022-1833.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1833",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1833",
   "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nAES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn t written. In the special case of in place encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).(CVE-2022-2097)",
   "cves": [
     {
       "id": "CVE-2022-2097",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/openvswitch/openvswitch-2.12.0-22_openEuler-SA-2022-1778.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1778",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1778",
   "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. An attacker could use this flaw to potentially exhaust available memory by keeping sending packet fragments.(CVE-2021-3905)",
   "cves": [
     {
       "id": "CVE-2021-3905",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3905",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/openvswitch/openvswitch-2.12.4-2_openEuler-SA-2023-1025.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1025",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1025",
   "title": "An update for openvswitch is now available for openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer underflow in Organization Specific TLV was found in various versions of OpenvSwitch.(CVE-2022-4338)",
   "cves": [
     {
       "id": "CVE-2022-4338",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4338",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/O/openvswitch/openvswitch-2.12.4-4_openEuler-SA-2023-1234.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1234",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1234",
   "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Important",
+  "severity": "High",
   "description": "Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.(CVE-2023-1668)",
   "cves": [
     {
       "id": "CVE-2023-1668",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1668",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/openvswitch/openvswitch-2.12.4-5_openEuler-SA-2023-1732.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1732",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1732",
   "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.(CVE-2023-5366)",
   "cves": [
     {
       "id": "CVE-2023-5366",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5366",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/openvswitch/openvswitch-2.12.4-7_openEuler-SA-2024-1207.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1207",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1207",
   "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Important",
+  "severity": "High",
   "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled.(CVE-2023-3966)",
   "cves": [
     {
       "id": "CVE-2023-3966",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3966",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/openvswitch/openvswitch-2.12.4-8_openEuler-SA-2024-1384.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1384",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1384",
   "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Important",
+  "severity": "High",
   "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-2639)",
   "cves": [
     {
       "id": "CVE-2022-2639",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2639",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/optipng/optipng-0.7.8-1_openEuler-SA-2023-1873.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1873",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1873",
   "title": "An update for optipng is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "OptiPNG is a PNG optimizer that recompresses image files to a smaller size, without losing any information. This program also converts external formats (BMP, GIF, PNM and TIFF) to optimized PNG, and performs PNG integrity checks and corrections.\r\n\r\nSecurity Fix(es):\r\n\r\nOptiPNG v0.7.7 was discovered to contain a global buffer overflow via the 'buffer' variable at gifread.c.(CVE-2023-43907)",
   "cves": [
     {
       "id": "CVE-2023-43907",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43907",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/O/opusfile/opusfile-0.11-5_openEuler-SA-2023-1062.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1062",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1062",
   "title": "An update for opusfile is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Important",
+  "severity": "High",
   "description": "The opusfile library provides seeking, decode, and playback of Opus streams in the Ogg container (.opus files) including over http(s) on posix and windows systems. opusfile depends on libopus and libogg.The included opusurl library for http(s) access depends on opusfile and openssl.\r\n\r\nSecurity Fix(es):\r\n\r\nA null pointer dereference issue was discovered in functions op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows attackers to cause denial of service or other unspecified impacts.(CVE-2022-47021)",
   "cves": [
     {
       "id": "CVE-2022-47021",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47021",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/a/A-Tune-Collector/atune-collector-1.1.0-8_openEuler-SA-2024-1273.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1273",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1273",
   "title": "An update for A-Tune-Collector is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "A-Tune-Collector is used to collect various system resources.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen the get method in the sched.py file in the A-Tune-Collector software package is used to obtain the process ID, shell command combination and injection risks exist. This flaw could lead to remote arbitrary command execution.(CVE-2024-24897)",
   "cves": [
     {
       "id": "CVE-2024-24897",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24897",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/a/activemq/activemq-5.16.7-1_openEuler-SA-2023-1925.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1925",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1925",
   "title": "An update for activemq is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "The most popular and powerful open source messaging and Integration Patterns server.\r\n\r\nSecurity Fix(es):\r\n\r\nOnce an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. \r\n\r\nIn details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia\r\n\r\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.\r\n\r\nInto deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest is able to invoke\nthrough refection.\r\n\r\nAnd then, RCE is able to be achieved via\njdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\r\n\r\n1 Call newRecording.\r\n\r\n2 Call setConfiguration. And a webshell data hides in it.\r\n\r\n3 Call startRecording.\r\n\r\n4 Call copyTo method. The webshell will be written to a .jsp file.\r\n\r\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.\nA more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n(CVE-2022-41678)",
   "cves": [
     {
       "id": "CVE-2022-41678",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41678",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/a/amanda/amanda-3.5.1-21_openEuler-SA-2023-1149.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1149",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1149",
   "title": "An update for amanda is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape or disk drive. Amanda uses native tools (such as GNUtar, dump) for backup and can back up a large number of workstations running multiple versions of Unix/Mac OS X/Linux/Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Amanda. The `runtar` SUID binary executes /usr/bin/tar as root without properly validating its arguments, possibly leading to escalation of privileges from the regular user \"amandabackup\" to root.(CVE-2022-37705)\r\n\r\nA flaw was found in Amanda. The `rundump` SUID binary executes /usr/sbin/dump as root without properly validating its arguments, possibly leading to escalation of privileges from the regular user \"amandabackup\" to root.(CVE-2022-37704)",
   "cves": [
     {
       "id": "CVE-2022-37704",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37704",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/a/amanda/amanda-3.5.4-1_openEuler-SA-2023-1507.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1507",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1507",
   "title": "An update for amanda is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape or disk drive. Amanda uses native tools (such as GNUtar, dump) for backup and can back up a large number of workstations running multiple versions of Unix/Mac OS X/Linux/Windows.\n\nSecurity Fix(es):\n\nAMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705.(CVE-2023-30577)",
   "cves": [
     {
       "id": "CVE-2023-30577",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30577",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/a/ansible/ansible-2.9.27-4_openEuler-SA-2024-1190.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1190",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1190",
   "title": "An update for ansible is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. %if 0 Provides:            ansible-python3 = - Obsoletes:           ansible-python3 < - BuildRequires:       python3-devel python3-setuptools BuildRequires:       python3-PyYAML python3-paramiko python3-crypto python3-packaging BuildRequires:       python3-pexpect python3-winrm BuildRequires:       git-core %if %with_docs BuildRequires:       python3-sphinx python3-sphinx-theme-alabaster asciidoc %endif BuildRequires:       python3-six python3-nose python3-pytest python3-pytest-xdist BuildRequires:       python3-pytest-mock python3-requests python3-coverage python3-mock BuildRequires:       python3-boto3 python3-botocore python3-passlib python3-jinja2 Requires:            python3-PyYAML python3-paramiko python3-crypto python3-setuptools python3-six Requires:            python3-jinja2 sshpass python3-jmespath %description Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. This package installs versions of ansible that execute on Python3. %endif\r\n\r\nSecurity Fix(es):\r\n\r\nAn information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.(CVE-2024-0690)",
   "cves": [
     {
       "id": "CVE-2024-0690",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0690",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/a/apache-commons-fileupload/apache-commons-fileupload-1.4-2_openEuler-SA-2023-1155.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1155",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1155",
   "title": "An update for apache-commons-fileupload is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Important",
+  "severity": "High",
   "description": "The javax.servlet package lacks support for RFC-1867, HTML file upload.  This package provides a simple to use API for working with such data.  The scope of this package is to create a package of Java utility classes to read multipart/form-data within a javax.servlet.http.HttpServletRequest.\r\n\r\nSecurity Fix(es):\r\n\r\nApache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.(CVE-2023-24998)",
   "cves": [
     {
       "id": "CVE-2023-24998",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/a/apache-commons-net/apache-commons-net-3.6-7_openEuler-SA-2023-1882.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1882",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1882",
   "title": "An update for apache-commons-net is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Apache Commons Net library contains a collection of network utilities and protocol implementations. Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois\r\n\r\nSecurity Fix(es):\r\n\r\nPrior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.(CVE-2021-37533)",
   "cves": [
     {
       "id": "CVE-2021-37533",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37533",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/a/apache-mime4j/apache-mime4j-0.8.1-3_openEuler-SA-2024-1475.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1475",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1475",
   "title": "An update for apache-mime4j is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Java stream based MIME message parser.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message.\nThis can be exploited by an attacker to add unintended headers to MIME messages.\n(CVE-2024-21742)",
   "cves": [
     {
       "id": "CVE-2024-21742",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21742",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/a/apache-sshd/apache-sshd-2.9.2-2_openEuler-SA-2024-1079.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1079",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1079",
   "title": "An update for apache-sshd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side.\r\n\r\nSecurity Fix(es):\r\n\r\nExposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.\r\n\r\nIn SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover \"exists/does not exist\" information about items outside the rooted tree via paths including parent navigation (\"..\") beyond the root, or involving symlinks.\r\n\r\nThis issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10\n(CVE-2023-35887)",
   "cves": [
     {
       "id": "CVE-2023-35887",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35887",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/a/apache-sshd/apache-sshd-2.9.2-3_openEuler-SA-2024-1101.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1101",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1101",
   "title": "An update for apache-sshd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
   "cves": [
     {
       "id": "CVE-2023-48795",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/a/arm-trusted-firmware/arm-trusted-firmware-2.3-2_openEuler-SA-2023-1899.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1899",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1899",
   "title": "An update for arm-trusted-firmware is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\r\n\r\nSecurity Fix(es):\r\n\r\nTrusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.(CVE-2022-47630)",
   "cves": [
     {
       "id": "CVE-2022-47630",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47630",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/a/arm-trusted-firmware/arm-trusted-firmware-2.3-4_openEuler-SA-2024-1264.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1264",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1264",
   "title": "An update for arm-trusted-firmware is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Important",
+  "severity": "High",
   "description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\r\n\r\nSecurity Fix(es):\r\n\r\nTrusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, he can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however.(CVE-2023-49100)",
   "cves": [
     {
       "id": "CVE-2023-49100",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49100",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/a/assimp/config.json

@@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}

cusa/a/atril/atril-1.22.3-3_openEuler-SA-2024-1247.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1247",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1247",
   "title": "An update for atril is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.(CVE-2023-52076)",
   "cves": [
     {
       "id": "CVE-2023-52076",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52076",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/a/atril/atril-1.22.3-4_openEuler-SA-2024-1493.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1493",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1493",
   "title": "An update for atril is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.\n(CVE-2023-51698)",
   "cves": [
     {
       "id": "CVE-2023-51698",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51698",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/a/avahi/avahi-0.8-15_openEuler-SA-2023-1240.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1240",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1240",
   "title": "An update for avahi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.\r\n\r\nSecurity Fix(es):\r\n\r\nIt was discovered that the avahi deamon can be locally crashed by a dbus call made by an unprivileged user, causing a denial of service.\r\n\r\nReferences:\r\n\r\nhttps://github.com/lathiat/avahi/issues/375(CVE-2023-1981)",
   "cves": [
     {
       "id": "CVE-2023-1981",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1981",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/a/avahi/avahi-0.8-16_openEuler-SA-2023-1758.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1758",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1758",
   "title": "An update for avahi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.\r\n\r\nSecurity Fix(es):\r\n\r\nA reachable assertion was found in avahi_escape_label.\r\n\r\nReferences:\r\n\r\nhttps://github.com/lathiat/avahi/issues/454(CVE-2023-38470)",
   "cves": [
     {
       "id": "CVE-2023-38470",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38470",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/a/avahi/avahi-0.8-17_openEuler-SA-2023-1793.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1793",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1793",
   "title": "An update for avahi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.(CVE-2023-38471)\r\n\r\nA vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.(CVE-2023-38472)\r\n\r\nA vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.(CVE-2023-38473)",
   "cves": [
     {
       "id": "CVE-2023-38473",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38473",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/a/avahi/avahi-0.8-17_openEuler-SA-2023-1812.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1812",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1812",
   "title": "An update for avahi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.(CVE-2023-38469)",
   "cves": [
     {
       "id": "CVE-2023-38469",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38469",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/a/avro/avro-1.10.2-4_openEuler-SA-2023-1950.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1950",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1950",
   "title": "An update for avro is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "Apache Avro is a data serialization system.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.(CVE-2021-43045)",
   "cves": [
     {
       "id": "CVE-2021-43045",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43045",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/batik/batik-1.10-7_openEuler-SA-2023-1051.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1051",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1051",
   "title": "An update for batik is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup,  that lets you write your template directly as a CoffeeScript function.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.(CVE-2022-41704)\r\n\r\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.(CVE-2022-42890)",
   "cves": [
     {
       "id": "CVE-2022-42890",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42890",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/batik/batik-1.17-1_openEuler-SA-2023-1651.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1651",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1651",
   "title": "An update for batik is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup,  that lets you write your template directly as a CoffeeScript function.\r\n\r\nSecurity Fix(es):\r\n\r\nServer-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-38398)\r\n\r\nServer-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-38648)\r\n\r\nServer-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-40146)\r\n\r\nServer-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\r\n\r\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.\r\n\r\n(CVE-2022-44729)\r\n\r\nServer-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\r\n\r\nA malicious SVG can probe user profile / data and send it directly as parameter to a URL.\r\n\r\n(CVE-2022-44730)",
   "cves": [
     {
       "id": "CVE-2022-44730",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/b/bcel/bcel-6.4.1-2_openEuler-SA-2022-1977.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1977",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1977",
   "title": "An update for bcel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "The Byte Code Engineering Library (formerly known as JavaClass) is intended to give users a convenient possibility to analyze, create, and manipulate (binary) Java class files (those ending with .class).\r\n\r\nSecurity Fix(es):\r\n\r\nThe Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.(CVE-2022-34169)",
   "cves": [
     {
       "id": "CVE-2022-34169",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/bind/bind-9.16.23-11_openEuler-SA-2022-1983.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1983",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1983",
   "title": "An update for bind is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.\r\n\r\nSecurity Fix(es):\r\n\r\nBy sending specific queries to the resolver, an attacker can cause named to crash.(CVE-2022-3080)\r\n\r\nBy spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38177)\r\n\r\nBy spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38178)\r\n\r\nBy flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.(CVE-2022-2795)\r\n\r\nThe underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.(CVE-2022-2881)\r\n\r\nAn attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.(CVE-2022-2906)",
   "cves": [
     {
       "id": "CVE-2022-2906",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2906",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/bind/bind-9.16.23-14_openEuler-SA-2023-1067.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1067",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1067",
   "title": "An update for bind is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.\r\n\r\nSecurity Fix(es):\r\n\r\nSending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.(CVE-2022-3094)\r\n\r\nBIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.(CVE-2022-3736)\r\n\r\nThis issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.(CVE-2022-3924)",
   "cves": [
     {
       "id": "CVE-2022-3924",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3924",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/bind/bind-9.16.23-18_openEuler-SA-2023-1384.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1384",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1384",
   "title": "An update for bind is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Important",
+  "severity": "High",
   "description": "The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server\r\n\r\nSecurity Fix(es):\r\n\r\nEvery `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.\r\n\r\nIt has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded.\nThis issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.(CVE-2023-2828)",
   "cves": [
     {
       "id": "CVE-2023-2828",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2828",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/bind/bind-9.16.23-20_openEuler-SA-2023-1689.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1689",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1689",
   "title": "An update for bind is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server.\r\n\r\nSecurity Fix(es):\r\n\r\nThe code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary.\nThis issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.(CVE-2023-3341)",
   "cves": [
     {
       "id": "CVE-2023-3341",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3341",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/bind/bind-9.16.23-21_openEuler-SA-2024-1323.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1323",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1323",
   "title": "An update for bind is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server.\r\n\r\nSecurity Fix(es):\r\n\r\nThe DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers.\nThis issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-4408)\r\n\r\nCertain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.(CVE-2023-50387)\r\n\r\nA flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when:\r\n\r\n  - `nxdomain-redirect <domain>;` is configured, and\n  - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response.\nThis issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-5517)\r\n\r\nA bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled.\nThis issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-5679)\r\n\r\nTo keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded.\nThis issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.(CVE-2023-6516)",
   "cves": [
     {
       "id": "CVE-2023-6516",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6516",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/bind/bind-9.16.23-8_openEuler-SA-2022-1615.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1615",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1615",
   "title": "An update for bind is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.\r\n\r\nSecurity Fix(es):\r\n\r\nBIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.(CVE-2021-25220)\n\n\nBIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.(CVE-2022-0396)",
   "cves": [
     {
       "id": "CVE-2022-0396",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0396",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/b/binutils/binutils-2.37-22_openEuler-SA-2023-1570.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1570",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1570",
   "title": "An update for binutils is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "The GNU Binutils are a collection of binary tools.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.(CVE-2021-46174)\r\n\r\nAn issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.(CVE-2022-47008)\r\n\r\nAn issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.(CVE-2022-47011)",
   "cves": [
     {
       "id": "CVE-2022-47011",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47011",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/binutils/binutils-2.37-25_openEuler-SA-2023-1592.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1592",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1592",
   "title": "An update for binutils is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "The GNU Binutils are a collection of binary tools. The main ones are: ld - the GNU linker. as - the GNU assembler. addr2line - Converts addresses into filenames and line numbers. ar - A utility for creating, modifying and extracting from archives. c++filt - Filter to demangle encoded C++ symbols. dlltool - Creates files for building and using DLLs. gold - A new, faster, ELF only linker, still in beta test. gprof - Displays profiling information. nlmconv - Converts object code into an NLM. nm - Lists symbols from object files. objcopy - Copies and translates object files. objdump - Displays information from object files. ranlib - Generates an index to the contents of an archive. readelf - Displays information from any ELF format object file. size - Lists the section sizes of an object or archive file. strings - Lists printable strings from files. trip - Discards symbols. windmc - A Windows compatible message compiler. windres - A compiler for Windows resource files.\r\n\r\nSecurity Fix(es):\r\n\r\nAn illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.(CVE-2022-4285)\r\n\r\nGNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.(CVE-2022-48064)\r\n\r\nA potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.(CVE-2023-1972)",
   "cves": [
     {
       "id": "CVE-2023-1972",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1972",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/b/bluez/bluez-5.54-14_openEuler-SA-2022-1763.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1763",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1763",
   "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nBlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.(CVE-2021-41229)",
   "cves": [
     {
       "id": "CVE-2021-41229",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41229",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/b/bluez/bluez-5.54-15_openEuler-SA-2022-1922.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1922",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1922",
   "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nBlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c.(CVE-2022-39177)\r\n\r\nBlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.(CVE-2022-39176)",
   "cves": [
     {
       "id": "CVE-2022-39176",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39176",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/b/bluez/bluez-5.54-17_openEuler-SA-2023-1249.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1249",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1249",
   "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Important",
+  "severity": "High",
   "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\n(CVE-2023-27349)",
   "cves": [
     {
       "id": "CVE-2023-27349",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27349",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/bluez/bluez-5.54-18_openEuler-SA-2023-1948.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1948",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1948",
   "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nBluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.(CVE-2023-45866)",
   "cves": [
     {
       "id": "CVE-2023-45866",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45866",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/bluez/bluez-5.54-19_openEuler-SA-2024-1019.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1019",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1019",
   "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nVUL-0: CVE-2023-50230: bluez: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability(CVE-2023-50230)",
   "cves": [
     {
       "id": "CVE-2023-50230",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50230",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/bluez/bluez-5.54-19_openEuler-SA-2024-1029.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2024-1029",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1029",
   "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
-  "severity": "Important",
+  "severity": "High",
   "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nVUL-0: CVE-2023-50229: bluez: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability(CVE-2023-50229)",
   "cves": [
     {
       "id": "CVE-2023-50229",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50229",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/busybox/busybox-1.34.1-16_openEuler-SA-2022-1859.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1859",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1859",
   "title": "An update for busybox is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It provides a fairly complete environment for any small or embedded system.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.(CVE-2022-30065)",
   "cves": [
     {
       "id": "CVE-2022-30065",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30065",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/b/byacc/byacc-2.0.20210808-4_openEuler-SA-2023-1033.json

@@ -2,7 +2,7 @@
   "id": "openEuler-SA-2023-1033",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1033",
   "title": "An update for byacc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "Berkeley Yacc is an LALR(1) parser generator.  Berkeley Yacc has been made as compatible as possible with AT&T Yacc.  Berkeley Yacc can accept any input specification that conforms to the AT&T Yacc documentation.  Specifications that take advantage of undocumented features of AT&T Yacc will probably be rejected.\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2021-33641)\r\n\r\nNo description is available for this CVE.(CVE-2021-33642)",
   "cves": [
     {

cusa/c/c-ares/c-ares-1.18.1-4_openEuler-SA-2023-1091.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1091",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1091",
   "title": "An update for c-ares is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\r\n\r\nSecurity Fix(es):\r\n\r\nIn ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration. However, ares_set_sortlist has not any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked memcpy(ipbuf, str, q-str); and memcpy(ipbufpfx, str, q-str); statements in the config_sortlist call, which could potentially cause severe security impact in practical programs.(CVE-2022-4904)",
   "cves": [
     {
       "id": "CVE-2022-4904",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4904",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/c/c-ares/c-ares-1.18.1-5_openEuler-SA-2023-1312.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1312",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1312",
   "title": "An update for c-ares is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\r\n\r\nSecurity Fix(es):\r\n\r\nc-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.(CVE-2023-32067)",
   "cves": [
     {
       "id": "CVE-2023-32067",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32067",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/c/c-ares/c-ares-1.18.1-6_openEuler-SA-2023-1339.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1339",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1339",
   "title": "An update for c-ares is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\r\n\r\nSecurity Fix(es):\r\n\r\nc-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.(CVE-2023-31147)",
   "cves": [
     {
       "id": "CVE-2023-31147",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31147",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/c/c-ares/c-ares-1.18.1-6_openEuler-SA-2023-1359.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1359",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1359",
   "title": "An update for c-ares is now available for openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\n\nSecurity Fix(es):\n\nc-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n(CVE-2023-31130)",
   "cves": [
     {
       "id": "CVE-2023-31130",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31130",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/c/cfitsio/cfitsio-3.490-1_openEuler-SA-2022-1848.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1848",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1848",
   "title": "An update for cfitsio is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn the ffghtb function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.(CVE-2018-3849)\r\n\r\nIn the ffghbn function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.(CVE-2018-3848)",
   "cves": [
     {
       "id": "CVE-2018-3848",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3848",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/c/cifs-utils/cifs-utils-6.14-3_openEuler-SA-2022-1626.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1626",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1626",
   "title": "An update for cifs-utils is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Moderate",
+  "severity": "Medium",
   "description": "The in-kernel CIFS filesystem is generally the preferred method for mounting SMB/CIFS shares on Linux. The in-kernel CIFS filesystem relies on a set of user-space tools. That package of tools is called cifs-utils.Although not really part of Samba proper, these tools were originally part of the Samba package. For several reasons, shipping these tools as part of Samba was problematic and it was deemed better to split them off into their own package.\r\n\r\nSecurity Fix(es):\r\n\r\ncifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.(CVE-2022-29869)\n\nIn cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.(CVE-2022-27239)",
   "cves": [
     {
       "id": "CVE-2022-27239",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27239",
-      "severity": "Moderate"
+      "severity": "Medium"
     }
   ]
 }

cusa/c/cjose/cjose-0.6.2.2-1_openEuler-SA-2023-1441.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1441",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1441",
   "title": "An update for cjose is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
-  "severity": "Important",
+  "severity": "High",
   "description": "Implementation of JOSE for C/C++\n\nSecurity Fix(es):\n\nOpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec  says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).(CVE-2023-37464)",
   "cves": [
     {
       "id": "CVE-2023-37464",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37464",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/c/clamav/clamav-0.103.6-3_openEuler-SA-2022-1683.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2022-1683",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1683",
   "title": "An update for clamav is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. he virus database is based on the virus database from OpenAntiVirus, but contains additional signatures and is KEPT UP TO DATE.\n\nSecurity Fix(es):\n\nOn April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in CHM file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.(CVE-2022-20770)\n\nOn April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.(CVE-2022-20771)\n\nOn April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in HTML file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.(CVE-2022-20785)\n\nFixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.(CVE-2022-20792)",
   "cves": [
     {
       "id": "CVE-2022-20792",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20792",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }

cusa/c/clamav/clamav-0.103.9-1_openEuler-SA-2023-1559.json

@@ -2,13 +2,13 @@
   "id": "openEuler-SA-2023-1559",
   "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1559",
   "title": "An update for clamav is now available for openEuler-22.03-LTS",
-  "severity": "Important",
+  "severity": "High",
   "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. he virus database is based on the virus database from OpenAntiVirus, but contains additional signatures and is KEPT UP TO DATE.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\r\n\r This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources.\r\n\r For a description of this vulnerability, see the ClamAV blog .(CVE-2023-20197)",
   "cves": [
     {
       "id": "CVE-2023-20197",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20197",
-      "severity": "Important"
+      "severity": "High"
     }
   ]
 }