cvrf2cusa/cvrf/2022/cvrf-openEuler-SA-2022-1928.xml
Jia Chao 0b34274085 git mv
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00


<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for libconfuse is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<!-- Tracking metadata: advisory ID openEuler-SA-2022-1928, status Final, a single revision 1.0 dated 2022-09-23. Initial release, current release and generator dates all agree. -->
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2022-1928</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2022-09-23</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2022-09-23</InitialReleaseDate>
<CurrentReleaseDate>2022-09-23</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2022-09-23</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">libconfuse security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for libconfuse is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">libConfuse is a configuration file parser library, licensed under the terms of the ISC license, and written in C. It supports sections and (lists of) values (strings, integers, floats, booleans or other sections), as well as some other features (such as single/double-quoted strings, environment variable expansion, functions and nested include statements). It makes it very easy to add configuration file capability to a program using a simple API. The goal of libConfuse is not to be the configuration file parser library with a gazillion of features. Instead, it aims to be easy to use and quick to integrate with your code.
Security Fix(es):
cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.(CVE-2022-40320)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for libconfuse is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">libconfuse</Note>
</DocumentNotes>
<!-- References: the advisory's own bulletin page (Self), the openEuler CVE page, and the NVD entry for CVE-2022-40320. The Topic note points readers here for the per-CVE CVSS details. -->
<DocumentReferences>
<Reference Type="Self">
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1928</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-40320</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-40320</URL>
</Reference>
</DocumentReferences>
<!-- Product tree: the three affected openEuler releases (Branch Type="Product Name"), then the libconfuse 3.3-2 packages shipped for each release, grouped by build architecture (Branch Type="Package Arch": aarch64, src, x86_64). -->
<!-- NOTE(review): package rows reuse the same ProductID across releases (e.g. ProductID="libconfuse-3.3-2" appears once per release, with only the CPE and the .oe1/.oe2203 file name telling the builds apart), and the CPE on each package row is the release CPE rather than a package CPE. A consumer that keys on ProductID alone cannot distinguish the three builds; confirm this is acceptable for the CVRF 1.1 consumers of this feed. -->
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="libconfuse-debugsource-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libconfuse-debugsource-3.3-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-devel-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libconfuse-devel-3.3-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debuginfo-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libconfuse-debuginfo-3.3-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libconfuse-3.3-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debugsource-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libconfuse-debugsource-3.3-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debuginfo-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libconfuse-debuginfo-3.3-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-devel-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libconfuse-devel-3.3-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libconfuse-3.3-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-devel-3.3-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libconfuse-devel-3.3-2.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debuginfo-3.3-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libconfuse-debuginfo-3.3-2.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debugsource-3.3-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libconfuse-debugsource-3.3-2.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-3.3-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libconfuse-3.3-2.oe2203.aarch64.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="libconfuse-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libconfuse-3.3-2.oe1.src.rpm</FullProductName>
<FullProductName ProductID="libconfuse-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libconfuse-3.3-2.oe1.src.rpm</FullProductName>
<FullProductName ProductID="libconfuse-3.3-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libconfuse-3.3-2.oe2203.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="libconfuse-devel-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libconfuse-devel-3.3-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debuginfo-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libconfuse-debuginfo-3.3-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debugsource-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libconfuse-debugsource-3.3-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libconfuse-3.3-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debugsource-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libconfuse-debugsource-3.3-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libconfuse-3.3-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debuginfo-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libconfuse-debuginfo-3.3-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-devel-3.3-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libconfuse-devel-3.3-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-devel-3.3-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libconfuse-devel-3.3-2.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debugsource-3.3-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libconfuse-debugsource-3.3-2.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-3.3-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libconfuse-3.3-2.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="libconfuse-debuginfo-3.3-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libconfuse-debuginfo-3.3-2.oe2203.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<!-- Vulnerability record for CVE-2022-40320: heap-based buffer over-read in cfg_tilde_expand, libConfuse 3.3. Threat impact and the document's Severity note both say High; the ProductTree lists libconfuse 3.3-2 as the shipped package for every release. -->
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.</Note>
</Notes>
<ReleaseDate>2022-09-23</ReleaseDate>
<CVE>CVE-2022-40320</CVE>
<!-- The Fixed status references the release ProductIDs, not the package ProductIDs; the fixed package version has to be read from the ProductTree rows carrying the matching CPE. -->
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
<ProductID>openEuler-22.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<!-- NOTE(review): the vector uses CVSS v3.x metric names (PR, UI, S) and 8.8 is the v3.x base score for these values, but the string carries no "CVSS:3.0/" or "CVSS:3.1/" version prefix; confirm which version the generator intends so consumers do not mis-parse the vector. -->
<CVSSScoreSets>
<ScoreSet>
<BaseScore>8.8</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>libconfuse security update</Description>
<!-- NOTE(review): DATE is the only all-uppercase element name in this document (compare ReleaseDate above and Generator/Date); confirm it matches the CVRF 1.1 vuln schema, since a validating consumer may reject the document or silently drop this field. -->
<DATE>2022-09-23</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1928</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>