diff --git a/setup.cfg b/setup.cfg
index 629eb215f..588400a2c 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -101,6 +101,7 @@ install_requires =
#vulntotal
python-dotenv
texttable
+ extractcode[full]==31.0.0
[options.extras_require]
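Review bot: The new requirement sits under the `#vulntotal` comment, although the code that uses it in this commit is `vulnerabilities/pipes/extractcode_utils.py`. Give it its own group comment, e.g. `# archive extraction for importers`, so the purpose of the dependency is clear. The neighbouring entries visible here carry no version constraint, while this one is pinned with `==`. If the exact pin is deliberate, say why in the comment, since a hard pin in `install_requires` can conflict with other packages that depend on extractcode.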
diff --git a/vulnerabilities/importer.py b/vulnerabilities/importer.py
index da7f743da..850587ca7 100644
--- a/vulnerabilities/importer.py
+++ b/vulnerabilities/importer.py
@@ -187,6 +187,8 @@ def from_url(cls, url):
reference_id = get_reference_id(url)
if "GHSA-" in reference_id.upper():
return cls(reference_id=reference_id, url=url)
+ if reference_id.startswith(("RHSA-", "RHEA-", "RHBA-")):
+ return cls(reference_id=reference_id, url=url)
if is_cve(reference_id):
return cls(url=url, reference_id=reference_id.upper())
return cls(url=url)
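Review bot: The added `startswith(("RHSA-", "RHEA-", "RHBA-"))` check is case-sensitive, while the GHSA branch just above compares against `reference_id.upper()`. Whether `get_reference_id` preserves the case of the URL is not visible here. If it does, a lower-case form such as the `rhsa-2010_0002` file names used by the CSAF feed would fall through to `cls(url=url)` with no id. Consider `if reference_id.upper().startswith(("RHSA-", "RHEA-", "RHBA-")):` to match the branch above. `from_url` starts outside this hunk.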
@@ -458,6 +460,24 @@ def clean_summary(self, summary):
return summary
def to_dict(self):
+ is_adv_v2 = (
+ self.advisory_id
+ or self.severities
+ or self.references_v2
+ or (self.affected_packages and isinstance(self.affected_packages[0], AffectedPackageV2))
+ )
+ if is_adv_v2:
+ return {
+ "advisory_id": self.advisory_id,
+ "aliases": self.aliases,
+ "summary": self.summary,
+ "affected_packages": [pkg.to_dict() for pkg in self.affected_packages],
+ "references_v2": [ref.to_dict() for ref in self.references_v2],
+ "severities": [sev.to_dict() for sev in self.severities],
+ "date_published": self.date_published.isoformat() if self.date_published else None,
+ "weaknesses": self.weaknesses,
+ "url": self.url if self.url else "",
+ }
return {
"aliases": self.aliases,
"summary": self.summary,
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
index 174dc3e13..82ee4525a 100644
--- a/vulnerabilities/importers/__init__.py
+++ b/vulnerabilities/importers/__init__.py
@@ -57,6 +57,7 @@
from vulnerabilities.pipelines.v2_importers import postgresql_importer as postgresql_importer_v2
from vulnerabilities.pipelines.v2_importers import pypa_importer as pypa_importer_v2
from vulnerabilities.pipelines.v2_importers import pysec_importer as pysec_importer_v2
+from vulnerabilities.pipelines.v2_importers import redhat_importer as redhat_importer_v2
from vulnerabilities.pipelines.v2_importers import vulnrichment_importer as vulnrichment_importer_v2
from vulnerabilities.pipelines.v2_importers import xen_importer as xen_importer_v2
from vulnerabilities.utils import create_registry
@@ -79,6 +80,7 @@
postgresql_importer_v2.PostgreSQLImporterPipeline,
mozilla_importer_v2.MozillaImporterPipeline,
github_osv_importer_v2.GithubOSVImporterPipeline,
+ redhat_importer_v2.RedHatImporterPipeline,
nvd_importer.NVDImporterPipeline,
github_importer.GitHubAPIImporterPipeline,
gitlab_importer.GitLabImporterPipeline,
diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py
index 60c20d5b9..f404d7d17 100644
--- a/vulnerabilities/models.py
+++ b/vulnerabilities/models.py
@@ -2890,6 +2890,7 @@ def to_advisory_data(self) -> "AdvisoryData":
from vulnerabilities.importer import AdvisoryData
return AdvisoryData(
+ advisory_id=self.advisory_id,
aliases=[item.alias for item in self.aliases.all()],
summary=self.summary,
affected_packages=[
diff --git a/vulnerabilities/pipelines/v2_importers/archlinux_importer.py b/vulnerabilities/pipelines/v2_importers/archlinux_importer.py
index 8d555987c..24a8924de 100644
--- a/vulnerabilities/pipelines/v2_importers/archlinux_importer.py
+++ b/vulnerabilities/pipelines/v2_importers/archlinux_importer.py
@@ -7,6 +7,7 @@
# See https://aboutcode.org for more information about nexB OSS projects.
#
+import json
from typing import Iterable
from typing import Mapping
@@ -97,4 +98,5 @@ def parse_advisory(self, record) -> AdvisoryData:
affected_packages=affected_packages,
weaknesses=[],
url=f"https://security.archlinux.org/{avg_name}.json",
+ original_advisory_text=json.dumps(record),
)
diff --git a/vulnerabilities/pipelines/v2_importers/redhat_importer.py b/vulnerabilities/pipelines/v2_importers/redhat_importer.py
new file mode 100644
index 000000000..b9dc6bde8
--- /dev/null
+++ b/vulnerabilities/pipelines/v2_importers/redhat_importer.py
@@ -0,0 +1,195 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import json
+import logging
+import shutil
+import tempfile
+from io import DEFAULT_BUFFER_SIZE
+from pathlib import Path
+from typing import Iterable
+from urllib.parse import urljoin
+
+import dateparser
+import requests
+from extractcode import ExtractError
+from packageurl import PackageURL
+from univers.version_range import RpmVersionRange
+from univers.version_range import VersionRange
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.importer import VulnerabilitySeverity
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+from vulnerabilities.pipes import extractcode_utils
+from vulnerabilities.severity_systems import REDHAT_AGGREGATE
+from vulnerabilities.utils import load_json
+from vulntotal import vulntotal_utils
+
+
+class RedHatImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
+ """Import RedHat Advisories (RHSA, RHEA and RHBA)
+
+ Ingest CSAF advisories published by RedHat, including Red Hat Security Advisory (RHSA),
+ Red Hat Enhancement Advisory (RHEA), and Red Hat Bug Fix Advisory (RHBA).
+ """
+
+ pipeline_id = "redhat_importer_v2"
+ spdx_license_expression = "CC-BY-4.0"
+ license_url = "https://access.redhat.com/security/data/"
+ url = "https://security.access.redhat.com/data/csaf/v2/advisories/"
+
+ @classmethod
+ def steps(cls):
+ return (
+ cls.fetch,
+ cls.collect_and_store_advisories,
+ cls.clean_download,
+ )
+
+ def fetch(self):
+ archive_latest_url = urljoin(self.url, "archive_latest.txt")
+ response = requests.get(archive_latest_url)
+ response.raise_for_status()
+ self.latest_archive_name = response.text.strip()
+
+ self.location = self.cleanup_location = Path(tempfile.mkdtemp())
+ archive_path = self.location / self.latest_archive_name
+ archive_url = urljoin(self.url, self.latest_archive_name)
+
+ response = requests.get(archive_url, stream=True)
+ response.raise_for_status()
+
+ with open(archive_path, "wb") as f:
+ for chunk in response.iter_content(chunk_size=DEFAULT_BUFFER_SIZE):
+ f.write(chunk)
+
+ if errors := extractcode_utils.extract_archive(
+ source=archive_path,
+ destination=self.location,
+ ):
+ self.log(
+ f"Error while extracting archive {archive_path}: {errors}",
+ level=logging.ERROR,
+ )
+ raise ExtractError(errors)
+
+ def advisories_count(self) -> int:
+ return sum(1 for _ in self.location.rglob("*.json"))
+
+ def collect_advisories(self) -> Iterable[AdvisoryData]:
+ for record in self.location.rglob("*.json"):
+ yield self.parse_advisory(record)
+
+ def parse_advisory(self, record):
+ advisory = load_json(record)
+ document = advisory.get("document", {})
+ if (csaf_version := document.get("csaf_version")) and not csaf_version == "2.0":
+ self.log(f"Unsupported CSAF version: {csaf_version}.", level=logging.ERROR)
+ return
+
+ severities = []
+ references = []
+ impacts = []
+ affected_packages = []
+ notes = document.get("notes", [])
+ adv_sub_path = f"{record.parent.name}/{record.name}"
+ url = urljoin(self.url, adv_sub_path)
+ advisory_id = get_item(document, "tracking", "id")
+ release_date = get_item(document, "tracking", "initial_release_date")
+
+ summary = "\n\n".join(
+ note["text"] for note in notes if note["category"] != "legal_disclaimer"
+ )
+ aliases = [vul["cve"] for vul in advisory.get("vulnerabilities", [])]
+
+ for ref in document.get("references", []):
+ ref_url = ref.get("url")
+ if ref_url.startswith("https://bugzilla.redhat.com/"):
+ references.append(
+ ReferenceV2(
+ reference_id=ref.get("summary"),
+ reference_type="bug",
+ url=ref_url,
+ )
+ )
+ continue
+ references.append(ReferenceV2.from_url(url=ref_url))
+
+ if aggregate_severity := document.get("aggregate_severity"):
+ severities.append(
+ VulnerabilitySeverity(
+ system=REDHAT_AGGREGATE,
+ value=aggregate_severity["text"],
+ url=url,
+ )
+ )
+
+ impacts = get_item(advisory, "product_tree", "branches", 0, "branches", default=[])
+ for impact in impacts:
+ if impact["category"] == "product_family":
+ continue
+ for branch in impact.get("branches", []):
+ if purl := get_item(
+ branch,
+ "product",
+ "product_identification_helper",
+ "purl",
+ default=None,
+ ):
+ if not purl.startswith("pkg:rpm/"):
+ continue
+ package_purl = PackageURL.from_string(purl=purl)
+ fixed_version = package_purl.version
+ if not fixed_version:
+ continue
+
+ fixed_version_range = RpmVersionRange.from_versions([fixed_version])
+ affected_version_range = VersionRange.from_string(f"vers:rpm/<{fixed_version}")
+ purl_dict = package_purl.to_dict()
+ del purl_dict["version"]
+ base_purl = PackageURL(**purl_dict)
+
+ affected_packages.append(
+ AffectedPackageV2(
+ package=base_purl,
+ affected_version_range=affected_version_range,
+ fixed_version_range=fixed_version_range,
+ )
+ )
+
+ return AdvisoryData(
+ advisory_id=advisory_id,
+ aliases=aliases,
+ summary=summary,
+ references_v2=references,
+ affected_packages=affected_packages,
+ severities=severities,
+ weaknesses=[],
+ date_published=dateparser.parse(release_date) if release_date else None,
+ url=url,
+ original_advisory_text=json.dumps(advisory),
+ )
+
+ def clean_download(self):
+ if hasattr(self, "cleanup_location") and self.cleanup_location.exists():
+ self.log(f"Removing downloaded archive: {self.latest_archive_name}")
+ shutil.rmtree(self.cleanup_location)
+
+ def on_failure(self):
+ self.clean_download()
+
+
+def get_item(entity, *attributes, default=None):
+ try:
+ result = vulntotal_utils.get_item(entity, *attributes)
+ except (KeyError, IndexError, TypeError) as e:
+ result = default
+ return result
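Review bot: In `fetch`, the archive name is taken verbatim from the body of `archive_latest.txt` and then joined into both a filesystem path (`self.location / self.latest_archive_name`) and a URL (`urljoin(self.url, ...)`), so a response containing a path separator, an absolute path or a full URL would make the importer write outside the temporary directory or download from a different host. Accept only a bare file name before using it. Both `requests.get` calls also lack a `timeout`, so a stalled connection blocks the pipeline indefinitely; the 60-second value below is illustrative. Separately, `parse_advisory` returns `None` for an unsupported CSAF version and `collect_advisories` yields that value unchanged; whether the base pipeline tolerates `None` is not visible here.

```python
    def fetch(self):
        archive_latest_url = urljoin(self.url, "archive_latest.txt")
        response = requests.get(archive_latest_url, timeout=60)
        response.raise_for_status()
        archive_name = response.text.strip()
        # The name is remote-controlled: allow a plain file name only, so it can
        # neither escape the temporary directory nor redirect the download.
        if archive_name in ("", ".", "..") or Path(archive_name).name != archive_name:
            raise ValueError(f"Unexpected archive name: {archive_name!r}")
        self.latest_archive_name = archive_name

        # … unchanged: mkdtemp, archive_path and archive_url …

        response = requests.get(archive_url, stream=True, timeout=60)
        # … unchanged: raise_for_status, chunked write, extract_archive …
```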
diff --git a/vulnerabilities/pipes/extractcode_utils.py b/vulnerabilities/pipes/extractcode_utils.py
new file mode 100644
index 000000000..037564c30
--- /dev/null
+++ b/vulnerabilities/pipes/extractcode_utils.py
@@ -0,0 +1,20 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from extractcode import api
+
+
+def extract_archive(source, destination):
+ """Extract an archive at `source` to `destination`directory."""
+ errors = {}
+ for event in api.extract_archive(source, destination):
+ if event.done and event.errors:
+ errors[str(event.source)] = event.errors
+
+ return errors
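Review bot: The docstring of `extract_archive` is missing a space before "directory" and does not say what the function returns, which the caller in the Red Hat importer relies on to decide whether to raise. Suggested wording: `"""Extract the archive at source into the destination directory and return a dict mapping each source path to its errors; the dict is empty when nothing failed."""`. Only events with both `event.done` and `event.errors` set are recorded, so any warnings extractcode reports are dropped. If that is intentional, a one-line comment saying so would help.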
diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_redhat_importer_v2.py b/vulnerabilities/tests/pipelines/v2_importers/test_redhat_importer_v2.py
new file mode 100644
index 000000000..0908034b4
--- /dev/null
+++ b/vulnerabilities/tests/pipelines/v2_importers/test_redhat_importer_v2.py
@@ -0,0 +1,37 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import json
+import os
+from pathlib import Path
+from unittest.mock import Mock
+from unittest.mock import patch
+
+from django.test import TestCase
+
+from vulnerabilities.models import AdvisoryV2
+from vulnerabilities.models import PackageV2
+from vulnerabilities.pipelines.v2_importers.redhat_importer import RedHatImporterPipeline
+from vulnerabilities.tests import util_tests
+
+TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "redhat" / "csaf_2_0"
+
+
+class TestArchLinuxImporterPipeline(TestCase):
+ @patch("vulnerabilities.pipelines.v2_importers.redhat_importer.RedHatImporterPipeline.fetch")
+ def test_redhat_advisories_v2(self, mock_fetch):
+ mock_fetch.__name__ = "fetch"
+ pipeline = RedHatImporterPipeline()
+ pipeline.location = TEST_DATA
+ pipeline.execute()
+ self.assertEqual(6, AdvisoryV2.objects.count())
+ self.assertEqual(93, PackageV2.objects.count())
+ expected_file = TEST_DATA.parent / "redhat_advisoryv2-expected.json"
+ result = [adv.to_advisory_data().to_dict() for adv in AdvisoryV2.objects.all()]
+ util_tests.check_results_against_json(result, expected_file)
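Review bot: The test class is named `TestArchLinuxImporterPipeline` although it exercises `RedHatImporterPipeline`, which looks like a copy-paste leftover and makes failures harder to locate; rename it to `class TestRedHatImporterPipeline(TestCase):`. `json`, `os` and `Mock` are imported but not used in this file. The test covers only the happy path with `fetch` patched out. A fixture whose `csaf_version` is not `2.0` would pin the early-return branch of `parse_advisory`.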
diff --git a/vulnerabilities/tests/test_data/archlinux/archlinux_advisoryv2-expected.json b/vulnerabilities/tests/test_data/archlinux/archlinux_advisoryv2-expected.json
index 7a117bd95..53923a03d 100644
--- a/vulnerabilities/tests/test_data/archlinux/archlinux_advisoryv2-expected.json
+++ b/vulnerabilities/tests/test_data/archlinux/archlinux_advisoryv2-expected.json
@@ -1,5 +1,6 @@
[
{
+ "advisory_id": "AVG-2781",
"aliases": [
"CVE-2022-29217"
],
@@ -18,12 +19,20 @@
"fixed_version_range": "vers:alpm/2.4.0-1"
}
],
- "references": [],
+ "references_v2": [
+ {
+ "reference_id": "AVG-2781",
+ "reference_type": "",
+ "url": "https://security.archlinux.org/AVG-2781"
+ }
+ ],
+ "severities": [],
"date_published": null,
"weaknesses": [],
"url": "https://security.archlinux.org/AVG-2781.json"
},
{
+ "advisory_id": "AVG-2780",
"aliases": [
"CVE-2022-26710",
"CVE-2022-22677",
@@ -44,12 +53,20 @@
"fixed_version_range": "vers:alpm/2.36.4-1"
}
],
- "references": [],
+ "references_v2": [
+ {
+ "reference_id": "AVG-2780",
+ "reference_type": "",
+ "url": "https://security.archlinux.org/AVG-2780"
+ }
+ ],
+ "severities": [],
"date_published": null,
"weaknesses": [],
"url": "https://security.archlinux.org/AVG-2780.json"
},
{
+ "advisory_id": "AVG-4",
"aliases": [
"CVE-2016-3189",
"ASA-201702-19"
@@ -69,7 +86,19 @@
"fixed_version_range": "vers:alpm/1.0.6-6"
}
],
- "references": [],
+ "references_v2": [
+ {
+ "reference_id": "AVG-4",
+ "reference_type": "",
+ "url": "https://security.archlinux.org/AVG-4"
+ },
+ {
+ "reference_id": "ASA-201702-19",
+ "reference_type": "",
+ "url": "https://security.archlinux.org/ASA-201702-19"
+ }
+ ],
+ "severities": [],
"date_published": null,
"weaknesses": [],
"url": "https://security.archlinux.org/AVG-4.json"
diff --git a/vulnerabilities/tests/test_data/redhat/csaf_2_0/2010/rhsa-2010_0002.json b/vulnerabilities/tests/test_data/redhat/csaf_2_0/2010/rhsa-2010_0002.json
new file mode 100644
index 000000000..340697c5b
--- /dev/null
+++ b/vulnerabilities/tests/test_data/redhat/csaf_2_0/2010/rhsa-2010_0002.json
@@ -0,0 +1,1467 @@
+{
+ "document": {
+ "aggregate_severity": {
+ "namespace": "https://access.redhat.com/security/updates/classification/",
+ "text": "Moderate"
+ },
+ "category": "csaf_security_advisory",
+ "csaf_version": "2.0",
+ "distribution": {
+ "text": "Copyright © Red Hat, Inc. All rights reserved.",
+ "tlp": {
+ "label": "WHITE",
+ "url": "https://www.first.org/tlp/"
+ }
+ },
+ "lang": "en",
+ "notes": [
+ {
+ "category": "summary",
+ "text": "An updated PyXML package that fixes one security issue is now available for\nRed Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red\nHat Security Response Team.",
+ "title": "Topic"
+ },
+ {
+ "category": "general",
+ "text": "PyXML provides XML libraries for Python. The distribution contains a\nvalidating XML parser, an implementation of the SAX and DOM programming\ninterfaces, and an interface to the Expat parser.\n\nA buffer over-read flaw was found in the way PyXML's Expat parser handled\nmalformed UTF-8 sequences when processing XML files. A specially-crafted\nXML file could cause Python applications using PyXML's Expat parser to\ncrash while parsing the file. (CVE-2009-3720)\n\nThis update makes PyXML use the system Expat library rather than its own\ninternal copy; therefore, users must install the RHSA-2009:1625 expat\nupdate together with this PyXML update to resolve the CVE-2009-3720 issue.\n\nAll PyXML users should upgrade to this updated package, which changes PyXML\nto use the system Expat library. After installing this update along with\nRHSA-2009:1625, applications using the PyXML library must be restarted for\nthe update to take effect.",
+ "title": "Details"
+ },
+ {
+ "category": "legal_disclaimer",
+ "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
+ "title": "Terms of Use"
+ }
+ ],
+ "publisher": {
+ "category": "vendor",
+ "contact_details": "https://access.redhat.com/security/team/contact/",
+ "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
+ "name": "Red Hat Product Security",
+ "namespace": "https://www.redhat.com"
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "https://access.redhat.com/errata/RHSA-2010:0002",
+ "url": "https://access.redhat.com/errata/RHSA-2010:0002"
+ },
+ {
+ "category": "external",
+ "summary": "https://access.redhat.com/security/updates/classification/#moderate",
+ "url": "https://access.redhat.com/security/updates/classification/#moderate"
+ },
+ {
+ "category": "external",
+ "summary": "531697",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=531697"
+ },
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2010/rhsa-2010_0002.json"
+ }
+ ],
+ "title": "Red Hat Security Advisory: PyXML security update",
+ "tracking": {
+ "current_release_date": "2024-11-22T03:06:43+00:00",
+ "generator": {
+ "date": "2024-11-22T03:06:43+00:00",
+ "engine": {
+ "name": "Red Hat SDEngine",
+ "version": "4.2.1"
+ }
+ },
+ "id": "RHSA-2010:0002",
+ "initial_release_date": "2010-01-04T17:58:00+00:00",
+ "revision_history": [
+ {
+ "date": "2010-01-04T17:58:00+00:00",
+ "number": "1",
+ "summary": "Initial version"
+ },
+ {
+ "date": "2010-01-04T13:02:56+00:00",
+ "number": "2",
+ "summary": "Last updated version"
+ },
+ {
+ "date": "2024-11-22T03:06:43+00:00",
+ "number": "3",
+ "summary": "Last generated version"
+ }
+ ],
+ "status": "final",
+ "version": "3"
+ }
+ },
+ "product_tree": {
+ "branches": [
+ {
+ "branches": [
+ {
+ "branches": [
+ {
+ "category": "product_name",
+ "name": "Red Hat Enterprise Linux AS version 4",
+ "product": {
+ "name": "Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS",
+ "product_identification_helper": {
+ "cpe": "cpe:/o:redhat:enterprise_linux:4::as"
+ }
+ }
+ },
+ {
+ "category": "product_name",
+ "name": "Red Hat Enterprise Linux Desktop version 4",
+ "product": {
+ "name": "Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop",
+ "product_identification_helper": {
+ "cpe": "cpe:/o:redhat:enterprise_linux:4::desktop"
+ }
+ }
+ },
+ {
+ "category": "product_name",
+ "name": "Red Hat Enterprise Linux ES version 4",
+ "product": {
+ "name": "Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES",
+ "product_identification_helper": {
+ "cpe": "cpe:/o:redhat:enterprise_linux:4::es"
+ }
+ }
+ },
+ {
+ "category": "product_name",
+ "name": "Red Hat Enterprise Linux WS version 4",
+ "product": {
+ "name": "Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS",
+ "product_identification_helper": {
+ "cpe": "cpe:/o:redhat:enterprise_linux:4::ws"
+ }
+ }
+ },
+ {
+ "category": "product_name",
+ "name": "Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product": {
+ "name": "Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client",
+ "product_identification_helper": {
+ "cpe": "cpe:/o:redhat:enterprise_linux:5::client"
+ }
+ }
+ },
+ {
+ "category": "product_name",
+ "name": "Red Hat Enterprise Linux (v. 5 server)",
+ "product": {
+ "name": "Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server",
+ "product_identification_helper": {
+ "cpe": "cpe:/o:redhat:enterprise_linux:5::server"
+ }
+ }
+ }
+ ],
+ "category": "product_family",
+ "name": "Red Hat Enterprise Linux"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "product_id": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.3-6.el4_8.2?arch=ia64"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "product": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "product_id": "PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.3-6.el4_8.2?arch=ia64"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "product": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "product_id": "PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.4-4.el5_4.2?arch=ia64"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "product_id": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.4-4.el5_4.2?arch=ia64"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "ia64"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "product_id": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.3-6.el4_8.2?arch=x86_64"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "product": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "product_id": "PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.3-6.el4_8.2?arch=x86_64"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "product": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "product_id": "PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.4-4.el5_4.2?arch=x86_64"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64",
+ "product_id": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.4-4.el5_4.2?arch=x86_64"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "x86_64"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "product_id": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.3-6.el4_8.2?arch=i386"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.3-6.el4_8.2.i386",
+ "product": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.i386",
+ "product_id": "PyXML-0:0.8.3-6.el4_8.2.i386",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.3-6.el4_8.2?arch=i386"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.4-4.el5_4.2.i386",
+ "product": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.i386",
+ "product_id": "PyXML-0:0.8.4-4.el5_4.2.i386",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.4-4.el5_4.2?arch=i386"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "product_id": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.4-4.el5_4.2?arch=i386"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "i386"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.3-6.el4_8.2.src",
+ "product": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.src",
+ "product_id": "PyXML-0:0.8.3-6.el4_8.2.src",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.3-6.el4_8.2?arch=src"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.4-4.el5_4.2.src",
+ "product": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.src",
+ "product_id": "PyXML-0:0.8.4-4.el5_4.2.src",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.4-4.el5_4.2?arch=src"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "src"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "product_id": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.3-6.el4_8.2?arch=ppc"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "product": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "product_id": "PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.3-6.el4_8.2?arch=ppc"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "product": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "product_id": "PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.4-4.el5_4.2?arch=ppc"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "product_id": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.4-4.el5_4.2?arch=ppc"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "ppc"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "product_id": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.3-6.el4_8.2?arch=s390x"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "product": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "product_id": "PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.3-6.el4_8.2?arch=s390x"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "product": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "product_id": "PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.4-4.el5_4.2?arch=s390x"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "product_id": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.4-4.el5_4.2?arch=s390x"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "s390x"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "product": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "product_id": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML-debuginfo@0.8.3-6.el4_8.2?arch=s390"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390",
+ "product": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390",
+ "product_id": "PyXML-0:0.8.3-6.el4_8.2.s390",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/PyXML@0.8.3-6.el4_8.2?arch=s390"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "s390"
+ }
+ ],
+ "category": "vendor",
+ "name": "Red Hat"
+ }
+ ],
+ "relationships": [
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.i386 as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-0:0.8.3-6.el4_8.2.i386"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.i386",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ia64 as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-0:0.8.3-6.el4_8.2.ia64"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ppc as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-0:0.8.3-6.el4_8.2.ppc"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390 as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-0:0.8.3-6.el4_8.2.s390"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.s390",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390x as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-0:0.8.3-6.el4_8.2.s390x"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.src as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-0:0.8.3-6.el4_8.2.src"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.src",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.x86_64 as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-0:0.8.3-6.el4_8.2.x86_64"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386 as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64 as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390 as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64 as a component of Red Hat Enterprise Linux AS version 4",
+ "product_id": "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "relates_to_product_reference": "4AS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.i386 as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-0:0.8.3-6.el4_8.2.i386"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.i386",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ia64 as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-0:0.8.3-6.el4_8.2.ia64"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ppc as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-0:0.8.3-6.el4_8.2.ppc"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390 as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-0:0.8.3-6.el4_8.2.s390"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.s390",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390x as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-0:0.8.3-6.el4_8.2.s390x"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.src as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-0:0.8.3-6.el4_8.2.src"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.src",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.x86_64 as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-0:0.8.3-6.el4_8.2.x86_64"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386 as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64 as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390 as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64 as a component of Red Hat Enterprise Linux Desktop version 4",
+ "product_id": "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "relates_to_product_reference": "4Desktop"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.i386 as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-0:0.8.3-6.el4_8.2.i386"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.i386",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ia64 as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-0:0.8.3-6.el4_8.2.ia64"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ppc as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-0:0.8.3-6.el4_8.2.ppc"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390 as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-0:0.8.3-6.el4_8.2.s390"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.s390",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390x as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-0:0.8.3-6.el4_8.2.s390x"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.src as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-0:0.8.3-6.el4_8.2.src"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.src",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.x86_64 as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-0:0.8.3-6.el4_8.2.x86_64"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386 as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64 as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390 as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64 as a component of Red Hat Enterprise Linux ES version 4",
+ "product_id": "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "relates_to_product_reference": "4ES"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.i386 as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-0:0.8.3-6.el4_8.2.i386"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.i386",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ia64 as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-0:0.8.3-6.el4_8.2.ia64"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.ppc as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-0:0.8.3-6.el4_8.2.ppc"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390 as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-0:0.8.3-6.el4_8.2.s390"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.s390",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.s390x as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-0:0.8.3-6.el4_8.2.s390x"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.src as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-0:0.8.3-6.el4_8.2.src"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.src",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.3-6.el4_8.2.x86_64 as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-0:0.8.3-6.el4_8.2.x86_64"
+ },
+ "product_reference": "PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386 as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64 as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390 as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64 as a component of Red Hat Enterprise Linux WS version 4",
+ "product_id": "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "relates_to_product_reference": "4WS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.i386 as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-0:0.8.4-4.el5_4.2.i386"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.i386",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.ia64 as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-0:0.8.4-4.el5_4.2.ia64"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.ppc as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-0:0.8.4-4.el5_4.2.ppc"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.s390x as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-0:0.8.4-4.el5_4.2.s390x"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.src as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-0:0.8.4-4.el5_4.2.src"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.src",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.x86_64 as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-0:0.8.4-4.el5_4.2.x86_64"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386 as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64 as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64 as a component of Red Hat Enterprise Linux Desktop (v. 5 client)",
+ "product_id": "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64",
+ "relates_to_product_reference": "5Client"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-0:0.8.4-4.el5_4.2.i386"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.i386",
+ "relates_to_product_reference": "5Server"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-0:0.8.4-4.el5_4.2.ia64"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "relates_to_product_reference": "5Server"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-0:0.8.4-4.el5_4.2.ppc"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "relates_to_product_reference": "5Server"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-0:0.8.4-4.el5_4.2.s390x"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "relates_to_product_reference": "5Server"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.src as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-0:0.8.4-4.el5_4.2.src"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.src",
+ "relates_to_product_reference": "5Server"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-0:0.8.4-4.el5_4.2.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-0:0.8.4-4.el5_4.2.x86_64"
+ },
+ "product_reference": "PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "relates_to_product_reference": "5Server"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "relates_to_product_reference": "5Server"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "relates_to_product_reference": "5Server"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "relates_to_product_reference": "5Server"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "relates_to_product_reference": "5Server"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
+ "product_id": "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64"
+ },
+ "product_reference": "PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64",
+ "relates_to_product_reference": "5Server"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-2009-3720",
+ "discovery_date": "2009-08-21T00:00:00+00:00",
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "531697"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "expat: buffer over-read and crash on XML with malformed UTF-8 sequences",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.i386",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.src",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.i386",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.src",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2009-3720"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#531697",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=531697"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2009-3720",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2009-3720"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-3720",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3720"
+ }
+ ],
+ "release_date": "2009-01-17T00:00:00+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2010-01-04T17:58:00+00:00",
+ "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
+ "product_ids": [
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.i386",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.src",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.i386",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.src",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHSA-2010:0002"
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v2": {
+ "accessComplexity": "LOW",
+ "accessVector": "NETWORK",
+ "authentication": "NONE",
+ "availabilityImpact": "PARTIAL",
+ "baseScore": 5.0,
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
+ "version": "2.0"
+ },
+ "products": [
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4AS:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4AS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4Desktop:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4Desktop:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4ES:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4ES:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.i386",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.ia64",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.ppc",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.s390",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.s390x",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.src",
+ "4WS:PyXML-0:0.8.3-6.el4_8.2.x86_64",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.i386",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ia64",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.ppc",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.s390x",
+ "4WS:PyXML-debuginfo-0:0.8.3-6.el4_8.2.x86_64",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.i386",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.src",
+ "5Client:PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "5Client:PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.i386",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.ia64",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.ppc",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.s390x",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.src",
+ "5Server:PyXML-0:0.8.4-4.el5_4.2.x86_64",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.i386",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ia64",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.ppc",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.s390x",
+ "5Server:PyXML-debuginfo-0:0.8.4-4.el5_4.2.x86_64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Moderate"
+ }
+ ],
+ "title": "expat: buffer over-read and crash on XML with malformed UTF-8 sequences"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/redhat/csaf_2_0/2025/rhba-2024_11505.json b/vulnerabilities/tests/test_data/redhat/csaf_2_0/2025/rhba-2024_11505.json
new file mode 100644
index 000000000..2c3a86007
--- /dev/null
+++ b/vulnerabilities/tests/test_data/redhat/csaf_2_0/2025/rhba-2024_11505.json
@@ -0,0 +1,1645 @@
+{
+ "document": {
+ "aggregate_severity": {
+ "namespace": "https://access.redhat.com/security/updates/classification/",
+ "text": "Important"
+ },
+ "category": "csaf_security_advisory",
+ "csaf_version": "2.0",
+ "distribution": {
+ "text": "Copyright © Red Hat, Inc. All rights reserved.",
+ "tlp": {
+ "label": "WHITE",
+ "url": "https://www.first.org/tlp/"
+ }
+ },
+ "lang": "en",
+ "notes": [
+ {
+ "category": "summary",
+ "text": "Red Hat OpenShift Container Platform release 4.16.28 is now available with updates to packages and images that fix several bugs.",
+ "title": "Topic"
+ },
+ {
+ "category": "general",
+ "text": "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.16.28. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHBA-2024:11502\n\nAll OpenShift Container Platform 4.16 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at\nhttps://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html",
+ "title": "Details"
+ },
+ {
+ "category": "legal_disclaimer",
+ "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
+ "title": "Terms of Use"
+ }
+ ],
+ "publisher": {
+ "category": "vendor",
+ "contact_details": "https://access.redhat.com/security/team/contact/",
+ "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
+ "name": "Red Hat Product Security",
+ "namespace": "https://www.redhat.com"
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "https://access.redhat.com/errata/RHBA-2024:11505",
+ "url": "https://access.redhat.com/errata/RHBA-2024:11505"
+ },
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhba-2024_11505.json"
+ }
+ ],
+ "title": "Red Hat Bug Fix Advisory: OpenShift Container Platform 4.16.28 packages and security update",
+ "tracking": {
+ "current_release_date": "2025-05-30T13:09:52+00:00",
+ "generator": {
+ "date": "2025-05-30T13:09:52+00:00",
+ "engine": {
+ "name": "Red Hat SDEngine",
+ "version": "4.6.1"
+ }
+ },
+ "id": "RHBA-2024:11505",
+ "initial_release_date": "2025-01-02T20:02:49+00:00",
+ "revision_history": [
+ {
+ "date": "2025-01-02T20:02:49+00:00",
+ "number": "1",
+ "summary": "Initial version"
+ },
+ {
+ "date": "2025-01-02T20:02:49+00:00",
+ "number": "2",
+ "summary": "Last updated version"
+ },
+ {
+ "date": "2025-05-30T13:09:52+00:00",
+ "number": "3",
+ "summary": "Last generated version"
+ }
+ ],
+ "status": "final",
+ "version": "3"
+ }
+ },
+ "product_tree": {
+ "branches": [
+ {
+ "branches": [
+ {
+ "branches": [
+ {
+ "category": "product_name",
+ "name": "Red Hat OpenShift Container Platform 4.16",
+ "product": {
+ "name": "Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16",
+ "product_identification_helper": {
+ "cpe": "cpe:/a:redhat:openshift:4.16::el9"
+ }
+ }
+ }
+ ],
+ "category": "product_family",
+ "name": "Red Hat OpenShift Enterprise"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "libreswan-0:4.6-3.el9_0.3.src",
+ "product": {
+ "name": "libreswan-0:4.6-3.el9_0.3.src",
+ "product_id": "libreswan-0:4.6-3.el9_0.3.src",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan@4.6-3.el9_0.3?arch=src"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "src"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "libreswan-0:4.6-3.el9_0.3.aarch64",
+ "product": {
+ "name": "libreswan-0:4.6-3.el9_0.3.aarch64",
+ "product_id": "libreswan-0:4.6-3.el9_0.3.aarch64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan@4.6-3.el9_0.3?arch=aarch64"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "product": {
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "product_id": "libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan-debugsource@4.6-3.el9_0.3?arch=aarch64"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "product": {
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "product_id": "libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan-debuginfo@4.6-3.el9_0.3?arch=aarch64"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "aarch64"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "product": {
+ "name": "libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "product_id": "libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan@4.6-3.el9_0.3?arch=ppc64le"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "product": {
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "product_id": "libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan-debugsource@4.6-3.el9_0.3?arch=ppc64le"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "product": {
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "product_id": "libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan-debuginfo@4.6-3.el9_0.3?arch=ppc64le"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "ppc64le"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "libreswan-0:4.6-3.el9_0.3.x86_64",
+ "product": {
+ "name": "libreswan-0:4.6-3.el9_0.3.x86_64",
+ "product_id": "libreswan-0:4.6-3.el9_0.3.x86_64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan@4.6-3.el9_0.3?arch=x86_64"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.x86_64",
+ "product": {
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.x86_64",
+ "product_id": "libreswan-debugsource-0:4.6-3.el9_0.3.x86_64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan-debugsource@4.6-3.el9_0.3?arch=x86_64"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "product": {
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "product_id": "libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan-debuginfo@4.6-3.el9_0.3?arch=x86_64"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "x86_64"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "libreswan-0:4.6-3.el9_0.3.s390x",
+ "product": {
+ "name": "libreswan-0:4.6-3.el9_0.3.s390x",
+ "product_id": "libreswan-0:4.6-3.el9_0.3.s390x",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan@4.6-3.el9_0.3?arch=s390x"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "product": {
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "product_id": "libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan-debugsource@4.6-3.el9_0.3?arch=s390x"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "product": {
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "product_id": "libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "product_identification_helper": {
+ "purl": "pkg:rpm/redhat/libreswan-debuginfo@4.6-3.el9_0.3?arch=s390x"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "s390x"
+ }
+ ],
+ "category": "vendor",
+ "name": "Red Hat"
+ }
+ ],
+ "relationships": [
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-0:4.6-3.el9_0.3.aarch64 as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64"
+ },
+ "product_reference": "libreswan-0:4.6-3.el9_0.3.aarch64",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-0:4.6-3.el9_0.3.ppc64le as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le"
+ },
+ "product_reference": "libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-0:4.6-3.el9_0.3.s390x as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x"
+ },
+ "product_reference": "libreswan-0:4.6-3.el9_0.3.s390x",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-0:4.6-3.el9_0.3.src as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src"
+ },
+ "product_reference": "libreswan-0:4.6-3.el9_0.3.src",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-0:4.6-3.el9_0.3.x86_64 as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64"
+ },
+ "product_reference": "libreswan-0:4.6-3.el9_0.3.x86_64",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64 as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64"
+ },
+ "product_reference": "libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le"
+ },
+ "product_reference": "libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.s390x as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x"
+ },
+ "product_reference": "libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64 as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64"
+ },
+ "product_reference": "libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.aarch64 as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64"
+ },
+ "product_reference": "libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le"
+ },
+ "product_reference": "libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.s390x as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x"
+ },
+ "product_reference": "libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "libreswan-debugsource-0:4.6-3.el9_0.3.x86_64 as a component of Red Hat OpenShift Container Platform 4.16",
+ "product_id": "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ },
+ "product_reference": "libreswan-debugsource-0:4.6-3.el9_0.3.x86_64",
+ "relates_to_product_reference": "9Base-RHOSE-4.16"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-2023-2295",
+ "cwe": {
+ "id": "CWE-400",
+ "name": "Uncontrolled Resource Consumption"
+ },
+ "discovery_date": "2023-04-26T00:00:00+00:00",
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2189777"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A vulnerability was found in the libreswan library. This security issue occurs when an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, and the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender reuses the libreswan responder SPI as its own initiator SPI, the pluto daemon state machine crashes. No remote code execution is possible. This CVE exists because of a CVE-2023-30570 security regression for libreswan package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "libreswan: Regression of CVE-2023-30570 fixes in the Red Hat Enterprise Linux",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "This issue only affects Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2, which introduced this regression via the following errata:\n\nhttps://access.redhat.com/errata/RHBA-2023:2865 (Red Hat Enterprise Linux 8.8)\nhttps://access.redhat.com/errata/RHBA-2023:2355 (Red Hat Enterprise Linux 9.2)\n\nThese errata provided updates for libreswan package, but did not include fixes for CVE-2023-30570.\n\nA user who installs or updates to Red Hat Enterprise Linux 8.8 or Red Hat Enterprise Linux 9.2 would be vulnerable to the CVE-2023-30570, even if they were properly fixed in Red Hat Enterprise Linux 8.7 and Red Hat Enterprise Linux 9.1. The CVE-2023-2295 was assigned to that Red Hat specific security regression and it is not applicable to any upstream libreswan version or libreswan packages of any other vendor that are not directly based on Red Hat Enterprise Linux packages.\n\nFor more details about the original security issue CVE-2023-30570, refer to the CVE page: https://access.redhat.com/security/cve/CVE-2023-30570.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-2295"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2189777",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2189777"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2023-2295",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2023-2295"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-2295",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2295"
+ }
+ ],
+ "release_date": "2023-05-09T00:00:00+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-02T20:02:49+00:00",
+ "details": "See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.16/updating/updating-cluster-cli.html",
+ "product_ids": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2024:11505"
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Important"
+ }
+ ],
+ "title": "libreswan: Regression of CVE-2023-30570 fixes in the Red Hat Enterprise Linux"
+ },
+ {
+ "cve": "CVE-2023-23009",
+ "cwe": {
+ "id": "CWE-20",
+ "name": "Improper Input Validation"
+ },
+ "discovery_date": "2023-02-21T00:00:00+00:00",
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2173610"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A flaw was found in the Libreswan package. A crafted TS payload with an incorrect selector length may allow a remote attacker to cause a denial of service.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "libreswan: remote DoS via crafted TS payload with an incorrect selector length",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-23009"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2173610",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2173610"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2023-23009",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2023-23009"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-23009",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23009"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/libreswan/libreswan/issues/954",
+ "url": "https://github.com/libreswan/libreswan/issues/954"
+ }
+ ],
+ "release_date": "2023-02-21T00:00:00+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-02T20:02:49+00:00",
+ "details": "See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.16/updating/updating-cluster-cli.html",
+ "product_ids": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2024:11505"
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Moderate"
+ }
+ ],
+ "title": "libreswan: remote DoS via crafted TS payload with an incorrect selector length"
+ },
+ {
+ "cve": "CVE-2023-30570",
+ "cwe": {
+ "id": "CWE-400",
+ "name": "Uncontrolled Resource Consumption"
+ },
+ "discovery_date": "2023-04-17T00:00:00+00:00",
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2187165"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A vulnerability was found in the libreswan library. This security issue occurs when an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, and the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender reuses the libreswan responder SPI as its own initiator SPI, the pluto daemon state machine crashes. No remote code execution is possible.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "libreswan: Malicious IKEv1 Aggressive Mode packets can crash libreswan",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-30570"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2187165",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187165"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2023-30570",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2023-30570"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-30570",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30570"
+ },
+ {
+ "category": "external",
+ "summary": "https://libreswan.org/security/",
+ "url": "https://libreswan.org/security/"
+ },
+ {
+ "category": "external",
+ "summary": "https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt",
+ "url": "https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt"
+ }
+ ],
+ "release_date": "2023-05-03T00:00:00+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-02T20:02:49+00:00",
+ "details": "See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.16/updating/updating-cluster-cli.html",
+ "product_ids": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2024:11505"
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Important"
+ }
+ ],
+ "title": "libreswan: Malicious IKEv1 Aggressive Mode packets can crash libreswan"
+ },
+ {
+ "acknowledgments": [
+ {
+ "names": [
+ "X1AOxiang"
+ ]
+ }
+ ],
+ "cve": "CVE-2023-38710",
+ "cwe": {
+ "id": "CWE-617",
+ "name": "Reachable Assertion"
+ },
+ "discovery_date": "2023-07-25T00:00:00+00:00",
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2225368"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "An assertion failure flaw was found in the Libreswan package that occurs when processing IKEv2 REKEY requests. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notification INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3). This flaw allows a malicious client or attacker to send a malformed IKEv2 REKEY packet, causing a crash and restarting the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "libreswan: Invalid IKEv2 REKEY proposal causes restart",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "IKEv2 REKEY requests are only processed when received from authenticated peers, limiting the scope of possible attackers to peers who have successfully authenticated.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-38710"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2225368",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2225368"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2023-38710",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2023-38710"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-38710",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38710"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/libreswan/libreswan/releases/tag/v4.12",
+ "url": "https://github.com/libreswan/libreswan/releases/tag/v4.12"
+ },
+ {
+ "category": "external",
+ "summary": "https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt",
+ "url": "https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt"
+ }
+ ],
+ "release_date": "2023-08-08T00:00:00+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-02T20:02:49+00:00",
+ "details": "See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.16/updating/updating-cluster-cli.html",
+ "product_ids": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2024:11505"
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Moderate"
+ }
+ ],
+ "title": "libreswan: Invalid IKEv2 REKEY proposal causes restart"
+ },
+ {
+ "cve": "CVE-2023-38711",
+ "cwe": {
+ "id": "CWE-476",
+ "name": "NULL Pointer Dereference"
+ },
+ "discovery_date": "2023-06-19T00:00:00+00:00",
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2215952"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A NULL pointer dereference flaw was found in Libreswan when processing IKEv1 Quick Mode requests. When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, it triggers a NULL pointer dereference error. This flaw allows a malicious client or attacker to send a malformed IKEv1 Quick Mode packet, causing a crash and restart of the libreswan pluto daemon. When sent continuously, this issue leads to a denial of service attack.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "libreswan: Invalid IKEv1 Quick Mode ID causes restart",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "IKEv1 Quick Mode requests are only processed when received from authenticated peers, limiting the scope of possible attackers to peers who have successfully authenticated.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-476: NULL Pointer Dereference vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform incorporates secure engineering principles and controls to enforce secure coding practices, including proper memory handling and error checking, reducing the likelihood of null pointer dereference vulnerabilities. Coding standards, tools, and processes support early detection and prevention of memory-related flaws. Static code analysis identifies null dereference and related issues during development, while system monitoring detects memory errors and anomalous behavior in the event of exploitation. Additionally, the platform leverages memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to strengthen resilience against memory-related vulnerabilities.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-38711"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2215952",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215952"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2023-38711",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2023-38711"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-38711",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38711"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/libreswan/libreswan/releases/tag/v4.12",
+ "url": "https://github.com/libreswan/libreswan/releases/tag/v4.12"
+ },
+ {
+ "category": "external",
+ "summary": "https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt",
+ "url": "https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt"
+ }
+ ],
+ "release_date": "2023-08-08T00:00:00+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-02T20:02:49+00:00",
+ "details": "See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.16/updating/updating-cluster-cli.html",
+ "product_ids": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2024:11505"
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Moderate"
+ }
+ ],
+ "title": "libreswan: Invalid IKEv1 Quick Mode ID causes restart"
+ },
+ {
+ "cve": "CVE-2023-38712",
+ "cwe": {
+ "id": "CWE-476",
+ "name": "NULL Pointer Dereference"
+ },
+ "discovery_date": "2023-07-25T00:00:00+00:00",
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2225369"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A NULL pointer dereference vulnerability was found in the Libreswan package. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state occurs. This flaw allows a malicious client or attacker to send a malformed IKEv1 Delete/Notify packet, causing a crash and restarting the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "libreswan: Invalid IKEv1 repeat IKE SA delete causes crash and restart",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "IKEv1 Delete/Notify requests are only processed when received from authenticated peers, limiting the scope of possible attackers to peers who have successfully authenticated.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-476: NULL Pointer Dereference vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform incorporates secure engineering principles and controls to enforce secure coding practices, including proper memory handling and error checking, reducing the likelihood of null pointer dereference vulnerabilities. Coding standards, tools, and processes support early detection and prevention of memory-related flaws. Static code analysis identifies null dereference and related issues during development, while system monitoring detects memory errors and anomalous behavior in the event of exploitation. Additionally, the platform leverages memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to strengthen resilience against memory-related vulnerabilities.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-38712"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2225369",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2225369"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2023-38712",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2023-38712"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-38712",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38712"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/libreswan/libreswan/releases/tag/v4.12",
+ "url": "https://github.com/libreswan/libreswan/releases/tag/v4.12"
+ },
+ {
+ "category": "external",
+ "summary": "https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt",
+ "url": "https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt"
+ }
+ ],
+ "release_date": "2023-08-08T00:00:00+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-02T20:02:49+00:00",
+ "details": "See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.16/updating/updating-cluster-cli.html",
+ "product_ids": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2024:11505"
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Moderate"
+ }
+ ],
+ "title": "libreswan: Invalid IKEv1 repeat IKE SA delete causes crash and restart"
+ },
+ {
+ "acknowledgments": [
+ {
+ "names": [
+ "Andrew Vaughn"
+ ]
+ }
+ ],
+ "cve": "CVE-2024-2357",
+ "cwe": {
+ "id": "CWE-400",
+ "name": "Uncontrolled Resource Consumption"
+ },
+ "discovery_date": "2024-03-11T00:00:00+00:00",
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2268952"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A flaw was found in Libreswan. This issue causes Libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret), and the connection cannot find a matching configured secret. When automatically added on startup using the auto= keyword, it can cause repeated crashes, leading to a denial of service.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "libreswan: Missing PreSharedKey for connection can cause crash",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "Libreswan may restart repeatedly under certain IKEv2 retransmission scenarios when using PreSharedKeys (authby=secret) if the connection cannot find a matching configured secret. If such a connection is added automatically on startup using the auto= keyword, it can lead to repeated crashes, causing a denial of service. The vulnerability arises when IKEv2 fails to find its PreSharedKey for the AUTH payload in the IKE_AUTH Exchange, resulting in assertion failure and daemon crashes. This vulnerability is triggered by local misconfiguration, and there is no known exploitation by external peers.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-2357"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2268952",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268952"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2024-2357",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2024-2357"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-2357",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2357"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/libreswan/libreswan/commit/cb9e1047d33fde695d63a95854c2bc2470a476c8.patch",
+ "url": "https://github.com/libreswan/libreswan/commit/cb9e1047d33fde695d63a95854c2bc2470a476c8.patch"
+ },
+ {
+ "category": "external",
+ "summary": "https://libreswan.org/security/CVE-2024-2357",
+ "url": "https://libreswan.org/security/CVE-2024-2357"
+ }
+ ],
+ "release_date": "2024-03-11T00:00:00+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-02T20:02:49+00:00",
+ "details": "See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.16/updating/updating-cluster-cli.html",
+ "product_ids": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2024:11505"
+ },
+ {
+ "category": "workaround",
+ "details": "As a workaround to prevent the misconfiguration from causing the crash, place an unguessable long random \"catch-all\" secret in /etc/ipsec.secrets, for example, using the following command:\n\necho -e \"# CVE-2024-2357 workaround\\n: PSK \\\"$(openssl rand -hex 32)\\\"\" >> /etc/ipsec.secrets\n\nThis will ensure a PSK secret is always found, but it will always be wrong, and thus authentication will still properly fail.",
+ "product_ids": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 5.0,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Moderate"
+ }
+ ],
+ "title": "libreswan: Missing PreSharedKey for connection can cause crash"
+ },
+ {
+ "cve": "CVE-2024-3652",
+ "cwe": {
+ "id": "CWE-617",
+ "name": "Reachable Assertion"
+ },
+ "discovery_date": "2024-04-11T00:00:00+00:00",
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2274448"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A flaw was found in Libreswan, where it was identified to contain an assertion failure issue in the compute_proto_keymat() function. The vulnerability can be exploited when an IKEv1 connection is loaded with an AH/ESP default setting when no esp= line is present in the connection. This flaw allows an authenticated attacker to send the bogus AES-GMAC proposal request, triggering the issue and causing Libreswan to crash and restart. When this connection is automatically added on startup using the auto= keyword, it can cause repeated crashes, leading to a denial of service. No remote code execution is possible.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "libreswan: IKEv1 default AH/ESP responder can crash and restart",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "The CVE-2024-3652 vulnerability in Libreswan is classified as a moderate severity issue due to its limited scope and impact. While the vulnerability can lead to Denial of Service (DoS) by causing the Libreswan service to crash and restart, it does not allow for Remote Code Execution or expose sensitive data. Additionally, the exploitation of this vulnerability requires specific conditions to be met: an IKEv1 connection loaded without an esp= line and the peer to have authenticated itself. Furthermore, IKEv2 connections are not vulnerable to this issue.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-3652"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2274448",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274448"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2024-3652",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2024-3652"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-3652",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3652"
+ },
+ {
+ "category": "external",
+ "summary": "https://libreswan.org/security/CVE-2024-3652",
+ "url": "https://libreswan.org/security/CVE-2024-3652"
+ }
+ ],
+ "release_date": "2024-04-15T00:00:00+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-02T20:02:49+00:00",
+ "details": "See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.16/updating/updating-cluster-cli.html",
+ "product_ids": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2024:11505"
+ },
+ {
+ "category": "workaround",
+ "details": "An esp= line using a common IKEv1 algorithm list can be added to all IKEv1 based connections. An example of such an esp= line could be:\n~~~\nesp=aes-sha2_512,aes-sha1,aes-sha2_256,aes-md5,3des-sha1,3des-md5\n~~~",
+ "product_ids": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.src",
+ "9Base-RHOSE-4.16:libreswan-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debuginfo-0:4.6-3.el9_0.3.x86_64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.aarch64",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.ppc64le",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.s390x",
+ "9Base-RHOSE-4.16:libreswan-debugsource-0:4.6-3.el9_0.3.x86_64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Moderate"
+ }
+ ],
+ "title": "libreswan: IKEv1 default AH/ESP responder can crash and restart"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/redhat/csaf_2_0/2025/rhba-2025_0409.json b/vulnerabilities/tests/test_data/redhat/csaf_2_0/2025/rhba-2025_0409.json
new file mode 100644
index 000000000..8693b110b
--- /dev/null
+++ b/vulnerabilities/tests/test_data/redhat/csaf_2_0/2025/rhba-2025_0409.json
@@ -0,0 +1,1066 @@
+{
+ "document": {
+ "aggregate_severity": {
+ "namespace": "https://access.redhat.com/security/updates/classification/",
+ "text": "Important"
+ },
+ "category": "csaf_security_advisory",
+ "csaf_version": "2.0",
+ "distribution": {
+ "text": "Copyright © Red Hat, Inc. All rights reserved.",
+ "tlp": {
+ "label": "WHITE",
+ "url": "https://www.first.org/tlp/"
+ }
+ },
+ "lang": "en",
+ "notes": [
+ {
+ "category": "summary",
+ "text": "Red Hat Developer Hub 1.4 has been released.",
+ "title": "Topic"
+ },
+ {
+ "category": "general",
+ "text": "Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
+ "title": "Details"
+ },
+ {
+ "category": "legal_disclaimer",
+ "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
+ "title": "Terms of Use"
+ }
+ ],
+ "publisher": {
+ "category": "vendor",
+ "contact_details": "https://access.redhat.com/security/team/contact/",
+ "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
+ "name": "Red Hat Product Security",
+ "namespace": "https://www.redhat.com"
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "https://access.redhat.com/errata/RHBA-2025:0409",
+ "url": "https://access.redhat.com/errata/RHBA-2025:0409"
+ },
+ {
+ "category": "external",
+ "summary": "https://developers.redhat.com/rhdh/overview",
+ "url": "https://developers.redhat.com/rhdh/overview"
+ },
+ {
+ "category": "external",
+ "summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub",
+ "url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub"
+ },
+ {
+ "category": "external",
+ "summary": "https://catalog.redhat.com/search?gs&searchType=containers&q=rhdh",
+ "url": "https://catalog.redhat.com/search?gs&searchType=containers&q=rhdh"
+ },
+ {
+ "category": "external",
+ "summary": "https://access.redhat.com/security/cve/CVE-2024-45338",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-45338"
+ },
+ {
+ "category": "external",
+ "summary": "https://access.redhat.com/security/cve/CVE-2024-52798",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-52798"
+ },
+ {
+ "category": "external",
+ "summary": "https://access.redhat.com/security/cve/CVE-2024-55565",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-55565"
+ },
+ {
+ "category": "external",
+ "summary": "https://access.redhat.com/security/cve/CVE-2024-56201",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-56201"
+ },
+ {
+ "category": "external",
+ "summary": "https://access.redhat.com/security/cve/CVE-2024-56326",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-56326"
+ },
+ {
+ "category": "external",
+ "summary": "https://access.redhat.com/security/cve/CVE-2024-56334",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-56334"
+ },
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhba-2025_0409.json"
+ }
+ ],
+ "title": "Red Hat Bug Fix Advisory: Red Hat Developer Hub 1.4.1 release.",
+ "tracking": {
+ "current_release_date": "2025-07-31T10:36:28+00:00",
+ "generator": {
+ "date": "2025-07-31T10:36:28+00:00",
+ "engine": {
+ "name": "Red Hat SDEngine",
+ "version": "4.6.6"
+ }
+ },
+ "id": "RHBA-2025:0409",
+ "initial_release_date": "2025-01-20T12:54:15+00:00",
+ "revision_history": [
+ {
+ "date": "2025-01-20T12:54:15+00:00",
+ "number": "1",
+ "summary": "Initial version"
+ },
+ {
+ "date": "2025-02-12T12:54:15+00:00",
+ "number": "2",
+ "summary": "Last updated version"
+ },
+ {
+ "date": "2025-07-31T10:36:28+00:00",
+ "number": "3",
+ "summary": "Last generated version"
+ }
+ ],
+ "status": "final",
+ "version": "3"
+ }
+ },
+ "product_tree": {
+ "branches": [
+ {
+ "branches": [
+ {
+ "branches": [
+ {
+ "category": "product_name",
+ "name": "Red Hat Developer Hub (RHDH) 1.4",
+ "product": {
+ "name": "Red Hat Developer Hub (RHDH) 1.4",
+ "product_id": "Red Hat Developer Hub (RHDH) 1.4",
+ "product_identification_helper": {
+ "cpe": "cpe:/a:redhat:rhdh:1.4::el9"
+ }
+ }
+ }
+ ],
+ "category": "product_family",
+ "name": "Red Hat Developer Hub (RHDH)"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "product": {
+ "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/rhdh-hub-rhel9@sha256%3Ad8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572?arch=amd64&repository_url=registry.redhat.io/rhdh&tag=1.4-1737055846"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64",
+ "product": {
+ "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64",
+ "product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/rhdh-rhel9-operator@sha256%3A9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60?arch=amd64&repository_url=registry.redhat.io/rhdh&tag=1.4-1737054925"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "product": {
+ "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "product_id": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/rhdh-operator-bundle@sha256%3Aa91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303?arch=amd64&repository_url=registry.redhat.io/rhdh&tag=1.4-1737079124"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "amd64"
+ }
+ ],
+ "category": "vendor",
+ "name": "Red Hat"
+ }
+ ],
+ "relationships": [
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64 as a component of Red Hat Developer Hub (RHDH) 1.4",
+ "product_id": "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ },
+ "product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "relates_to_product_reference": "Red Hat Developer Hub (RHDH) 1.4"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64 as a component of Red Hat Developer Hub (RHDH) 1.4",
+ "product_id": "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64"
+ },
+ "product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "relates_to_product_reference": "Red Hat Developer Hub (RHDH) 1.4"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64 as a component of Red Hat Developer Hub (RHDH) 1.4",
+ "product_id": "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ },
+ "product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64",
+ "relates_to_product_reference": "Red Hat Developer Hub (RHDH) 1.4"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-2024-45338",
+ "cwe": {
+ "id": "CWE-770",
+ "name": "Allocation of Resources Without Limits or Throttling"
+ },
+ "discovery_date": "2024-12-18T21:00:59.938173+00:00",
+ "flags": [
+ {
+ "label": "vulnerable_code_not_present",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64"
+ ]
+ }
+ ],
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2333122"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "This vulnerability is rated as an Important severity because an attacker can craft malicious input that causes the parsing functions to process data non-linearly, resulting in significant delays which leads to a denial of service by exhausting system resources.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ],
+ "known_not_affected": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-45338"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2333122",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333122"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2024-45338",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45338",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45338"
+ },
+ {
+ "category": "external",
+ "summary": "https://go.dev/cl/637536",
+ "url": "https://go.dev/cl/637536"
+ },
+ {
+ "category": "external",
+ "summary": "https://go.dev/issue/70906",
+ "url": "https://go.dev/issue/70906"
+ },
+ {
+ "category": "external",
+ "summary": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ",
+ "url": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ"
+ },
+ {
+ "category": "external",
+ "summary": "https://pkg.go.dev/vuln/GO-2024-3333",
+ "url": "https://pkg.go.dev/vuln/GO-2024-3333"
+ }
+ ],
+ "release_date": "2024-12-18T20:38:22.660000+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-20T12:54:15+00:00",
+ "details": "For more about Red Hat Developer Hub, see References links",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2025:0409"
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Important"
+ }
+ ],
+ "title": "golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html"
+ },
+ {
+ "cve": "CVE-2024-52798",
+ "cwe": {
+ "id": "CWE-1333",
+ "name": "Inefficient Regular Expression Complexity"
+ },
+ "discovery_date": "2024-12-05T23:00:59.020167+00:00",
+ "flags": [
+ {
+ "label": "vulnerable_code_not_present",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2330689"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A flaw was found in path-to-regexp. A path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "path-to-regexp: path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "This vulnerability exists because of an incomplete fix for CVE-2024-45296.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ ],
+ "known_not_affected": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-52798"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2330689",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2330689"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2024-52798",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2024-52798"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-52798",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52798"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4",
+ "url": "https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w",
+ "url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w"
+ }
+ ],
+ "release_date": "2024-12-05T22:45:42.774000+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-20T12:54:15+00:00",
+ "details": "For more about Red Hat Developer Hub, see References links",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2025:0409"
+ },
+ {
+ "category": "workaround",
+ "details": "Avoid using two parameters within a single path segment when the separator is not, for example, /:a-:b. Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "LOW",
+ "baseScore": 5.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+ "version": "3.1"
+ },
+ "products": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Moderate"
+ }
+ ],
+ "title": "path-to-regexp: path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x"
+ },
+ {
+ "cve": "CVE-2024-55565",
+ "cwe": {
+ "id": "CWE-835",
+ "name": "Loop with Unreachable Exit Condition ('Infinite Loop')"
+ },
+ "discovery_date": "2024-12-09T02:00:45.255738+00:00",
+ "flags": [
+ {
+ "label": "vulnerable_code_not_present",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2331063"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "nanoid: nanoid mishandles non-integer values",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ ],
+ "known_not_affected": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-55565"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2331063",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331063"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2024-55565",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2024-55565"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-55565",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55565"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/ai/nanoid/compare/3.3.7...3.3.8",
+ "url": "https://github.com/ai/nanoid/compare/3.3.7...3.3.8"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/ai/nanoid/pull/510",
+ "url": "https://github.com/ai/nanoid/pull/510"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/ai/nanoid/releases/tag/5.0.9",
+ "url": "https://github.com/ai/nanoid/releases/tag/5.0.9"
+ }
+ ],
+ "release_date": "2024-12-09T00:00:00+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-20T12:54:15+00:00",
+ "details": "For more about Red Hat Developer Hub, see References links",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2025:0409"
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Moderate"
+ }
+ ],
+ "title": "nanoid: nanoid mishandles non-integer values"
+ },
+ {
+ "cve": "CVE-2024-56201",
+ "cwe": {
+ "id": "CWE-150",
+ "name": "Improper Neutralization of Escape, Meta, or Control Sequences"
+ },
+ "discovery_date": "2024-12-23T16:00:38.768252+00:00",
+ "flags": [
+ {
+ "label": "vulnerable_code_not_present",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2333854"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A flaw was found in the Jinja2 package. A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of Jinja's sandbox being used. An attacker needs to be able to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates where the template author can also choose the template filename.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "jinja2: Jinja has a sandbox breakout through malicious filenames",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "This vulnerability has rated as a IMPORTANT flaw because an attacker controlling both the template content and filename to execute arbitrary Python code, bypassing the sandbox.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ ],
+ "known_not_affected": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-56201"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2333854",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333854"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2024-56201",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2024-56201"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-56201",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56201"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f",
+ "url": "https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/pallets/jinja/issues/1792",
+ "url": "https://github.com/pallets/jinja/issues/1792"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/pallets/jinja/releases/tag/3.1.5",
+ "url": "https://github.com/pallets/jinja/releases/tag/3.1.5"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699",
+ "url": "https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699"
+ }
+ ],
+ "release_date": "2024-12-23T15:37:36.110000+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-20T12:54:15+00:00",
+ "details": "For more about Red Hat Developer Hub, see References links",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2025:0409"
+ },
+ {
+ "category": "workaround",
+ "details": "To mitigate this vulnerabilty restrict user-controlled template filenames, ensuring they follow a predefined templates.",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Important"
+ }
+ ],
+ "title": "jinja2: Jinja has a sandbox breakout through malicious filenames"
+ },
+ {
+ "cve": "CVE-2024-56326",
+ "cwe": {
+ "id": "CWE-693",
+ "name": "Protection Mechanism Failure"
+ },
+ "discovery_date": "2024-12-23T16:00:46.619763+00:00",
+ "flags": [
+ {
+ "label": "vulnerable_code_not_present",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2333856"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A flaw was found in the Jinja package. In affected versions of Jinja, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, storing a reference to a malicious string's format method is possible, then passing that to a filter that calls it. No such filters are built into Jinja but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "jinja2: Jinja has a sandbox breakout through indirect reference to format method",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "This vulnerability is rated as Moderate due to an oversight in Jinja's sandbox environment, allowing attackers to execute arbitrary Python code through controlled template content. This requires control over template content, making exploitation possible only in specific applications, thus limiting its overall impact.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ ],
+ "known_not_affected": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-56326"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2333856",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333856"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2024-56326",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2024-56326"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-56326",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56326"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4",
+ "url": "https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/pallets/jinja/releases/tag/3.1.5",
+ "url": "https://github.com/pallets/jinja/releases/tag/3.1.5"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h",
+ "url": "https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h"
+ }
+ ],
+ "release_date": "2024-12-23T15:43:49.400000+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-20T12:54:15+00:00",
+ "details": "For more about Red Hat Developer Hub, see References links",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2025:0409"
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "HIGH",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 6.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "HIGH",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Moderate"
+ }
+ ],
+ "title": "jinja2: Jinja has a sandbox breakout through indirect reference to format method"
+ },
+ {
+ "cve": "CVE-2024-56334",
+ "cwe": {
+ "id": "CWE-94",
+ "name": "Improper Control of Generation of Code ('Code Injection')"
+ },
+ "discovery_date": "2024-12-20T21:00:48.166699+00:00",
+ "flags": [
+ {
+ "label": "vulnerable_code_not_present",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "2333587"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A flaw was found in the systeminformation library for Node.js. In Windows systems, the SSID parameter of the `getWindowsIEEE8021x` function is not sanitized before it is passed to cmd.exe. This may allow a remote attacker to execute arbitrary commands on the target system.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "systeminformation: Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "other",
+ "text": "This vulnerability in the systeminformation library is marked as a high-severity issue because it allows for the execution of arbitrary commands via an unsanitized SSID input passed to `cmd.exe`. Since this flaw can lead to remote code execution (RCE) or local privilege escalation, it provides an attacker with the potential to execute malicious scripts on the affected system.",
+ "title": "Statement"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ ],
+ "known_not_affected": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-56334"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2333587",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333587"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2024-56334",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2024-56334"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-56334",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56334"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41",
+ "url": "https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41"
+ },
+ {
+ "category": "external",
+ "summary": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m",
+ "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m"
+ }
+ ],
+ "release_date": "2024-12-20T20:10:12.578000+00:00",
+ "remediations": [
+ {
+ "category": "vendor_fix",
+ "date": "2025-01-20T12:54:15+00:00",
+ "details": "For more about Red Hat Developer Hub, see References links",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64"
+ ],
+ "restart_required": {
+ "category": "none"
+ },
+ "url": "https://access.redhat.com/errata/RHBA-2025:0409"
+ },
+ {
+ "category": "workaround",
+ "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
+ "product_ids": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackComplexity": "LOW",
+ "attackVector": "ADJACENT_NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.0,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ },
+ "products": [
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:a91c4931ef5111c555ec5cc8128c3148c94fe2983d2e4fa7babe843e9292b303_amd64",
+ "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e1e2fac9519bd480c9629f5a9cf69be0169715483b7e662eaac61a48b37eb60_amd64"
+ ]
+ }
+ ],
+ "threats": [
+ {
+ "category": "impact",
+ "details": "Important"
+ }
+ ],
+ "title": "systeminformation: Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/redhat/csaf_2_0/2025/rhba-2025_1079.json b/vulnerabilities/tests/test_data/redhat/csaf_2_0/2025/rhba-2025_1079.json
new file mode 100644
index 000000000..37be36e34
--- /dev/null
+++ b/vulnerabilities/tests/test_data/redhat/csaf_2_0/2025/rhba-2025_1079.json
@@ -0,0 +1,984 @@
+{
+ "document": {
+ "aggregate_severity": {
+ "namespace": "https://access.redhat.com/security/updates/classification/",
+ "text": "Moderate"
+ },
+ "category": "csaf_security_advisory",
+ "csaf_version": "2.0",
+ "distribution": {
+ "text": "Copyright © Red Hat, Inc. All rights reserved.",
+ "tlp": {
+ "label": "WHITE",
+ "url": "https://www.first.org/tlp/"
+ }
+ },
+ "lang": "en",
+ "notes": [
+ {
+ "category": "summary",
+ "text": "Red Hat Quay 3.13.4 is now available with bug fixes.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
+ "title": "Topic"
+ },
+ {
+ "category": "general",
+ "text": "Quay 3.13.4",
+ "title": "Details"
+ },
+ {
+ "category": "legal_disclaimer",
+ "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
+ "title": "Terms of Use"
+ }
+ ],
+ "publisher": {
+ "category": "vendor",
+ "contact_details": "https://access.redhat.com/security/team/contact/",
+ "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
+ "name": "Red Hat Product Security",
+ "namespace": "https://www.redhat.com"
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "https://access.redhat.com/errata/RHBA-2025:1079",
+ "url": "https://access.redhat.com/errata/RHBA-2025:1079"
+ },
+ {
+ "category": "external",
+ "summary": "PROJQUAY-8577",
+ "url": "https://issues.redhat.com/browse/PROJQUAY-8577"
+ },
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhba-2025_1079.json"
+ }
+ ],
+ "title": "Red Hat Bug Fix Advisory: Red Hat Quay v3.13.4 bug fix release",
+ "tracking": {
+ "current_release_date": "2025-07-31T11:46:03+00:00",
+ "generator": {
+ "date": "2025-07-31T11:46:03+00:00",
+ "engine": {
+ "name": "Red Hat SDEngine",
+ "version": "4.6.6"
+ }
+ },
+ "id": "RHBA-2025:1079",
+ "initial_release_date": "2025-02-24T03:42:46+00:00",
+ "revision_history": [
+ {
+ "date": "2025-02-24T03:42:46+00:00",
+ "number": "1",
+ "summary": "Initial version"
+ },
+ {
+ "date": "2025-02-24T03:42:46+00:00",
+ "number": "2",
+ "summary": "Last updated version"
+ },
+ {
+ "date": "2025-07-31T11:46:03+00:00",
+ "number": "3",
+ "summary": "Last generated version"
+ }
+ ],
+ "status": "final",
+ "version": "3"
+ }
+ },
+ "product_tree": {
+ "branches": [
+ {
+ "branches": [
+ {
+ "branches": [
+ {
+ "category": "product_name",
+ "name": "Quay v3",
+ "product": {
+ "name": "Quay v3",
+ "product_id": "8Base-Quay-3",
+ "product_identification_helper": {
+ "cpe": "cpe:/a:redhat:quay:3::el8"
+ }
+ }
+ }
+ ],
+ "category": "product_family",
+ "name": "Red Hat Quay"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "quay/quay-bridge-operator-bundle@sha256:8c2d03c9b14aa2d9bbcffade943c94237523f52ddce814caaf6b0578aae6b1ab_amd64",
+ "product": {
+ "name": "quay/quay-bridge-operator-bundle@sha256:8c2d03c9b14aa2d9bbcffade943c94237523f52ddce814caaf6b0578aae6b1ab_amd64",
+ "product_id": "quay/quay-bridge-operator-bundle@sha256:8c2d03c9b14aa2d9bbcffade943c94237523f52ddce814caaf6b0578aae6b1ab_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-bridge-operator-bundle@sha256:8c2d03c9b14aa2d9bbcffade943c94237523f52ddce814caaf6b0578aae6b1ab?arch=amd64&repository_url=registry.redhat.io/quay/quay-bridge-operator-bundle&tag=v3.13.4-2"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-bridge-operator-rhel8@sha256:8f3941a45070ffdf9a9d6c12588bf4c33346fb600333dddb719ee0e435210a68_amd64",
+ "product": {
+ "name": "quay/quay-bridge-operator-rhel8@sha256:8f3941a45070ffdf9a9d6c12588bf4c33346fb600333dddb719ee0e435210a68_amd64",
+ "product_id": "quay/quay-bridge-operator-rhel8@sha256:8f3941a45070ffdf9a9d6c12588bf4c33346fb600333dddb719ee0e435210a68_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-bridge-operator-rhel8@sha256:8f3941a45070ffdf9a9d6c12588bf4c33346fb600333dddb719ee0e435210a68?arch=amd64&repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel8&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-builder-rhel8@sha256:7f9c67dbaa841f3a96c70e020f341141f046955b575cff3f9070a45eefddf12f_amd64",
+ "product": {
+ "name": "quay/quay-builder-rhel8@sha256:7f9c67dbaa841f3a96c70e020f341141f046955b575cff3f9070a45eefddf12f_amd64",
+ "product_id": "quay/quay-builder-rhel8@sha256:7f9c67dbaa841f3a96c70e020f341141f046955b575cff3f9070a45eefddf12f_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-builder-rhel8@sha256:7f9c67dbaa841f3a96c70e020f341141f046955b575cff3f9070a45eefddf12f?arch=amd64&repository_url=registry.redhat.io/quay/quay-builder-rhel8&tag=v3.13.4-2"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:d45694397744073aaeb9e79e381b3dc3c13f163adf58cc16cfddebe033db80e2_amd64",
+ "product": {
+ "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:d45694397744073aaeb9e79e381b3dc3c13f163adf58cc16cfddebe033db80e2_amd64",
+ "product_id": "quay/quay-builder-qemu-rhcos-rhel8@sha256:d45694397744073aaeb9e79e381b3dc3c13f163adf58cc16cfddebe033db80e2_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-builder-qemu-rhcos-rhel8@sha256:d45694397744073aaeb9e79e381b3dc3c13f163adf58cc16cfddebe033db80e2?arch=amd64&repository_url=registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/clair-rhel8@sha256:0204fd4290da6989e8b28b57e99f4f92466b1f60b77b00347850f3b8c176d524_amd64",
+ "product": {
+ "name": "quay/clair-rhel8@sha256:0204fd4290da6989e8b28b57e99f4f92466b1f60b77b00347850f3b8c176d524_amd64",
+ "product_id": "quay/clair-rhel8@sha256:0204fd4290da6989e8b28b57e99f4f92466b1f60b77b00347850f3b8c176d524_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/clair-rhel8@sha256:0204fd4290da6989e8b28b57e99f4f92466b1f60b77b00347850f3b8c176d524?arch=amd64&repository_url=registry.redhat.io/quay/clair-rhel8&tag=v3.13.4-2"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-container-security-operator-bundle@sha256:af4f196e63cc1e47a081d9f9f70f41b91983d86bdf1a4d5a0b9f2d8e573e2d5f_amd64",
+ "product": {
+ "name": "quay/quay-container-security-operator-bundle@sha256:af4f196e63cc1e47a081d9f9f70f41b91983d86bdf1a4d5a0b9f2d8e573e2d5f_amd64",
+ "product_id": "quay/quay-container-security-operator-bundle@sha256:af4f196e63cc1e47a081d9f9f70f41b91983d86bdf1a4d5a0b9f2d8e573e2d5f_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-container-security-operator-bundle@sha256:af4f196e63cc1e47a081d9f9f70f41b91983d86bdf1a4d5a0b9f2d8e573e2d5f?arch=amd64&repository_url=registry.redhat.io/quay/quay-container-security-operator-bundle&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-container-security-operator-rhel8@sha256:468820f558c151257ef219a0a38a21436817f6393767b22617dfc8a0f3276f7c_amd64",
+ "product": {
+ "name": "quay/quay-container-security-operator-rhel8@sha256:468820f558c151257ef219a0a38a21436817f6393767b22617dfc8a0f3276f7c_amd64",
+ "product_id": "quay/quay-container-security-operator-rhel8@sha256:468820f558c151257ef219a0a38a21436817f6393767b22617dfc8a0f3276f7c_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-container-security-operator-rhel8@sha256:468820f558c151257ef219a0a38a21436817f6393767b22617dfc8a0f3276f7c?arch=amd64&repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel8&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-operator-bundle@sha256:6cc8cf175183a488c50d0f2bb2aff91180d70722ea6cf39967e53092adac69ff_amd64",
+ "product": {
+ "name": "quay/quay-operator-bundle@sha256:6cc8cf175183a488c50d0f2bb2aff91180d70722ea6cf39967e53092adac69ff_amd64",
+ "product_id": "quay/quay-operator-bundle@sha256:6cc8cf175183a488c50d0f2bb2aff91180d70722ea6cf39967e53092adac69ff_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-operator-bundle@sha256:6cc8cf175183a488c50d0f2bb2aff91180d70722ea6cf39967e53092adac69ff?arch=amd64&repository_url=registry.redhat.io/quay/quay-operator-bundle&tag=v3.13.4-9"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-operator-rhel8@sha256:6ebb2498e2e9d70852e258739b8676d9928c68049c93318f2178eebac38b0ba5_amd64",
+ "product": {
+ "name": "quay/quay-operator-rhel8@sha256:6ebb2498e2e9d70852e258739b8676d9928c68049c93318f2178eebac38b0ba5_amd64",
+ "product_id": "quay/quay-operator-rhel8@sha256:6ebb2498e2e9d70852e258739b8676d9928c68049c93318f2178eebac38b0ba5_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-operator-rhel8@sha256:6ebb2498e2e9d70852e258739b8676d9928c68049c93318f2178eebac38b0ba5?arch=amd64&repository_url=registry.redhat.io/quay/quay-operator-rhel8&tag=v3.13.4-3"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-rhel8@sha256:906688d8356f1931370d1f864b88ba53a6755a9c82de6134846907ad0bae48e4_amd64",
+ "product": {
+ "name": "quay/quay-rhel8@sha256:906688d8356f1931370d1f864b88ba53a6755a9c82de6134846907ad0bae48e4_amd64",
+ "product_id": "quay/quay-rhel8@sha256:906688d8356f1931370d1f864b88ba53a6755a9c82de6134846907ad0bae48e4_amd64",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-rhel8@sha256:906688d8356f1931370d1f864b88ba53a6755a9c82de6134846907ad0bae48e4?arch=amd64&repository_url=registry.redhat.io/quay/quay-rhel8&tag=v3.13.4-6"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "amd64"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "quay/quay-bridge-operator-bundle@sha256:97beaa8ac6dc90529ded16c9dcf9c3362d42efaa95d84ed50b7be9dd59a9e578_ppc64le",
+ "product": {
+ "name": "quay/quay-bridge-operator-bundle@sha256:97beaa8ac6dc90529ded16c9dcf9c3362d42efaa95d84ed50b7be9dd59a9e578_ppc64le",
+ "product_id": "quay/quay-bridge-operator-bundle@sha256:97beaa8ac6dc90529ded16c9dcf9c3362d42efaa95d84ed50b7be9dd59a9e578_ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-bridge-operator-bundle@sha256:97beaa8ac6dc90529ded16c9dcf9c3362d42efaa95d84ed50b7be9dd59a9e578?arch=ppc64le&repository_url=registry.redhat.io/quay/quay-bridge-operator-bundle&tag=v3.13.4-2"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-bridge-operator-rhel8@sha256:db7c6a49d4150957f0cfb10ce3902722d7d901f41962bf4b960fb7ddf93a9a98_ppc64le",
+ "product": {
+ "name": "quay/quay-bridge-operator-rhel8@sha256:db7c6a49d4150957f0cfb10ce3902722d7d901f41962bf4b960fb7ddf93a9a98_ppc64le",
+ "product_id": "quay/quay-bridge-operator-rhel8@sha256:db7c6a49d4150957f0cfb10ce3902722d7d901f41962bf4b960fb7ddf93a9a98_ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-bridge-operator-rhel8@sha256:db7c6a49d4150957f0cfb10ce3902722d7d901f41962bf4b960fb7ddf93a9a98?arch=ppc64le&repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel8&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-builder-rhel8@sha256:a27c1809b007085e59e8b9e15ec5fc55b5cfbdfcc23f5bba8ccf9ebd12a29562_ppc64le",
+ "product": {
+ "name": "quay/quay-builder-rhel8@sha256:a27c1809b007085e59e8b9e15ec5fc55b5cfbdfcc23f5bba8ccf9ebd12a29562_ppc64le",
+ "product_id": "quay/quay-builder-rhel8@sha256:a27c1809b007085e59e8b9e15ec5fc55b5cfbdfcc23f5bba8ccf9ebd12a29562_ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-builder-rhel8@sha256:a27c1809b007085e59e8b9e15ec5fc55b5cfbdfcc23f5bba8ccf9ebd12a29562?arch=ppc64le&repository_url=registry.redhat.io/quay/quay-builder-rhel8&tag=v3.13.4-2"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:8338e1d9da6ebcfa8ac9e93709d44d2c6b3052cec3c1c316d6c50fc85a73f1cb_ppc64le",
+ "product": {
+ "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:8338e1d9da6ebcfa8ac9e93709d44d2c6b3052cec3c1c316d6c50fc85a73f1cb_ppc64le",
+ "product_id": "quay/quay-builder-qemu-rhcos-rhel8@sha256:8338e1d9da6ebcfa8ac9e93709d44d2c6b3052cec3c1c316d6c50fc85a73f1cb_ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-builder-qemu-rhcos-rhel8@sha256:8338e1d9da6ebcfa8ac9e93709d44d2c6b3052cec3c1c316d6c50fc85a73f1cb?arch=ppc64le&repository_url=registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/clair-rhel8@sha256:2966a2534f8c4613495d73cd864f92c9d94ec173c57d955708f37e888fac23f6_ppc64le",
+ "product": {
+ "name": "quay/clair-rhel8@sha256:2966a2534f8c4613495d73cd864f92c9d94ec173c57d955708f37e888fac23f6_ppc64le",
+ "product_id": "quay/clair-rhel8@sha256:2966a2534f8c4613495d73cd864f92c9d94ec173c57d955708f37e888fac23f6_ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:oci/clair-rhel8@sha256:2966a2534f8c4613495d73cd864f92c9d94ec173c57d955708f37e888fac23f6?arch=ppc64le&repository_url=registry.redhat.io/quay/clair-rhel8&tag=v3.13.4-2"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-container-security-operator-bundle@sha256:77a5960828a06b16f9ac13e70778b6d0b310a9087b793a05c95bd57474b77238_ppc64le",
+ "product": {
+ "name": "quay/quay-container-security-operator-bundle@sha256:77a5960828a06b16f9ac13e70778b6d0b310a9087b793a05c95bd57474b77238_ppc64le",
+ "product_id": "quay/quay-container-security-operator-bundle@sha256:77a5960828a06b16f9ac13e70778b6d0b310a9087b793a05c95bd57474b77238_ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-container-security-operator-bundle@sha256:77a5960828a06b16f9ac13e70778b6d0b310a9087b793a05c95bd57474b77238?arch=ppc64le&repository_url=registry.redhat.io/quay/quay-container-security-operator-bundle&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-container-security-operator-rhel8@sha256:44c2dd325e8f0ca3e6bc60566a573c70a7b6a086aaa7c34c059bb527e5b1d926_ppc64le",
+ "product": {
+ "name": "quay/quay-container-security-operator-rhel8@sha256:44c2dd325e8f0ca3e6bc60566a573c70a7b6a086aaa7c34c059bb527e5b1d926_ppc64le",
+ "product_id": "quay/quay-container-security-operator-rhel8@sha256:44c2dd325e8f0ca3e6bc60566a573c70a7b6a086aaa7c34c059bb527e5b1d926_ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-container-security-operator-rhel8@sha256:44c2dd325e8f0ca3e6bc60566a573c70a7b6a086aaa7c34c059bb527e5b1d926?arch=ppc64le&repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel8&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-operator-bundle@sha256:551ae88034a4ccd9051fd8e4c4ad26b3fc3b91a9794cd1d08bd8758eba4e7121_ppc64le",
+ "product": {
+ "name": "quay/quay-operator-bundle@sha256:551ae88034a4ccd9051fd8e4c4ad26b3fc3b91a9794cd1d08bd8758eba4e7121_ppc64le",
+ "product_id": "quay/quay-operator-bundle@sha256:551ae88034a4ccd9051fd8e4c4ad26b3fc3b91a9794cd1d08bd8758eba4e7121_ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-operator-bundle@sha256:551ae88034a4ccd9051fd8e4c4ad26b3fc3b91a9794cd1d08bd8758eba4e7121?arch=ppc64le&repository_url=registry.redhat.io/quay/quay-operator-bundle&tag=v3.13.4-9"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-operator-rhel8@sha256:647fcb8dd13bd96aac49f07e5535b369347665bf53a0a9491245ec2f8c531935_ppc64le",
+ "product": {
+ "name": "quay/quay-operator-rhel8@sha256:647fcb8dd13bd96aac49f07e5535b369347665bf53a0a9491245ec2f8c531935_ppc64le",
+ "product_id": "quay/quay-operator-rhel8@sha256:647fcb8dd13bd96aac49f07e5535b369347665bf53a0a9491245ec2f8c531935_ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-operator-rhel8@sha256:647fcb8dd13bd96aac49f07e5535b369347665bf53a0a9491245ec2f8c531935?arch=ppc64le&repository_url=registry.redhat.io/quay/quay-operator-rhel8&tag=v3.13.4-3"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-rhel8@sha256:c66007a0049286bdd251715f40d13ea331c6778f3a089749746be26dc7dba334_ppc64le",
+ "product": {
+ "name": "quay/quay-rhel8@sha256:c66007a0049286bdd251715f40d13ea331c6778f3a089749746be26dc7dba334_ppc64le",
+ "product_id": "quay/quay-rhel8@sha256:c66007a0049286bdd251715f40d13ea331c6778f3a089749746be26dc7dba334_ppc64le",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-rhel8@sha256:c66007a0049286bdd251715f40d13ea331c6778f3a089749746be26dc7dba334?arch=ppc64le&repository_url=registry.redhat.io/quay/quay-rhel8&tag=v3.13.4-6"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "ppc64le"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "quay/quay-bridge-operator-bundle@sha256:b44cb8d8e099f31ee358f19574d54b449086ab1617c03cb41616dbd6e11994c5_s390x",
+ "product": {
+ "name": "quay/quay-bridge-operator-bundle@sha256:b44cb8d8e099f31ee358f19574d54b449086ab1617c03cb41616dbd6e11994c5_s390x",
+ "product_id": "quay/quay-bridge-operator-bundle@sha256:b44cb8d8e099f31ee358f19574d54b449086ab1617c03cb41616dbd6e11994c5_s390x",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-bridge-operator-bundle@sha256:b44cb8d8e099f31ee358f19574d54b449086ab1617c03cb41616dbd6e11994c5?arch=s390x&repository_url=registry.redhat.io/quay/quay-bridge-operator-bundle&tag=v3.13.4-2"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-bridge-operator-rhel8@sha256:1fa7b9904402ac996d9534351e784a25f27f08fc1e089a44c85d47431f368012_s390x",
+ "product": {
+ "name": "quay/quay-bridge-operator-rhel8@sha256:1fa7b9904402ac996d9534351e784a25f27f08fc1e089a44c85d47431f368012_s390x",
+ "product_id": "quay/quay-bridge-operator-rhel8@sha256:1fa7b9904402ac996d9534351e784a25f27f08fc1e089a44c85d47431f368012_s390x",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-bridge-operator-rhel8@sha256:1fa7b9904402ac996d9534351e784a25f27f08fc1e089a44c85d47431f368012?arch=s390x&repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel8&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-builder-rhel8@sha256:c2e2addc62e0627fc82915fd59081a03773caae50c682f9169f9dcf131ae16e5_s390x",
+ "product": {
+ "name": "quay/quay-builder-rhel8@sha256:c2e2addc62e0627fc82915fd59081a03773caae50c682f9169f9dcf131ae16e5_s390x",
+ "product_id": "quay/quay-builder-rhel8@sha256:c2e2addc62e0627fc82915fd59081a03773caae50c682f9169f9dcf131ae16e5_s390x",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-builder-rhel8@sha256:c2e2addc62e0627fc82915fd59081a03773caae50c682f9169f9dcf131ae16e5?arch=s390x&repository_url=registry.redhat.io/quay/quay-builder-rhel8&tag=v3.13.4-2"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:b14253a941535ea6b1a6fd060b3482f74dda955cd0afa1d86421ae6b2e1ff3d9_s390x",
+ "product": {
+ "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:b14253a941535ea6b1a6fd060b3482f74dda955cd0afa1d86421ae6b2e1ff3d9_s390x",
+ "product_id": "quay/quay-builder-qemu-rhcos-rhel8@sha256:b14253a941535ea6b1a6fd060b3482f74dda955cd0afa1d86421ae6b2e1ff3d9_s390x",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-builder-qemu-rhcos-rhel8@sha256:b14253a941535ea6b1a6fd060b3482f74dda955cd0afa1d86421ae6b2e1ff3d9?arch=s390x&repository_url=registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/clair-rhel8@sha256:1341e9d89f30bb9e12e43563078c4fb7ef1319b00958f4d22985e0cbb519d50c_s390x",
+ "product": {
+ "name": "quay/clair-rhel8@sha256:1341e9d89f30bb9e12e43563078c4fb7ef1319b00958f4d22985e0cbb519d50c_s390x",
+ "product_id": "quay/clair-rhel8@sha256:1341e9d89f30bb9e12e43563078c4fb7ef1319b00958f4d22985e0cbb519d50c_s390x",
+ "product_identification_helper": {
+ "purl": "pkg:oci/clair-rhel8@sha256:1341e9d89f30bb9e12e43563078c4fb7ef1319b00958f4d22985e0cbb519d50c?arch=s390x&repository_url=registry.redhat.io/quay/clair-rhel8&tag=v3.13.4-2"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-container-security-operator-bundle@sha256:b5f8b35092db7d025a90613f3da0f7a72529181de54a08d7447bac24cb1e546d_s390x",
+ "product": {
+ "name": "quay/quay-container-security-operator-bundle@sha256:b5f8b35092db7d025a90613f3da0f7a72529181de54a08d7447bac24cb1e546d_s390x",
+ "product_id": "quay/quay-container-security-operator-bundle@sha256:b5f8b35092db7d025a90613f3da0f7a72529181de54a08d7447bac24cb1e546d_s390x",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-container-security-operator-bundle@sha256:b5f8b35092db7d025a90613f3da0f7a72529181de54a08d7447bac24cb1e546d?arch=s390x&repository_url=registry.redhat.io/quay/quay-container-security-operator-bundle&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-container-security-operator-rhel8@sha256:f08bbd7efc1137c3a3ff6f38488574b2a63c88f9071344eee43f5789babd2e1d_s390x",
+ "product": {
+ "name": "quay/quay-container-security-operator-rhel8@sha256:f08bbd7efc1137c3a3ff6f38488574b2a63c88f9071344eee43f5789babd2e1d_s390x",
+ "product_id": "quay/quay-container-security-operator-rhel8@sha256:f08bbd7efc1137c3a3ff6f38488574b2a63c88f9071344eee43f5789babd2e1d_s390x",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-container-security-operator-rhel8@sha256:f08bbd7efc1137c3a3ff6f38488574b2a63c88f9071344eee43f5789babd2e1d?arch=s390x&repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel8&tag=v3.13.4-1"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-operator-bundle@sha256:d449ed97c243dcc9fa61b8e4fa818f108017c03da9ced0520ac356eee7e669c4_s390x",
+ "product": {
+ "name": "quay/quay-operator-bundle@sha256:d449ed97c243dcc9fa61b8e4fa818f108017c03da9ced0520ac356eee7e669c4_s390x",
+ "product_id": "quay/quay-operator-bundle@sha256:d449ed97c243dcc9fa61b8e4fa818f108017c03da9ced0520ac356eee7e669c4_s390x",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-operator-bundle@sha256:d449ed97c243dcc9fa61b8e4fa818f108017c03da9ced0520ac356eee7e669c4?arch=s390x&repository_url=registry.redhat.io/quay/quay-operator-bundle&tag=v3.13.4-9"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-operator-rhel8@sha256:7c6d2001422a4a1e76aabc0d8f71e9fbe896bcbe22c55d3c3a6d6eb738065553_s390x",
+ "product": {
+ "name": "quay/quay-operator-rhel8@sha256:7c6d2001422a4a1e76aabc0d8f71e9fbe896bcbe22c55d3c3a6d6eb738065553_s390x",
+ "product_id": "quay/quay-operator-rhel8@sha256:7c6d2001422a4a1e76aabc0d8f71e9fbe896bcbe22c55d3c3a6d6eb738065553_s390x",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-operator-rhel8@sha256:7c6d2001422a4a1e76aabc0d8f71e9fbe896bcbe22c55d3c3a6d6eb738065553?arch=s390x&repository_url=registry.redhat.io/quay/quay-operator-rhel8&tag=v3.13.4-3"
+ }
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "quay/quay-rhel8@sha256:26f0ef7faca0671bfac32eea1a1b0036df90c9c41bbf49a7efab6c633a928091_s390x",
+ "product": {
+ "name": "quay/quay-rhel8@sha256:26f0ef7faca0671bfac32eea1a1b0036df90c9c41bbf49a7efab6c633a928091_s390x",
+ "product_id": "quay/quay-rhel8@sha256:26f0ef7faca0671bfac32eea1a1b0036df90c9c41bbf49a7efab6c633a928091_s390x",
+ "product_identification_helper": {
+ "purl": "pkg:oci/quay-rhel8@sha256:26f0ef7faca0671bfac32eea1a1b0036df90c9c41bbf49a7efab6c633a928091?arch=s390x&repository_url=registry.redhat.io/quay/quay-rhel8&tag=v3.13.4-6"
+ }
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "s390x"
+ }
+ ],
+ "category": "vendor",
+ "name": "Red Hat"
+ }
+ ],
+ "relationships": [
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/clair-rhel8@sha256:0204fd4290da6989e8b28b57e99f4f92466b1f60b77b00347850f3b8c176d524_amd64 as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/clair-rhel8@sha256:0204fd4290da6989e8b28b57e99f4f92466b1f60b77b00347850f3b8c176d524_amd64"
+ },
+ "product_reference": "quay/clair-rhel8@sha256:0204fd4290da6989e8b28b57e99f4f92466b1f60b77b00347850f3b8c176d524_amd64",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/clair-rhel8@sha256:1341e9d89f30bb9e12e43563078c4fb7ef1319b00958f4d22985e0cbb519d50c_s390x as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/clair-rhel8@sha256:1341e9d89f30bb9e12e43563078c4fb7ef1319b00958f4d22985e0cbb519d50c_s390x"
+ },
+ "product_reference": "quay/clair-rhel8@sha256:1341e9d89f30bb9e12e43563078c4fb7ef1319b00958f4d22985e0cbb519d50c_s390x",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/clair-rhel8@sha256:2966a2534f8c4613495d73cd864f92c9d94ec173c57d955708f37e888fac23f6_ppc64le as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/clair-rhel8@sha256:2966a2534f8c4613495d73cd864f92c9d94ec173c57d955708f37e888fac23f6_ppc64le"
+ },
+ "product_reference": "quay/clair-rhel8@sha256:2966a2534f8c4613495d73cd864f92c9d94ec173c57d955708f37e888fac23f6_ppc64le",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-bridge-operator-bundle@sha256:8c2d03c9b14aa2d9bbcffade943c94237523f52ddce814caaf6b0578aae6b1ab_amd64 as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:8c2d03c9b14aa2d9bbcffade943c94237523f52ddce814caaf6b0578aae6b1ab_amd64"
+ },
+ "product_reference": "quay/quay-bridge-operator-bundle@sha256:8c2d03c9b14aa2d9bbcffade943c94237523f52ddce814caaf6b0578aae6b1ab_amd64",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-bridge-operator-bundle@sha256:97beaa8ac6dc90529ded16c9dcf9c3362d42efaa95d84ed50b7be9dd59a9e578_ppc64le as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:97beaa8ac6dc90529ded16c9dcf9c3362d42efaa95d84ed50b7be9dd59a9e578_ppc64le"
+ },
+ "product_reference": "quay/quay-bridge-operator-bundle@sha256:97beaa8ac6dc90529ded16c9dcf9c3362d42efaa95d84ed50b7be9dd59a9e578_ppc64le",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-bridge-operator-bundle@sha256:b44cb8d8e099f31ee358f19574d54b449086ab1617c03cb41616dbd6e11994c5_s390x as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:b44cb8d8e099f31ee358f19574d54b449086ab1617c03cb41616dbd6e11994c5_s390x"
+ },
+ "product_reference": "quay/quay-bridge-operator-bundle@sha256:b44cb8d8e099f31ee358f19574d54b449086ab1617c03cb41616dbd6e11994c5_s390x",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-bridge-operator-rhel8@sha256:1fa7b9904402ac996d9534351e784a25f27f08fc1e089a44c85d47431f368012_s390x as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:1fa7b9904402ac996d9534351e784a25f27f08fc1e089a44c85d47431f368012_s390x"
+ },
+ "product_reference": "quay/quay-bridge-operator-rhel8@sha256:1fa7b9904402ac996d9534351e784a25f27f08fc1e089a44c85d47431f368012_s390x",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-bridge-operator-rhel8@sha256:8f3941a45070ffdf9a9d6c12588bf4c33346fb600333dddb719ee0e435210a68_amd64 as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8f3941a45070ffdf9a9d6c12588bf4c33346fb600333dddb719ee0e435210a68_amd64"
+ },
+ "product_reference": "quay/quay-bridge-operator-rhel8@sha256:8f3941a45070ffdf9a9d6c12588bf4c33346fb600333dddb719ee0e435210a68_amd64",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-bridge-operator-rhel8@sha256:db7c6a49d4150957f0cfb10ce3902722d7d901f41962bf4b960fb7ddf93a9a98_ppc64le as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:db7c6a49d4150957f0cfb10ce3902722d7d901f41962bf4b960fb7ddf93a9a98_ppc64le"
+ },
+ "product_reference": "quay/quay-bridge-operator-rhel8@sha256:db7c6a49d4150957f0cfb10ce3902722d7d901f41962bf4b960fb7ddf93a9a98_ppc64le",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:8338e1d9da6ebcfa8ac9e93709d44d2c6b3052cec3c1c316d6c50fc85a73f1cb_ppc64le as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:8338e1d9da6ebcfa8ac9e93709d44d2c6b3052cec3c1c316d6c50fc85a73f1cb_ppc64le"
+ },
+ "product_reference": "quay/quay-builder-qemu-rhcos-rhel8@sha256:8338e1d9da6ebcfa8ac9e93709d44d2c6b3052cec3c1c316d6c50fc85a73f1cb_ppc64le",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:b14253a941535ea6b1a6fd060b3482f74dda955cd0afa1d86421ae6b2e1ff3d9_s390x as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:b14253a941535ea6b1a6fd060b3482f74dda955cd0afa1d86421ae6b2e1ff3d9_s390x"
+ },
+ "product_reference": "quay/quay-builder-qemu-rhcos-rhel8@sha256:b14253a941535ea6b1a6fd060b3482f74dda955cd0afa1d86421ae6b2e1ff3d9_s390x",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:d45694397744073aaeb9e79e381b3dc3c13f163adf58cc16cfddebe033db80e2_amd64 as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:d45694397744073aaeb9e79e381b3dc3c13f163adf58cc16cfddebe033db80e2_amd64"
+ },
+ "product_reference": "quay/quay-builder-qemu-rhcos-rhel8@sha256:d45694397744073aaeb9e79e381b3dc3c13f163adf58cc16cfddebe033db80e2_amd64",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-builder-rhel8@sha256:7f9c67dbaa841f3a96c70e020f341141f046955b575cff3f9070a45eefddf12f_amd64 as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-builder-rhel8@sha256:7f9c67dbaa841f3a96c70e020f341141f046955b575cff3f9070a45eefddf12f_amd64"
+ },
+ "product_reference": "quay/quay-builder-rhel8@sha256:7f9c67dbaa841f3a96c70e020f341141f046955b575cff3f9070a45eefddf12f_amd64",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-builder-rhel8@sha256:a27c1809b007085e59e8b9e15ec5fc55b5cfbdfcc23f5bba8ccf9ebd12a29562_ppc64le as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-builder-rhel8@sha256:a27c1809b007085e59e8b9e15ec5fc55b5cfbdfcc23f5bba8ccf9ebd12a29562_ppc64le"
+ },
+ "product_reference": "quay/quay-builder-rhel8@sha256:a27c1809b007085e59e8b9e15ec5fc55b5cfbdfcc23f5bba8ccf9ebd12a29562_ppc64le",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-builder-rhel8@sha256:c2e2addc62e0627fc82915fd59081a03773caae50c682f9169f9dcf131ae16e5_s390x as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-builder-rhel8@sha256:c2e2addc62e0627fc82915fd59081a03773caae50c682f9169f9dcf131ae16e5_s390x"
+ },
+ "product_reference": "quay/quay-builder-rhel8@sha256:c2e2addc62e0627fc82915fd59081a03773caae50c682f9169f9dcf131ae16e5_s390x",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-container-security-operator-bundle@sha256:77a5960828a06b16f9ac13e70778b6d0b310a9087b793a05c95bd57474b77238_ppc64le as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:77a5960828a06b16f9ac13e70778b6d0b310a9087b793a05c95bd57474b77238_ppc64le"
+ },
+ "product_reference": "quay/quay-container-security-operator-bundle@sha256:77a5960828a06b16f9ac13e70778b6d0b310a9087b793a05c95bd57474b77238_ppc64le",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-container-security-operator-bundle@sha256:af4f196e63cc1e47a081d9f9f70f41b91983d86bdf1a4d5a0b9f2d8e573e2d5f_amd64 as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:af4f196e63cc1e47a081d9f9f70f41b91983d86bdf1a4d5a0b9f2d8e573e2d5f_amd64"
+ },
+ "product_reference": "quay/quay-container-security-operator-bundle@sha256:af4f196e63cc1e47a081d9f9f70f41b91983d86bdf1a4d5a0b9f2d8e573e2d5f_amd64",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-container-security-operator-bundle@sha256:b5f8b35092db7d025a90613f3da0f7a72529181de54a08d7447bac24cb1e546d_s390x as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:b5f8b35092db7d025a90613f3da0f7a72529181de54a08d7447bac24cb1e546d_s390x"
+ },
+ "product_reference": "quay/quay-container-security-operator-bundle@sha256:b5f8b35092db7d025a90613f3da0f7a72529181de54a08d7447bac24cb1e546d_s390x",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-container-security-operator-rhel8@sha256:44c2dd325e8f0ca3e6bc60566a573c70a7b6a086aaa7c34c059bb527e5b1d926_ppc64le as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:44c2dd325e8f0ca3e6bc60566a573c70a7b6a086aaa7c34c059bb527e5b1d926_ppc64le"
+ },
+ "product_reference": "quay/quay-container-security-operator-rhel8@sha256:44c2dd325e8f0ca3e6bc60566a573c70a7b6a086aaa7c34c059bb527e5b1d926_ppc64le",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-container-security-operator-rhel8@sha256:468820f558c151257ef219a0a38a21436817f6393767b22617dfc8a0f3276f7c_amd64 as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:468820f558c151257ef219a0a38a21436817f6393767b22617dfc8a0f3276f7c_amd64"
+ },
+ "product_reference": "quay/quay-container-security-operator-rhel8@sha256:468820f558c151257ef219a0a38a21436817f6393767b22617dfc8a0f3276f7c_amd64",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-container-security-operator-rhel8@sha256:f08bbd7efc1137c3a3ff6f38488574b2a63c88f9071344eee43f5789babd2e1d_s390x as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:f08bbd7efc1137c3a3ff6f38488574b2a63c88f9071344eee43f5789babd2e1d_s390x"
+ },
+ "product_reference": "quay/quay-container-security-operator-rhel8@sha256:f08bbd7efc1137c3a3ff6f38488574b2a63c88f9071344eee43f5789babd2e1d_s390x",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-operator-bundle@sha256:551ae88034a4ccd9051fd8e4c4ad26b3fc3b91a9794cd1d08bd8758eba4e7121_ppc64le as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-operator-bundle@sha256:551ae88034a4ccd9051fd8e4c4ad26b3fc3b91a9794cd1d08bd8758eba4e7121_ppc64le"
+ },
+ "product_reference": "quay/quay-operator-bundle@sha256:551ae88034a4ccd9051fd8e4c4ad26b3fc3b91a9794cd1d08bd8758eba4e7121_ppc64le",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-operator-bundle@sha256:6cc8cf175183a488c50d0f2bb2aff91180d70722ea6cf39967e53092adac69ff_amd64 as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-operator-bundle@sha256:6cc8cf175183a488c50d0f2bb2aff91180d70722ea6cf39967e53092adac69ff_amd64"
+ },
+ "product_reference": "quay/quay-operator-bundle@sha256:6cc8cf175183a488c50d0f2bb2aff91180d70722ea6cf39967e53092adac69ff_amd64",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-operator-bundle@sha256:d449ed97c243dcc9fa61b8e4fa818f108017c03da9ced0520ac356eee7e669c4_s390x as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-operator-bundle@sha256:d449ed97c243dcc9fa61b8e4fa818f108017c03da9ced0520ac356eee7e669c4_s390x"
+ },
+ "product_reference": "quay/quay-operator-bundle@sha256:d449ed97c243dcc9fa61b8e4fa818f108017c03da9ced0520ac356eee7e669c4_s390x",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-operator-rhel8@sha256:647fcb8dd13bd96aac49f07e5535b369347665bf53a0a9491245ec2f8c531935_ppc64le as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-operator-rhel8@sha256:647fcb8dd13bd96aac49f07e5535b369347665bf53a0a9491245ec2f8c531935_ppc64le"
+ },
+ "product_reference": "quay/quay-operator-rhel8@sha256:647fcb8dd13bd96aac49f07e5535b369347665bf53a0a9491245ec2f8c531935_ppc64le",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-operator-rhel8@sha256:6ebb2498e2e9d70852e258739b8676d9928c68049c93318f2178eebac38b0ba5_amd64 as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-operator-rhel8@sha256:6ebb2498e2e9d70852e258739b8676d9928c68049c93318f2178eebac38b0ba5_amd64"
+ },
+ "product_reference": "quay/quay-operator-rhel8@sha256:6ebb2498e2e9d70852e258739b8676d9928c68049c93318f2178eebac38b0ba5_amd64",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-operator-rhel8@sha256:7c6d2001422a4a1e76aabc0d8f71e9fbe896bcbe22c55d3c3a6d6eb738065553_s390x as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-operator-rhel8@sha256:7c6d2001422a4a1e76aabc0d8f71e9fbe896bcbe22c55d3c3a6d6eb738065553_s390x"
+ },
+ "product_reference": "quay/quay-operator-rhel8@sha256:7c6d2001422a4a1e76aabc0d8f71e9fbe896bcbe22c55d3c3a6d6eb738065553_s390x",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-rhel8@sha256:26f0ef7faca0671bfac32eea1a1b0036df90c9c41bbf49a7efab6c633a928091_s390x as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-rhel8@sha256:26f0ef7faca0671bfac32eea1a1b0036df90c9c41bbf49a7efab6c633a928091_s390x"
+ },
+ "product_reference": "quay/quay-rhel8@sha256:26f0ef7faca0671bfac32eea1a1b0036df90c9c41bbf49a7efab6c633a928091_s390x",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-rhel8@sha256:906688d8356f1931370d1f864b88ba53a6755a9c82de6134846907ad0bae48e4_amd64 as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-rhel8@sha256:906688d8356f1931370d1f864b88ba53a6755a9c82de6134846907ad0bae48e4_amd64"
+ },
+ "product_reference": "quay/quay-rhel8@sha256:906688d8356f1931370d1f864b88ba53a6755a9c82de6134846907ad0bae48e4_amd64",
+ "relates_to_product_reference": "8Base-Quay-3"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "quay/quay-rhel8@sha256:c66007a0049286bdd251715f40d13ea331c6778f3a089749746be26dc7dba334_ppc64le as a component of Quay v3",
+ "product_id": "8Base-Quay-3:quay/quay-rhel8@sha256:c66007a0049286bdd251715f40d13ea331c6778f3a089749746be26dc7dba334_ppc64le"
+ },
+ "product_reference": "quay/quay-rhel8@sha256:c66007a0049286bdd251715f40d13ea331c6778f3a089749746be26dc7dba334_ppc64le",
+ "relates_to_product_reference": "8Base-Quay-3"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "cve": "CVE-2020-11023",
+ "cwe": {
+ "id": "CWE-79",
+ "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ },
+ "discovery_date": "2020-06-23T00:00:00+00:00",
+ "ids": [
+ {
+ "system_name": "Red Hat Bugzilla ID",
+ "text": "1850004"
+ }
+ ],
+ "notes": [
+ {
+ "category": "description",
+ "text": "A flaw was found in jQuery. HTML containing \\