diff options
| author | V3n3RiX <venerix@koprulu.sector> | 2022-11-22 07:05:54 +0000 |
|---|---|---|
| committer | V3n3RiX <venerix@koprulu.sector> | 2022-11-22 07:05:54 +0000 |
| commit | 13ec12ad28bc2ce6e2902be1d571befcca2b3f60 (patch) | |
| tree | 7c606c326ffa4095258ba77370fe2cad7aff49a8 /metadata/glsa | |
| parent | b7819d03d7312d3d8d12b49738aa417f35f6e18a (diff) | |
gentoo auto-resync : 22:11:2022 - 07:05:54
Diffstat (limited to 'metadata/glsa')
| -rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
| -rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 536244 -> 537675 bytes | |||
| -rw-r--r-- | metadata/glsa/glsa-202211-03.xml | 65 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202211-04.xml | 87 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202211-05.xml | 65 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202211-06.xml | 89 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202211-07.xml | 42 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202211-08.xml | 42 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202211-09.xml | 44 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202211-10.xml | 54 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202211-11.xml | 44 | ||||
| -rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
| -rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
13 files changed, 549 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 5621c490ca51..cc7196e78e48 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 536244 BLAKE2B 47908e9e54099299278f14e5112b789aac78178d7406b6880e3986163e8e2aeec411757dbe131202da7291c508ea72a7d158f7fe08facf6e36a23a28a992a7d8 SHA512 ef16d73b0d889ec01efae4d55e398ba1b384a7b46066c129d82b336f46e8804d0dd1765c65c49d93842dc829696efc67759ac790655f316a70359fb8847d9e4e -TIMESTAMP 2022-11-22T00:10:05Z +MANIFEST Manifest.files.gz 537675 BLAKE2B 920e8afd5076bd0b0cdc4b21f592f49b91bbfc5cd35a94863cffbeddf95c33b8cfa3b57b92eb6cb354a0f6b5d3d95712be50f4206d5d745982929e0523ffcf57 SHA512 b57f0c4473d079d8ddd01c5c21f2196c3359382e6f03dacfc2f8f7484775994807c2f998f659cdcb495b95326de503b7834f47ee0f334256cc0077fc813618d3 +TIMESTAMP 2022-11-22T06:10:05Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmN8E11fFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmN8Z71fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klDo4RAAhTWVZvS2pKSLahHtV+/w6AgkuwJlaxLNzEbAQnG9piOGk/TASCOtWJ2R -ayJ5VoScFaKUTUmh2BrtyBwOc08Rmf6hqYd5CxqNR8YgpULBKBRF4jQdzH5TYUOT -5w8P2Jgu/0hDvyUaMQ0hvkWCws2iSPK7M0BNUTMHGIZgHs1UoBIERvjBV8tfT+9K -WxHY3XWHAlq9cWAt/IRhrVsyXO+zB961GK5kC2yJ76ysljzSpUxaHXqaWJpX1ELR -5wPqEY8IAXKQEwe98gmAzZC10Q49hjvM8rZ9spP07unhWxcM7Nc6rVMlZsbcmyC4 -1EN5eIMJVHzHKVMet5gn+dY79fhII4VZYAqx8exnXNZggOwK/miR3qyc5kLdb3Uw -TT0e5DPpK3nj8GZgg5M3y5diMD7y8gRZ3MmgqIgm4fBMTWOHnyuQJm9Bw8xsFul8 -D4yjDaZFz+6jeW1vFCCoIOBxZt6TXQVrfKz80GfjASo8otRCd3TrJjxfbxI2/RMg -KgtwMnzqy7pUMr61Uiw3lkSuyzdZkuJpsIhMAexCej98RmWANTcyPjfR7onWRQ3i -eRlj4X6pSq5L+5X7o6tdhi494MuMmW7eH93sXl+26t0skJdJp0FXkHvsdct2pMjj -DP0pwd42B0L33+z7KH76WXwByBm2T9nxAwgVwwpgNGEufUxITu8= -=o1wz +klAenA//Q22kP00Uh6U12C3C++4rP/u88dbO1az9KRsbhT4y3dSjR2KVwVzq1pm4 +LFObdEYCqyqabfSKhwdcQZAceGYYIwY/VNTZzXWBzLfCb24in/znXeS3DHOul/Xr +fl6SexpOCJ+1J/xoytnIB+DB7KV7Z3K3W0s/Nx9dTcRLKaBuzBgg2vEOff3BPjQZ +bqqFtHBNCWxY9jLAucxvnISMlcPsAQYLu/HHOFywK+bx2bwmCpz0TMbKuukI/U+v +D5RgAv5Bb2/FWgkg8mMKfANIZIpHHX1OASeabsaeoM8t6FGa6xVO2Bu2HySy6jLI +MNqkGkgjU0VuWw4/+cSW1XCzchF3hweyUH2meYexU0l7c07siTtZYKnSiAXms/sH +gdMMRbfZumTsY4YGMS6q+6VPeOH0kecvIECAwFzH6CWFYpol6FhNUd2v7OlD6mmq +nLmJIV5N9bvy8p+XaB8c1erlPqk13gkDCqRs3Iw+MPPlac0J81xlzKlNVS5eWEXD +u/VHsrenMl1RiZlvJbM4wSMHE8AVwbVDD19foie9dLf02chHWwbqG5vcucelYzRt +NEaBj+XuaZROgqhxKNCgyLjXwXKftLEciWGwibxY51amF28mocqTQtyU1og7j2Xk +WswOebW6N66lwv+sc7d5tST1O/83Pbx9q9UocsAD8KMAGNmbpUM= +=n04N -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 1a4f9ff8d224..157dfac057ab 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202211-03.xml b/metadata/glsa/glsa-202211-03.xml new file mode 100644 index 000000000000..237aa0d806c8 --- /dev/null +++ b/metadata/glsa/glsa-202211-03.xml @@ -0,0 +1,65 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202211-03"> + <title>PHP: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in PHP, the worst of which could result in arbitrary code execution.</synopsis> + <product type="ebuild">php</product> + <announced>2022-11-19</announced> + <revised count="1">2022-11-19</revised> + <bug>867913</bug> + <bug>873376</bug> + <bug>877853</bug> + <access>remote</access> + <affected> + <package name="dev-lang/php" auto="yes" arch="*"> + <unaffected range="ge" slot="8.1">8.1.12</unaffected> + <unaffected range="ge" slot="8.0">8.0.25</unaffected> + <unaffected range="ge" slot="7.4">7.4.33</unaffected> + <vulnerable range="lt" slot="8.1">8.1.12</vulnerable> + <vulnerable range="lt" slot="8.0">8.0.25</vulnerable> + <vulnerable range="lt" slot="7.4">7.4.33</vulnerable> + </package> + </affected> + <background> + <p>PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PHP 7.4 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.33" + </code> + + <p>All PHP 8.0 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-8.0.25" + </code> + + <p>All PHP 8.1 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-8.1.12" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31628">CVE-2022-31628</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31629">CVE-2022-31629</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31630">CVE-2022-31630</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-37454">CVE-2022-37454</uri> + </references> + <metadata tag="requester" timestamp="2022-11-19T03:32:18.817744Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-11-19T03:32:18.825295Z">sam</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202211-04.xml b/metadata/glsa/glsa-202211-04.xml new file mode 100644 index 000000000000..ba61adcd9ec4 --- /dev/null +++ b/metadata/glsa/glsa-202211-04.xml @@ -0,0 +1,87 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202211-04"> + <title>PostgreSQL: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in PostgreSQL, the worst of which could result in remote code execution.</synopsis> + <product type="ebuild">postgresql</product> + <announced>2022-11-19</announced> + <revised count="1">2022-11-19</revised> + <bug>793734</bug> + <bug>808984</bug> + <bug>823125</bug> + <bug>865255</bug> + <access>remote</access> + <affected> + <package name="dev-db/postgresql" auto="yes" arch="*"> + <unaffected range="ge">14.5</unaffected> + <unaffected range="ge" slot="13">13.8</unaffected> + <unaffected range="ge" slot="12">12.12</unaffected> + <unaffected range="ge" slot="11">11.17</unaffected> + <unaffected range="ge" slot="10">10.22</unaffected> + <vulnerable range="lt" slot="14">14.5</vulnerable> + <vulnerable range="lt" slot="13">13.8</vulnerable> + <vulnerable range="lt" slot="12">12.12</vulnerable> + <vulnerable range="lt" slot="11">11.17</vulnerable> + <vulnerable range="lt">10.22</vulnerable> + </package> + </affected> + <background> + <p>PostgreSQL is an open source object-relational database management system.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PostgreSQL 10.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.22:10" + </code> + + <p>All PostgreSQL 11.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.17:11" + </code> + + <p>All PostgreSQL 12.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.12:12" + </code> + + <p>All PostgreSQL 13.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.8:13" + </code> + + <p>All PostgreSQL 14.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.5:14" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3677">CVE-2021-3677</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23214">CVE-2021-23214</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23222">CVE-2021-23222</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32027">CVE-2021-32027</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32028">CVE-2021-32028</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1552">CVE-2022-1552</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2625">CVE-2022-2625</uri> + </references> + <metadata tag="requester" timestamp="2022-11-19T03:33:10.915978Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-11-19T03:33:10.920639Z">sam</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202211-05.xml b/metadata/glsa/glsa-202211-05.xml new file mode 100644 index 000000000000..b1b775bd9e81 --- /dev/null +++ b/metadata/glsa/glsa-202211-05.xml @@ -0,0 +1,65 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202211-05"> + <title>Mozilla Thunderbird: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution.</synopsis> + <product type="ebuild">thunderbird,thunderbird-bin</product> + <announced>2022-11-22</announced> + <revised count="1">2022-11-22</revised> + <bug>881407</bug> + <access>remote</access> + <affected> + <package name="mail-client/thunderbird" auto="yes" arch="*"> + <unaffected range="ge">102.5.0</unaffected> + <vulnerable range="lt">102.5.0</vulnerable> + </package> + <package name="mail-client/thunderbird-bin" auto="yes" arch="*"> + <unaffected range="ge">102.5.0</unaffected> + <vulnerable range="lt">102.5.0</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla Thunderbird binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.5.0" + </code> + + <p>All Mozilla Thunderbird users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.5.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45403">CVE-2022-45403</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45404">CVE-2022-45404</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45405">CVE-2022-45405</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45406">CVE-2022-45406</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45408">CVE-2022-45408</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45409">CVE-2022-45409</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45410">CVE-2022-45410</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45411">CVE-2022-45411</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45412">CVE-2022-45412</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45416">CVE-2022-45416</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45418">CVE-2022-45418</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45420">CVE-2022-45420</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45421">CVE-2022-45421</uri> + </references> + <metadata tag="requester" timestamp="2022-11-22T03:50:21.079709Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-11-22T03:50:21.087736Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202211-06.xml b/metadata/glsa/glsa-202211-06.xml new file mode 100644 index 000000000000..1fbd73ac2901 --- /dev/null +++ b/metadata/glsa/glsa-202211-06.xml @@ -0,0 +1,89 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202211-06"> + <title>Mozilla Firefox: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution.</synopsis> + <product type="ebuild">firefox,firefox-bin</product> + <announced>2022-11-22</announced> + <revised count="1">2022-11-22</revised> + <bug>881403</bug> + <access>remote</access> + <affected> + <package name="www-client/firefox" auto="yes" arch="*"> + <unaffected range="ge" slot="rapid">107.0</unaffected> + <unaffected range="ge" slot="esr">102.5.0</unaffected> + <vulnerable range="lt" slot="rapid">107.0</vulnerable> + <vulnerable range="lt" slot="esr">102.5.0</vulnerable> + </package> + <package name="www-client/firefox-bin" auto="yes" arch="*"> + <unaffected range="ge" slot="rapid">107.0</unaffected> + <unaffected range="ge" slot="esr">102.5.0</unaffected> + <vulnerable range="lt" slot="rapid">107.0</vulnerable> + <vulnerable range="lt" slot="esr">102.5.0</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla Firefox ESR binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.5.0" + </code> + + <p>All Mozilla Firefox ESR users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-102.5.0" + </code> + + <p>All Mozilla Firefox binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-107.0" + </code> + + <p>All Mozilla Firefox users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-107.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40674">CVE-2022-40674</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45403">CVE-2022-45403</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45404">CVE-2022-45404</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45405">CVE-2022-45405</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45406">CVE-2022-45406</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45407">CVE-2022-45407</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45408">CVE-2022-45408</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45409">CVE-2022-45409</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45410">CVE-2022-45410</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45411">CVE-2022-45411</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45412">CVE-2022-45412</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45413">CVE-2022-45413</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45415">CVE-2022-45415</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45416">CVE-2022-45416</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45417">CVE-2022-45417</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45418">CVE-2022-45418</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45419">CVE-2022-45419</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45420">CVE-2022-45420</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45421">CVE-2022-45421</uri> + </references> + <metadata tag="requester" timestamp="2022-11-22T03:51:05.820873Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-11-22T03:51:05.825843Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202211-07.xml b/metadata/glsa/glsa-202211-07.xml new file mode 100644 index 000000000000..045ffe019c9a --- /dev/null +++ b/metadata/glsa/glsa-202211-07.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202211-07"> + <title>sysstat: Arbitrary Code Execution</title> + <synopsis>An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution.</synopsis> + <product type="ebuild">sysstat</product> + <announced>2022-11-22</announced> + <revised count="1">2022-11-22</revised> + <bug>880543</bug> + <access>local</access> + <affected> + <package name="app-admin/sysstat" auto="yes" arch="*"> + <unaffected range="ge">12.7.1</unaffected> + <vulnerable range="lt">12.7.1</vulnerable> + </package> + </affected> + <background> + <p>sysstat is a package containing a number of performance monitoring utilities for Linux, including sar, mpstat, iostat and sa tools.</p> + </background> + <description> + <p>On 32 bit systems, an integer overflow can be triggered when displaying activity data files.</p> + </description> + <impact type="normal"> + <p>Arbitrary code execution can be achieved via sufficiently crafted malicious input.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All sysstat users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.7.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39377">CVE-2022-39377</uri> + </references> + <metadata tag="requester" timestamp="2022-11-22T03:51:28.943709Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-11-22T03:51:28.948154Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202211-08.xml b/metadata/glsa/glsa-202211-08.xml new file mode 100644 index 000000000000..ef6062360272 --- /dev/null +++ b/metadata/glsa/glsa-202211-08.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202211-08"> + <title>sudo: Heap-Based Buffer Overread</title> + <synopsis>A vulnerability has been discovered in sudo which could result in denial of service.</synopsis> + <product type="ebuild">sudo</product> + <announced>2022-11-22</announced> + <revised count="1">2022-11-22</revised> + <bug>879209</bug> + <access>remote</access> + <affected> + <package name="app-admin/sudo" auto="yes" arch="*"> + <unaffected range="ge">1.9.12-r1</unaffected> + <vulnerable range="lt">1.9.12-r1</vulnerable> + </package> + </affected> + <background> + <p>sudo allows a system administrator to give users the ability to run commands as other users.</p> + </background> + <description> + <p>In certain password input handling, sudo incorrectly assumes the password input is at least nine bytes in size, leading to a heap buffer overread.</p> + </description> + <impact type="normal"> + <p>In the worst case, the heap buffer overread can result in the denial of service of the sudo process.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All sudo users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43995">CVE-2022-43995</uri> + </references> + <metadata tag="requester" timestamp="2022-11-22T03:52:48.652373Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-11-22T03:52:48.657000Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202211-09.xml b/metadata/glsa/glsa-202211-09.xml new file mode 100644 index 000000000000..d17ced80428d --- /dev/null +++ b/metadata/glsa/glsa-202211-09.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202211-09"> + <title>xterm: Arbitrary Code Execution</title> + <synopsis>A vulnerability has been found in xterm which could allow for arbitrary code execution.</synopsis> + <product type="ebuild">xterm</product> + <announced>2022-11-22</announced> + <revised count="1">2022-11-22</revised> + <bug>880747</bug> + <access>remote</access> + <affected> + <package name="x11-terms/xterm" auto="yes" arch="*"> + <unaffected range="ge">375</unaffected> + <vulnerable range="lt">375</vulnerable> + </package> + </affected> + <background> + <p>xterm is a terminal emulator for the X Window system.</p> + </background> + <description> + <p>xterm does not correctly handle control characters related to OSC 50 font ops sequence handling.</p> + </description> + <impact type="normal"> + <p>The vulnerability allows text written to the terminal to write text to the terminal's command line. If the terminal's shell is zsh running with vi line editing mode, text written to the terminal can also trigger the execution of arbitrary commands via writing ^G to the terminal.</p> + </impact> + <workaround> + <p>As a workaround, users can disable xterm's usage of OSC 50 sequences by adding the following to the XResources configuration:
+
+XTerm*allowFontOps: false</p> + </workaround> + <resolution> + <p>All xterm users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/xterm-375" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45063">CVE-2022-45063</uri> + </references> + <metadata tag="requester" timestamp="2022-11-22T03:53:08.351235Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-11-22T03:53:08.356875Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202211-10.xml b/metadata/glsa/glsa-202211-10.xml new file mode 100644 index 000000000000..2f53a15436f9 --- /dev/null +++ b/metadata/glsa/glsa-202211-10.xml @@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202211-10"> + <title>Pillow: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Pillow, the worst of which could result in arbitrary code execution.</synopsis> + <product type="ebuild">pillow</product> + <announced>2022-11-22</announced> + <revised count="1">2022-11-22</revised> + <bug>855683</bug> + <bug>878769</bug> + <bug>832598</bug> + <bug>830934</bug> + <bug>811450</bug> + <bug>802090</bug> + <access>remote</access> + <affected> + <package name="dev-python/pillow" auto="yes" arch="*"> + <unaffected range="ge">9.3.0</unaffected> + <vulnerable range="lt">9.3.0</vulnerable> + </package> + </affected> + <background> + <p>The friendly PIL fork.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Pillow. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Pillow users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/pillow-9.3.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23437">CVE-2021-23437</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-34552">CVE-2021-34552</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22815">CVE-2022-22815</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22816">CVE-2022-22816</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22817">CVE-2022-22817</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24303">CVE-2022-24303</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45198">CVE-2022-45198</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45199">CVE-2022-45199</uri> + </references> + <metadata tag="requester" timestamp="2022-11-22T03:53:25.971741Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-11-22T03:53:25.978803Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202211-11.xml b/metadata/glsa/glsa-202211-11.xml new file mode 100644 index 000000000000..4c3adcd09665 --- /dev/null +++ b/metadata/glsa/glsa-202211-11.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202211-11"> + <title>GPL Ghostscript: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in GPL Ghostscript, the worst of which could result in arbitrary code execution.</synopsis> + <product type="ebuild">ghostscript-gpl</product> + <announced>2022-11-22</announced> + <revised count="1">2022-11-22</revised> + <bug>852944</bug> + <bug>812509</bug> + <access>remote</access> + <affected> + <package name="app-text/ghostscript-gpl" auto="yes" arch="*"> + <unaffected range="ge">9.56.1</unaffected> + <vulnerable range="lt">9.56.1</vulnerable> + </package> + </affected> + <background> + <p>Ghostscript is an interpreter for the PostScript language and for PDF.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GPL Ghostscript users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-9.56.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3781">CVE-2021-3781</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2085">CVE-2022-2085</uri> + </references> + <metadata tag="requester" timestamp="2022-11-22T03:53:57.184664Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-11-22T03:53:57.190013Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index f5298ba72e3b..069229801596 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Tue, 22 Nov 2022 00:10:02 +0000 +Tue, 22 Nov 2022 06:10:02 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 856b1311a2d5..0a79ca2c1dba 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -d2caa7d73160aa5b9c9cda07665068a8b25fa730 1668098162 2022-11-10T16:36:02+00:00 +ae2df9a36eb30967fc9dd392f63bc7af60249272 1669089580 2022-11-22T03:59:40+00:00 |