authorV3n3RiX <venerix@koprulu.sector>2023-11-25 10:31:10 +0000
committerV3n3RiX <venerix@koprulu.sector>2023-11-25 10:31:10 +0000
commit2900e684ae4bdce1f20652587728095cd01a30a1 (patch)
treedb7b5054b7d0de362a2960a0a7268ffc37b8e1f9 /metadata/glsa
parentff8c6e4babf1a2911b8d61b6bb7e80290355cb70 (diff)
gentoo auto-resync : 25:11:2023 - 10:31:10
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin553434 -> 554222 bytes
-rw-r--r--metadata/glsa/glsa-202311-06.xml43
-rw-r--r--metadata/glsa/glsa-202311-07.xml44
-rw-r--r--metadata/glsa/glsa-202311-08.xml42
-rw-r--r--metadata/glsa/glsa-202311-09.xml73
-rw-r--r--metadata/glsa/glsa-202311-10.xml44
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
9 files changed, 263 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 4f43cc8df617..08d54edfe502 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 553434 BLAKE2B d28f022152aeaa3165582bfaf999cec857b2bf16990bd2a3cf925ffc73039f3fe49b92d5ac37eb0294a1dffe3d289493f6cd3e45fc608dcd7156a6d499a7a1e0 SHA512 35c586f941eef43c8a0c0f04027e3292ab00d1e5abc4862a3a8ed71bad94807b472aadb345bae98a96693b331b4a6dd0a0afa55cbc3c9cb52cb53a369c0b44bf
-TIMESTAMP 2023-11-25T04:10:19Z
+MANIFEST Manifest.files.gz 554222 BLAKE2B b8192c6cad8673128665e2bcbb263867375167b8afc7ec64afb228ca9734dad609b4a10892b93d53ecd9a822183ad7710567ea683d170512fc5f59563b03fdd8 SHA512 63c6723626955aea81134aa0309f9b28ef8b6ca57a101b31bec5f87c28cea30cdba4707ba9e12ac8b8de39ad140c58c903503402942317608f0f149c5429a7f4
+TIMESTAMP 2023-11-25T09:40:27Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmVhc6tfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmVhwQtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klBGCg/+LFVdPaIdIOvbUMu3WDhLEdzK7pDJa1ujJX12cTGnMifsmEZsbBqOvHSr
-cfgx0QMtdVW/e5jFiMvKP93SYgDene0TC3CRIWBkiIQEN/5YC8XqcEuF9wKyar1q
-t81DyBiori2sdjccbxHJdmihIuBTrQQSPxao/i8z/4+x2oKOx0zY8lG9WvoIyHD4
-a69uZW0XLnx2AXtZVfW1TFXP89/puS0Z3RtJueMhIQwIHwpfTjZoyVhSFtBBkt9m
-AF5okjoKMUyyKXGPyaLqjE9XMIBUXlvsWmMx/Rp6bBHN87e7M1JNulSQW0hn+Hbr
-kChhGabyslWCAn7Rw0637LZ6OEAZcjUailTKfp+04W71y89nCePKOY5Teq7dAH71
-PQUjFlKPXlMOU29n3PpGcDc9k5nb/n/jA2r2tojIPmY9r5vhM1/ArGSbJ6ZrbOJW
-TQp2TsskZjpuKigUieYd+HO0SDXAWLnb6CnB98qGxjBuyM6OGppoGf+nhBdJa1Og
-QXmWM2PFhr0LCaaTtdkUSxt9XCN4EZX2bVYlQyzobpskZ++zFFZL24yVwght2Yy2
-f+jq+w3VYnRqsSQjam7D0cgsGyvOxjup9V7J+toZMea+1gll8C2OXASCjMKjwf0V
-BRKSTCBQVTIdlAnwQEg+C5zhHhXrJ03+dza+nxgBUhKfD0a/PtQ=
-=NEY1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+=voLI
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 0e166af9b4a6..795869fbb09f 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202311-06.xml b/metadata/glsa/glsa-202311-06.xml
new file mode 100644
index 000000000000..d82781e10ed3
--- /dev/null
+++ b/metadata/glsa/glsa-202311-06.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-06">
+ <title>multipath-tools: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in multipath-tools, the worst of which can lead to root privilege escalation.</synopsis>
+ <product type="ebuild">multipath-tools</product>
+ <announced>2023-11-25</announced>
+ <revised count="1">2023-11-25</revised>
+ <bug>878763</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-fs/multipath-tools" auto="yes" arch="*">
+ <unaffected range="ge">0.9.3</unaffected>
+ <vulnerable range="lt">0.9.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>multipath-tools are used to drive the Device Mapper multipathing driver.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in multipath-tools. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All multipath-tools users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-fs/multipath-tools-0.9.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41973">CVE-2022-41973</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41974">CVE-2022-41974</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-11-25T08:13:29.146678Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-11-25T08:13:29.148791Z">graaff</metadata>
+</glsa>
\ No newline at end of file
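Review bot: The `<impact>` paragraph is a placeholder ("Please review the referenced CVE identifiers for details.") although the synopsis already states the worst case, root privilege escalation, and `<access>` is `local`. Someone triaging from the impact field alone cannot tell why this is rated `high`; I would write it as `<p>A local attacker could escalate privileges to root. Please review the referenced CVE identifiers for details.</p>`. The same placeholder impact appears in glsa-202311-09.xml and glsa-202311-10.xml, whose synopses name remote code execution as the worst case.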
diff --git a/metadata/glsa/glsa-202311-07.xml b/metadata/glsa/glsa-202311-07.xml
new file mode 100644
index 000000000000..bec70a2e5a3d
--- /dev/null
+++ b/metadata/glsa/glsa-202311-07.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-07">
+ <title>AIDE: Root Privilege Escalation</title>
+ <synopsis>A vulnerability has been found in AIDE which can lead to root privilege escalation.</synopsis>
+ <product type="ebuild">aide</product>
+ <announced>2023-11-25</announced>
+ <revised count="1">2023-11-25</revised>
+ <bug>831658</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-forensics/aide" auto="yes" arch="*">
+ <unaffected range="ge">0.17.4</unaffected>
+ <vulnerable range="lt">0.17.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker.
+
+It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (see below) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in AIDE. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All AIDE users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-forensics/aide-0.17.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45417">CVE-2021-45417</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-11-25T08:24:47.076936Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-11-25T08:24:47.079410Z">graaff</metadata>
+</glsa>
\ No newline at end of file
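Review bot: `<access>remote</access>` contradicts the impact text, which says the flaw "allows local users to obtain root privileges via crafted file metadata"; going by what the advisory itself states, the field should be `<access>local</access>`. Tooling or triage that filters on the access vector would otherwise rank this as network-reachable. The background paragraph also keeps "(see below)" from a longer upstream description, pointing to a digest list that is not in this file; dropping those two words would be cleaner.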
diff --git a/metadata/glsa/glsa-202311-08.xml b/metadata/glsa/glsa-202311-08.xml
new file mode 100644
index 000000000000..1ca40cbb7b0c
--- /dev/null
+++ b/metadata/glsa/glsa-202311-08.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-08">
+ <title>GNU Libmicrohttpd: Buffer Overflow Vulnerability</title>
+ <synopsis>A buffer overflow vulnerability has been discovered in GNU Libmicrohttpd.</synopsis>
+ <product type="ebuild">libmicrohttpd</product>
+ <announced>2023-11-25</announced>
+ <revised count="1">2023-11-25</revised>
+ <bug>778296</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/libmicrohttpd" auto="yes" arch="*">
+ <unaffected range="gt">0.9.70</unaffected>
+ <vulnerable range="eq">0.9.70</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GNU libmicrohttpd is a small C library that makes it easy to run an HTTP server as part of another application. GNU Libmicrohttpd is free software and part of the GNU project.</p>
+ </background>
+ <description>
+ <p>A buffer overflow vulnerability has been discovered in GNU Libmicrohttpd. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GNU Libmicrohttpd users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">net-libs/libmicrohttpd-0.9.70"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3466">CVE-2021-3466</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-11-25T08:29:39.007233Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-11-25T08:29:39.010725Z">graaff</metadata>
+</glsa>
\ No newline at end of file
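Review bot: The ranges mark exactly one version as vulnerable (`<vulnerable range="eq">0.9.70</vulnerable>`), yet neither the description nor the impact says that only 0.9.70 is affected, so a reader of the rendered advisory cannot tell whether older installs need action. If that matches the upstream CVE record (worth confirming against the linked NVD entry), state it in the description, e.g. `<p>Only version 0.9.70 is affected.</p>`. Since the background text describes libmicrohttpd as a library that runs inside other applications, a sentence reminding users to restart services that link against it after upgrading would also help.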
diff --git a/metadata/glsa/glsa-202311-09.xml b/metadata/glsa/glsa-202311-09.xml
new file mode 100644
index 000000000000..61f2712fceda
--- /dev/null
+++ b/metadata/glsa/glsa-202311-09.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-09">
+ <title>Go: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution.</synopsis>
+ <product type="ebuild">go</product>
+ <announced>2023-11-25</announced>
+ <revised count="1">2023-11-25</revised>
+ <bug>873637</bug>
+ <bug>883783</bug>
+ <bug>894478</bug>
+ <bug>903979</bug>
+ <bug>908255</bug>
+ <bug>915555</bug>
+ <bug>916494</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="dev-lang/go" auto="yes" arch="*">
+ <unaffected range="ge">1.20.10</unaffected>
+ <vulnerable range="lt">1.20.10</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Go. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Go users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/go-1.20.10"
+ # emerge --ask --oneshot --verbose @golang-rebuild
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2879">CVE-2022-2879</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2880">CVE-2022-2880</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41715">CVE-2022-41715</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41717">CVE-2022-41717</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41723">CVE-2022-41723</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41724">CVE-2022-41724</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41725">CVE-2022-41725</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24534">CVE-2023-24534</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24536">CVE-2023-24536</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24537">CVE-2023-24537</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24538">CVE-2023-24538</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29402">CVE-2023-29402</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29403">CVE-2023-29403</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29404">CVE-2023-29404</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29405">CVE-2023-29405</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29406">CVE-2023-29406</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29409">CVE-2023-29409</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39318">CVE-2023-39318</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39319">CVE-2023-39319</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39320">CVE-2023-39320</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39321">CVE-2023-39321</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39322">CVE-2023-39322</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39323">CVE-2023-39323</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39325">CVE-2023-39325</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44487">CVE-2023-44487</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-11-25T08:56:49.846635Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-11-25T08:56:49.848867Z">graaff</metadata>
+</glsa>
\ No newline at end of file
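Review bot: The third resolution command, `# emerge --ask --oneshot --verbose @golang-rebuild`, is given without explanation, and `<affected>` lists only `dev-lang/go`. Presumably the set is there because packages compiled with a vulnerable toolchain keep the flawed standard-library code until they are rebuilt; a sentence before the `<code>` block saying so, e.g. `<p>Packages built with an affected Go version must be rebuilt after the upgrade:</p>`, would stop users from skipping that step. With 25 CVEs referenced, it is also worth confirming that the single `ge 1.20.10` boundary holds for every newer release series, since that range reports all later versions as unaffected.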
diff --git a/metadata/glsa/glsa-202311-10.xml b/metadata/glsa/glsa-202311-10.xml
new file mode 100644
index 000000000000..dd4ac274cb36
--- /dev/null
+++ b/metadata/glsa/glsa-202311-10.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-10">
+ <title>RenderDoc: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in RenderDoc, the worst of which leads to remote code execution.</synopsis>
+ <product type="ebuild">renderdoc</product>
+ <announced>2023-11-25</announced>
+ <revised count="1">2023-11-25</revised>
+ <bug>908031</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-gfx/renderdoc" auto="yes" arch="*">
+ <unaffected range="ge">1.27</unaffected>
+ <vulnerable range="lt">1.27</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>RenderDoc is a free MIT licensed stand-alone graphics debugger that allows quick and easy single-frame capture and detailed introspection of any application using Vulkan, D3D11, OpenGL &amp; OpenGL ES or D3D12 across Windows, Linux, Android, or Nintendo Switchâ„¢.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GRUB. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All RenderDoc users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-gfx/renderdoc-1.27"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33863">CVE-2023-33863</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33864">CVE-2023-33864</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33865">CVE-2023-33865</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-11-25T09:36:29.923016Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-11-25T09:36:29.925676Z">graaff</metadata>
+</glsa>
\ No newline at end of file
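Review bot: The description names the wrong product: it says `Multiple vulnerabilities have been discovered in GRUB.` in an advisory for `media-gfx/renderdoc`, and should read `<p>Multiple vulnerabilities have been discovered in RenderDoc. Please review the CVE identifiers referenced below for details.</p>`. The background text also shows `Switchâ„¢`, which looks like a UTF-8 trademark sign decoded with the wrong charset. If the file itself contains those bytes, rather than this being an artifact of the page rendering, it should be `Switch™` (or `&#8482;`).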
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 32b7848fc277..4ca135130255 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 25 Nov 2023 04:10:16 +0000
+Sat, 25 Nov 2023 09:40:24 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 07716573eb8d..65ba52468ad7 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-c99aedd76d916c7d282282c93b43664f35bccf07 1700835611 2023-11-24T14:20:11+00:00
+335f69a9cbc971132afe551e722b25032997f1b5 1700905015 2023-11-25T09:36:55+00:00