gentoo resync : 13.01.2018

author: V3n3RiX <venerix@redcorelinux.org> 2018-01-13 06:19:51 +0000
committer: V3n3RiX <venerix@redcorelinux.org> 2018-01-13 06:19:51 +0000
commit: 8be70107efbb417f839292165ee39d07a062046f (patch)
tree: 013918887ec4a00f0cefdb4b4d1313cbc3054305 /metadata/glsa
parent: 343a7272d559a21a0e0ed13cb743fabb2bfcc479 (diff)
7 files changed, 206 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index dcea53f6af9a..0730e81f1a2f 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 414446 BLAKE2B 5b433dfd85097ead79bccfcdc5ac71450a49f0cd04217ea95a0da4d9b3a14d6a0df186361cf5d3a4ff24547968a8bdb79ea1e31d21aa21b86708e0885a152525 SHA512 2410eac2ebdd40b883f4296ea6c8ebefb16545c125c9ecb039ba9a79dc2d32f43aaaa01673cb98557d5d7aa414d7d0c72e688610d9b127a0d56cb1584e16cf5c
-TIMESTAMP 2018-01-11T08:09:31Z
+MANIFEST Manifest.files.gz 414930 BLAKE2B 54c8bec7c47b900f490e4e34024351be14f456a48cacf2b39c9c543980f7b457877607be1b1a2619bba3921e272569dddbe7cbe408004596209bfaef3ad1f30e SHA512 fe8b5b4b09d48323bfe7f07a9b7216c4b61eb0986f2508a393f9a5266ae4d6f5c8fb70ea146fd1e2823a5d5995190c0817a11d4bedf5624b5eaaddf74d3af007
+TIMESTAMP 2018-01-13T05:38:57Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlpXG7tfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlpZm3FfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klAWchAAkB06ilg+f0cQJjuO8Gb102XQO7rjETlzbaTbzsDHJL1ObwHr5CAFOZI2
-iQ/wEqnaUNd7pylDCnUK8JKKZi9CFe9Y2jSqqYqHmQx61+hveE+QO5b94JFT4PeT
-lkiWD2/4jObDBG9T1k5S0vV8upozJ7rrthv9T7/XEs3KhByVQawpsYFL5dfqw40q
-rO32paCDMkC5jPBPN7w98KODysNscMYS8hePUz+INe4xC82/I8cM2yaUXMUAlcKw
-r1JfVrWMg0C+H7X/zLo5HFiB4Dzufsv494IQb+MKlHLAdt8e+QqJSS6EHiC9pBvw
-sp1fn7FNDheP8HCuMeahKzafwWEZ9/4M+3HLelQsUA4YWIOF7isIn/rPhEWqJW8f
-hcHQQb31Kv6SwWqlw+VuczhbMae3hbSGD0l3v9lICyNIjlQL+ULoQSqpiDYeGB2p
-ZlHbw8AxN5x2kNZBFjr8PEPs/MDMXWUVEo01Ya3kzl5AZosUgNc2IygQDNLGEK2E
-jXYtzKnDMXnygiR+vOttiAA5SIv7uRnGsvGPeqj8GyuMOBj+z6h55EoQY2I1g0MD
-ZCL/jOJ466DxuCPamT5ZmVzlsNrphx1Z1TJhyRi0ErMm+Wq5mPSkQQHhdnSRmG5O
-Mz8wV+6hQ5QLOeib14lHYflx84husK67qiNj/fVbTMJRvVGWPaU=
-=xCMV
+klAWuA//UdGefSrX8EJ+MKit+CCilc7b1s9qwlwbJ4TwQvOzzLI3+pZaEZCJLLD9
+eLUiUCuegKbXF55yMd1LWK72NZKeKgdeMLYn7rLFJq6kxJ5HQG12MsA0Gt5QrToj
+CsKHhlOuhDwZGSpa8ppwF4XJeZ8uUif+xaW14dYaRnBQ7nyEGRSPnXhwKd5S/fqN
+m4g6kfaHp6uORmLGD2Aag5Iqz+kX1jQo2DWF5yuxpHd2qSgO3n4Lzl/eA7IqkWHC
+xNLTI1fBrBtsvAZEqNy7IbFbAEDXPnyMaA4wuTpdX6E56GHJkJTK6OVYD3UNxe8O
+loz+Y03NfslKDmchp74781fcC8VRpW4X+G/em0fwLlc8r6WrJPGYG845PFdcfmIX
+G8FN7Vx5i4QuWNWynR/TGOyFyIxGblle1mEytDq3r+9NRxDKfBeDOgzaM/Vb/+kA
+bq+DgI8WwuF3L5WzCXO3Mkx41BmjTHakPLJK8pHRDfoCxnTtfvHo+aoxPzYdBg8c
+VTzy0gkNof7xId25g2MhxISej/bqQZRfmgQocqIVj2IBFSfMSHf+lxUpLP0AmWp/
+jnoniFokq39Mta8+jp22agt1pKk0+u5PncdkdrFvPVWK4oBsHwWZIO7oV+gBTZVF
+lUjvrkO1F8xfoVUSJlEgMbE7ifK1VHxts3mcu2vpbuqIMP4Q4b4=
+=RuEd
 -----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 895c44865813..8ea3f1eb83d4 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
diff --git a/metadata/glsa/glsa-201801-11.xml b/metadata/glsa/glsa-201801-11.xml
new file mode 100644
index 000000000000..7359c3c04a81
--- /dev/null
+++ b/metadata/glsa/glsa-201801-11.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-11">
+  <title>PySAML2: Security bypass</title>
+  <synopsis>A vulnerability in PySAML2 might allow remote attackers to bypass
+    authentication.
+  </synopsis>
+  <product type="ebuild">PySAML2</product>
+  <announced>2018-01-11</announced>
+  <revised>2018-01-12: 2</revised>
+  <bug>644016</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-python/pysaml2" auto="yes" arch="*">
+      <unaffected range="ge">4.0.2-r3</unaffected>
+      <unaffected range="ge">4.5.0</unaffected>
+      <vulnerable range="lt">4.0.2-r3</vulnerable>
+      <vulnerable range="lt">4.5.0</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>PySAML2 is a pure python implementation of SAML2</p>
+  </background>
+  <description>
+    <p>It was found that the PySAML2 relies on an assert statement to check the
+      user’s password. A python optimizations might remove this assertion.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could bypass security restrictions and access any
+      application which is using PySAML2 for authentication.
+    </p>
+  </impact>
+  <workaround>
+    <p>Disable python optimizations.</p>
+  </workaround>
+  <resolution>
+    <p>All PySAML2 4.0 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-python/pysaml2-4.0.2-r3"
+    </code>
+    
+    <p>All PySAML2 4.5 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-python/pysaml2-4.5.0"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000433">
+      CVE-2017-1000433
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-09T14:46:58Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2018-01-12T01:23:24Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-12.xml b/metadata/glsa/glsa-201801-12.xml
new file mode 100644
index 000000000000..f97629b7f436
--- /dev/null
+++ b/metadata/glsa/glsa-201801-12.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-12">
+  <title>icoutils: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in icoutils, the worst of
+    which may lead to arbitrary code execution.
+  </synopsis>
+  <product type="ebuild">icoutils</product>
+  <announced>2018-01-11</announced>
+  <revised>2018-01-11: 1</revised>
+  <bug>605138</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="media-gfx/icoutils" auto="yes" arch="*">
+      <unaffected range="ge">0.32.0</unaffected>
+      <vulnerable range="lt">0.32.0</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>A set of command-line programs for extracting and converting images in
+      Microsoft Windows(R) icon and cursor files.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in icoutils. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user to process a specially crafted
+      file, possibly resulting in execution of arbitrary code with the
+      privileges of the process or a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All icoutils users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-gfx/icoutils-0.32.0"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5208">
+      CVE-2017-5208
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6009">
+      CVE-2017-6009
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6010">
+      CVE-2017-6010
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6011">
+      CVE-2017-6011
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T06:04:02Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-11T22:41:52Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-13.xml b/metadata/glsa/glsa-201801-13.xml
new file mode 100644
index 000000000000..e744cfc54c4c
--- /dev/null
+++ b/metadata/glsa/glsa-201801-13.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-13">
+  <title>TigerVNC: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in TigerVNC, the worst of
+    which may lead to arbitrary code execution.
+  </synopsis>
+  <product type="ebuild">tigervnc</product>
+  <announced>2018-01-11</announced>
+  <revised>2018-01-11: 1</revised>
+  <bug>614742</bug>
+  <bug>636396</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="net-misc/tigervnc" auto="yes" arch="*">
+      <unaffected range="ge">1.8.0</unaffected>
+      <vulnerable range="lt">1.8.0</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>TigerVNC is a high-performance VNC server/client.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in TigerVNC. Please review
+      the referenced CVE Identifiers for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>An attacker could execute arbitrary code or cause a Denial of Service
+      condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All TigerVNC users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-misc/tigervnc-1.8.0"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10207">
+      CVE-2016-10207
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7392">
+      CVE-2017-7392
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7393">
+      CVE-2017-7393
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7394">
+      CVE-2017-7394
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7395">
+      CVE-2017-7395
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7396">
+      CVE-2017-7396
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-11-24T22:29:53Z">chrisadr</metadata>
+  <metadata tag="submitter" timestamp="2018-01-11T22:42:09Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index b9a5d670b0ce..749c873f8b58 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Thu, 11 Jan 2018 08:09:27 +0000
+Sat, 13 Jan 2018 05:38:53 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index aaca69940ebb..bad538a8fc07 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-83b03abfd2cbeb32bafb0df4d1a742e9717c33a3 1515417463 2018-01-08T13:17:43+00:00
+8dca4027f96f539f3d11cd618e9a606c9597dbca 1515720256 2018-01-12T01:24:16+00:00
author	V3n3RiX <venerix@redcorelinux.org>	2018-01-13 06:19:51 +0000
committer	V3n3RiX <venerix@redcorelinux.org>	2018-01-13 06:19:51 +0000
commit	8be70107efbb417f839292165ee39d07a062046f (patch)
tree	013918887ec4a00f0cefdb4b4d1313cbc3054305 /metadata/glsa
parent	343a7272d559a21a0e0ed13cb743fabb2bfcc479 (diff)