authorV3n3RiX <venerix@koprulu.sector>2024-01-05 14:04:26 +0000
committerV3n3RiX <venerix@koprulu.sector>2024-01-05 14:04:26 +0000
commit8fd9d385e5bc3c01115ec2ddcb2227607eb90861 (patch)
treeaba1e6ef6b95e94172c009394cd1fcbc383e7d6e /metadata/glsa
parent1ddcee0bd115d2f843f82061cb0d1741bf90151d (diff)
gentoo auto-resync : 05:01:2024 - 14:04:25
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin558359 -> 558999 bytes
-rw-r--r--metadata/glsa/glsa-202401-02.xml50
-rw-r--r--metadata/glsa/glsa-202401-03.xml42
-rw-r--r--metadata/glsa/glsa-202401-04.xml68
-rw-r--r--metadata/glsa/glsa-202401-05.xml42
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
8 files changed, 219 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 29908f95092a..2d1addbbb2a7 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 558359 BLAKE2B 6ff1dd9354455ed7f338ae06c477ce7dac2990bd3eb84868668c9a4fbd7666355ff69ec8cc4598c2a46dd5fe56b3f952413e3b68af3b33b6da19c6f37d97ca70 SHA512 a6deeae40717b5176fe6030ff10537898379202450dfebbf026b789aa8ed1701f446b152e2bf3cf3f8b391bac2576b9612ea9a4cf4d35ad7cc3d262e8dfa0010
-TIMESTAMP 2024-01-05T07:40:08Z
+MANIFEST Manifest.files.gz 558999 BLAKE2B f0c255a4e931f6e5af7a60afe1dd2a2134f94e6fdb52bdcaf5c4c3919a59809263aa708951de0a4a6138329cd50ff30e21be7208e33dfdde8f09c4b83d1a1de1 SHA512 824cc6b813cbd1a1b2bde4676c1222a5e50c277df9746acfacc3a65ea993f00b1e7a47e6250173eeec46ef4fb8ee9e86fbf6ae53f464be92ed08d25cd9fcd208
+TIMESTAMP 2024-01-05T13:40:09Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmWXslhfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmWYBrlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klAcEw/9H8apo2lwCD/w2zSten/Zsreh+P6VC3CYQMlHZWjpGmXGimTHKUAYNuk9
-MpfiDB07h7HgY+qshYrHc6AKevgdmjUfRV+3sAkk8cbnaICDhrhCYrHzLT/GES5M
-WXXfRAX0tGffTTIqikUOZm2BHkoXMJd1HSZ2H4edCH8UllIUOzFERt8/YijhLKuF
-B+t0EiMEk5YXlmAXBH5F9zs2fLfFFFI9ujIywsgWpO9nPovWeCljuQLh/JEW6+SH
-GnKLw2ZM7nD9RY4jhz1HVB+aEnCbfUjM29Cm2ZzwwovDqdkTfVrTjo28OmapS/TR
-w4nmoVr2b9VRQuSUEoM0sVlgc8cETtdv9oIMwj6erH567PrjTtpWZwG00lyU/eBh
-OWEtDywMe3TVs2r/3k59RQUmuiukqRA6b+6opJUUWLR73EHubOdkucZyaAdHD4ZX
-ydMJvCqAvgQlZJWIoxzBBMw41xZ+LKTlY2mDg5jdlVF76MfMzXcv+mjH6eT+5ddM
-t3UMOiVpBWsnnUMji08/H/7mexx/i34gPZ8tKFsoRoJLfF6dknbL6UcvBgEydsa1
-eyzqYBXDNGrS6jzloGkL/xzeVHznjH3Z4s1Oq8esRZn/YOdYPvJKMHgCDkSASefQ
-tAtpmhmjlkUpDIO5pYolgZFDtxE+7ksMDt2FnZb0qCRVAOV8cDQ=
-=kw0k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+=oxCS
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index e9d3a995cb72..73ff6dfcb9b5 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202401-02.xml b/metadata/glsa/glsa-202401-02.xml
new file mode 100644
index 000000000000..ff38eed4e5a6
--- /dev/null
+++ b/metadata/glsa/glsa-202401-02.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202401-02">
+ <title>c-ares: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity.</synopsis>
+ <product type="ebuild">c-ares</product>
+ <announced>2024-01-05</announced>
+ <revised count="1">2024-01-05</revised>
+ <bug>807604</bug>
+ <bug>807775</bug>
+ <bug>892489</bug>
+ <bug>905341</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-dns/c-ares" auto="yes" arch="*">
+ <unaffected range="ge">1.19.0</unaffected>
+ <vulnerable range="lt">1.19.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>c-ares is a C library for asynchronous DNS requests (including name resolves).</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in c-ares. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All c-ares users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dns/c-ares-1.19.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3672">CVE-2021-3672</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22930">CVE-2021-22930</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22931">CVE-2021-22931</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22939">CVE-2021-22939</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22940">CVE-2021-22940</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4904">CVE-2022-4904</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-01-05T09:27:33.033646Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-01-05T09:27:33.037404Z">graaff</metadata>
+</glsa> \ No newline at end of file
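Review bot: Several entries in `<references>` (CVE-2021-22930, CVE-2021-22931, CVE-2021-22939 and CVE-2021-22940) appear to be tracked against Node.js rather than c-ares itself, so a reader following them will not find a c-ares defect or a reason why 1.19.0 is the fixed version. Please check each identifier against the four linked bugs and either drop the ones that do not apply to net-dns/c-ares or say in `<description>` which c-ares issue each one covers. The `<impact>` paragraph is also only a pointer to the CVEs, while the synopsis already states a loss of confidentiality or integrity; repeating that one sentence in `<impact>` would let users triage without leaving the advisory.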
diff --git a/metadata/glsa/glsa-202401-03.xml b/metadata/glsa/glsa-202401-03.xml
new file mode 100644
index 000000000000..e9e5d7550560
--- /dev/null
+++ b/metadata/glsa/glsa-202401-03.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202401-03">
+ <title>BlueZ: Privilege Escalation</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Bluez, the worst of which can lead to privilege escalation.</synopsis>
+ <product type="ebuild">bluez</product>
+ <announced>2024-01-05</announced>
+ <revised count="1">2024-01-05</revised>
+ <bug>919383</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-wireless/bluez" auto="yes" arch="*">
+ <unaffected range="ge">5.70-r1</unaffected>
+ <vulnerable range="lt">5.70-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>BlueZ is the canonical bluetooth tools and system daemons package for Linux.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in BlueZ. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>An attacker may inject unauthenticated keystrokes via Bluetooth, leading to privilege escalation or denial of service.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All BlueZ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-wireless/bluez-5.70-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45866">CVE-2023-45866</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-01-05T12:09:52.619298Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-01-05T12:09:52.622390Z">graaff</metadata>
+</glsa> \ No newline at end of file
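Review bot: The synopsis and `<description>` both announce "Multiple vulnerabilities" and "CVE identifiers", but `<references>` lists only CVE-2023-45866 and the title is singular, so the advisory contradicts itself about its scope. I would write `<p>A vulnerability has been discovered in BlueZ. Please review the CVE identifier referenced below for details.</p>` and change the synopsis to match, also fixing the spelling "Bluez" to "BlueZ" there. The `<workaround>` text deserves a second look: the upstream fix for this CVE is, as far as I recall, a changed default for the `ClassicBondedOnly` option in BlueZ's `input.conf`; if that is right, setting it explicitly is a workaround to state for users who cannot upgrade immediately.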
diff --git a/metadata/glsa/glsa-202401-04.xml b/metadata/glsa/glsa-202401-04.xml
new file mode 100644
index 000000000000..e900d7658607
--- /dev/null
+++ b/metadata/glsa/glsa-202401-04.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202401-04">
+ <title>WebKitGTK+: Multiple Vulnerabilities</title>
+ <synopsis>Several vulnerabilities have been found in WebKitGTK+, the worst of which can lead to remote code execution.</synopsis>
+ <product type="ebuild">webkit-gtk</product>
+ <announced>2024-01-05</announced>
+ <revised count="1">2024-01-05</revised>
+ <bug>907818</bug>
+ <bug>909663</bug>
+ <bug>910656</bug>
+ <bug>918087</bug>
+ <bug>918099</bug>
+ <bug>919290</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/webkit-gtk" auto="yes" arch="*">
+ <unaffected range="ge" slot="4">2.42.3</unaffected>
+ <unaffected range="ge" slot="4.1">2.42.3</unaffected>
+ <unaffected range="ge" slot="6">2.42.3</unaffected>
+ <vulnerable range="lt" slot="4">2.42.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All WebKitGTK+ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.42.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28198">CVE-2023-28198</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28204">CVE-2023-28204</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32370">CVE-2023-32370</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32373">CVE-2023-32373</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32393">CVE-2023-32393</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32439">CVE-2023-32439</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37450">CVE-2023-37450</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38133">CVE-2023-38133</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38572">CVE-2023-38572</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38592">CVE-2023-38592</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38594">CVE-2023-38594</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38595">CVE-2023-38595</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38597">CVE-2023-38597</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38599">CVE-2023-38599</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38600">CVE-2023-38600</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38611">CVE-2023-38611</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40397">CVE-2023-40397</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42916">CVE-2023-42916</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42917">CVE-2023-42917</uri>
+ <uri link="https://webkitgtk.org/security/WSA-2023-0006.html">WSA-2023-0006</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-01-05T13:00:45.321572Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-01-05T13:00:45.323961Z">graaff</metadata>
+</glsa> \ No newline at end of file
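Review bot: The `<package>` block declares `<unaffected>` ranges for slots 4, 4.1 and 6 but a `<vulnerable>` range only for slot 4, so installs of net-libs/webkit-gtk below 2.42.3 in slots 4.1 and 6 are not described as vulnerable. Tooling that matches installed packages against the `<vulnerable>` entries would presumably not report those slots. Unless that omission is deliberate, add `<vulnerable range="lt" slot="4.1">2.42.3</vulnerable>` and `<vulnerable range="lt" slot="6">2.42.3</vulnerable>` next to the existing slot 4 line.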
diff --git a/metadata/glsa/glsa-202401-05.xml b/metadata/glsa/glsa-202401-05.xml
new file mode 100644
index 000000000000..b1ce5562b5ba
--- /dev/null
+++ b/metadata/glsa/glsa-202401-05.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202401-05">
+ <title>RDoc: Command Injection</title>
+ <synopsis>A vulnerability has been found in RDoc which allows for command injection.</synopsis>
+ <product type="ebuild">rdoc</product>
+ <announced>2024-01-05</announced>
+ <revised count="1">2024-01-05</revised>
+ <bug>801301</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-ruby/rdoc" auto="yes" arch="*">
+ <unaffected range="ge">6.3.2</unaffected>
+ <vulnerable range="lt">6.3.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>RDoc produces HTML and command-line documentation for Ruby projects.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in RDoc. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All RDoc users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.3.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31799">CVE-2021-31799</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-01-05T13:34:12.712050Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-01-05T13:34:12.715693Z">graaff</metadata>
+</glsa> \ No newline at end of file
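Review bot: The last sentence of `<impact>` is hard to parse ("exploit it to run an arbitrary command execution against a user"), and "ends with tags" reads as if markup were meant rather than the literal suffix. I would reword it to `A malicious Ruby project could exploit this to execute arbitrary commands as the user who runs the rdoc command.` and mark the file-name parts as literals, for example "starts with `|` and ends with `tags`". The text also describes an attack that needs the victim to run rdoc on an untrusted project, so it is worth confirming that `<access>remote</access>` is the intended classification.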
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 7d11ff57b05f..4bf5a1d534b2 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Fri, 05 Jan 2024 07:40:03 +0000
+Fri, 05 Jan 2024 13:40:06 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 4f7a75657ddb..0200e3e095e8 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-086ee91647926ad5550f1443e004b5f5d1bda7fc 1704206331 2024-01-02T14:38:51+00:00
+18540d77b43283bbeb478e2efd181954f507ac07 1704461679 2024-01-05T13:34:39+00:00