authorV3n3RiX <venerix@koprulu.sector>2024-02-18 11:39:03 +0000
committerV3n3RiX <venerix@koprulu.sector>2024-02-18 11:39:03 +0000
commit08f1ae6b8bd1202a10c5f0d07ee0adc846e0308c (patch)
tree030000b4df6e90b84380b6c0471fd05dd547bb0f /metadata/glsa
parent3e4b97f04e1561890eb4b0bcb3a411b931c08d02 (diff)
gentoo auto-resync : 18:02:2024 - 11:39:02
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin565345 -> 566926 bytes
-rw-r--r--metadata/glsa/glsa-202402-12.xml42
-rw-r--r--metadata/glsa/glsa-202402-13.xml40
-rw-r--r--metadata/glsa/glsa-202402-14.xml69
-rw-r--r--metadata/glsa/glsa-202402-15.xml42
-rw-r--r--metadata/glsa/glsa-202402-16.xml44
-rw-r--r--metadata/glsa/glsa-202402-17.xml48
-rw-r--r--metadata/glsa/glsa-202402-18.xml53
-rw-r--r--metadata/glsa/glsa-202402-19.xml42
-rw-r--r--metadata/glsa/glsa-202402-20.xml45
-rw-r--r--metadata/glsa/glsa-202402-21.xml55
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
14 files changed, 497 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 6eff93cfa799..5d47b3cc95cb 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 565345 BLAKE2B 035c94a1830ba463996232986c49dcd03fc870b29b8c6a344a1885e15dc6be466f63c23bf6fb094ccea3a10ce2b016d268036d87c3af39617dbd4edc9733f056 SHA512 fb101c85b61c3d9c1ecba68339c93d5df7ea3506c031fff5e471bdba764a75888b0625bb6fc8267971325404a07516896eea1753bd79c12291bad17c30ad1cee
-TIMESTAMP 2024-02-18T04:10:04Z
+MANIFEST Manifest.files.gz 566926 BLAKE2B b7a1adbe2f9cc217d0d6a19ad7d50076d9a2a18907efa7043063186ec1c91b0434475f094906f65b929eee44f595c72e886c02438845112bc168ac0d1c2ade71 SHA512 c32dfd004c660519965b2ccf195b2e0dabb6512b8ed6e5cb6bb0acfd9d36c8008ad284f9c14e850f1f30b20e2413591b084c30d96a5ad33fad2285e45c413faf
+TIMESTAMP 2024-02-18T11:10:04Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmXRgxxfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmXR5Y1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klAwXA/8C+v85KXcwdzZl/V6LefoSKFLGM/cqxmlulIot4UuBTxT+uirkNLFOCsR
-pzz/6qIOv46+Q5HGyOHGdKNJw6k+CsvBrXRlmWP0i44p/W8DAevGjWNxhn8V+13O
-t+XC6AE15sNsYFaQmcU5XVWdt1TOIh9rhyO0g4+Q3dD4i5VqfSrbvTT67vZHdsrv
-Hxj0BgWytJEUrwA/OTWcJCYFNucCOSuSoED+ulnWT3O1Czqh0dEvorFOD/XtY5Ru
-bL65Mu6zxWg0XZ0H6Q6kZtizzm9kTxqLwyXjcUqhXg6dKzI7lcZF63GqtLvptWoM
-XI2pl68pMHtNxwNptcgKH+mIatsd+Jsivz4utZs/IKPS8H01R2aFOnhAze1BNx3z
-7rFWSMjy4g4J44tucGQfSiJa0KPE4cW+gwW34Xq7h0js1m7Akp+D3fxhSOGxlSle
-tw9TvydcfRAORJObIlPSAbhQd7CmSmpXIeTTUawmeL7jI0HXgOTL6x7IMboYoywB
-RgP3bJMyVBPDtE75cvCPK/ASqSQNEpdIF9X7/Jp9EfeZ7YyE8whCYCvUyAbANwJQ
-Kc+cfqT/NfEYZdZ8WdZjfgbNHh6pkpJySlOM8xgPvdutbmhccIjBYNSMPnOB89AO
-t5OoGUgTWKdwvoh/XXH9/zdiDEHkqSYa6EnnZaNamgaVHkyQTIo=
-=e7lK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+=5mrQ
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 7b39ba6cc6df..b8689b447734 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202402-12.xml b/metadata/glsa/glsa-202402-12.xml
new file mode 100644
index 000000000000..d89aba3114fc
--- /dev/null
+++ b/metadata/glsa/glsa-202402-12.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-12">
+ <title>GNU Tar: Out of Bounds Read</title>
+ <synopsis>A vulnerability has been discovered in GNU Tar which may lead to an out of bounds read.</synopsis>
+ <product type="ebuild">tar</product>
+ <announced>2024-02-18</announced>
+ <revised count="1">2024-02-18</revised>
+ <bug>898176</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-arch/tar" auto="yes" arch="*">
+ <unaffected range="ge">1.34-r3</unaffected>
+ <vulnerable range="lt">1.34-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The GNU Tar program provides the ability to create tar archives, as well as various other kinds of manipulation.</p>
+ </background>
+ <description>
+ <p>A vulnerability have been discovered in GNU Tar. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>GNU Tar has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs via a V7 archive in which mtime has approximately 11 whitespace characters.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GNU Tar users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/tar-1.34-r3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-48303">CVE-2022-48303</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-18T07:18:24.316864Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-18T07:18:24.319114Z">graaff</metadata>
+</glsa>
\ No newline at end of file
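Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line at the top of this file, repeated in the nine other advisories this commit adds (glsa-202402-13 through -21), names an external DTD over plain HTTP. Any tool that parses these advisories should have external DTD and entity loading disabled, or resolve the identifier from a local catalog, so that nobody on the network path can influence parsing. Separately, the description reads "A vulnerability have been discovered"; it should be `A vulnerability has been discovered in GNU Tar.`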
diff --git a/metadata/glsa/glsa-202402-13.xml b/metadata/glsa/glsa-202402-13.xml
new file mode 100644
index 000000000000..40fbcc08b3c2
--- /dev/null
+++ b/metadata/glsa/glsa-202402-13.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-13">
+ <title>TACACS+: Remote Code Execution</title>
+ <synopsis>A vulnerability has been discovered in TACACS+ which could lead to remote code execution.</synopsis>
+ <product type="ebuild">tac_plus</product>
+ <announced>2024-02-18</announced>
+ <revised count="1">2024-02-18</revised>
+ <bug>918536</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-nds/tac_plus" auto="yes" arch="*">
+ <vulnerable range="le">4.0.4.27a-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>An updated version of Cisco&#39;s TACACS+ server.</p>
+ </background>
+ <description>
+ <p>A vulnerabilitiy has been discovered in TACACS+. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>A lack of input validation exists in tac_plus which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for TACACS+. We recommend that users unmerge it:</p>
+
+ <code>
+ # emerge --ask --depclean "net-nds/tac_plus"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45239">CVE-2023-45239</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-18T07:32:10.393499Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-18T07:32:10.395789Z">graaff</metadata>
+</glsa>
\ No newline at end of file
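Review bot: The `<workaround>` block states that no workaround is known, yet the `<impact>` text limits the injection to configurations where pre or post auth commands are enabled. If that condition is accurate, disabling those commands is an interim mitigation worth stating, for example `<p>Disable pre and post authorization commands in the tac_plus configuration until the package is removed.</p>`. This is inferred from the impact wording alone and should be confirmed against CVE-2023-45239 before it is published. The description also misspells the word as "vulnerabilitiy".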
diff --git a/metadata/glsa/glsa-202402-14.xml b/metadata/glsa/glsa-202402-14.xml
new file mode 100644
index 000000000000..654226d9c411
--- /dev/null
+++ b/metadata/glsa/glsa-202402-14.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-14">
+ <title>QtWebEngine: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution.</synopsis>
+ <product type="ebuild">qtwebengine</product>
+ <announced>2024-02-18</announced>
+ <revised count="1">2024-02-18</revised>
+ <bug>922189</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-qt/qtwebengine" auto="yes" arch="*">
+ <unaffected range="ge">5.15.12_p20240122</unaffected>
+ <vulnerable range="lt">5.15.12_p20240122</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>QtWebEngine is a library for rendering dynamic web content in Qt5 and Qt6 C++ and QML applications.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in QtWebEngine. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All QtWebEngine users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.12_p20240122"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5997">CVE-2023-5997</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6112">CVE-2023-6112</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6345">CVE-2023-6345</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6346">CVE-2023-6346</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6347">CVE-2023-6347</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6348">CVE-2023-6348</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6350">CVE-2023-6350</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6351">CVE-2023-6351</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6508">CVE-2023-6508</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6509">CVE-2023-6509</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6510">CVE-2023-6510</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6511">CVE-2023-6511</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6512">CVE-2023-6512</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6702">CVE-2023-6702</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6703">CVE-2023-6703</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6704">CVE-2023-6704</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6705">CVE-2023-6705</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6706">CVE-2023-6706</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6707">CVE-2023-6707</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-7024">CVE-2023-7024</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0222">CVE-2024-0222</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0223">CVE-2024-0223</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0224">CVE-2024-0224</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0225">CVE-2024-0225</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0333">CVE-2024-0333</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0517">CVE-2024-0517</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0518">CVE-2024-0518</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0519">CVE-2024-0519</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-18T07:37:49.729326Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-18T07:37:49.731886Z">graaff</metadata>
+</glsa>
\ No newline at end of file
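Review bot: The `<unaffected range="ge">5.15.12_p20240122</unaffected>` entry has no slot or upper bound, so any 6.x version of dev-qt/qtwebengine compares as unaffected, even though the background says the library serves both Qt5 and Qt6. If the Qt6 series ships under the same package name and shares any of the listed CVEs, it needs its own unaffected/vulnerable pair, in the way glsa-202402-21 in this commit treats Qt 5 and Qt 6 separately. Whether 6.x is affected cannot be told from this page, so this should be checked against bug 922189.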
diff --git a/metadata/glsa/glsa-202402-15.xml b/metadata/glsa/glsa-202402-15.xml
new file mode 100644
index 000000000000..8dc685cdf461
--- /dev/null
+++ b/metadata/glsa/glsa-202402-15.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-15">
+ <title>e2fsprogs: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in e2fsprogs which can lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">e2fsprogs</product>
+ <announced>2024-02-18</announced>
+ <revised count="1">2024-02-18</revised>
+ <bug>838388</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-fs/e2fsprogs" auto="yes" arch="*">
+ <unaffected range="ge">1.46.6</unaffected>
+ <vulnerable range="lt">1.46.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>e2fsprogs is a set of utilities for maintaining the ext2, ext3 and ext4 file systems.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in e2fsprogs. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>An out-of-bounds read/write vulnerability was found in e2fsprogs. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All e2fsprogs users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-fs/e2fsprogs-1.46.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1304">CVE-2022-1304</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-18T07:59:58.426596Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-18T07:59:58.430463Z">graaff</metadata>
+</glsa>
\ No newline at end of file
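Review bot: The `<description>` speaks of "Multiple vulnerabilities" and "CVE identifiers", while the title, the synopsis and the `<references>` block cover a single issue, CVE-2022-1304. A reader may go looking for further CVEs that are not listed. Suggested wording: `<p>A vulnerability has been discovered in e2fsprogs. Please review the CVE identifier referenced below for details.</p>`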
diff --git a/metadata/glsa/glsa-202402-16.xml b/metadata/glsa/glsa-202402-16.xml
new file mode 100644
index 000000000000..30c11b549f02
--- /dev/null
+++ b/metadata/glsa/glsa-202402-16.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-16">
+ <title>Apache Log4j: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Apache Log4j, the worst of which can lead to remote code execution.</synopsis>
+ <product type="ebuild">log4j</product>
+ <announced>2024-02-18</announced>
+ <revised count="1">2024-02-18</revised>
+ <bug>719146</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/log4j" auto="yes" arch="*">
+ <vulnerable range="le">1.2.17</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Log4j is a Java logging framework that supports various use cases with a rich set of components, a separate API, and a performance-optimized implementation.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities hav been discovered in Apache Log4j. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for log4j. We recommend that users unmerge it:</p>
+
+ <code>
+ # emerge --ask --depclean "dev-java/log4j"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17571">CVE-2019-17571</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9493">CVE-2020-9493</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23302">CVE-2022-23302</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23305">CVE-2022-23305</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-18T08:32:34.454522Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-18T08:32:34.456886Z">graaff</metadata>
+</glsa>
\ No newline at end of file
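Review bot: `<impact type="normal">` sits under a synopsis that names remote code execution as the worst outcome, whereas the other advisories in this commit with the same worst case (glsa-202402-13, -14 and -18) use `type="high"`. Tooling that prioritises on the impact type would rank this advisory lower than its own text suggests; consider `<impact type="high">` unless the lower rating is deliberate. The description also contains the typo "hav been discovered".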
diff --git a/metadata/glsa/glsa-202402-17.xml b/metadata/glsa/glsa-202402-17.xml
new file mode 100644
index 000000000000..76cd78a60dd2
--- /dev/null
+++ b/metadata/glsa/glsa-202402-17.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-17">
+ <title>CUPS: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in CUPS, the worst of which can lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">cups</product>
+ <announced>2024-02-18</announced>
+ <revised count="1">2024-02-18</revised>
+ <bug>847625</bug>
+ <bug>907675</bug>
+ <bug>909018</bug>
+ <bug>914781</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-print/cups" auto="yes" arch="*">
+ <unaffected range="ge">2.4.7</unaffected>
+ <vulnerable range="lt">2.4.7</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>CUPS, the Common Unix Printing System, is a full-featured print server.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in CUPS. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All CUPS users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-print/cups-2.4.7"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26691">CVE-2022-26691</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4504">CVE-2023-4504</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32324">CVE-2023-32324</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34241">CVE-2023-34241</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-18T08:55:48.218414Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-18T08:55:48.221198Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202402-18.xml b/metadata/glsa/glsa-202402-18.xml
new file mode 100644
index 000000000000..a30f61f476bd
--- /dev/null
+++ b/metadata/glsa/glsa-202402-18.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-18">
+ <title>Exim: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Exim, the worst of which can lead to remote code execution.</synopsis>
+ <product type="ebuild">exim</product>
+ <announced>2024-02-18</announced>
+ <revised count="1">2024-02-18</revised>
+ <bug>914923</bug>
+ <bug>921520</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-mta/exim" auto="yes" arch="*">
+ <unaffected range="ge">4.97.1</unaffected>
+ <vulnerable range="lt">4.97.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Exim is a message transfer agent (MTA) designed to be a a highly configurable, drop-in replacement for sendmail.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Exim users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-mta/exim-4.97.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42114">CVE-2023-42114</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42115">CVE-2023-42115</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42116">CVE-2023-42116</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42117">CVE-2023-42117</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42119">CVE-2023-42119</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-51766">CVE-2023-51766</uri>
+ <uri>ZDI-CAN-17433</uri>
+ <uri>ZDI-CAN-17434</uri>
+ <uri>ZDI-CAN-17515</uri>
+ <uri>ZDI-CAN-17554</uri>
+ <uri>ZDI-CAN-17643</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-18T09:29:14.312588Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-18T09:29:14.315063Z">graaff</metadata>
+</glsa>
\ No newline at end of file
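Review bot: The five `<uri>ZDI-CAN-…</uri>` entries in `<references>` carry no `link` attribute, unlike every other reference in this commit, so they appear as bare identifiers that neither a reader nor a tool can follow. Either add the public advisory URL to each entry or, if none exists, say so in the description. The background also has a doubled article, "to be a a highly configurable"; it should read `designed to be a highly configurable, drop-in replacement for sendmail`.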
diff --git a/metadata/glsa/glsa-202402-19.xml b/metadata/glsa/glsa-202402-19.xml
new file mode 100644
index 000000000000..b1f1e58a0e61
--- /dev/null
+++ b/metadata/glsa/glsa-202402-19.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-19">
+ <title>libcaca: Arbitary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in libcaca which can lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">libcaca</product>
+ <announced>2024-02-18</announced>
+ <revised count="1">2024-02-18</revised>
+ <bug>772317</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libcaca" auto="yes" arch="*">
+ <unaffected range="ge">0.99_beta19-r4</unaffected>
+ <vulnerable range="lt">0.99_beta19-r4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libcaca is a library that creates colored ASCII-art graphics.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in libcaca. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libcaca users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libcaca-0.99_beta19-r4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3410">CVE-2021-3410</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-18T10:22:11.346423Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-18T10:22:11.349349Z">graaff</metadata>
+</glsa>
\ No newline at end of file
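Review bot: `<access>remote</access>` disagrees with the impact paragraph, which describes "local execution of arbitrary code in the user context". One of the two should be corrected so that triage by access vector can be relied on. The title also misspells a word and should be `<title>libcaca: Arbitrary Code Execution</title>`.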
diff --git a/metadata/glsa/glsa-202402-20.xml b/metadata/glsa/glsa-202402-20.xml
new file mode 100644
index 000000000000..c6349dc4272b
--- /dev/null
+++ b/metadata/glsa/glsa-202402-20.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-20">
+ <title>Thunar: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Thunar which may lead to arbitrary code execution</synopsis>
+ <product type="ebuild">thunar</product>
+ <announced>2024-02-18</announced>
+ <revised count="1">2024-02-18</revised>
+ <bug>789396</bug>
+ <access>local</access>
+ <affected>
+ <package name="xfce-base/thunar" auto="yes" arch="*">
+ <unaffected range="ge">4.17.3</unaffected>
+ <vulnerable range="lt">4.17.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Thunar is a modern file manager for the Xfce Desktop Environment. Thunar has been designed from the ground up to be fast and easy to use. Its user interface is clean and intuitive and does not include any confusing or useless options by default. Thunar starts up quickly and navigating through files and folders is fast and responsive.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in Thunar. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>When called with a regular file as command line argument, Thunar
+would delegate to some other program without user confirmation
+based on the file type. This could be exploited to trigger code
+execution in a chain of vulnerabilities.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Thunar users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=xfce-base/thunar-4.17.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32563">CVE-2021-32563</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-18T10:48:22.149721Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-18T10:48:22.154139Z">graaff</metadata>
+</glsa>
\ No newline at end of file
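Review bot: The `<impact>` paragraph is hard-wrapped with continuation lines starting at column 0, unlike the single-line paragraphs in the other advisories of this commit, and the `<synopsis>` lacks its closing period. The line breaks become part of the text node, so a renderer that preserves whitespace will show a ragged paragraph. Joining the impact text onto one line and ending the synopsis with `may lead to arbitrary code execution.` keeps the file consistent with its siblings.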
diff --git a/metadata/glsa/glsa-202402-21.xml b/metadata/glsa/glsa-202402-21.xml
new file mode 100644
index 000000000000..a2480c2755f8
--- /dev/null
+++ b/metadata/glsa/glsa-202402-21.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-21">
+ <title>QtNetwork: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in QtNetwork, the worst of which could lead to execution of arbitrary code.</synopsis>
+ <product type="ebuild">qtbase,qtnetwork</product>
+ <announced>2024-02-18</announced>
+ <revised count="1">2024-02-18</revised>
+ <bug>907120</bug>
+ <bug>921292</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="dev-qt/qtbase" auto="yes" arch="*">
+ <unaffected range="ge">6.6.1-r2</unaffected>
+ <vulnerable range="lt">6.6.1-r2</vulnerable>
+ </package>
+ <package name="dev-qt/qtnetwork" auto="yes" arch="*">
+ <unaffected range="ge">5.15.12-r1</unaffected>
+ <vulnerable range="lt">5.15.12-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>QtNetwork provides a set of APIs for programming applications that use TCP/IP. It is part of the Qt framework.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in QtNetwork. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Qt 5 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtnetwork-5.15.12-r1"
+ </code>
+
+ <p>All Qt 6 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtbase-6.6.1-r2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32762">CVE-2023-32762</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-51714">CVE-2023-51714</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-18T11:07:25.578934Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-18T11:07:25.581712Z">graaff</metadata>
+</glsa>
\ No newline at end of file
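Review bot: `<product type="ebuild">qtbase,qtnetwork</product>` and `<access>local and remote</access>` each pack two values into one text node, where every other advisory in this commit holds a single token in those elements. A consumer that compares these fields against fixed keywords would match neither value. If the format allows only one element of each kind, the separator that consumers are expected to split on should be documented. This is inferred from the files visible in this commit only.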
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 07e2aad380e2..6f21717ae1cf 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sun, 18 Feb 2024 04:09:59 +0000
+Sun, 18 Feb 2024 11:10:00 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index d40985741004..9ceb48ee3f90 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-889b39b6ab80a96cf210d98b541be944a31299a9 1707720215 2024-02-12T06:43:35+00:00
+ee465149b16298ca9c2f97f5e191b2bad7299032 1708254491 2024-02-18T11:08:11+00:00