diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2019-08-18 18:16:17 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2019-08-18 18:16:17 +0100 |
| commit | fc637fb28da700da71ec2064d65ca5a7a31b9c6c (patch) | |
| tree | 326613a08f25851c388715e205576a2e7d25dc4f /metadata/glsa | |
| parent | b24bd25253fe093f722ab576d29fdc41d04cb1ee (diff) | |
gentoo resync : 18.08.2019
Diffstat (limited to 'metadata/glsa')
29 files changed, 1678 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 56f9a5a41f90..43909281f0ca 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 442968 BLAKE2B 0e3056acaaa1238904402db3f7b9e5da9aa5a9653669d2d7ce6f23bca37fa04e6d2464868f79b589adb4a48dae4f38f6a27f145e60e4ed4a75c40ec11b1eba6c SHA512 4b7e5da9d352bb5de232fbbf053c3a1aaed9d07615188794445787743dcee0fee452db8b05004310c60b1d29787734050729e72ec84bf2e6f7a8c0bec2b2b9e1 -TIMESTAMP 2019-08-02T17:09:13Z +MANIFEST Manifest.files.gz 446941 BLAKE2B 27348febfa1e8b0c37a6262b9e1c30afa2668e0702870fc19e3e8e049c8aa3fce3a0a847ecfdfa1843e08f25b1c541365b360bee2789c88b7c7abd1d0af7a0a4 SHA512 b604df11b0bda8c02e03d8c0f183f427ec63dd525e2cbd5b7473a5dbfd7112d964e04f46efec437421b06496482ba2148b26225bcbd4b736cd57023d4aeb1ea7 +TIMESTAMP 2019-08-18T16:09:02Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl1EbjlfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl1ZeB5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klDsRBAArnc5GDd3kNDjHwGi4hJ1A7kevTE+Wtm+tRdEoWPPYEMSyxkJaZvyhweW -dMZ3LbdYmJP1ayh4MLSMjc7Kvs3wFpGvW97+dUYxc9Xy2fSDyUmq3QZaxqB1C+1Z -IueNdMqV4v0xwT0Cc7h+2MXYt4EgNH5U4SuraJ3tqlsTMPOh10rJ6kLD6RZZITUT -raSnEGNEVjpzj1+G0nxSEEzMOTXTvfRxddzDhJe0fEovx9Svm1fP9jqEXO24dW2u -ovWGzXZ6D3yl8D1w4T7/G29lTSizGdKR1PCx9Gf4zgsOYM+oeW/fyhx8mqIfVAjo -cw/wMxBTgXKQaR49Xkl6qtpCGCgHtT2z2h+rbSGUSjLGpqit9pZJ6EifWTim7Ti/ -oXtM2MR6Ibc0fD379PbqJQqXwIGTaqq/0F4RTwugNYwdk1gEM/gt7aF747Dfnxkf -wqifk+Fc57jMKv/SBPlyD6j4FjAxQXBmN6c9Gm/kAQBA4BYPlIfIZq1lAsHAFpXE -yMp55PTDkFDojBfXJY9txO8xWoPW4LxRL+xkd789bQ4sRVV7kkEZqDJ7nv/gE6us -PA4jSXiyU+uNc00XzYt3N4ZAsxdGUBJs0/IQqkzTt6dXH/lwPNuDz3kGSaxBhIdn -wHlxxh3AUKqyio2ciFh0U8780s1mdBz//0Fa6l6XT9zywORQgJM= -=Pdab +klAlMw//Y9l50sTL8BwL9tH0qPOFngKNjcjMJzJGgU69fY+GrSyTWN0U1GMQzpcR +KqaTOuUJiSAxYhm8AZueZ73wGp21lm4qFUvKGHjWvTLT7YtlMqenG6kX/HeKoaM/ +5U1KHEAHVFgXOyQOD/h9ETZNnvB/oJhjXUgf46nYUnZi5UXrj73b8Z0G6jfNERO6 +9VQ3+VkOFYp6oOKplqDfyxrDCqwTzQRXap2dpmdozxVbydpr6BfquEbYy+0NijYC +FNsEWNCwEo8GeWSdYFS8Q/eB3Vp6oCVAwBtW6+GZwsMEpt7/yGQe1Y9Zat1VGze2 +MsCQ06nnL/G/lnRpe1LtfzEugKh1RPzv78ZruY6dqkqo/wfrIkMksM2l9IU8zsE1 +XQgI/cFLfZoMNe7DhYvWPhe9Jj8jgIjiXY5F2RuiVt+B3K8DcJoBB0LeyrTSs9w+ +1q3eOiunW4Z6wTfeYpXmnIrW/ZDM0xw0SU/fgAKmf/u1QRy9ctNVGwB02u/Oif/o +xbX5yfRQxEA7qK3RN6tPU1r+9QYbbyIUBePFXbbMCEv41QUpj9shNh3g5kC1LQPQ +VG7l+/ewS57u6wUBRAEFosLVcU5zKZydHkmqJTY4mCpGbDcJQ/q16Es/kNBprEsM +GkSyKT4EJrp8XUnqfXBVVADUP2aGqiJTQ8GPsBn5CUkb33fO2gY= +=z3VN -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 4f3d5d05a5e4..8dde4ddcf57d 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-201908-01.xml b/metadata/glsa/glsa-201908-01.xml new file mode 100644 index 000000000000..e2b90baf12fa --- /dev/null +++ b/metadata/glsa/glsa-201908-01.xml @@ -0,0 +1,69 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-01"> + <title>Binutils: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Binutils, the worst of + which may allow remote attackers to cause a Denial of Service condition. + </synopsis> + <product type="ebuild">binutils</product> + <announced>2019-08-03</announced> + <revised count="1">2019-08-03</revised> + <bug>672904</bug> + <bug>672910</bug> + <bug>674668</bug> + <bug>682698</bug> + <bug>682702</bug> + <access>remote</access> + <affected> + <package name="sys-devel/binutils" auto="yes" arch="*"> + <unaffected range="ge">2.32-r1</unaffected> + <vulnerable range="lt">2.32-r1</vulnerable> + </package> + </affected> + <background> + <p>The GNU Binutils are a collection of tools to create, modify and analyse + binary files. Many of the files use BFD, the Binary File Descriptor + library, to do low-level manipulation. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Binutils. Please review + the referenced CVE identifiers for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker, by enticing a user to compile/execute a specially + crafted ELF, object, PE, or binary file, could possibly cause a Denial of + Service condition or have other unspecified impacts. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Binutils users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.32-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10372">CVE-2018-10372</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10373">CVE-2018-10373</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10534">CVE-2018-10534</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10535">CVE-2018-10535</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12641">CVE-2018-12641</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12697">CVE-2018-12697</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12698">CVE-2018-12698</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12699">CVE-2018-12699</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12700">CVE-2018-12700</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-13033">CVE-2018-13033</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19931">CVE-2018-19931</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19932">CVE-2018-19932</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20002">CVE-2018-20002</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20651">CVE-2018-20651</uri> + </references> + <metadata tag="requester" timestamp="2019-04-29T23:24:32Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-03T11:22:15Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-02.xml b/metadata/glsa/glsa-201908-02.xml new file mode 100644 index 000000000000..0c73ede6a3c9 --- /dev/null +++ b/metadata/glsa/glsa-201908-02.xml @@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-02"> + <title>libpng: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in libpng, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">libpng</product> + <announced>2019-08-03</announced> + <revised count="1">2019-08-03</revised> + <bug>683366</bug> + <access>remote</access> + <affected> + <package name="media-libs/libpng" auto="yes" arch="*"> + <unaffected range="ge" slot="0">1.6.37</unaffected> + <vulnerable range="lt" slot="0">1.6.37</vulnerable> + </package> + </affected> + <background> + <p>libpng is a standard library used to process PNG (Portable Network + Graphics) images. It is used by several programs, including web browsers + and potentially server processes. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in libpng. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker, by enticing a user to process a specially crafted PNG + file, could cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libpng users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.6.37" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14048">CVE-2018-14048</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14550">CVE-2018-14550</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7317">CVE-2019-7317</uri> + </references> + <metadata tag="requester" timestamp="2019-04-27T06:35:05Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-08-03T11:26:12Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-03.xml b/metadata/glsa/glsa-201908-03.xml new file mode 100644 index 000000000000..2b768c68c862 --- /dev/null +++ b/metadata/glsa/glsa-201908-03.xml @@ -0,0 +1,80 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-03"> + <title>JasPer: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in JasPer, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">jasper</product> + <announced>2019-08-09</announced> + <revised count="2">2019-08-09</revised> + <bug>614028</bug> + <bug>614032</bug> + <bug>624988</bug> + <bug>629286</bug> + <bug>635552</bug> + <bug>662160</bug> + <bug>674154</bug> + <bug>674214</bug> + <access>remote</access> + <affected> + <package name="media-libs/jasper" auto="yes" arch="*"> + <vulnerable range="le">2.0.16</vulnerable> + </package> + </affected> + <background> + <p>JasPer is a software-based implementation of the codec specified in the + JPEG-2000 Part-1 standard. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in JasPer. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>JasPer is no longer maintained upstream and contains many + vulnerabilities which remain unaddressed. Gentoo users are advised to + unmerge this package. + </p> + + <code> + # emerge --unmerge media-libs/jasper + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-1000050"> + CVE-2017-1000050 + </uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13745">CVE-2017-13745</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13746">CVE-2017-13746</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13747">CVE-2017-13747</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13748">CVE-2017-13748</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13749">CVE-2017-13749</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13750">CVE-2017-13750</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13751">CVE-2017-13751</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13752">CVE-2017-13752</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13753">CVE-2017-13753</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14132">CVE-2017-14132</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14229">CVE-2017-14229</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14232">CVE-2017-14232</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-5503">CVE-2017-5503</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-5504">CVE-2017-5504</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-5505">CVE-2017-5505</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-6851">CVE-2017-6851</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-6852">CVE-2017-6852</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9782">CVE-2017-9782</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18873">CVE-2018-18873</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20584">CVE-2018-20584</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9055">CVE-2018-9055</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9154">CVE-2018-9154</uri> + </references> + <metadata tag="requester" timestamp="2019-08-04T18:37:11Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-09T22:17:32Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-04.xml b/metadata/glsa/glsa-201908-04.xml new file mode 100644 index 000000000000..bc5160a9290f --- /dev/null +++ b/metadata/glsa/glsa-201908-04.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-04"> + <title>Redis: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Redis, the worst of + which may allow execution of arbitrary code. + </synopsis> + <product type="ebuild">redis</product> + <announced>2019-08-09</announced> + <revised count="1">2019-08-09</revised> + <bug>658066</bug> + <bug>689700</bug> + <access>remote</access> + <affected> + <package name="dev-db/redis" auto="yes" arch="*"> + <unaffected range="ge">4.0.14</unaffected> + <vulnerable range="lt">4.0.14</vulnerable> + </package> + </affected> + <background> + <p>Redis is an open source (BSD licensed), in-memory data structure store, + used as a database, cache and message broker. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Redis. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Redis users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/redis-4.0.14" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11218">CVE-2018-11218</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11219">CVE-2018-11219</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10192">CVE-2019-10192</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10193">CVE-2019-10193</uri> + </references> + <metadata tag="requester" timestamp="2019-08-03T15:15:24Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-09T20:41:48Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-05.xml b/metadata/glsa/glsa-201908-05.xml new file mode 100644 index 000000000000..42d9037a0887 --- /dev/null +++ b/metadata/glsa/glsa-201908-05.xml @@ -0,0 +1,56 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-05"> + <title>LibVNCServer: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in LibVNCServer, the worst + of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">libvncserver</product> + <announced>2019-08-09</announced> + <revised count="1">2019-08-09</revised> + <bug>659560</bug> + <bug>673508</bug> + <access>remote</access> + <affected> + <package name="net-libs/libvncserver" auto="yes" arch="*"> + <unaffected range="ge">0.9.12</unaffected> + <vulnerable range="lt">0.9.12</vulnerable> + </package> + </affected> + <background> + <p>LibVNCServer/LibVNCClient are cross-platform C libraries that allow you + to easily implement VNC server or client functionality in your program. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in LibVNCServer. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All LibVNCServer users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/libvncserver-0.9.12" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20019">CVE-2018-20019</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20020">CVE-2018-20020</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20021">CVE-2018-20021</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20022">CVE-2018-20022</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20023">CVE-2018-20023</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20024">CVE-2018-20024</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7225">CVE-2018-7225</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7226">CVE-2018-7226</uri> + </references> + <metadata tag="requester" timestamp="2019-08-04T18:16:50Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-09T20:45:14Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-06.xml b/metadata/glsa/glsa-201908-06.xml new file mode 100644 index 000000000000..03379fb8e90b --- /dev/null +++ b/metadata/glsa/glsa-201908-06.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-06"> + <title>glibc: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in glibc, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">glibc</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>609386</bug> + <bug>635012</bug> + <bug>672228</bug> + <access>local, remote</access> + <affected> + <package name="sys-libs/glibc" auto="yes" arch="*"> + <unaffected range="ge">2.28-r4</unaffected> + <vulnerable range="lt">2.28-r4</vulnerable> + </package> + </affected> + <background> + <p>glibc is a package that contains the GNU C library.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in glibc. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All glibc users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.28-r4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2015-8985">CVE-2015-8985</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-6263">CVE-2016-6263</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19591">CVE-2018-19591</uri> + </references> + <metadata tag="requester" timestamp="2019-08-03T12:43:48Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:38:53Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-07.xml b/metadata/glsa/glsa-201908-07.xml new file mode 100644 index 000000000000..93df38d655c4 --- /dev/null +++ b/metadata/glsa/glsa-201908-07.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-07"> + <title>KDE KConfig: User-assisted execution of arbitrary code</title> + <synopsis>A vulnerablity has been found in KDE KConfig that could allow a + remote attacker to execute arbitrary code. + </synopsis> + <product type="ebuild">kconfig</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>691858</bug> + <access>remote</access> + <affected> + <package name="kde-frameworks/kconfig" auto="yes" arch="*"> + <unaffected range="ge">5.60.0-r1</unaffected> + <vulnerable range="lt">5.60.0-r1</vulnerable> + </package> + </affected> + <background> + <p>Provides an advanced configuration system.</p> + </background> + <description> + <p>A vulnerability was discovered in KDE KConfig’s handling of .desktop + and .directory files. + </p> + </description> + <impact type="normal"> + <p>An attacker could entice a user to execute a specially crafted .desktop + or .directory file possibly resulting in execution of arbitrary code with + the privileges of the process. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All KConfig users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=kde-frameworks/kconfig-5.60.0-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14744">CVE-2019-14744</uri> + </references> + <metadata tag="requester" timestamp="2019-08-09T20:56:22Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:41:03Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-08.xml b/metadata/glsa/glsa-201908-08.xml new file mode 100644 index 000000000000..29ebf5011b8b --- /dev/null +++ b/metadata/glsa/glsa-201908-08.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-08"> + <title>CUPS: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in CUPS, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">cups</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>660954</bug> + <access>remote</access> + <affected> + <package name="net-print/cups" auto="yes" arch="*"> + <unaffected range="ge">2.2.8</unaffected> + <vulnerable range="lt">2.2.8</vulnerable> + </package> + </affected> + <background> + <p>CUPS, the Common Unix Printing System, is a full-featured print server.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in CUPS. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All CUPS users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-2.2.8" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15400">CVE-2017-15400</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4180">CVE-2018-4180</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4181">CVE-2018-4181</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4182">CVE-2018-4182</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4183">CVE-2018-4183</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6553">CVE-2018-6553</uri> + </references> + <metadata tag="requester" timestamp="2019-08-10T20:43:16Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:43:11Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-09.xml b/metadata/glsa/glsa-201908-09.xml new file mode 100644 index 000000000000..3ac338fad0ae --- /dev/null +++ b/metadata/glsa/glsa-201908-09.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-09"> + <title>SQLite: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in SQLite, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">sqlite</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>684840</bug> + <bug>685838</bug> + <access>remote</access> + <affected> + <package name="dev-db/sqlite" auto="yes" arch="*"> + <unaffected range="ge">3.28.0</unaffected> + <vulnerable range="lt">3.28.0</vulnerable> + </package> + </affected> + <background> + <p>SQLite is a C library that implements an SQL database engine.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in SQLite. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>A remote attacker could, by executing arbitrary SQL statements against a + vulnerable host, execute arbitrary code. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All SQLite users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.28.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5018">CVE-2019-5018</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9936">CVE-2019-9936</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9937">CVE-2019-9937</uri> + </references> + <metadata tag="requester" timestamp="2019-08-09T20:49:17Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:45:09Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-10.xml b/metadata/glsa/glsa-201908-10.xml new file mode 100644 index 000000000000..c5246faff191 --- /dev/null +++ b/metadata/glsa/glsa-201908-10.xml @@ -0,0 +1,82 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-10"> + <title>Oracle JDK/JRE: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Oracle’s JDK and JRE + software suites. + </synopsis> + <product type="ebuild">oracle,jre,jdk</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>668948</bug> + <bug>691336</bug> + <access>remote</access> + <affected> + <package name="dev-java/oracle-jdk-bin" auto="yes" arch="*"> + <unaffected range="ge" slot="1.8">1.8.0.202</unaffected> + <vulnerable range="lt" slot="1.8">1.8.0.202</vulnerable> + </package> + <package name="dev-java/oracle-jre-bin" auto="yes" arch="*"> + <unaffected range="ge" slot="1.8">1.8.0.202</unaffected> + <vulnerable range="lt" slot="1.8">1.8.0.202</vulnerable> + </package> + </affected> + <background> + <p>Java Platform, Standard Edition (Java SE) lets you develop and deploy + Java applications on desktops and servers, as well as in today’s + demanding embedded environments. Java offers the rich user interface, + performance, versatility, portability, and security that today’s + applications require. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Oracle’s JDK and JRE + software suites. Please review the CVE identifiers referenced below for + details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Oracle JDK bin users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=dev-java/oracle-jdk-bin-1.8.0.202:1.8" + </code> + + <p>All Oracle JRE bin users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=dev-java/oracle-jre-bin-1.8.0.202:1.8" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-13785">CVE-2018-13785</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3136">CVE-2018-3136</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3139">CVE-2018-3139</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3149">CVE-2018-3149</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3150">CVE-2018-3150</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3157">CVE-2018-3157</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3169">CVE-2018-3169</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3180">CVE-2018-3180</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3183">CVE-2018-3183</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3209">CVE-2018-3209</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3211">CVE-2018-3211</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3214">CVE-2018-3214</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2602">CVE-2019-2602</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2684">CVE-2019-2684</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2697">CVE-2019-2697</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2698">CVE-2019-2698</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2699">CVE-2019-2699</uri> + </references> + <metadata tag="requester" timestamp="2019-04-27T05:36:16Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:48:13Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-11.xml b/metadata/glsa/glsa-201908-11.xml new file mode 100644 index 000000000000..53a2922c960a --- /dev/null +++ b/metadata/glsa/glsa-201908-11.xml @@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-11"> + <title>libarchive: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in libarchive, the worst + of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">libarchive</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>631294</bug> + <bug>636070</bug> + <access>remote</access> + <affected> + <package name="app-arch/libarchive" auto="yes" arch="*"> + <unaffected range="ge">3.3.3</unaffected> + <vulnerable range="lt">3.3.3</vulnerable> + </package> + </affected> + <background> + <p>libarchive is a library for manipulating different streaming archive + formats, including certain tar variants, several cpio formats, and both + BSD and GNU ar variants. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in libarchive. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libarchive users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.3.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14166">CVE-2017-14166</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14501">CVE-2017-14501</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14502">CVE-2017-14502</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14503">CVE-2017-14503</uri> + </references> + <metadata tag="requester" timestamp="2019-08-10T17:06:02Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:49:48Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-12.xml b/metadata/glsa/glsa-201908-12.xml new file mode 100644 index 000000000000..83d7758ea716 --- /dev/null +++ b/metadata/glsa/glsa-201908-12.xml @@ -0,0 +1,97 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-12"> + <title>Mozilla Firefox: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the + worst of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">firefox</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>688332</bug> + <bug>690626</bug> + <access>remote</access> + <affected> + <package name="www-client/firefox" auto="yes" arch="*"> + <unaffected range="ge">60.8.0</unaffected> + <vulnerable range="lt">60.8.0</vulnerable> + </package> + <package name="www-client/firefox-bin" auto="yes" arch="*"> + <unaffected range="ge">60.8.0</unaffected> + <vulnerable range="lt">60.8.0</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>A remote attacker could entice a user to view a specially crafted web + page, possibly resulting in the execution of arbitrary code with the + privileges of the process or a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla Firefox users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-60.8.0" + </code> + + <p>All Mozilla Firefox binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-60.8.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11707">CVE-2019-11707</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11708">CVE-2019-11708</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11709">CVE-2019-11709</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11710">CVE-2019-11710</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11711">CVE-2019-11711</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11712">CVE-2019-11712</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11713">CVE-2019-11713</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11714">CVE-2019-11714</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11715">CVE-2019-11715</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11716">CVE-2019-11716</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11717">CVE-2019-11717</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11718">CVE-2019-11718</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11719">CVE-2019-11719</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11720">CVE-2019-11720</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11721">CVE-2019-11721</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11723">CVE-2019-11723</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11724">CVE-2019-11724</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11725">CVE-2019-11725</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11727">CVE-2019-11727</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11728">CVE-2019-11728</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11729">CVE-2019-11729</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11730">CVE-2019-11730</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9811">CVE-2019-9811</uri> + <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/"> + MFSA2019-18 + </uri> + <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/"> + MFSA2019-19 + </uri> + <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/"> + MFSA2019-21 + </uri> + <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/"> + MFSA2019-22 + </uri> + </references> + <metadata tag="requester" timestamp="2019-06-20T18:12:58Z">whissi</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:52:20Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-13.xml b/metadata/glsa/glsa-201908-13.xml new file mode 100644 index 000000000000..c709f4ce791d --- /dev/null +++ b/metadata/glsa/glsa-201908-13.xml @@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-13"> + <title>LibreOffice: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in LibreOffice, the worst + of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">libreoffice</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>690354</bug> + <access>local, remote</access> + <affected> + <package name="app-office/libreoffice" auto="yes" arch="*"> + <unaffected range="ge">6.2.5.2</unaffected> + <vulnerable range="lt">6.2.5.2</vulnerable> + </package> + <package name="app-office/libreoffice-bin" auto="yes" arch="*"> + <unaffected range="ge">6.2.5.2</unaffected> + <vulnerable range="lt">6.2.5.2</vulnerable> + </package> + </affected> + <background> + <p>LibreOffice is a powerful office suite; its clean interface and powerful + tools let you unleash your creativity and grow your productivity. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in LibreOffice. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All LibreOffice users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/libreoffice-6.2.5.2" + </code> + + <p>All LibreOffice binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-office/libreoffice-bin-6.2.5.2" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9848">CVE-2019-9848</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9849">CVE-2019-9849</uri> + </references> + <metadata tag="requester" timestamp="2019-08-10T20:59:28Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:53:38Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-14.xml b/metadata/glsa/glsa-201908-14.xml new file mode 100644 index 000000000000..bdd1c2c60eae --- /dev/null +++ b/metadata/glsa/glsa-201908-14.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-14"> + <title>polkit: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in polkit, the worst of + which could result in privilege escalation. + </synopsis> + <product type="ebuild">polkit</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>661470</bug> + <bug>672578</bug> + <access>remote</access> + <affected> + <package name="sys-auth/polkit" auto="yes" arch="*"> + <unaffected range="ge">0.115-r2</unaffected> + <vulnerable range="lt">0.115-r2</vulnerable> + </package> + </affected> + <background> + <p>polkit is a toolkit for managing policies relating to unprivileged + processes communicating with privileged processes. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in polkit. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All polkit users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-auth/polkit-0.115-r2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1116">CVE-2018-1116</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19788">CVE-2018-19788</uri> + </references> + <metadata tag="requester" timestamp="2019-08-11T21:46:16Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:54:53Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-15.xml b/metadata/glsa/glsa-201908-15.xml new file mode 100644 index 000000000000..56293af7dc20 --- /dev/null +++ b/metadata/glsa/glsa-201908-15.xml @@ -0,0 +1,47 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-15"> + <title>ZNC: Privilege escalation</title> + <synopsis>A vulnerability in ZNC allows users to escalate privileges.</synopsis> + <product type="ebuild">znc</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>688152</bug> + <access>remote</access> + <affected> + <package name="net-irc/znc" auto="yes" arch="*"> + <unaffected range="ge">1.7.4_rc1</unaffected> + <vulnerable range="lt">1.7.4_rc1</vulnerable> + </package> + </affected> + <background> + <p>ZNC is an advanced IRC bouncer.</p> + </background> + <description> + <p>It was discovered that ZNC’s “Modules.cpp” allows remote + authenticated non-admin users to escalate privileges. + </p> + </description> + <impact type="normal"> + <p>A remote authenticated attacker could escalate privileges and + subsequently execute arbitrary code or conduct a Denial of Service + attack. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ZNC users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/znc-1.7.4_rc1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12816">CVE-2019-12816</uri> + </references> + <metadata tag="requester" timestamp="2019-08-11T22:44:54Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:56:13Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-16.xml b/metadata/glsa/glsa-201908-16.xml new file mode 100644 index 000000000000..e52f22844927 --- /dev/null +++ b/metadata/glsa/glsa-201908-16.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-16"> + <title>ProFTPD: Remote code execution</title> + <synopsis>A vulnerability in ProFTPD could result in the arbitrary execution + of code. + </synopsis> + <product type="ebuild">proftpd</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>690528</bug> + <access>remote</access> + <affected> + <package name="net-ftp/proftpd" auto="yes" arch="*"> + <unaffected range="ge">1.3.6-r5</unaffected> + <vulnerable range="lt">1.3.6-r5</vulnerable> + </package> + </affected> + <background> + <p>ProFTPD is an advanced and very configurable FTP server.</p> + </background> + <description> + <p>It was discovered that ProFTPD’s “mod_copy” module does not + properly restrict privileges for anonymous users. + </p> + </description> + <impact type="high"> + <p>A remote attacker, by anonymously uploading a malicious file, could + possibly execute arbitrary code with the privileges of the process, cause + a Denial of Service condition or disclose information. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ProFTPD users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.6-r5" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12815">CVE-2019-12815</uri> + </references> + <metadata tag="requester" timestamp="2019-08-11T22:56:34Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:57:27Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-17.xml b/metadata/glsa/glsa-201908-17.xml new file mode 100644 index 000000000000..24e15836d90c --- /dev/null +++ b/metadata/glsa/glsa-201908-17.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-17"> + <title>ZeroMQ: Arbitrary code execution</title> + <synopsis>A vulnerability in ZeroMQ might allow an attacker to execute + arbitrary code. + </synopsis> + <product type="ebuild">zeromq</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>689426</bug> + <access>remote</access> + <affected> + <package name="net-libs/zeromq" auto="yes" arch="*"> + <unaffected range="ge">4.3.2</unaffected> + <vulnerable range="lt">4.3.2</vulnerable> + </package> + </affected> + <background> + <p>Looks like an embeddable networking library but acts like a concurrency + framework. + </p> + </background> + <description> + <p>A buffer overflow was discovered in ZeroMQ.</p> + </description> + <impact type="high"> + <p>An attacker could possibly execute arbitrary code with the privileges of + the process or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ZeroMQ users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/zeromq-4.3.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13132">CVE-2019-13132</uri> + </references> + <metadata tag="requester" timestamp="2019-08-11T22:35:49Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T15:58:45Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-18.xml b/metadata/glsa/glsa-201908-18.xml new file mode 100644 index 000000000000..28f8eb0cc599 --- /dev/null +++ b/metadata/glsa/glsa-201908-18.xml @@ -0,0 +1,206 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-18"> + <title>Chromium, Google Chrome: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which could allow remote attackers to execute + arbitrary code. + </synopsis> + <product type="ebuild">chorme,chromium</product> + <announced>2019-08-15</announced> + <revised count="2">2019-08-16</revised> + <bug>672606</bug> + <bug>684238</bug> + <bug>684272</bug> + <bug>687732</bug> + <bug>688072</bug> + <bug>689944</bug> + <bug>691098</bug> + <bug>691682</bug> + <access>remote</access> + <affected> + <package name="www-client/chromium" auto="yes" arch="*"> + <unaffected range="ge">76.0.3809.100</unaffected> + <vulnerable range="lt">76.0.3809.100</vulnerable> + </package> + <package name="www-client/google-chrome" auto="yes" arch="*"> + <unaffected range="ge">76.0.3809.100</unaffected> + <vulnerable range="lt">76.0.3809.100</vulnerable> + </package> + </affected> + <background> + <p>Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. + </p> + + <p>Google Chrome is one fast, simple, and secure browser for all your + devices. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the referenced CVE identifiers and Google Chrome + Releases for details. + </p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Chromium users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-76.0.3809.100" + </code> + + <p>All Google Chrome users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-76.0.3809.100" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5805">CVE-2019-5805</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5806">CVE-2019-5806</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5807">CVE-2019-5807</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5808">CVE-2019-5808</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5809">CVE-2019-5809</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5810">CVE-2019-5810</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5811">CVE-2019-5811</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5812">CVE-2019-5812</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5813">CVE-2019-5813</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5814">CVE-2019-5814</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5815">CVE-2019-5815</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5816">CVE-2019-5816</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5817">CVE-2019-5817</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5818">CVE-2019-5818</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5819">CVE-2019-5819</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5820">CVE-2019-5820</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5821">CVE-2019-5821</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5822">CVE-2019-5822</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5823">CVE-2019-5823</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5828">CVE-2019-5828</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5829">CVE-2019-5829</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5830">CVE-2019-5830</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5831">CVE-2019-5831</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5832">CVE-2019-5832</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5833">CVE-2019-5833</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5834">CVE-2019-5834</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5835">CVE-2019-5835</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5836">CVE-2019-5836</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5837">CVE-2019-5837</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5838">CVE-2019-5838</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5839">CVE-2019-5839</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5840">CVE-2019-5840</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5842">CVE-2019-5842</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5847">CVE-2019-5847</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5848">CVE-2019-5848</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5850">CVE-2019-5850</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5851">CVE-2019-5851</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5852">CVE-2019-5852</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5853">CVE-2019-5853</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5854">CVE-2019-5854</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5855">CVE-2019-5855</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5856">CVE-2019-5856</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5857">CVE-2019-5857</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5858">CVE-2019-5858</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5859">CVE-2019-5859</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5860">CVE-2019-5860</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5861">CVE-2019-5861</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5862">CVE-2019-5862</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5863">CVE-2019-5863</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5864">CVE-2019-5864</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5865">CVE-2019-5865</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5867">CVE-2019-5867</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5868">CVE-2019-5868</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17480">CVE-2018-17480</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17481">CVE-2018-17481</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18335">CVE-2018-18335</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18336">CVE-2018-18336</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18337">CVE-2018-18337</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18338">CVE-2018-18338</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18339">CVE-2018-18339</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18340">CVE-2018-18340</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18341">CVE-2018-18341</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18342">CVE-2018-18342</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18343">CVE-2018-18343</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18344">CVE-2018-18344</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18345">CVE-2018-18345</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18346">CVE-2018-18346</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18347">CVE-2018-18347</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18348">CVE-2018-18348</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18349">CVE-2018-18349</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18350">CVE-2018-18350</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18351">CVE-2018-18351</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18352">CVE-2018-18352</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18353">CVE-2018-18353</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18354">CVE-2018-18354</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18355">CVE-2018-18355</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18356">CVE-2018-18356</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18357">CVE-2018-18357</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18358">CVE-2018-18358</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18359">CVE-2018-18359</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5805">CVE-2019-5805</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5806">CVE-2019-5806</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5807">CVE-2019-5807</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5808">CVE-2019-5808</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5809">CVE-2019-5809</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5810">CVE-2019-5810</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5811">CVE-2019-5811</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5812">CVE-2019-5812</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5813">CVE-2019-5813</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5814">CVE-2019-5814</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5815">CVE-2019-5815</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5816">CVE-2019-5816</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5817">CVE-2019-5817</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5818">CVE-2019-5818</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5819">CVE-2019-5819</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5820">CVE-2019-5820</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5821">CVE-2019-5821</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5822">CVE-2019-5822</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5823">CVE-2019-5823</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5828">CVE-2019-5828</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5829">CVE-2019-5829</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5830">CVE-2019-5830</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5831">CVE-2019-5831</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5832">CVE-2019-5832</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5833">CVE-2019-5833</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5834">CVE-2019-5834</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5835">CVE-2019-5835</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5836">CVE-2019-5836</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5837">CVE-2019-5837</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5838">CVE-2019-5838</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5839">CVE-2019-5839</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5840">CVE-2019-5840</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5842">CVE-2019-5842</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5847">CVE-2019-5847</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5848">CVE-2019-5848</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5850">CVE-2019-5850</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5851">CVE-2019-5851</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5852">CVE-2019-5852</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5853">CVE-2019-5853</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5854">CVE-2019-5854</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5855">CVE-2019-5855</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5856">CVE-2019-5856</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5857">CVE-2019-5857</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5858">CVE-2019-5858</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5859">CVE-2019-5859</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5860">CVE-2019-5860</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5861">CVE-2019-5861</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5862">CVE-2019-5862</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5863">CVE-2019-5863</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5864">CVE-2019-5864</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5865">CVE-2019-5865</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5867">CVE-2019-5867</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5868">CVE-2019-5868</uri> + </references> + <metadata tag="requester" timestamp="2019-04-27T08:00:47Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-08-16T17:41:13Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-19.xml b/metadata/glsa/glsa-201908-19.xml new file mode 100644 index 000000000000..e6a77881ce70 --- /dev/null +++ b/metadata/glsa/glsa-201908-19.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-19"> + <title>GNU Wget: Arbitrary code execution</title> + <synopsis>A vulnerability in GNU Wget might allow an attacker to execute + arbitrary code. + </synopsis> + <product type="ebuild">wget</product> + <announced>2019-08-15</announced> + <revised count="1">2019-08-15</revised> + <bug>682994</bug> + <access>remote</access> + <affected> + <package name="net-misc/wget" auto="yes" arch="*"> + <unaffected range="ge">1.20.3</unaffected> + <vulnerable range="lt">1.20.3</vulnerable> + </package> + </affected> + <background> + <p>GNU Wget is a free software package for retrieving files using HTTP, + HTTPS and FTP, the most widely-used Internet protocols. + </p> + </background> + <description> + <p>A buffer overflow was discovered in GNU’s Wget.</p> + </description> + <impact type="normal"> + <p>An attacker could possibly execute arbitrary code with the privileges of + the process or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GNU Wget users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/wget-1.20.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5953">CVE-2019-5953</uri> + </references> + <metadata tag="requester" timestamp="2019-08-10T20:46:31Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-15T17:51:26Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-20.xml b/metadata/glsa/glsa-201908-20.xml new file mode 100644 index 000000000000..05b2ac48e805 --- /dev/null +++ b/metadata/glsa/glsa-201908-20.xml @@ -0,0 +1,76 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-20"> + <title>Mozilla Thunderbird: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird, + the worst of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">thunderbird</product> + <announced>2019-08-16</announced> + <revised count="1">2019-08-16</revised> + <bug>688032</bug> + <bug>690664</bug> + <access>remote</access> + <affected> + <package name="mail-client/thunderbird" auto="yes" arch="*"> + <unaffected range="ge">60.8.0</unaffected> + <vulnerable range="lt">60.8.0</vulnerable> + </package> + <package name="mail-client/thunderbird-bin" auto="yes" arch="*"> + <unaffected range="ge">60.8.0</unaffected> + <vulnerable range="lt">60.8.0</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Thunderbird is a popular open-source email client from the + Mozilla project + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. + Please review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla Thunderbird users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-60.8.0" + </code> + + <p>All Mozilla Thunderbird binary users should upgrade to the latest + version: + </p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=mail-client/thunderbird-bin-60.8.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11703">CVE-2019-11703</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11704">CVE-2019-11704</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11705">CVE-2019-11705</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11706">CVE-2019-11706</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11709">CVE-2019-11709</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11711">CVE-2019-11711</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11712">CVE-2019-11712</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11713">CVE-2019-11713</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11715">CVE-2019-11715</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11717">CVE-2019-11717</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11719">CVE-2019-11719</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11729">CVE-2019-11729</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11730">CVE-2019-11730</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9811">CVE-2019-9811</uri> + </references> + <metadata tag="requester" timestamp="2019-08-12T23:49:32Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-16T18:20:32Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-21.xml b/metadata/glsa/glsa-201908-21.xml new file mode 100644 index 000000000000..ec87cbf19c38 --- /dev/null +++ b/metadata/glsa/glsa-201908-21.xml @@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-21"> + <title>Adobe Flash Player: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Adobe Flash Player, the + worst of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">flash</product> + <announced>2019-08-18</announced> + <revised count="1">2019-08-18</revised> + <bug>683006</bug> + <bug>687894</bug> + <access>remote</access> + <affected> + <package name="www-plugins/adobe-flash" auto="yes" arch="*"> + <unaffected range="ge">32.0.0.207</unaffected> + <vulnerable range="lt">32.0.0.207</vulnerable> + </package> + </affected> + <background> + <p>The Adobe Flash Player is a renderer for the SWF file format, which is + commonly used to provide interactive websites. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Adobe Flash Player. + Please review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process or bypass security restrictions. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Adobe Flash Player users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-plugins/adobe-flash-32.0.0.207" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7096">CVE-2019-7096</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7108">CVE-2019-7108</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7845">CVE-2019-7845</uri> + </references> + <metadata tag="requester" timestamp="2019-08-17T15:59:17Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-18T02:22:45Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-22.xml b/metadata/glsa/glsa-201908-22.xml new file mode 100644 index 000000000000..c4264b73b4e5 --- /dev/null +++ b/metadata/glsa/glsa-201908-22.xml @@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-22"> + <title>Patch: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Patch, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">patch</product> + <announced>2019-08-18</announced> + <revised count="1">2019-08-18</revised> + <bug>690136</bug> + <access>local</access> + <affected> + <package name="sys-devel/patch" auto="yes" arch="*"> + <unaffected range="ge">2.7.6-r4</unaffected> + <vulnerable range="lt">2.7.6-r4</vulnerable> + </package> + </affected> + <background> + <p>Patch takes a patch file containing a difference listing produced by the + diff program and applies those differences to one or more original files, + producing patched versions. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Patch. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A local attacker could pass a specially crafted diff file to Patch, + possibly resulting in a Denial of Service condition or arbitrary code + execution. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Patch users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/patch-2.7.6-r4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13636">CVE-2019-13636</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13638">CVE-2019-13638</uri> + </references> + <metadata tag="requester" timestamp="2019-08-16T21:41:00Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-18T02:24:40Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-23.xml b/metadata/glsa/glsa-201908-23.xml new file mode 100644 index 000000000000..c62336f32cf7 --- /dev/null +++ b/metadata/glsa/glsa-201908-23.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-23"> + <title>VLC: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in VLC, the worst of which + could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">vlc</product> + <announced>2019-08-18</announced> + <revised count="1">2019-08-18</revised> + <bug>688642</bug> + <access>local, remote</access> + <affected> + <package name="media-video/vlc" auto="yes" arch="*"> + <unaffected range="ge">3.0.7</unaffected> + <vulnerable range="lt">3.0.7</vulnerable> + </package> + </affected> + <background> + <p>VLC is a cross-platform media player and streaming server.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in VLC. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Remote attackers, by enticing a user to execute a specially crafted + media file, could cause a Denial of Service condition or possibly execute + arbitrary code. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All VLC users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/vlc-3.0.7" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12874">CVE-2019-12874</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5439">CVE-2019-5439</uri> + </references> + <metadata tag="requester" timestamp="2019-08-01T21:30:30Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-18T02:26:26Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-24.xml b/metadata/glsa/glsa-201908-24.xml new file mode 100644 index 000000000000..f6add259ef8c --- /dev/null +++ b/metadata/glsa/glsa-201908-24.xml @@ -0,0 +1,109 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-24"> + <title>MariaDB, MySQL: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in MariaDB and MySQL, the + worst of which could result in privilege escalation. + </synopsis> + <product type="ebuild">mariadb,mysql</product> + <announced>2019-08-18</announced> + <revised count="1">2019-08-18</revised> + <bug>661500</bug> + <bug>670388</bug> + <bug>679024</bug> + <access>local, remote</access> + <affected> + <package name="dev-db/mariadb" auto="yes" arch="*"> + <unaffected range="ge">10.1.38-r1</unaffected> + <unaffected range="ge">10.2.22</unaffected> + <vulnerable range="lt">10.1.38-r1</vulnerable> + <vulnerable range="lt">10.2.22</vulnerable> + </package> + <package name="dev-db/mysql" auto="yes" arch="*"> + <unaffected range="ge">5.6.42</unaffected> + <unaffected range="ge">5.7.24</unaffected> + <vulnerable range="lt">5.6.42</vulnerable> + <vulnerable range="lt">5.7.24</vulnerable> + </package> + </affected> + <background> + <p>MariaDB is an enhanced, drop-in replacement for MySQL. MySQL is a + popular multi-threaded, multi-user SQL server. MySQL is a popular + multi-threaded, multi-user SQL server + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in MariaDB and MySQL. + Please review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All MariaDB 10.1.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.1.38-r1" + </code> + + <p>All MariaDB 10.2.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.2.22" + </code> + + <p>All MySQL 5.6.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.42" + </code> + + <p>All MySQL 5.7.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.7.24" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2755">CVE-2018-2755</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2759">CVE-2018-2759</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2761">CVE-2018-2761</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2766">CVE-2018-2766</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2771">CVE-2018-2771</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2777">CVE-2018-2777</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2781">CVE-2018-2781</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2782">CVE-2018-2782</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2784">CVE-2018-2784</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2786">CVE-2018-2786</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2787">CVE-2018-2787</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2810">CVE-2018-2810</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2813">CVE-2018-2813</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2817">CVE-2018-2817</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2819">CVE-2018-2819</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3143">CVE-2018-3143</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3156">CVE-2018-3156</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3162">CVE-2018-3162</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3173">CVE-2018-3173</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3174">CVE-2018-3174</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3185">CVE-2018-3185</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3200">CVE-2018-3200</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3251">CVE-2018-3251</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3252">CVE-2018-3252</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3277">CVE-2018-3277</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3282">CVE-2018-3282</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3284">CVE-2018-3284</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2510">CVE-2019-2510</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2529">CVE-2019-2529</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2537">CVE-2019-2537</uri> + </references> + <metadata tag="requester" timestamp="2019-08-12T23:27:01Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-18T02:28:58Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201908-25.xml b/metadata/glsa/glsa-201908-25.xml new file mode 100644 index 000000000000..7f2c146a9229 --- /dev/null +++ b/metadata/glsa/glsa-201908-25.xml @@ -0,0 +1,64 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201908-25"> + <title>hostapd and wpa_supplicant: Denial of Service</title> + <synopsis>A vulnerability in hostapd and wpa_supplicant could lead to a + Denial of Service condition. + </synopsis> + <product type="ebuild">wpa_supplicant</product> + <announced>2019-08-18</announced> + <revised count="1">2019-08-18</revised> + <bug>685860</bug> + <bug>688588</bug> + <access>remote</access> + <affected> + <package name="net-wireless/hostapd" auto="yes" arch="*"> + <unaffected range="ge">2.8</unaffected> + <vulnerable range="lt">2.8</vulnerable> + </package> + <package name="net-wireless/wpa_supplicant" auto="yes" arch="*"> + <unaffected range="ge">2.8</unaffected> + <vulnerable range="lt">2.8</vulnerable> + </package> + </affected> + <background> + <p>wpa_supplicant is a WPA Supplicant with support for WPA and WPA2 (IEEE + 802.11i / RSN). + </p> + + <p>hostapd is a user space daemon for access point and authentication + servers. + </p> + </background> + <description> + <p>A vulnerability was discovered in hostapd’s and wpa_supplicant’s + eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c files. + </p> + </description> + <impact type="normal"> + <p>An attacker could cause a possible Denial of Service condition.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All hostapd users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/hostapd-2.8" + </code> + + <p>All wpa_supplicant users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/wpa_supplicant-2.8" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11555">CVE-2019-11555</uri> + </references> + <metadata tag="requester" timestamp="2019-08-11T00:58:42Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-08-18T02:31:07Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 326b38d4fbc7..7a755efccb78 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Fri, 02 Aug 2019 17:09:10 +0000 +Sun, 18 Aug 2019 16:08:59 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index b72a40632e5a..a0dca6b11934 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -74d83a200d28906c5e5b46a676cd5579da349080 1559842216 2019-06-06T17:30:16+00:00 +55b0fff2f98b275d6a6bcaf8e12164157936324c 1566095478 2019-08-18T02:31:18+00:00 |