author | V3n3RiX <venerix@redcorelinux.org> | 2020-08-25 10:45:55 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2020-08-25 10:45:55 +0100 |
commit | 3cf7c3ef441822c889356fd1812ebf2944a59851 (patch) | |
tree | c513fe68548b40365c1c2ebfe35c58ad431cdd77 /metadata/glsa | |
parent | 05b8b0e0af1d72e51a3ee61522941bf7605cd01c (diff) |
gentoo resync : 25.08.2020
Diffstat (limited to 'metadata/glsa')
77 files changed, 3953 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 362bf881c1a9..560ea4376bd0 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 469226 BLAKE2B 7802023c2e2f34c26e4ab80c5dc66d82df62eae23b930c29c3bebb5b4ded87a3a117438be8d0fe26990389a3a2947f4151a8aecdd768fcd1388a595c78cd7d73 SHA512 c8862da9c01fac7f061d6ed989c78046fca0143f6f6c82ce4d8c8662fe53725e542bc7eb68e3936d66230eedcea6132083a3412ca73bd3a83c42808079029d0e -TIMESTAMP 2020-07-04T12:38:26Z +MANIFEST Manifest.files.gz 480829 BLAKE2B 7b875550bc3942bd6cddbe0c5c0ece578516314fe4a0a5cdd538e929c903b557ac2af9e301d5f7232331b35fdd266cec7820aab259fc68aadddb4451bc4fefc7 SHA512 3370d43afeebe4815706a4ff51c9176617549d872cfd990d379873d58909952b19ef588fb91c7597fe9a2d900bf73a12b47d7fb29760d1f6faf5537993cac3a5 +TIMESTAMP 2020-08-25T08:08:43Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl8AeEJfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl9ExwtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klBe4RAAls/KVsBnXuXbfOYhzbtakBwM8EOfHOhOSlGx7bUTTEJryQorcNhciCQX -foZH23v5LdLn1nXw2MJ/9BrDZD2pVJ1Iee/0cJU0SDq9HGwIYQoTScR1pH1UThIq -DlQEOemgdKUiFKWrE+37cFIDCKU7oQcjaRbrTlNfZ+dIQihDWlFxpOmD+KrSpRxb -K6BEmRgTht82RwA/wge8mWj5vdd8ISoVt5x+835LDMXQIkIRxX/Ls8O9X1Vs8kYW -LiC1gZUH56JJsgb37kREUDC0/XkIQgAMZ03/NTiDJinIBMgRK/sMzDoFaX6HDIr4 -RTsMnLykZyWK9sihYpkyXlzLaGi7psKZSpHs/vYT09tULa2YXVIzJ1AXKOOdQDps -BvabUWJwKxXIEUIq3nC0bhTnrHfDJTRX9cNLYT8Jbh3/5+DYC/j2wtCPsO32S9NX -ZU6zl1QkDIk9KMEs00NMu0aBA8HKyvB4vBSkDrN30maO9f9G7hGsesEtDJdLA6tr -N/Udq9dm1pM4Ogwpt2ZbB2UcpDktukNB7qR4ADzpKBbJbj9SC2lWpL8BLuAjq8Jr -dRzIZN0xyrk0st+dzZpgpQoeFoYcuWR9KvcqDsRsbHuIqY4hAARQq3vYOVuQYWlP -Y9CqT9ZEirrTRdCvQopODVutITJJfTUoHvctyGLY8ek59Z+ImX0= -=Sz/f +klCudBAAoNc9I702Ky7EuFyvbLNr5P2Kr1CAC3PbKVHa2oFwvQBVIEdT0dCVhCpO +mF85IrizBXh6z7OTAMPMW4QEcghCu3VSsaCbxt3r8Vi90dNDXClmU7/Dxy0YyyYV +xe0HuWhhRyqkzYgxp4rLfBw2Btcuc1regHrIVWnAF+2Trp/3sKR3+nCDYBQgnbMq 
+1aXjVzCmNkfCZek7ySpxDj3qzUaNMErMAzv6eCaJh1GI1nMT1yscdKJtAtP9FT0Y +QB7FtdCoek6RHqGqdy7aX4xdMbxdX27X+nluRDb3rRMgnAyu2HdW7egAz/fEgJAh +38nEstcXQVplrIA9zipwXs2M8zg6QbTg48CMqzEhhJhYPSUTI69KQFwH+3B4KGON +IUPGckNU1VmyedXr7mKINaGshM+xp3Sjtl599KsAzNmDlPCJ8EYm3VtzucrbCV2e +l7tBIr9TsI7KEy2d64wLfvD2AA3sJNGhwvO7B5cLD0Q0iSetcHyvUyJclNrQZYRN +Gj43L4m5JblwhMG8QASNT1wFQ8baxiMVsF/qMzC7seFfpvEzw/nz2rpMtjoI/JRh +CSQ0w8FXzpgNHjk9kAPYKe91TZ8SZSU1/PEYFXxxtrRHDZuf5pYK+9UFdZKNI8RS +62lBJKykUoI65vV3xFlaUGnNgMzx2zbfe7JfgRX263Xdb3aCo70= +=DunG -----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 48dd3882a070..769ddee349ad 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
diff --git a/metadata/glsa/glsa-202007-01.xml b/metadata/glsa/glsa-202007-01.xml
new file mode 100644
index 000000000000..56c6b1c3013b
--- /dev/null
+++ b/metadata/glsa/glsa-202007-01.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-01">
+ <title>netqmail: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in netqmail, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">netqmail</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>721566</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="mail-mta/netqmail" auto="yes" arch="*">
+ <unaffected range="ge">1.06-r13</unaffected>
+ <vulnerable range="lt">1.06-r13</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>qmail is a secure, reliable, efficient, simple message transfer agent.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in netqmail. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>In the default configuration, these vulnerabilities are only local.
+ Please review the referenced CVE identifiers for details.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All netqmail users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-mta/netqmail-1.06-r13"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2005-1513">CVE-2005-1513</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2005-1514">CVE-2005-1514</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2005-1515">CVE-2005-1515</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-11T02:55:31Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T22:08:48Z">sam_c</metadata>
+</glsa>
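Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line on the second added line of this hunk points a DTD-resolving parser at a plain-http URL with no integrity check, and the same DOCTYPE opens glsa-202007-02 through glsa-202007-13 in this commit. The DOCTYPE itself is the upstream GLSA format and should stay as is, so the point is for consumers: if anything in this tree parses these advisories, it should resolve the DTD from a local catalog or parse with external DTD loading disabled rather than fetch that URL at parse time. Since these files are vendored from Gentoo by the resync, any change to their content would belong upstream rather than in this copy.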
diff --git a/metadata/glsa/glsa-202007-02.xml b/metadata/glsa/glsa-202007-02.xml
new file mode 100644
index 000000000000..7cc7db21c7aa
--- /dev/null
+++ b/metadata/glsa/glsa-202007-02.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-02">
+ <title>Xen: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
+ could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">xen</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>731658</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-emulation/xen" auto="yes" arch="*">
+ <unaffected range="ge">4.12.3-r2</unaffected>
+ <vulnerable range="lt">4.12.3-r2</vulnerable>
+ </package>
+ <package name="app-emulation/xen-tools" auto="yes" arch="*">
+ <unaffected range="ge">4.12.3-r2</unaffected>
+ <vulnerable range="lt">4.12.3-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Xen is a bare-metal hypervisor.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Xen. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Xen users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.12.3-r2"
+ </code>
+
+ <p>All Xen Tools users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=app-emulation/xen-tools-4.12.3-r2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15563">CVE-2020-15563</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15564">CVE-2020-15564</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15565">CVE-2020-15565</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15566">CVE-2020-15566</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15567">CVE-2020-15567</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-17T21:12:47Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T22:28:47Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-03.xml b/metadata/glsa/glsa-202007-03.xml
new file mode 100644
index 000000000000..93079b9e24c7
--- /dev/null
+++ b/metadata/glsa/glsa-202007-03.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-03">
+ <title>Cacti: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Cacti, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">cacti</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>728678</bug>
+ <bug>732522</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-analyzer/cacti" auto="yes" arch="*">
+ <unaffected range="ge">1.2.13</unaffected>
+ <vulnerable range="lt">1.2.13</vulnerable>
+ </package>
+ <package name="net-analyzer/cacti-spine" auto="yes" arch="*">
+ <unaffected range="ge">1.2.13</unaffected>
+ <vulnerable range="lt">1.2.13</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Cacti is a complete frontend to rrdtool.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Cacti. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Cacti users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-1.2.13"
+ </code>
+
+ <p>All Cacti Spine users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-spine-1.2.13"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11022">CVE-2020-11022</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11023">CVE-2020-11023</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14295">CVE-2020-14295</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-19T01:50:59Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T22:31:38Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-04.xml b/metadata/glsa/glsa-202007-04.xml
new file mode 100644
index 000000000000..b04ea7893e90
--- /dev/null
+++ b/metadata/glsa/glsa-202007-04.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-04">
+ <title>fwupd, libjcat: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in fwupd and libjcat, the
+ worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">fwupd,libjfcat</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>727656</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/fwupd" auto="yes" arch="*">
+ <unaffected range="ge">1.3.10</unaffected>
+ <vulnerable range="lt">1.3.10</vulnerable>
+ </package>
+ <package name="dev-libs/libjcat" auto="yes" arch="*">
+ <unaffected range="ge">0.1.3</unaffected>
+ <vulnerable range="lt">0.1.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>fwupd aims to make updating firmware on Linux automatic, safe and
+ reliable. libjcat is a library and tool for reading and writing Jcat
+ files.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in fwupd and libjcat.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All fwupd users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/fwupd-1.3.10"
+ </code>
+
+ <p>All libjcat users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/libjcat-0.1.3"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10759">CVE-2020-10759</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-29T00:15:07Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T22:34:10Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-05.xml b/metadata/glsa/glsa-202007-05.xml
new file mode 100644
index 000000000000..75ae7ba35b88
--- /dev/null
+++ b/metadata/glsa/glsa-202007-05.xml
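Review bot: The `<product>` element in this hunk reads `fwupd,libjfcat`, while the title and the `dev-libs/libjcat` package entry in the same file spell it `libjcat`; if any tooling keys on the product list, the second package will not be matched by it. The corrected line would be `+ <product type="ebuild">fwupd,libjcat</product>`. Because this file is copied from upstream Gentoo by the resync, the fix should be made upstream so the next resync does not reintroduce the typo.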
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-05">
+ <title>libexif: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libexif, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">libexif</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>708728</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libexif" auto="yes" arch="*">
+ <unaffected range="ge">0.6.22</unaffected>
+ <vulnerable range="lt">0.6.22</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libexif is a library for parsing, editing and saving Exif metadata from
+ images.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libexif. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libexif users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libexif-0.6.22"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-6328">CVE-2016-6328</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9278">CVE-2019-9278</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-0093">CVE-2020-0093</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12767">CVE-2020-12767</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13112">CVE-2020-13112</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13113">CVE-2020-13113</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13114">CVE-2020-13114</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-16T01:09:55Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T22:40:47Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-06.xml b/metadata/glsa/glsa-202007-06.xml
new file mode 100644
index 000000000000..e8f7cd438d97
--- /dev/null
+++ b/metadata/glsa/glsa-202007-06.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-06">
+ <title>HylaFAX: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in HylaFAX, the worst of
+ which could result in privilege escalation.
+ </synopsis>
+ <product type="ebuild">hylafax</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>730290</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-misc/hylafaxplus" auto="yes" arch="*">
+ <unaffected range="ge">7.0.2</unaffected>
+ <vulnerable range="lt">7.0.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>HylaFAX is an enterprise-class system for sending and receiving
+ facsimile messages and for sending alpha-numeric pages.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in HylaFAX. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All HylaFAX users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/hylafaxplus-7.0.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15396">CVE-2020-15396</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15397">CVE-2020-15397</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-18T14:34:58Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T22:44:15Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-07.xml b/metadata/glsa/glsa-202007-07.xml
new file mode 100644
index 000000000000..3093043f627d
--- /dev/null
+++ b/metadata/glsa/glsa-202007-07.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-07">
+ <title>Transmission: Remote code execution</title>
+ <synopsis>A use-after-free possibly allowing remote execution of code was
+ discovered in Transmission.
+ </synopsis>
+ <product type="ebuild">transmission</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>723258</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-p2p/transmission" auto="yes" arch="*">
+ <unaffected range="ge">3.00</unaffected>
+ <vulnerable range="lt">3.00</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Transmission is a cross-platform BitTorrent client.</p>
+ </background>
+ <description>
+ <p>Transmission mishandles some memory management which may allow
+ manipulation of the heap.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted
+ torrent file using Transmission, possibly resulting in execution of
+ arbitrary code with the privileges of the process or a Denial of Service
+ condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Transmission users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-p2p/transmission-3.00"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10756">CVE-2018-10756</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-20T02:12:52Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T23:30:38Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-08.xml b/metadata/glsa/glsa-202007-08.xml
new file mode 100644
index 000000000000..a4f230e66bb5
--- /dev/null
+++ b/metadata/glsa/glsa-202007-08.xml
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-08">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">chromium,google-chrome</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>728418</bug>
+ <bug>729310</bug>
+ <bug>732588</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">84.0.4147.89</unaffected>
+ <vulnerable range="lt">84.0.4147.89</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">84.0.4147.89</unaffected>
+ <vulnerable range="lt">84.0.4147.89</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/chromium-84.0.4147.89"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/google-chrome-84.0.4147.89"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6505">CVE-2020-6505</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6506">CVE-2020-6506</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6507">CVE-2020-6507</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6509">CVE-2020-6509</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6510">CVE-2020-6510</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6511">CVE-2020-6511</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6512">CVE-2020-6512</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6513">CVE-2020-6513</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6514">CVE-2020-6514</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6515">CVE-2020-6515</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6516">CVE-2020-6516</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6517">CVE-2020-6517</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6518">CVE-2020-6518</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6519">CVE-2020-6519</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6520">CVE-2020-6520</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6521">CVE-2020-6521</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6522">CVE-2020-6522</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6523">CVE-2020-6523</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6524">CVE-2020-6524</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6525">CVE-2020-6525</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6526">CVE-2020-6526</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6527">CVE-2020-6527</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6528">CVE-2020-6528</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6529">CVE-2020-6529</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6530">CVE-2020-6530</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6531">CVE-2020-6531</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6533">CVE-2020-6533</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6534">CVE-2020-6534</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6535">CVE-2020-6535</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6536">CVE-2020-6536</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-18T02:31:59Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T23:33:44Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-09.xml b/metadata/glsa/glsa-202007-09.xml
new file mode 100644
index 000000000000..eafd82da1347
--- /dev/null
+++ b/metadata/glsa/glsa-202007-09.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-09">
+ <title>Mozilla Thunderbird: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird,
+ the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">thunderbird</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>730628</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">68.10.0</unaffected>
+ <vulnerable range="lt">68.10.0</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">68.10.0</unaffected>
+ <vulnerable range="lt">68.10.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the
+ Mozilla project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-68.10.0"
+ </code>
+
+ <p>All Mozilla Thunderbird binary users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=mail-client/thunderbird-bin-68.10.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12417">CVE-2020-12417</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12418">CVE-2020-12418</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12419">CVE-2020-12419</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12420">CVE-2020-12420</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12421">CVE-2020-12421</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-16T04:28:14Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T23:36:14Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-10.xml b/metadata/glsa/glsa-202007-10.xml
new file mode 100644
index 000000000000..ba5545fd961d
--- /dev/null
+++ b/metadata/glsa/glsa-202007-10.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-10">
+ <title>Mozilla Firefox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
+ worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">firefox</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>730418</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge">68.10.0</unaffected>
+ <vulnerable range="lt">68.10.0</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge">68.10.0</unaffected>
+ <vulnerable range="lt">68.10.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla
+ Project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-68.10.0"
+ </code>
+
+ <p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-68.10.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12402">CVE-2020-12402</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12415">CVE-2020-12415</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12416">CVE-2020-12416</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12417">CVE-2020-12417</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12418">CVE-2020-12418</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12419">CVE-2020-12419</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12420">CVE-2020-12420</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12421">CVE-2020-12421</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12422">CVE-2020-12422</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12424">CVE-2020-12424</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12425">CVE-2020-12425</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12426">CVE-2020-12426</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-07T16:00:55Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T23:38:24Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-11.xml b/metadata/glsa/glsa-202007-11.xml
new file mode 100644
index 000000000000..914221d8593e
--- /dev/null
+++ b/metadata/glsa/glsa-202007-11.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-11">
+ <title>WebKitGTK+: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in WebKitGTK+, the worst
+ of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">webkitgtk+</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>732104</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/webkit-gtk" auto="yes" arch="*">
+ <unaffected range="ge">2.28.3</unaffected>
+ <vulnerable range="lt">2.28.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine,
+ suitable for projects requiring any kind of web integration, from hybrid
+ HTML/CSS applications to full-fledged web browsers.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All WebKitGTK+ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.28.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13753">CVE-2020-13753</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9802">CVE-2020-9802</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9803">CVE-2020-9803</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9805">CVE-2020-9805</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9806">CVE-2020-9806</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9807">CVE-2020-9807</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9843">CVE-2020-9843</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9850">CVE-2020-9850</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-19T11:27:13Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T23:40:52Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-12.xml b/metadata/glsa/glsa-202007-12.xml
new file mode 100644
index 000000000000..15f5cd20ec8f
--- /dev/null
+++ b/metadata/glsa/glsa-202007-12.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-12">
+ <title>NTP: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in NTP, the worst of which
+ could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">ntp</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>717798</bug>
+ <bug>729458</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/ntp" auto="yes" arch="*">
+ <unaffected range="ge">4.2.8_p15</unaffected>
+ <vulnerable range="lt">4.2.8_p15</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>NTP contains software for the Network Time Protocol.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in NTP. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All NTP users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8_p15"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11868">CVE-2020-11868</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13817">CVE-2020-13817</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15025">CVE-2020-15025</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-20T02:14:32Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T23:43:52Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-13.xml b/metadata/glsa/glsa-202007-13.xml
new file mode 100644
index 000000000000..5c0c85cff0ec
--- /dev/null
+++ b/metadata/glsa/glsa-202007-13.xml
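Review bot: The resolution stops at the emerge commands, but ntpd is a long-running daemon and Portage does not restart it, so a host stays on the vulnerable code until the service is restarted; a follow-up line such as `<p>The ntpd service must be restarted after the upgrade for the fix to take effect.</p>` under the `<code>` block would close that gap. The impact section is the generic placeholder; what the synopsis supports is `A remote attacker could send specially crafted packets to ntpd, possibly resulting in a Denial of Service condition.` Whether any of the three CVEs only applies under particular configurations (authentication, `restrict` settings) is not stated here and would be worth a sentence if upstream's advisory says so.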
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-13">
+ <title>Wireshark: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Wireshark, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">wireshark</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>711012</bug>
+ <bug>716756</bug>
+ <bug>724132</bug>
+ <bug>730414</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-analyzer/wireshark" auto="yes" arch="*">
+ <unaffected range="ge">3.2.5</unaffected>
+ <vulnerable range="lt">3.2.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Wireshark is a network protocol analyzer formerly known as ethereal.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Wireshark. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Wireshark users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-3.2.5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11647">CVE-2020-11647</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13164">CVE-2020-13164</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15466">CVE-2020-15466</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9428">CVE-2020-9428</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9429">CVE-2020-9429</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9430">CVE-2020-9430</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9431">CVE-2020-9431</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T16:22:12Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T23:47:31Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-14.xml b/metadata/glsa/glsa-202007-14.xml
new file mode 100644
index 000000000000..6fe7f34940eb
--- /dev/null
+++ b/metadata/glsa/glsa-202007-14.xml
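Review bot: The `<impact>` text is the generic placeholder even though the synopsis resolves all seven CVEs to a Denial of Service; for a protocol analyzer the wording that tells readers both exposure paths is `A remote attacker could send specially crafted packets onto the network or entice a user to open a malformed packet trace file, possibly resulting in a Denial of Service condition.` The single `<unaffected>` version of 3.2.5 implicitly claims every listed CVE is fixed there even though the four bugs span several months of reports, so that should be verified against upstream's per-release security notes rather than assumed.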
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-14">
+ <title>yaml-cpp: Denial of service</title>
+ <synopsis>A vulnerability in yaml-cpp could lead to a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">yaml-cpp</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>626662</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-cpp/yaml-cpp" auto="yes" arch="*">
+ <unaffected range="ge">0.6.3-r2</unaffected>
+ <vulnerable range="lt">0.6.3-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>yaml-cpp is a YAML parser and emitter in C++.</p>
+ </background>
+ <description>
+ <p>The function Scanner::peek in scanner.cpp may have an assertion failure.</p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a possible Denial of Service condition.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All yaml-cpp users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-cpp/yaml-cpp-0.6.3-r2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11692">CVE-2017-11692</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T16:16:28Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T23:48:42Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-15.xml b/metadata/glsa/glsa-202007-15.xml
new file mode 100644
index 000000000000..f45efd336712
--- /dev/null
+++ b/metadata/glsa/glsa-202007-15.xml
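Review bot: The description names the crashing function (`Scanner::peek`) but never says how attacker input reaches it, and the impact only says `An attacker could cause a possible Denial of Service condition`; with `<access>remote</access>` the expected phrasing is `A remote attacker could entice a user to process a specially crafted YAML document with an application using yaml-cpp, possibly resulting in a Denial of Service condition.` The fix ships as a revision bump (0.6.3-r2) rather than a new upstream release, so a sentence noting that the Gentoo package carries a backported patch would stop users from comparing against upstream version numbers and concluding they are still vulnerable. As yaml-cpp is a library, applications linked against it keep the old code until they are restarted, which the resolution does not mention.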
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-15">
+ <title>Samba: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Samba, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">samba</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>719120</bug>
+ <bug>730472</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-fs/samba" auto="yes" arch="*">
+ <unaffected range="ge">4.11.11</unaffected>
+ <vulnerable range="lt">4.11.11</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Samba is a suite of SMB and CIFS client/server programs.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Samba. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Samba users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-fs/samba-4.11.11"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10700">CVE-2020-10700</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10704">CVE-2020-10704</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10730">CVE-2020-10730</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10745">CVE-2020-10745</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10760">CVE-2020-10760</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14303">CVE-2020-14303</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T05:09:50Z">sam_c</metadata>
+ <metadata tag="submitter"
timestamp="2020-07-26T23:52:18Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-16.xml b/metadata/glsa/glsa-202007-16.xml
new file mode 100644
index 000000000000..393e5994ccf0
--- /dev/null
+++ b/metadata/glsa/glsa-202007-16.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-16">
+ <title>cURL: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in cURL, the worst of
+ which could result in information disclosure or data loss.
+ </synopsis>
+ <product type="ebuild">curl</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>729374</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/curl" auto="yes" arch="*">
+ <unaffected range="ge">7.71.0</unaffected>
+ <vulnerable range="lt">7.71.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A command line tool and library for transferring data with URLs.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in cURL. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All cURL users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/curl-7.71.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8169">CVE-2020-8169</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8177">CVE-2020-8177</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T16:01:11Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T23:52:30Z">sam_c</metadata>
+</glsa>
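Review bot: The Samba resolution does not say that the running services (smbd, nmbd, winbindd, and the `samba` AD DC service where used) must be restarted after the upgrade, so a file server keeps executing the vulnerable binaries until an administrator does that by hand; a line such as `<p>Samba services must be restarted after upgrading for the changes to take effect.</p>` under the `<code>` block would fix it. The impact section is the placeholder while the synopsis only supports `A remote attacker could possibly cause a Denial of Service condition`. If some of the six CVEs apply only to one role (AD DC versus file server), saying so would let administrators prioritise, but that is not stated here and should be taken from upstream's advisories rather than guessed.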
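Review bot: The cURL impact is left as the placeholder although the synopsis already names the outcomes; `A remote attacker could entice a user to connect to a malicious server, possibly resulting in information disclosure or data loss` restates exactly what the synopsis claims without adding anything. Because libcurl is loaded by a great many long-running processes, the resolution should also note that those processes, and any package that bundles its own copy of libcurl, are not fixed by upgrading net-misc/curl alone until they are restarted or rebuilt.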
diff --git a/metadata/glsa/glsa-202007-17.xml b/metadata/glsa/glsa-202007-17.xml
new file mode 100644
index 000000000000..1234ccc4b9f0
--- /dev/null
+++ b/metadata/glsa/glsa-202007-17.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-17">
+ <title>JHead: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in JHead, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">jhead</product>
+ <announced>2020-07-26</announced>
+ <revised count="2">2020-07-27</revised>
+ <bug>701826</bug>
+ <bug>711220</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-gfx/jhead" auto="yes" arch="*">
+ <unaffected range="ge">3.04</unaffected>
+ <vulnerable range="lt">3.04</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>JHead is an exif jpeg header manipulation tool.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in JHead. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All JHead users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-gfx/jhead-3.04"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1010301">
+ CVE-2019-1010301
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1010302">
+ CVE-2019-1010302
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19035">CVE-2019-19035</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6624">CVE-2020-6624</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6625">CVE-2020-6625</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T15:53:15Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T12:29:49Z">sam_c</metadata>
+</glsa>
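Review bot: `<revised count="2">2020-07-27</revised>` records a second revision, but nothing in the advisory says what changed between the 2020-07-26 announcement and the revision; readers use that to decide whether to re-check affected versions or references, so a short sentence in `<description>` stating what the revision actually corrected should be added. The impact section is the placeholder; since the background says JHead manipulates EXIF JPEG headers, the wording the synopsis supports is `A remote attacker could entice a user to process a specially crafted JPEG file using JHead, possibly resulting in a Denial of Service condition.`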
diff --git a/metadata/glsa/glsa-202007-18.xml b/metadata/glsa/glsa-202007-18.xml
new file mode 100644
index 000000000000..01b58a0aaddf
--- /dev/null
+++ b/metadata/glsa/glsa-202007-18.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-18">
+ <title>QtNetwork: Denial of service</title>
+ <synopsis>A vulnerability in QtNetwork could lead to a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">qtnetwork</product>
+ <announced>2020-07-26</announced>
+ <revised count="1">2020-07-26</revised>
+ <bug>727604</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-qt/qtnetwork" auto="yes" arch="*">
+ <unaffected range="ge">5.14.2-r1</unaffected>
+ <vulnerable range="lt">5.14.2-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>QtNetwork provides a set of APIs for programming applications that use
+ TCP/IP. It is part of the Qt framework.
+ </p>
+ </background>
+ <description>
+ <p>A flaw was discovered in QtNetwork’s handling of OpenSSL protocol
+ errors.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a possible Denial of Service condition.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All QtNetwork users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtnetwork-5.14.2-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13962">CVE-2020-13962</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-17T14:27:39Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-26T23:59:22Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-19.xml b/metadata/glsa/glsa-202007-19.xml
new file mode 100644
index 000000000000..2155cd008014
--- /dev/null
+++ b/metadata/glsa/glsa-202007-19.xml
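Review bot: The description locates the flaw in QtNetwork's handling of OpenSSL protocol errors, which suggests only builds using the OpenSSL backend are exposed, yet the advisory does not say whether systems built without that backend (the `ssl` USE flag) are affected; if upstream's fix is confined to the OpenSSL code path, stating that would save administrators an unnecessary emergency rebuild, but it should be confirmed before being asserted. The impact line `An attacker could cause a possible Denial of Service condition` should also say who the attacker is, e.g. `A remote attacker (a malicious TLS peer) could cause a Denial of Service condition in applications using QtNetwork`, to the extent the CVE supports that. Since the fix is a revision bump (a backported patch to a shared library), processes that already have the old libQt5Network loaded stay vulnerable until restarted, which the resolution could mention.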
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-19">
+ <title>WavPack: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in WavPack, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">wavpack</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>672638</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-sound/wavpack" auto="yes" arch="*">
+ <unaffected range="ge">5.3.2</unaffected>
+ <vulnerable range="lt">5.3.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>WavPack is a set of hybrid lossless audio compression tools.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in WavPack. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could send a specially crafted audio file possibly
+ resulting in a Denial of Service condition. Please review the referenced
+ CVE identifiers for details.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All WavPack users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-sound/wavpack-5.3.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19840">CVE-2018-19840</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19841">CVE-2018-19841</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11498">CVE-2019-11498</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T15:21:17Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:03:02Z">sam_c</metadata>
+</glsa>
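Review bot: The impact sentence says a remote attacker `could send a specially crafted audio file`, which misdescribes the exposure: WavPack does not listen for anything, so the attacker needs a user or an application to open the file. The fuseiso advisory in this same commit uses the `entice a user to open` form, and aligning this one with it — `A remote attacker could entice a user to open a specially crafted WavPack audio file, possibly resulting in a Denial of Service condition.` — keeps the advisories consistent and accurate.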
diff --git a/metadata/glsa/glsa-202007-20.xml b/metadata/glsa/glsa-202007-20.xml
new file mode 100644
index 000000000000..b05df4b8156e
--- /dev/null
+++ b/metadata/glsa/glsa-202007-20.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-20">
+ <title>fuseiso: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in fuseiso, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">fuseiso</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>713328</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-fs/fuseiso" auto="yes" arch="*">
+ <unaffected range="ge">20070708-r3</unaffected>
+ <vulnerable range="lt">20070708-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FuseISO is a FUSE module to mount ISO filesystem images (.iso, .nrg,
+ .bin, .mdf and .img files).
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in fuseiso. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted ISO
+ file using fuseiso, possibly resulting in execution of arbitrary code
+ with the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All fuseiso users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-fs/fuseiso-20070708-r3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2015-8837">CVE-2015-8837</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T15:37:48Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:05:15Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-21.xml b/metadata/glsa/glsa-202007-21.xml
new file mode 100644
index 000000000000..41a83f01f91e
--- /dev/null
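Review bot: The title, synopsis and description all say `Multiple vulnerabilities`, but `<references>` lists exactly one identifier (CVE-2015-8837); either the remaining identifiers should be added, or the wording should be switched to the singular form other advisories in this commit use (e.g. `fuseiso: Arbitrary code execution` and `A vulnerability in fuseiso could result in ...`). The impact paragraph is otherwise good; since fuseiso mounts images through FUSE, spelling out that `the privileges of the process` means those of the user who mounts the image would make the consequence concrete. The 20070708-r3 version also signals a long-unmaintained upstream, which readers weighing whether to keep the package installed would want stated.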
+++ b/metadata/glsa/glsa-202007-21.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-21">
+ <title>Libreswan: Denial of service</title>
+ <synopsis>A vulnerability in Libreswan could lead to a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">libreswan</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>722696</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-vpn/libreswan" auto="yes" arch="*">
+ <unaffected range="ge">3.32</unaffected>
+ <vulnerable range="lt">3.32</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Libreswan is a free software implementation of the most widely supported
+ and standarized VPN protocol based on (“IPsec”) and the Internet Key
+ Exchange (“IKE”).
+ </p>
+ </background>
+ <description>
+ <p>As a result of a bug in handling certain bogus encrypted IKEv1, while
+ building a log message that the packet has been dropped, a NULL pointer
+ dereference causes Libreswan to crash and restart when it attempts to log
+ the state name involved.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a possible Denial of Service condition.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Libreswan users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-vpn/libreswan-3.32"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1763">CVE-2020-1763</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T15:11:54Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:05:28Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-22.xml b/metadata/glsa/glsa-202007-22.xml
new file mode 100644
index 000000000000..fce9e1a3bb57
--- /dev/null
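Review bot: The description's opening clause is missing its noun (`certain bogus encrypted IKEv1` — presumably `packets`), and the whole paragraph never says whether the trigger requires an established or authenticated peer, which is the single detail that decides how urgent a crash-and-restart loop on a VPN gateway is. A tightened version would read `As a result of a bug in handling certain bogus encrypted IKEv1 packets, a NULL pointer dereference while building the "packet dropped" log message causes the pluto daemon to crash and restart.`, with the authentication requirement stated once confirmed from the upstream advisory. The resolution should also say the running pluto daemon must be restarted after the upgrade, and if a deployment needs no IKEv1 at all, restricting connections to IKEv2 would plausibly remove the trigger — worth checking with upstream before listing it under `<workaround>`. The background's `standarized` should be `standardized`.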
+++ b/metadata/glsa/glsa-202007-22.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-22">
+ <title>sysstat: Arbitrary code execution</title>
+ <synopsis>A use-after-free in sysstat was discovered which may allow
+ arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">sysstat</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>706206</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-admin/sysstat" auto="yes" arch="*">
+ <unaffected range="ge">12.2.1</unaffected>
+ <vulnerable range="lt">12.2.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>sysstat is a package containing a number of performance monitoring
+ utilities for Linux, including sar, mpstat, iostat and sa tools.
+ </p>
+ </background>
+ <description>
+ <p>A double-free in sysstat’s check_file_actlst() function was
+ discovered.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker could possibly execute arbitrary code with the
+ privileges of the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All sysstat users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.2.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19725">CVE-2019-19725</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T15:01:59Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:08:31Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-23.xml b/metadata/glsa/glsa-202007-23.xml
new file mode 100644
index 000000000000..49b3737c3075
--- /dev/null
+++ b/metadata/glsa/glsa-202007-23.xml
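Review bot: The synopsis calls the flaw a use-after-free while the description calls it a double-free in `check_file_actlst()`; these are different bug classes and the two must agree — the description is the more specific statement, so the synopsis should become `A double-free in sysstat was discovered which may allow arbitrary code execution.` The impact would also be more useful if it named the entry point, i.e. which sysstat tool reads attacker-supplied data to reach that function (presumably the readers of saved activity files such as sar/sadf), since that is how a local attacker's crafted file gets processed; the advisory itself does not say, so that should be confirmed against the referenced CVE rather than asserted.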
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-23">
+ <title>ClamAV: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in ClamAV, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">clamav</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>732944</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-antivirus/clamav" auto="yes" arch="*">
+ <unaffected range="ge">0.102.4</unaffected>
+ <vulnerable range="lt">0.102.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>ClamAV is a GPL virus scanner.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in ClamAV. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ClamAV users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.102.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3327">CVE-2020-3327</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3350">CVE-2020-3350</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3481">CVE-2020-3481</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T05:37:47Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:09:14Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-24.xml b/metadata/glsa/glsa-202007-24.xml
new file mode 100644
index 000000000000..1ee579b1f66c
--- /dev/null
+++ b/metadata/glsa/glsa-202007-24.xml
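Review bot: The impact is the placeholder; for a virus scanner the wording the synopsis supports is `A remote attacker could submit a specially crafted file to be scanned, possibly resulting in a Denial of Service condition`, which also makes clear that the exposed systems are the mail and file gateways that feed untrusted content to ClamAV. The resolution should state that the clamd daemon (and any milter or gateway process that embeds libclamav) must be restarted after the upgrade, since the scan engine lives in a long-running process that Portage does not restart. If any of the three CVEs is specific to one component (daemon versus command-line scanner), the advisory should say so rather than leave readers to work it out from the CVE text.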
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-24">
+ <title>Twisted: Access restriction bypasses</title>
+ <synopsis>Multiple vulnerabilities have been found in Twisted, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">twisted</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>712240</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/twisted" auto="yes" arch="*">
+ <unaffected range="ge">20.3.0</unaffected>
+ <vulnerable range="lt">20.3.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Twisted is an asynchronous networking framework written in Python.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Twisted. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Twisted users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/twisted-20.3.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10108">CVE-2020-10108</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10109">CVE-2020-10109</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T05:19:42Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:12:37Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-25.xml b/metadata/glsa/glsa-202007-25.xml
new file mode 100644
index 000000000000..95c3536dcf7b
--- /dev/null
+++ b/metadata/glsa/glsa-202007-25.xml
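Review bot: The title says `Access restriction bypasses` while the synopsis says the worst outcome is a Denial of Service; one of the two is wrong, and since a bypass of access restrictions is normally the more severe outcome the synopsis should be corrected to match the title (`... the worst of which could result in a bypass of access restrictions.`) so that readers triaging on the synopsis alone do not deprioritise it. The impact is also the placeholder; `A remote attacker could possibly bypass access restrictions in applications built on Twisted` follows from the title, though which Twisted component is affected should be taken from the referenced CVEs rather than inferred. Applications built on Twisted must be restarted after the upgrade for the new code to be loaded, which the resolution does not say.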
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-25">
+ <title>arpwatch: Root privilege escalation</title>
+ <synopsis>A vulnerability was discovered in arpwatch which may allow local
+ attackers to gain root privileges.
+ </synopsis>
+ <product type="ebuild">arpwatch</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>602552</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-analyzer/arpwatch" auto="yes" arch="*">
+ <unaffected range="ge">2.1.15-r11</unaffected>
+ <vulnerable range="lt">2.1.15-r11</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The ethernet monitor program; for keeping track of ethernet/ip address
+ pairings.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that Gentoo’s arpwatch ebuild made excessive
+ permission operations on its data directories, possibly changing
+ ownership of unintended files. This only affects OpenRC systems, as the
+ flaw was exploitable via the init script.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A local attacker could escalate privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All arpwatch users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=net-analyzer/arpwatch-2.1.15-r11"
+ </code>
+ </resolution>
+ <references>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-20T01:06:22Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:14:49Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-26.xml b/metadata/glsa/glsa-202007-26.xml
new file mode 100644
index 000000000000..9d1a1dbc8f36
--- /dev/null
+++ b/metadata/glsa/glsa-202007-26.xml
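Review bot: Upgrading removes the faulty permission handling but does not undo what the old init script may already have done — the description itself says ownership of unintended files may have been changed — so the resolution should tell administrators to audit ownership and mode of the arpwatch data directory and anything reachable from it and repair them by hand, since emerge will not. Two smaller points: the emerge command inside `<code>` appears to be wrapped onto two lines (`--verbose` on one, the atom on the next), which breaks copy-and-paste and runs the atom as a separate command, so it should be joined (`# emerge --ask --oneshot --verbose ">=net-analyzer/arpwatch-2.1.15-r11"`); and because the fix is in the init script, if `/etc/init.d` is under CONFIG_PROTECT on a given system the corrected script may sit in an `._cfg0000_` file until etc-update/dispatch-conf is run, leaving the vulnerable script in place. `<references>` is empty; linking the Gentoo bug (602552) would give readers somewhere to look since no CVE exists.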
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-26">
+ <title>SQLite: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in SQLite, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">sqlite</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>716748</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-db/sqlite" auto="yes" arch="*">
+ <unaffected range="ge">3.32.3</unaffected>
+ <vulnerable range="lt">3.32.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>SQLite is a C library that implements an SQL database engine.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in SQLite. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SQLite users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.32.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20218">CVE-2019-20218</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11655">CVE-2020-11655</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11656">CVE-2020-11656</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13434">CVE-2020-13434</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13435">CVE-2020-13435</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13630">CVE-2020-13630</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13631">CVE-2020-13631</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2020-13632">CVE-2020-13632</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13871">CVE-2020-13871</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15358">CVE-2020-15358</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T05:02:39Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:15:30Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-27.xml b/metadata/glsa/glsa-202007-27.xml
new file mode 100644
index 000000000000..cc568e2427e0
--- /dev/null
+++ b/metadata/glsa/glsa-202007-27.xml
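Review bot: The impact is the placeholder even though the synopsis commits to arbitrary code execution; for an embedded database engine the wording that matches is `A remote attacker could entice a user to execute specially crafted SQL statements or open a specially crafted database file, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.` The operationally important caveat is missing: SQLite is bundled or statically linked by many packages (browsers, language runtimes, desktop applications), and those copies are not fixed by upgrading dev-db/sqlite, so the resolution should say so and note that processes with the old shared library loaded must be restarted. The ten references span CVE-2019-20218 through CVE-2020-15358, so the single 3.32.3 cut-off implicitly asserts each one is fixed there — worth checking against upstream's release notes before publication.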
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-27">
+ <title>Haml: Arbitrary code execution</title>
+ <synopsis>A flaw in Haml allows arbitrary code execution as a result of
+ improper filtering.
+ </synopsis>
+ <product type="ebuild">haml</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>699840</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-ruby/haml" auto="yes" arch="*">
+ <unaffected range="ge">5.1.2</unaffected>
+ <vulnerable range="lt">5.1.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Haml is a templating engine for HTML.</p>
+ </background>
+ <description>
+ <p>It was discovered that Haml was not correctly filtering out special
+ characters which may be used for attributes.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Haml users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-ruby/haml-5.1.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-1002201">
+ CVE-2017-1002201
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-22T01:38:59Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:18:18Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-28.xml b/metadata/glsa/glsa-202007-28.xml
new file mode 100644
index 000000000000..9f2b781ea0eb
--- /dev/null
+++ b/metadata/glsa/glsa-202007-28.xml
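Review bot: The description says Haml failed to filter special characters in attribute values, which is markup injection into the rendered HTML (a cross-site scripting issue executing in the visitor's browser), yet the title, synopsis and impact all claim `arbitrary code execution with the privileges of the process`, which the description does not support and which overstates a template-escaping bug into server-side compromise. Unless the referenced CVE documents server-side execution, the impact should read `A remote attacker could inject arbitrary HTML or script into pages rendered with Haml when user-controlled data is placed in attribute values, possibly leading to cross-site scripting`, with the title changed to `Haml: Cross-site scripting`. The `no known workaround` line also looks wrong for this class of bug — escaping attribute data explicitly in the templates is the obvious mitigation — though that should be confirmed against the upstream fix before being listed.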
@@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-28"> + <title>re2c: Buffer overflow</title> + <synopsis>A vulnerability in re2c could lead to a Denial of Service + condition. + </synopsis> + <product type="ebuild">re2c</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>718350</bug> + <access>remote</access> + <affected> + <package name="dev-util/re2c" auto="yes" arch="*"> + <unaffected range="ge">1.3-r1</unaffected> + <vulnerable range="lt">1.3-r1</vulnerable> + </package> + </affected> + <background> + <p>re2c is a tool for generating C-based recognizers from regular + expressions. + </p> + </background> + <description> + <p>A heap buffer overflow vulnerability was discovered in re2c.</p> + </description> + <impact type="normal"> + <p>An attacker could possibly cause a Denial of Service condition.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All re2c users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/re2c-1.3-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11958">CVE-2020-11958</uri> + </references> + <metadata tag="requester" timestamp="2020-06-13T17:20:09Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:20:01Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-29.xml b/metadata/glsa/glsa-202007-29.xml new file mode 100644 index 000000000000..07c32a1b7c2f --- /dev/null +++ b/metadata/glsa/glsa-202007-29.xml 
@@ -0,0 +1,59 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-29"> + <title>rssh: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in rssh, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">rssh</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>699842</bug> + <access>remote</access> + <affected> + <package name="app-shells/rssh" auto="yes" arch="*"> + <vulnerable range="le">2.3.4_p3</vulnerable> + </package> + </affected> + <background> + <p>rssh is a restricted shell, allowing only a few commands like scp or + sftp. It is often used as a complement to OpenSSH to provide limited + access to users. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in rssh. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>Gentoo has discontinued support for rssh. We recommend that users + unmerge rssh: + </p> + + <code> + # emerge --unmerge "app-shells/rssh" + </code> + + <p>NOTE: The Gentoo developer(s) maintaining rssh have discontinued support + at this time. It may be possible that a new Gentoo developer will update + rssh at a later date. OpenSSH (net-misc/openssh) may be able to provide + similar functionality using its extensive configuration. 
+ </p> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1000018"> + CVE-2019-1000018 + </uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3463">CVE-2019-3463</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3464">CVE-2019-3464</uri> + </references> + <metadata tag="requester" timestamp="2020-06-20T04:47:11Z">b-man</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:22:59Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-30.xml b/metadata/glsa/glsa-202007-30.xml new file mode 100644 index 000000000000..7a093aa57c5a --- /dev/null +++ b/metadata/glsa/glsa-202007-30.xml 
@@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-30"> + <title>spice: Arbitrary code execution</title> + <synopsis>A buffer overread has been discovered in spice possibly allowing + remote execution of code. + </synopsis> + <product type="ebuild">spice</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>717776</bug> + <access>remote</access> + <affected> + <package name="app-emulation/spice" auto="yes" arch="*"> + <unaffected range="ge">0.14.2</unaffected> + <vulnerable range="lt">0.14.2</vulnerable> + </package> + </affected> + <background> + <p>Provides a complete open source solution for remote access to virtual + machines in a seamless way so you can play videos, record audio, share + USB devices, and share folders without complications. + </p> + </background> + <description> + <p>A flaw in spice’s memory handling code has been discovered, allowing + an out of bounds read. + </p> + </description> + <impact type="normal"> + <p>A remote attacker may be able to send malicious packets causing remote + code execution. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All spice users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/spice-0.14.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3813">CVE-2019-3813</uri> + </references> + <metadata tag="requester" timestamp="2020-06-13T16:22:04Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:23:35Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-31.xml b/metadata/glsa/glsa-202007-31.xml new file mode 100644 index 000000000000..add1030a6800 --- /dev/null +++ b/metadata/glsa/glsa-202007-31.xml 
@@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-31"> + <title>Icinga: Root privilege escalation</title> + <synopsis>Icinga installs files with insecure permissions allowing root + privilege escalation. + </synopsis> + <product type="ebuild">icinga</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>638186</bug> + <access>local</access> + <affected> + <package name="net-analyzer/icinga" auto="yes" arch="*"> + <vulnerable range="lt">1.14.2</vulnerable> + </package> + </affected> + <background> + <p>Icinga is an open source computer system and network monitoring + application. It was originally created as a fork of the Nagios system + monitoring application in 2009. + </p> + </background> + <description> + <p>It was discovered that Icinga’s installed files have insecure + permissions, possibly allowing root privilege escalation. + </p> + </description> + <impact type="high"> + <p>A local attacker could escalate privileges to root.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>Gentoo has discontinued support for Icinga. We recommend that users + unmerge Icinga: + </p> + + <code> + # emerge --unmerge "net-analyzer/icinga" + </code> + + <p>NOTE: The Gentoo developer(s) maintaining Icinga have discontinued + support at this time. It may be possible that a new Gentoo developer will + update Icinga at a later date. The natural replacement is Icinga 2 + (net-analyzer/icinga2). + </p> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16882">CVE-2017-16882</uri> + </references> + <metadata tag="requester" timestamp="2020-06-20T02:07:54Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:26:20Z">sam_c</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-202007-32.xml b/metadata/glsa/glsa-202007-32.xml new file mode 100644 index 000000000000..4d7d455e0ba0 --- /dev/null +++ b/metadata/glsa/glsa-202007-32.xml @@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-32"> + <title>Sarg: Local privilege escalation</title> + <synopsis>A flaw in Sarg may allow local privilege escalation.</synopsis> + <product type="ebuild">sarg</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>706748</bug> + <access>local</access> + <affected> + <package name="net-analyzer/sarg" auto="yes" arch="*"> + <unaffected range="ge">2.4.0</unaffected> + <vulnerable range="lt">2.4.0</vulnerable> + </package> + </affected> + <background> + <p>Sarg (Squid Analysis Report Generator) is a tool that provides many + informations about the Squid web proxy server users activities: time, + sites, traffic, etc. + </p> + </background> + <description> + <p>A flaw in Sarg’s handling of temporary directories was discovered.</p> + </description> + <impact type="high"> + <p>A local attacker may be able to escalate privileges.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Sarg users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/sarg-2.4.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18932">CVE-2019-18932</uri> + </references> + <metadata tag="requester" timestamp="2020-06-20T01:21:28Z">b-man</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:26:55Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-33.xml b/metadata/glsa/glsa-202007-33.xml new file mode 100644 index 000000000000..4a0344ccad06 --- /dev/null +++ b/metadata/glsa/glsa-202007-33.xml 
@@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-33"> + <title>OSSEC: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in OSSEC, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">ossec-hids</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>707826</bug> + <access>local, remote</access> + <affected> + <package name="net-analyzer/ossec-hids" auto="yes" arch="*"> + <unaffected range="ge">3.6.0</unaffected> + <vulnerable range="lt">3.6.0</vulnerable> + </package> + </affected> + <background> + <p>OSSEC is a full platform to monitor and control your system(s).</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in OSSEC. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All OSSEC users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/ossec-hids-3.6.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8442">CVE-2020-8442</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8443">CVE-2020-8443</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8444">CVE-2020-8444</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8445">CVE-2020-8445</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8446">CVE-2020-8446</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8447">CVE-2020-8447</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8448">CVE-2020-8448</uri> + </references> + <metadata tag="requester" 
timestamp="2020-07-17T21:09:31Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:29:16Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-34.xml b/metadata/glsa/glsa-202007-34.xml new file mode 100644 index 000000000000..dc1ab39bcc13 --- /dev/null +++ b/metadata/glsa/glsa-202007-34.xml 
@@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-34"> + <title>Apache Ant: Multiple vulnerabilities</title> + <synopsis>Apache Ant uses various insecure temporary files possibly allowing + local code execution. + </synopsis> + <product type="ebuild">ant</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>723086</bug> + <access>local</access> + <affected> + <package name="dev-java/ant" auto="yes" arch="*"> + <unaffected range="ge">1.10.8</unaffected> + <vulnerable range="lt">1.10.8</vulnerable> + </package> + </affected> + <background> + <p>Ant is a Java-based build tool similar to ‘make’ that uses XML + configuration files. + </p> + </background> + <description> + <p>Apache Ant was found to be using multiple insecure temporary files which + may disclose sensitive information or execute code from an unsafe local + location. + </p> + </description> + <impact type="normal"> + <p>A local attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Apache Ant users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/ant-1.10.8" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1945">CVE-2020-1945</uri> + </references> + <metadata tag="requester" timestamp="2020-07-19T21:36:39Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:29:36Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-35.xml b/metadata/glsa/glsa-202007-35.xml new file mode 100644 index 000000000000..0e50ed083b7f --- /dev/null +++ b/metadata/glsa/glsa-202007-35.xml 
@@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-35"> + <title>ReportLab: Arbitrary code execution</title> + <synopsis>A vulnerability allowing arbitrary code execution was found in + ReportLab. + </synopsis> + <product type="ebuild">reportlab</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>710738</bug> + <access>remote</access> + <affected> + <package name="dev-python/reportlab" auto="yes" arch="*"> + <unaffected range="ge">3.5.42</unaffected> + <vulnerable range="lt">3.5.42</vulnerable> + </package> + </affected> + <background> + <p>ReportLab is an Open Source Python library for generating PDFs and + graphics. + </p> + </background> + <description> + <p>ReportLab was found to be mishandling XML documents and may evaluate the + contents without checking for their safety. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ReportLab users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/reportlab-3.5.42" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17626">CVE-2019-17626</uri> + </references> + <metadata tag="requester" timestamp="2020-06-20T01:26:21Z">b-man</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:33:03Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-36.xml b/metadata/glsa/glsa-202007-36.xml new file mode 100644 index 000000000000..d02db4bdd62c --- /dev/null +++ b/metadata/glsa/glsa-202007-36.xml 
@@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-36"> + <title>DjVu: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in DjVu, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">djvu</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>536720</bug> + <bug>718552</bug> + <access>local, remote</access> + <affected> + <package name="app-text/djvu" auto="yes" arch="*"> + <unaffected range="ge">3.5.27-r2</unaffected> + <vulnerable range="lt">3.5.27-r2</vulnerable> + </package> + </affected> + <background> + <p>DjVu is a web-centric format and software platform for distributing + documents and images. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in DjVu. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All DjVu users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/djvu-3.5.27-r2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15142">CVE-2019-15142</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15143">CVE-2019-15143</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15144">CVE-2019-15144</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15145">CVE-2019-15145</uri> + </references> + <metadata tag="requester" timestamp="2020-06-28T20:55:25Z">b-man</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:33:13Z">sam_c</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-202007-37.xml b/metadata/glsa/glsa-202007-37.xml new file mode 100644 index 000000000000..939c72834665 --- /dev/null +++ b/metadata/glsa/glsa-202007-37.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-37"> + <title>AWStats: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in AWStats, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">awstats</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>646786</bug> + <access>remote</access> + <affected> + <package name="www-misc/awstats" auto="yes" arch="*"> + <unaffected range="ge">7.8</unaffected> + <vulnerable range="lt">7.8</vulnerable> + </package> + </affected> + <background> + <p>AWStats is an advanced log file analyzer and statistics generator.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in AWStats. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All AWStats users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-misc/awstats-7.8" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-1000501"> + CVE-2017-1000501 + </uri> + </references> + <metadata tag="requester" timestamp="2020-07-18T00:02:30Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:37:10Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-38.xml b/metadata/glsa/glsa-202007-38.xml new file mode 100644 index 000000000000..7af45ddf4b6d --- /dev/null 
+++ b/metadata/glsa/glsa-202007-38.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-38"> + <title>QtGui: Arbitrary code execution</title> + <synopsis>A use-after-free was discovered in QtGui's Markdown handling code + possibly allowing a remote attacker to execute arbitrary code. + </synopsis> + <product type="ebuild">qtgui</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>719732</bug> + <access>remote</access> + <affected> + <package name="dev-qt/qtgui" auto="yes" arch="*"> + <unaffected range="ge">5.14.2</unaffected> + <vulnerable range="lt">5.14.2</vulnerable> + </package> + </affected> + <background> + <p>QtGui is a module for the Qt toolkit.</p> + </background> + <description> + <p>QtGui’s setMarkdown has a use-after-free related to + QTextMarkdownImporter::insertBlock. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All QtGui users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtgui-5.14.2" + </code> + + <p>Note that the Qt suite is best kept in sync, so a world upgrade may be + advisable to keep your system in a good state. + </p> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12267">CVE-2020-12267</uri> + </references> + <metadata tag="requester" timestamp="2020-06-06T21:54:28Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:37:49Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-39.xml b/metadata/glsa/glsa-202007-39.xml new file mode 100644 index 000000000000..58f929084ad3 --- /dev/null 
+++ b/metadata/glsa/glsa-202007-39.xml 
@@ -0,0 +1,60 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-39"> + <title>Binutils: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Binutils, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">binutils</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>688836</bug> + <bug>690590</bug> + <bug>711324</bug> + <access>remote</access> + <affected> + <package name="sys-devel/binutils" auto="yes" arch="*"> + <unaffected range="ge">2.33.1</unaffected> + <vulnerable range="lt">2.33.1</vulnerable> + </package> + </affected> + <background> + <p>The GNU Binutils are a collection of tools to create, modify and analyse + binary files. Many of the files use BFD, the Binary File Descriptor + library, to do low-level manipulation. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Binutils. Please review + the CVE identifiers referenced below for details. 
+ </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Binutils users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.33.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12972">CVE-2019-12972</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14250">CVE-2019-14250</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14444">CVE-2019-14444</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17450">CVE-2019-17450</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17451">CVE-2019-17451</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12972">CVE-2019-12972</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14250">CVE-2019-14250</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14444">CVE-2019-14444</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17450">CVE-2019-17450</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17451">CVE-2019-17451</uri> + </references> + <metadata tag="requester" timestamp="2020-06-20T01:35:54Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:47:26Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-40.xml b/metadata/glsa/glsa-202007-40.xml new file mode 100644 index 000000000000..e9df7724c5a4 --- /dev/null +++ b/metadata/glsa/glsa-202007-40.xml 
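Review bot: The `<references>` block lists each of the five CVE URIs twice (CVE-2019-12972, CVE-2019-14250, CVE-2019-14444, CVE-2019-17450 and CVE-2019-17451 appear as two identical runs); drop the second run so the advisory renders a clean reference list. This looks like a copy-and-paste slip rather than an intended second set, since no additional identifiers are introduced. It may be worth having the GLSA lint tooling reject duplicate `uri link` values within one advisory so this cannot recur.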
@@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-40"> + <title>Thin: Privilege escalation</title> + <synopsis>A vulnerability was discovered in Thin which may allow local + attackers to kill arbitrary processes (denial of service). + </synopsis> + <product type="ebuild">thin</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>642200</bug> + <access>local</access> + <affected> + <package name="www-servers/thin" auto="yes" arch="*"> + <vulnerable range="le">1.7.2</vulnerable> + </package> + </affected> + <background> + <p>Thin is a small and fast Ruby web server.</p> + </background> + <description> + <p>It was discovered that Gentoo’s Thin ebuild does not properly handle + its temporary runtime directories. This only affects OpenRC systems, as + the flaw was exploitable via the init script. + </p> + </description> + <impact type="normal"> + <p>A local attacker could cause denial of service by killing arbitrary + processes. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>Gentoo has discontinued support for Thin. We recommend that users + unmerge Thin: + </p> + + <code> + # emerge --unmerge "www-servers/thin" + </code> + + <p>NOTE: The Gentoo developer(s) maintaining Thin have discontinued support + at this time. It may be possible that a new Gentoo developer will update + Thin at a later date. There are many other web servers available in the + tree in the www-servers category. + </p> + </resolution> + <references> + </references> + <metadata tag="requester" timestamp="2020-06-14T00:47:13Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:48:08Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-41.xml b/metadata/glsa/glsa-202007-41.xml new file mode 100644 index 000000000000..bf2f0ca2363b --- /dev/null 
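Review bot: The title `Thin: Privilege escalation` does not match the synopsis, description and impact, which all describe a local denial of service by killing arbitrary processes; either the title should read `Thin: Denial of service` or the impact section should state what privilege an attacker gains. `<references>` is left empty even though the description attributes the flaw to the Gentoo ebuild's init script; a link to the Gentoo bug already named in `<bug>642200</bug>` (or a CVE, if one was assigned) would give readers the detail the other advisories provide. The `<vulnerable range="le">` entry with no `<unaffected>` counterpart is consistent with the unmerge recommendation in the resolution.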
+++ b/metadata/glsa/glsa-202007-41.xml 
@@ -0,0 +1,58 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-41"> + <title>Roundcube: Multiple vulnerabilities</title> + <synopsis>A flaw in Roundcube's handling of configuration files may allow + arbitrary code execution, amongst other vulnerabilities. + </synopsis> + <product type="ebuild">Roundcube</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>720876</bug> + <access>remote</access> + <affected> + <package name="mail-client/roundcube" auto="yes" arch="*"> + <unaffected range="ge" slot="1.4.4">1.4.4</unaffected> + <unaffected range="ge" slot="1.3.11">1.3.11</unaffected> + <vulnerable range="lt" slot="1.4.4">1.4.4</vulnerable> + <vulnerable range="lt" slot="1.3.11">1.3.11</vulnerable> + </package> + </affected> + <background> + <p>Free and open source webmail software for the masses, written in PHP.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Roundcube. Please + review the CVE identifiers referenced below for details. 
+ </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Roundcube 1.4.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/roundcube-1.4.4" + </code> + + <p>All Roundcube 1.3.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/roundcube-1.3.11" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12625">CVE-2020-12625</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12626">CVE-2020-12626</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12640">CVE-2020-12640</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12641">CVE-2020-12641</uri> + </references> + <metadata tag="requester" timestamp="2020-07-17T23:26:23Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:48:35Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-42.xml b/metadata/glsa/glsa-202007-42.xml new file mode 100644 index 000000000000..ec32f06457cf --- /dev/null +++ b/metadata/glsa/glsa-202007-42.xml 
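Review bot: `<product type="ebuild">Roundcube</product>` is capitalised, whereas every other advisory in this commit uses the lowercase ebuild name (`haml`, `re2c`, `binutils`); use `roundcube` to match the package atom on the following lines. The `slot` attributes carry full version strings (`slot="1.4.4"`, `slot="1.3.11"`) rather than slot names; if mail-client/roundcube is single-slotted, the two pairs collapse onto one slot and a 1.3.11 install is both `ge` 1.3.11 (unaffected) and `lt` 1.4.4 (vulnerable), so confirm the intended slot values against the ebuild. The resolution text itself addresses the 1.4.x and 1.3.x branches separately and reads correctly.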
@@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-42"> + <title>LHa: Buffer overflow</title> + <synopsis>LHa has a buffer overflow in its compression utility with + unspecified impact. + </synopsis> + <product type="ebuild">lha</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>572418</bug> + <access>remote</access> + <affected> + <package name="app-arch/lha" auto="yes" arch="*"> + <unaffected range="ge">114i_p20201004</unaffected> + <vulnerable range="lt">114i_p20201004</vulnerable> + </package> + </affected> + <background> + <p>LHa is a console-based program for packing and unpacking LHarc archives.</p> + </background> + <description> + <p>A buffer overflow in LHa’s compression code was discovered which can + be triggered by a crafted input file. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could send a specially crafted file possibly resulting + in a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All LHa users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/lha-114i_p20201004" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-1925">CVE-2016-1925</uri> + </references> + <metadata tag="requester" timestamp="2020-06-22T20:49:12Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:53:34Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-43.xml b/metadata/glsa/glsa-202007-43.xml new file mode 100644 index 000000000000..ea037b2c0230 --- /dev/null +++ b/metadata/glsa/glsa-202007-43.xml 
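Review bot: The fixed version `114i_p20201004` encodes a snapshot date of 2020-10-04, which postdates the `<announced>2020-07-27</announced>` line; unless the tree really carries an ebuild with that name, the `unaffected`/`vulnerable` bounds and the atom `">=app-arch/lha-114i_p20201004"` would match no installed version and the advisory would never apply. Verify the version against the ebuild and correct all three occurrences together. The synopsis also says `unspecified impact` while the impact section commits to a Denial of Service condition; align the two so the advisory does not contradict itself.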
@@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202007-43"> + <title>TRE: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in TRE, the worst of which + could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">tre</product> + <announced>2020-07-27</announced> + <revised count="1">2020-07-27</revised> + <bug>597616</bug> + <access>remote</access> + <affected> + <package name="dev-libs/tre" auto="yes" arch="*"> + <unaffected range="ge">0.8.0-r2</unaffected> + <vulnerable range="lt">0.8.0-r2</vulnerable> + </package> + </affected> + <background> + <p>TRE is the free and portable approximate regex matching library.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in TRE. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All TRE users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/tre-0.8.0-r2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-8859">CVE-2016-8859</uri> + </references> + <metadata tag="requester" timestamp="2020-07-17T00:41:18Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-07-27T00:53:51Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202007-44.xml b/metadata/glsa/glsa-202007-44.xml new file mode 100644 index 000000000000..faf4a14f3b73 --- /dev/null +++ b/metadata/glsa/glsa-202007-44.xml 
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-44">
+ <title>FreeXL: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in FreeXL, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">freexl</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>648700</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/freexl" auto="yes" arch="*">
+ <unaffected range="ge">1.0.5</unaffected>
+ <vulnerable range="lt">1.0.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FreeXL is an open source library to extract valid data from within an
+ Excel (.xls) spreadsheet.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in FreeXL. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All FreeXL users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/freexl-1.0.5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7435">CVE-2018-7435</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7436">CVE-2018-7436</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7437">CVE-2018-7437</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7438">CVE-2018-7438</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7439">CVE-2018-7439</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-18T00:12:02Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:53:54Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-45.xml b/metadata/glsa/glsa-202007-45.xml
new file mode 100644
index 000000000000..0e64d8ef9f33
--- /dev/null
+++ b/metadata/glsa/glsa-202007-45.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-45">
+ <title>NTFS-3G: Remote code execution, possible privilege escalation</title>
+ <synopsis>A buffer overflow in NTFS-3g might allow local or remote
+ attacker(s) to execute arbitrary code, or escalate privileges.
+ </synopsis>
+ <product type="ebuild">ntfs-3g</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>717640</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-fs/ntfs3g" auto="yes" arch="*">
+ <unaffected range="ge">2017.3.23-r3</unaffected>
+ <vulnerable range="lt">2017.3.23-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>NTFS-3G is a stable, full-featured, read-write NTFS driver for various
+ operating systems.
+ </p>
+ </background>
+ <description>
+ <p>An integer underflow issue exists in NTFS-3G which may cause a heap
+ buffer overflow with crafted input.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker may be able to execute arbitrary code while a local
+ attacker may be able to escalate privileges.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All NTFS-3G users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-fs/ntfs3g-2017.3.23-r3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9755">CVE-2019-9755</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-13T16:28:32Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:59:29Z">sam_c</metadata>
+</glsa>
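Review bot: `<access>remote</access>` in glsa-202007-45 disagrees with the advisory's own text: the synopsis names "local or remote attacker(s)" and the impact paragraph states that "a local attacker may be able to escalate privileges". Since the same commit uses the combined form in glsa-202007-47, the consistent value here would be `<access>local, remote</access>`, so that tooling filtering on the access field does not drop the local privilege-escalation case.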
diff --git a/metadata/glsa/glsa-202007-46.xml b/metadata/glsa/glsa-202007-46.xml
new file mode 100644
index 000000000000..f4248489fd19
--- /dev/null
+++ b/metadata/glsa/glsa-202007-46.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-46">
+ <title>D-Bus: Denial of service</title>
+ <synopsis>A local Denial of Service vulnerability was discovered in D-Bus.</synopsis>
+ <product type="ebuild">d-bus</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>727104</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-apps/dbus" auto="yes" arch="*">
+ <unaffected range="ge">1.12.18</unaffected>
+ <vulnerable range="lt">1.12.18</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>D-Bus is a message bus system which processes can use to talk to each
+ other.
+ </p>
+ </background>
+ <description>
+ <p>D-Bus does not correctly dispose of old connections meaning that it is
+ possible for D-Bus to hit a connection limit.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a possible Denial of Service condition.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All D-Bus users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.12.18"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12049">CVE-2020-12049</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-17T14:28:04Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:59:39Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-47.xml b/metadata/glsa/glsa-202007-47.xml
new file mode 100644
index 000000000000..17e4f2257369
--- /dev/null
+++ b/metadata/glsa/glsa-202007-47.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-47">
+ <title>Okular: Local restricted command execution</title>
+ <synopsis>A logic error in Okular might allow an attacker to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">okular</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>712490</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="kde-apps/okular" auto="yes" arch="*">
+ <unaffected range="ge">19.12.3-r1</unaffected>
+ <vulnerable range="lt">19.12.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Okular is a universal document viewer based on KPDF.</p>
+ </background>
+ <description>
+ <p>A logic error was discovered in Okular, which results in trusting action
+ links within a PDF, possibly allowing execution of a binary.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted PDF
+ using Okular, possibly resulting in execution of arbitrary code with the
+ privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>Avoid opening PDFs from an untrusted source.</p>
+ </workaround>
+ <resolution>
+ <p>All Okular users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=kde-apps/okular-19.12.3-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9359">CVE-2020-9359</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-13T16:20:40Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T00:59:53Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-48.xml b/metadata/glsa/glsa-202007-48.xml
new file mode 100644
index 000000000000..d89382e831b1
--- /dev/null
+++ b/metadata/glsa/glsa-202007-48.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-48">
+ <title>OCaml: Arbitrary code execution</title>
+ <synopsis>An integer overflow was discovered in OCaml's standard library,
+ possibly allowing arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">ocaml</product>
+ <announced>2020-07-27</announced>
+ <revised count="2">2020-07-27</revised>
+ <bug>719134</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/ocaml" auto="yes" arch="*">
+ <unaffected range="ge">4.09.0</unaffected>
+ <vulnerable range="lt">4.09.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OCaml is a high-level, strongly-typed, functional, and object-oriented
+ programming language from the ML family of languages
+ </p>
+ </background>
+ <description>
+ <p>The caml_ba_deserialize function in byterun/bigarray.c in the standard
+ library of OCaml has an integer overflow.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OCaml users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/ocaml-4.09.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9838">CVE-2018-9838</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T15:40:49Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T01:25:07Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-49.xml b/metadata/glsa/glsa-202007-49.xml
new file mode 100644
index 000000000000..b49d290f49ff
--- /dev/null
+++ b/metadata/glsa/glsa-202007-49.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-49">
+ <title>Mozilla Network Security Service (NSS): Information disclosure</title>
+ <synopsis>NSS has an information disclosure vulnerability when handling DSA
+ keys.
+ </synopsis>
+ <product type="ebuild">nss</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>726842</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-libs/nss" auto="yes" arch="*">
+ <unaffected range="ge">3.52.1</unaffected>
+ <vulnerable range="lt">3.52.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Mozilla Network Security Service (NSS) is a library implementing
+ security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS
+ #12, S/MIME and X.509 certificates.
+ </p>
+ </background>
+ <description>
+ <p>NSS was found to not always perform constant-time operations when
+ working with DSA key material.
+ </p>
+ </description>
+ <impact type="low">
+ <p>An attacker may be able to obtain information about a DSA private key.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All NSS users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.52.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12399">CVE-2020-12399</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T16:09:23Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T01:25:27Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-50.xml b/metadata/glsa/glsa-202007-50.xml
new file mode 100644
index 000000000000..850b4d3f9307
--- /dev/null
+++ b/metadata/glsa/glsa-202007-50.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-50">
+ <title>GLib Networking: Improper certificate validation</title>
+ <synopsis>GLib Networking was not properly verifying TLS certificates in all
+ circumstances, possibly allowing an integrity/confidentiality compromise.
+ </synopsis>
+ <product type="ebuild">glib-networking</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>725880</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/glib-networking" auto="yes" arch="*">
+ <unaffected range="ge">2.62.4</unaffected>
+ <vulnerable range="lt">2.62.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Network-related giomodules for glib</p>
+ </background>
+ <description>
+ <p>GTlsClientConnection skips hostname verification of the server’s TLS
+ certificate if the application fails to specify the expected server
+ identity.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>There may be a breach of integrity or confidentiality in connections
+ made using GLib Networking.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GLib Networking users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/glib-networking-2.62.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13645">CVE-2020-13645</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T05:58:10Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T01:34:12Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-51.xml b/metadata/glsa/glsa-202007-51.xml
new file mode 100644
index 000000000000..c31beb155884
--- /dev/null
+++ b/metadata/glsa/glsa-202007-51.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-51">
+ <title>FileZilla: Untrusted search path</title>
+ <synopsis>A vulnerability was found in FileZilla which might allow privilege
+ escalation.
+ </synopsis>
+ <product type="ebuild">filezilla</product>
+ <announced>2020-07-27</announced>
+ <revised count="1">2020-07-27</revised>
+ <bug>717726</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-ftp/filezilla" auto="yes" arch="*">
+ <unaffected range="ge">3.47.2.1</unaffected>
+ <vulnerable range="lt">3.47.2.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FileZilla is an open source FTP client.</p>
+ </background>
+ <description>
+ <p>It was discovered that FileZilla uses an untrusted search path.</p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could use a malicious binary to escalate privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All FileZilla users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-ftp/filezilla-3.47.2.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5429">CVE-2019-5429</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T05:27:52Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-27T01:36:28Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-52.xml b/metadata/glsa/glsa-202007-52.xml
new file mode 100644
index 000000000000..ca15b4d4aab7
--- /dev/null
+++ b/metadata/glsa/glsa-202007-52.xml
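Review bot: `<access>remote</access>` in glsa-202007-51 does not match the vulnerability class the advisory describes: an untrusted search path exploited by "a malicious binary" (impact paragraph) requires that binary to already be present on the local system, which is a local vector. Unless the referenced CVE describes a remote trigger I cannot see here, `<access>local</access>` would be the accurate value. The description and impact paragraphs are also thin; a sentence naming which search path or executable is affected would let readers judge their exposure without following the CVE link.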
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-52">
+ <title>mujs: Multiple vulnerabilities
+ </title>
+ <synopsis>Multiple vulnerabilities have been found in mujs, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">mujs</product>
+ <announced>2020-07-28</announced>
+ <revised count="1">2020-07-28</revised>
+ <bug>719248</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/mujs" auto="yes" arch="*">
+ <unaffected range="ge">1.0.6</unaffected>
+ <vulnerable range="lt">1.0.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>mujs is an embeddable Javascript interpreter in C.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in mujs. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All mujs users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/mujs-"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11411">CVE-2019-11411</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11412">CVE-2019-11412</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11413">CVE-2019-11413</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-27T23:02:41Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-28T19:28:15Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-53.xml b/metadata/glsa/glsa-202007-53.xml
new file mode 100644
index 000000000000..4a0f3ad7e39f
--- /dev/null
+++ b/metadata/glsa/glsa-202007-53.xml
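Review bot: The resolution atom in glsa-202007-52 is truncated: `">=dev-lang/mujs-"` carries no version, so the command a user is told to run is not a valid package atom and does not express the `<unaffected range="ge">1.0.6</unaffected>` boundary declared a few lines above. It should read `# emerge --ask --oneshot --verbose ">=dev-lang/mujs-1.0.6"`. Separately, the `<title>` element is split across two lines (`mujs: Multiple vulnerabilities` / `</title>`), unlike every other advisory in this commit; consumers that do not trim element text will render the title with trailing whitespace, so `<title>mujs: Multiple vulnerabilities</title>` on one line is preferable.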
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-53">
+ <title>Dropbear: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Dropbear, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">dropbear</product>
+ <announced>2020-07-28</announced>
+ <revised count="1">2020-07-28</revised>
+ <bug>723848</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/dropbear" auto="yes" arch="*">
+ <unaffected range="ge">2020.80</unaffected>
+ <vulnerable range="lt">2020.80</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Dropbear is an SSH server and client designed with a small memory
+ footprint.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Dropbear. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Dropbear users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/dropbear-2020.80"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0739">CVE-2018-0739</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12437">CVE-2018-12437</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20685">CVE-2018-20685</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-27T22:58:27Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-28T19:29:15Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-54.xml b/metadata/glsa/glsa-202007-54.xml
new file mode 100644
index 000000000000..72209c22213f
--- /dev/null
+++ b/metadata/glsa/glsa-202007-54.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-54">
+ <title>rsync: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in rsync, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">rsync</product>
+ <announced>2020-07-28</announced>
+ <revised count="1">2020-07-28</revised>
+ <bug>728852</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/rsync" auto="yes" arch="*">
+ <unaffected range="ge">3.2.0</unaffected>
+ <vulnerable range="lt">3.2.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>File transfer program to keep remote files into sync.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in rsync (within bundled
+ zlib). Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All rsync users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.2.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-9840">CVE-2016-9840</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-9841">CVE-2016-9841</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-9842">CVE-2016-9842</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-9843">CVE-2016-9843</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-27T22:51:51Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-28T19:29:58Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-55.xml b/metadata/glsa/glsa-202007-55.xml
new file mode 100644
index 000000000000..cb2f337bffdb
--- /dev/null
+++ b/metadata/glsa/glsa-202007-55.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-55">
+ <title>libetpan: Improper STARTTLS handling</title>
+ <synopsis>A vulnerability was discovered in libetpan's STARTTLS handling,
+ possibly allowing an integrity/confidentiality compromise.
+ </synopsis>
+ <product type="ebuild">libetpan</product>
+ <announced>2020-07-28</announced>
+ <revised count="1">2020-07-28</revised>
+ <bug>734130</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/libetpan" auto="yes" arch="*">
+ <unaffected range="ge">1.9.4-r1</unaffected>
+ <vulnerable range="lt">1.9.4-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libetpan is a portable, efficient middleware for different kinds of mail
+ access.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that libetpan was not properly handling state within
+ the STARTTLS protocol handshake.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>There may be a breach of integrity or confidentiality in connections
+ made using libetpan with STARTTLS.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libetpan users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/libetpan-1.9.4-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15953">CVE-2020-15953</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-27T22:44:41Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-28T19:35:55Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-56.xml b/metadata/glsa/glsa-202007-56.xml
new file mode 100644
index 000000000000..f71973e186f1
--- /dev/null
+++ b/metadata/glsa/glsa-202007-56.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-56">
+ <title>Claws Mail: Improper STARTTLS handling</title>
+ <synopsis>A vulnerability was discovered in Claws Mail's STARTTLS handling,
+ possibly allowing an integrity/confidentiality compromise.
+ </synopsis>
+ <product type="ebuild">claws-mail</product>
+ <announced>2020-07-28</announced>
+ <revised count="1">2020-07-28</revised>
+ <bug>733684</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/claws-mail" auto="yes" arch="*">
+ <unaffected range="ge">3.17.6</unaffected>
+ <vulnerable range="lt">3.17.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Claws Mail is a GTK based e-mail client.</p>
+ </background>
+ <description>
+ <p>It was discovered that Claws Mail was not properly handling state within
+ the STARTTLS protocol handshake.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>There may be a breach of integrity or confidentiality in connections
+ made using Claws Mail with STARTTLS.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Claws Mail users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/claws-mail-3.17.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15917">CVE-2020-15917</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-27T16:52:43Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-28T19:36:02Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-57.xml b/metadata/glsa/glsa-202007-57.xml
new file mode 100644
index 000000000000..3c2e72d851ec
--- /dev/null
+++ b/metadata/glsa/glsa-202007-57.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-57">
+ <title>Mutt, Neomutt: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mutt and Neomutt, the
+ worst of which could result in an access restriction bypass.
+ </synopsis>
+ <product type="ebuild">mutt,neomutt</product>
+ <announced>2020-07-28</announced>
+ <revised count="1">2020-07-28</revised>
+ <bug>728294</bug>
+ <bug>728302</bug>
+ <bug>728708</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/mutt" auto="yes" arch="*">
+ <unaffected range="ge">1.14.4</unaffected>
+ <vulnerable range="lt">1.14.4</vulnerable>
+ </package>
+ <package name="mail-client/neomutt" auto="yes" arch="*">
+ <unaffected range="ge">20200619</unaffected>
+ <vulnerable range="lt">20200619</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mutt is a small but very powerful text-based mail client.</p>
+
+ <p>NeoMutt is a command line mail reader (or MUA). It’s a fork of Mutt
+ with added features.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mutt and Neomutt.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mutt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/mutt-1.14.4"
+ </code>
+
+ <p>All Neomutt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/neomutt-20200619"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14093">CVE-2020-14093</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14154">CVE-2020-14154</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14954">CVE-2020-14954</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T15:29:54Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-28T19:36:11Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-58.xml b/metadata/glsa/glsa-202007-58.xml
new file mode 100644
index 000000000000..5e62fba956d3
--- /dev/null
+++ b/metadata/glsa/glsa-202007-58.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-58">
+ <title>FFmpeg: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in FFmpeg, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">ffmpeg</product>
+ <announced>2020-07-28</announced>
+ <revised count="1">2020-07-28</revised>
+ <bug>718012</bug>
+ <bug>719940</bug>
+ <bug>727450</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-video/ffmpeg" auto="yes" arch="*">
+ <unaffected range="ge">4.2.4</unaffected>
+ <vulnerable range="lt">4.2.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FFmpeg is a complete, cross-platform solution to record, convert and
+ stream audio and video.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in FFmpeg. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All FFmpeg users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-4.2.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13312">CVE-2019-13312</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15942">CVE-2019-15942</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12284">CVE-2020-12284</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13904">CVE-2020-13904</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14212">CVE-2020-14212</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-27T16:48:41Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-28T19:36:18Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-59.xml b/metadata/glsa/glsa-202007-59.xml
new file mode 100644
index 000000000000..affe1e42944e
--- /dev/null
+++ b/metadata/glsa/glsa-202007-59.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-59">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">chromium,google-chrome</product>
+ <announced>2020-07-29</announced>
+ <revised count="1">2020-07-29</revised>
+ <bug>734150</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">84.0.4147.105</unaffected>
+ <vulnerable range="lt">84.0.4147.105</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">84.0.4147.105</unaffected>
+ <vulnerable range="lt">84.0.4147.105</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/chromium-84.0.4147.105"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/google-chrome-84.0.4147.105"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6532">CVE-2020-6532</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6537">CVE-2020-6537</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6538">CVE-2020-6538</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6539">CVE-2020-6539</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6540">CVE-2020-6540</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6541">CVE-2020-6541</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-28T20:50:18Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-29T17:23:28Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-60.xml b/metadata/glsa/glsa-202007-60.xml
new file mode 100644
index 000000000000..5edcdfccdf53
--- /dev/null
+++ b/metadata/glsa/glsa-202007-60.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-60">
+ <title>Mozilla Firefox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
+ worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">firefox</product>
+ <announced>2020-07-30</announced>
+ <revised count="1">2020-07-30</revised>
+ <bug>734324</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge">68.11.0</unaffected>
+ <vulnerable range="lt">68.11.0</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge">68.11.0</unaffected>
+ <vulnerable range="lt">68.11.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla
+ Project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-68.11.0"
+ </code>
+
+ <p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-68.11.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15652">CVE-2020-15652</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15659">CVE-2020-15659</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6463">CVE-2020-6463</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-28T20:49:41Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-30T03:20:17Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-61.xml b/metadata/glsa/glsa-202007-61.xml
new file mode 100644
index 000000000000..1b54bb27dfc9
--- /dev/null
+++ b/metadata/glsa/glsa-202007-61.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-61">
+ <title>WebKitGTK+: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in WebKitGTK+, the worst
+ of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">webkitgtk+</product>
+ <announced>2020-07-31</announced>
+ <revised count="1">2020-07-31</revised>
+ <bug>734584</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/webkit-gtk" auto="yes" arch="*">
+ <unaffected range="ge">2.28.4</unaffected>
+ <vulnerable range="lt">2.28.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine,
+ suitable for projects requiring any kind of web integration, from hybrid
+ HTML/CSS applications to full-fledged web browsers.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All WebKitGTK+ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.28.4"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9862">CVE-2020-9862</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9893">CVE-2020-9893</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9894">CVE-2020-9894</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9895">CVE-2020-9895</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9915">CVE-2020-9915</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9925">CVE-2020-9925</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-29T18:52:03Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-31T17:08:46Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-62.xml b/metadata/glsa/glsa-202007-62.xml
new file mode 100644
index 000000000000..6186762c7c92
--- /dev/null
+++ b/metadata/glsa/glsa-202007-62.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-62">
+ <title>PyCrypto: Weak key generation</title>
+ <synopsis>A flaw in PyCrypto allow remote attackers to obtain sensitive
+ information.
+ </synopsis>
+ <product type="ebuild">pycrypto</product>
+ <announced>2020-07-31</announced>
+ <revised count="1">2020-07-31</revised>
+ <bug>703682</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/pycrypto" auto="yes" arch="*">
+ <vulnerable range="le">2.6.1-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PyCrypto is the Python Cryptography Toolkit.</p>
+ </background>
+ <description>
+ <p>It was discovered that PyCrypto incorrectly generated ElGamal key
+ parameters.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Attackers may be able to obtain sensitive information by reading
+ ciphertext data.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for PyCrypto. We recommend that users
+ unmerge PyCrypto:
+ </p>
+
+ <p># emerge --unmerge “dev-python/pycrypto”</p>
+
+ <p>NOTE: The Gentoo developer(s) maintaining PyCrypto have discontinued
+ support at this time. PyCryptodome is the canonical successor to
+ PyCrypto.
+ </p>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6594">CVE-2018-6594</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-30T01:21:33Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-31T17:10:46Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-63.xml b/metadata/glsa/glsa-202007-63.xml
new file mode 100644
index 000000000000..b9966a5a0bfb
--- /dev/null
+++ b/metadata/glsa/glsa-202007-63.xml
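Review bot: The unmerge command in the resolution section of glsa-202007-62, `<p># emerge --unmerge “dev-python/pycrypto”</p>`, uses typographic quotes inside a `<p>` element, whereas every other advisory in this commit places commands in a `<code>` element with ASCII quotes. Pasted into a shell, the curly quotes are passed through as part of the package atom, so portage is unlikely to match the package; the line should become `<code>` / `# emerge --unmerge "dev-python/pycrypto"` / `</code>`. The synopsis also reads `A flaw in PyCrypto allow remote attackers`, which should be `allows`. Since this commit is a resync of upstream Gentoo advisories, the correction belongs in the upstream GLSA rather than in this mirror.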
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-63">
+ <title>SNMP Trap Translator: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in SNMP Trap Translator,
+ the worst of which could allow attackers to execute arbitrary shell code.
+ </synopsis>
+ <product type="ebuild">snmptt</product>
+ <announced>2020-07-31</announced>
+ <revised count="2">2020-08-16</revised>
+ <bug>733478</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-analyzer/snmptt" auto="yes" arch="*">
+ <unaffected range="ge">1.4.1</unaffected>
+ <vulnerable range="lt">1.4.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>SNMP Trap Translator (SNMPTT) is an SNMP trap handler written in Perl.</p>
+ </background>
+ <description>
+ <p>It was found that SNMP Trap Translator does not drop privileges as
+ configured and does not properly escape shell commands in certain
+ functions.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by sending a malicious crafted SNMP trap, could
+ possibly execute arbitrary shell code with the privileges of the process
+ or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SNMP Trap Translator users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/snmptt-1.4.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://sourceforge.net/p/snmptt/git/ci/snmptt_1-4-1/tree/snmptt/ChangeLog">
+ SNMPTT 1.4.1 ChangeLog
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-24361">CVE-2020-24361</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-26T15:27:28Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-08-16T05:36:38Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-64.xml b/metadata/glsa/glsa-202007-64.xml
new file mode 100644
index 000000000000..1267eab96bc4
--- /dev/null
+++ b/metadata/glsa/glsa-202007-64.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-64">
+ <title>Mozilla Thunderbird: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird,
+ the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">thunderbird</product>
+ <announced>2020-07-31</announced>
+ <revised count="2">2020-07-31</revised>
+ <bug>734978</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">68.11.0</unaffected>
+ <vulnerable range="lt">68.11.0</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">68.11.0</unaffected>
+ <vulnerable range="lt">68.11.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the
+ Mozilla project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-68.11.0"
+ </code>
+
+ <p>All Mozilla Thunderbird binary users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=mail-client/thunderbird-bin-68.11.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15652">CVE-2020-15652</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15659">CVE-2020-15659</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6463">CVE-2020-6463</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6514">CVE-2020-6514</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-35/">
+ MFSA-2020-35
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-31T17:27:15Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-31T19:04:30Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202007-65.xml b/metadata/glsa/glsa-202007-65.xml
new file mode 100644
index 000000000000..afb2aede7b0c
--- /dev/null
+++ b/metadata/glsa/glsa-202007-65.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202007-65">
+ <title>libsndfile: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libsndfile, the worst
+ of which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">libsndfile</product>
+ <announced>2020-07-31</announced>
+ <revised count="1">2020-07-31</revised>
+ <bug>631674</bug>
+ <bug>671834</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libsndfile" auto="yes" arch="*">
+ <unaffected range="ge">1.0.29_pre2_p20191024</unaffected>
+ <vulnerable range="lt">1.0.29_pre2_p20191024</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libsndfile is a C library for reading and writing files containing
+ sampled sound.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libsndfile. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libsndfile users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=media-libs/libsndfile-1.0.29_pre2_p20191024"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14245">CVE-2017-14245</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14246">CVE-2017-14246</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3832">CVE-2019-3832</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-16T01:07:57Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-07-31T19:55:37Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-01.xml b/metadata/glsa/glsa-202008-01.xml
new file mode 100644
index 000000000000..3027067a0ec7
--- /dev/null
+++ b/metadata/glsa/glsa-202008-01.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-01">
+ <title>Python: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Python, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">python</product>
+ <announced>2020-08-02</announced>
+ <revised count="1">2020-08-02</revised>
+ <bug>728668</bug>
+ <bug>732498</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/python" auto="yes" arch="*">
+ <unaffected range="ge" slot="2.7">2.7.18-r1</unaffected>
+ <unaffected range="ge" slot="3.6">3.6.11-r2</unaffected>
+ <unaffected range="ge" slot="3.7">3.7.8-r2</unaffected>
+ <unaffected range="ge" slot="3.8">3.8.4-r1</unaffected>
+ <vulnerable range="lt" slot="2.7">2.7.18-r1</vulnerable>
+ <vulnerable range="lt" slot="3.6">3.6.11-r2</vulnerable>
+ <vulnerable range="lt" slot="3.7">3.7.8-r2</vulnerable>
+ <vulnerable range="lt" slot="3.8">3.8.4-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Python is an interpreted, interactive, object-oriented programming
+ language.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Python. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Python 2.7 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.18-r1"
+ </code>
+
+ <p>All Python 3.6 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.6.11-r2"
+ </code>
+
+ <p>All Python 3.7 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.7.8-r2"
+ </code>
+
+ <p>All Python 3.8 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.8.4-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20907">CVE-2019-20907</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14422">CVE-2020-14422</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-07-31T17:34:38Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-08-02T03:19:15Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-02.xml b/metadata/glsa/glsa-202008-02.xml
new file mode 100644
index 000000000000..fb25e051732c
--- /dev/null
+++ b/metadata/glsa/glsa-202008-02.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-02">
+ <title>GNU GLOBAL: Arbitrary code execution</title>
+ <synopsis>A vulnerability in GNU GLOBAL was discovered, possibly allowing
+ remote attackers to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">global</product>
+ <announced>2020-08-08</announced>
+ <revised count="1">2020-08-08</revised>
+ <bug>646348</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-util/global" auto="yes" arch="*">
+ <unaffected range="ge">6.6.4</unaffected>
+ <vulnerable range="lt">6.6.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GNU GLOBAL is a source code tagging system that works the same way
+ across diverse environments, such as Emacs editor, Vi editor, Less
+ viewer, Bash shell, various web browsers, etc.
+ </p>
+ </background>
+ <description>
+ <p>A vulnerability was found in an undocumented function of gozilla.</p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted URL
+ using GNU GLOBAL, possibly resulting in execution of arbitrary code with
+ the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GNU GLOBAL users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-util/global-6.6.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17531">CVE-2017-17531</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-08-08T02:37:03Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-08-08T04:17:26Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-03.xml b/metadata/glsa/glsa-202008-03.xml
new file mode 100644
index 000000000000..3aac543e24c9
--- /dev/null
+++ b/metadata/glsa/glsa-202008-03.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-03">
+ <title>Ark: Arbitrary code execution</title>
+ <synopsis>Ark was found to allow arbitrary file overwrite, possibly allowing
+ arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">ark</product>
+ <announced>2020-08-08</announced>
+ <revised count="1">2020-08-08</revised>
+ <bug>734622</bug>
+ <access>remote</access>
+ <affected>
+ <package name="kde-apps/ark" auto="yes" arch="*">
+ <unaffected range="ge">20.04.3-r1</unaffected>
+ <vulnerable range="lt">20.04.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ark is a graphical file compression/decompression utility with support
+ for multiple formats.
+ </p>
+ </background>
+ <description>
+ <p>A maliciously crafted archive with “../” in the file path(s) could
+ install files anywhere in the user’s home directory upon extraction.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted
+ archive using Ark, possibly resulting in execution of arbitrary code with
+ the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>Avoid opening untrusted archives.</p>
+ </workaround>
+ <resolution>
+ <p>All Ark users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=kde-apps/ark-20.04.3-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16116">CVE-2020-16116</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-08-08T02:42:50Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-08-08T04:18:09Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-04.xml b/metadata/glsa/glsa-202008-04.xml
new file mode 100644
index 000000000000..cfae51c02fa5
--- /dev/null
+++ b/metadata/glsa/glsa-202008-04.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-04">
+ <title>Apache: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Apache, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">apache</product>
+ <announced>2020-08-08</announced>
+ <revised count="1">2020-08-08</revised>
+ <bug>736282</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-servers/apache" auto="yes" arch="*">
+ <unaffected range="ge">2.4.46</unaffected>
+ <vulnerable range="lt">2.4.46</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Apache HTTP server is one of the most popular web servers on the
+ Internet.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Apache. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Apache users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.46"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11984">CVE-2020-11984</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11985">CVE-2020-11985</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11993">CVE-2020-11993</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9490">CVE-2020-9490</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-08-08T03:51:27Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-08-08T04:18:18Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-05.xml b/metadata/glsa/glsa-202008-05.xml
new file mode 100644
index 000000000000..bf2114ea11b5
--- /dev/null
+++ b/metadata/glsa/glsa-202008-05.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-05">
+ <title>gThumb: Arbitrary code execution</title>
+ <synopsis>A buffer overflow in gThumb might allow remote attacker(s) to
+ execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">gthumb</product>
+ <announced>2020-08-08</announced>
+ <revised count="1">2020-08-08</revised>
+ <bug>712932</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-gfx/gthumb" auto="yes" arch="*">
+ <unaffected range="ge">3.10.0</unaffected>
+ <vulnerable range="lt">3.10.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>gThumb is an image viewer and browser for GNOME.</p>
+ </background>
+ <description>
+ <p>A heap-based buffer overflow in gThumb’s
+ _cairo_image_surface_create_from_jpeg() function, located in
+ extensions/cairo_io/cairo-image-surface-jpeg.c was discovered.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted image
+ file using gThumb, possibly resulting in execution of arbitrary code with
+ the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All gThumb users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-gfx/gthumb-3.10.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20326">CVE-2019-20326</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-08-08T01:58:55Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-08-08T04:18:29Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-06.xml b/metadata/glsa/glsa-202008-06.xml
new file mode 100644
index 000000000000..56806d91c751
--- /dev/null
+++ b/metadata/glsa/glsa-202008-06.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-06">
+ <title>iproute2: Denial of service</title>
+ <synopsis>A use-after-free was found in iproute2, possibly allowing a Denial
+ of Service condition.
+ </synopsis>
+ <product type="ebuild">iproute2</product>
+ <announced>2020-08-08</announced>
+ <revised count="1">2020-08-08</revised>
+ <bug>722144</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/iproute2" auto="yes" arch="*">
+ <unaffected range="ge">5.1.0</unaffected>
+ <vulnerable range="lt">5.1.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>iproute2 is a set of tools for managing Linux network routing and
+ advanced features.
+ </p>
+ </background>
+ <description>
+ <p>iproute2 was found to contain a use-after-free in get_netnsid_from_name
+ in ip/ipnetns.c.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, able to feed iproute2 crafted data, may be able to
+ cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All iproute2 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/iproute2-5.1.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20795">CVE-2019-20795</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-08-03T07:01:06Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-08-08T04:18:42Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-07.xml b/metadata/glsa/glsa-202008-07.xml
new file mode 100644
index 000000000000..9105017da983
--- /dev/null
+++ b/metadata/glsa/glsa-202008-07.xml 
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-07">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">chromium,google-chrome</product>
+ <announced>2020-08-12</announced>
+ <revised count="1">2020-08-12</revised>
+ <bug>736659</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">84.0.4147.125</unaffected>
+ <vulnerable range="lt">84.0.4147.125</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">84.0.4147.125</unaffected>
+ <vulnerable range="lt">84.0.4147.125</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/chromium-84.0.4147.125"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/google-chrome-84.0.4147.125"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6542">CVE-2020-6542</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6543">CVE-2020-6543</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6544">CVE-2020-6544</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6545">CVE-2020-6545</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6547">CVE-2020-6547</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6548">CVE-2020-6548</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6549">CVE-2020-6549</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6550">CVE-2020-6550</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6551">CVE-2020-6551</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6552">CVE-2020-6552</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6553">CVE-2020-6553</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6554">CVE-2020-6554</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6555">CVE-2020-6555</uri>
+ <uri link="https://chromereleases.googleblog.com/2020/07/stable-channel-update-for-desktop_27.html">
+ Upstream advisory
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-08-11T22:31:50Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-08-12T06:05:51Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-08.xml b/metadata/glsa/glsa-202008-08.xml
new file mode 100644
index 000000000000..52d74e694184
--- /dev/null
+++ b/metadata/glsa/glsa-202008-08.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-08">
+ <title>Mozilla Network Security Service (NSS): Multiple vulnerabilities</title>
+ <synopsis>NSS has multiple information disclosure vulnerabilities when
+ handling secret key material.
+ </synopsis>
+ <product type="ebuild">nss</product>
+ <announced>2020-08-19</announced>
+ <revised count="1">2020-08-19</revised>
+ <bug>734986</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-libs/nss" auto="yes" arch="*">
+ <unaffected range="ge">3.55</unaffected>
+ <vulnerable range="lt">3.55</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Mozilla Network Security Service (NSS) is a library implementing
+ security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS
+ #12, S/MIME and X.509 certificates.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in NSS. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker may be able to obtain information about secret key material.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All NSS users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.55"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12400">CVE-2020-12400</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12401">CVE-2020-12401</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12403">CVE-2020-12403</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-08-15T02:24:22Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-08-19T11:08:43Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index fc19913358c1..2a502486c9de 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 04 Jul 2020 12:38:23 +0000
+Tue, 25 Aug 2020 08:08:40 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 5b35d35831c1..f48ce2bd341f 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-09c33520f8549f6a3210280c21940e14768be95d 1593200484 2020-06-26T19:41:24+00:00
+46214b1b461f1f9ad005b644d885569d46e4e959 1597835404 2020-08-19T11:10:04+00:00 |