gentoo resync : 08.01.2018

author: V3n3RiX <venerix@redcorelinux.org> 2018-01-08 21:45:04 +0000
committer: V3n3RiX <venerix@redcorelinux.org> 2018-01-08 21:45:04 +0000
commit: 65737cf14a7220bd9a487aa2af4ae0e79bd23e86 (patch)
tree: 625754b14ae80ac167d1b150c2314b647cd008e6 /metadata/glsa
parent: 5001a6c7b6da2956f5b17c695b1e0059dc7b8de5 (diff)
14 files changed, 743 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 284b40d1986f..a34a5011aebe 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 412859 BLAKE2B 29f22611257846c43da3f994e05684673fa1caa957a4b148f39ff19bc84f3682e8490d97c111e7eccbdb376d70136a0d0906ef152ce3abf044f4fb391eb520c4 SHA512 49d32fc5be9c59d40fa5555276aaf748a6274c5421c12e450644629355174f7bb6f7e77103a5571ae8f5e28bcd53505531ac68ed8f7957c3debfc9196bd152cd
-TIMESTAMP 2018-01-07T17:39:12Z
+MANIFEST Manifest.files.gz 414446 BLAKE2B 5b433dfd85097ead79bccfcdc5ac71450a49f0cd04217ea95a0da4d9b3a14d6a0df186361cf5d3a4ff24547968a8bdb79ea1e31d21aa21b86708e0885a152525 SHA512 2410eac2ebdd40b883f4296ea6c8ebefb16545c125c9ecb039ba9a79dc2d32f43aaaa01673cb98557d5d7aa414d7d0c72e688610d9b127a0d56cb1584e16cf5c
+TIMESTAMP 2018-01-08T20:39:21Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlpSW0BfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlpT1vlfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klD9oRAApKlg+9T0h/8HduioYXVIXTruWbF364BkDt5xlXVqyh204XTwjiZ9LwbK
-mkXHIe3WTHb3+GEbtrnnnewIOEUhm99+GvROXN320ZWmhqPkg03pG1KfE5V0zd+H
-puUijolR5qZGmQovk6Xy1gNG1KVoirUgUxBb6MmXfMEHetHCglduRCCcVj5jsMl3
-nOzXWnB+k+U5czmroxBOeK+jp5QvkQ8PozGuJnYD747HNekwb0Hv8nfZz2YL2ORL
-eDE8tys2ZCSX+UlDH1aPX3sf9fUHcpcnvVM66W/+vLEnOjOq9tZvAXga9rTnSucZ
-4mg7e1vPyPHVTeBdaLDvyhvGRBdsfMNOYA56HPrCg7JTuQh1hZX6wWiwxAbPv18L
-lauRs/gb8WRRQNWvBeEg1jtwCoIKKutZp//xgEieKlr7FQwfm+p8jMOhvVJjWKW/
-N+u5OkGHry6BZ6FLJtSyLgOR5RqZ+TF+7FGOzOmnMA2TAmPUAj/bEhflWTfIAYQW
-mkKrnCxQa7+GRtPokO8ydbPmxlckfa8mABXRVbaGJWpX/2pXczCoLcjbpR1DG6ir
-lgMYQmqUqcbWoFmYVtAvPtlQkavn+3Jo3fNdReGSyVQ5Uv8iplhUDgrUqiqMP8Yi
-1DvBJyPmAWefkHuWcnM3Y71kU24n0r0T3o3P0KIm6zGcUBhVasY=
-=zDn/
+klBLgQ//Y5uVKJYAn6cJvDe+2EqOvLRBi6gjPOYpBzebFtEDnPGKKK9gU9ul+kcB
+ynex9y74axfoz1/hFD3spR54aCNQGTzpZXlWQ26VIHT/btdBl5IR7xx70QWEtczw
+uy3EXPdJBnJza/n6nbtU/Eih5r3Np6ArRMombpMwDXVjM+XSTPRQBG5pN5xyrieq
+kCxSsX/mC3ETfFHTqCd2Ii51v2I7gagucRt/ohpCdtww2+9iTXks8JJZMyuf90Aq
+Ua9ILJEnQB4NZjg+1rCtf9yGsp0w/MpdnsrghhBi/DwiNArnK3m6KXi0gNVUh5iI
+1/RrEDYcZ/7qp+eI0fprTWpJ1YThrMBS61QCLPtGuDiWFNGrb4YbDaneIKCS9CHR
+B1Bd0oy2HIqcmtxox2i6wX+bJfCOJxbwx8EzC9m3Obfk7BP1QTDs6YFyVs/4V6Id
+9/p3D2Z8s/t7hjSBMyyp/nuCnOTtToJEpbPXl1n8TkCQaxZrJqRmWZFYtastbT1e
+F0iLg4p5V9xc1co27HRJcwWg/7a5XslBu7Gl+h/fR84bNA+RrRhqEOX4y0B8cXdj
+BZrXGq0iKqFk+ujumbRqcBwQ5matXtA5vWd0gCzkZ9jrkxPiz6Q86V+l3lqswi7t
+scA/wgW/n/6p1Mj2wnLQyaMGmljl82DPL3DBz8aMxghLRwLC1D0=
+=0CiG
 -----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 6fc5b55366c7..895c44865813 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
diff --git a/metadata/glsa/glsa-201801-01.xml b/metadata/glsa/glsa-201801-01.xml
new file mode 100644
index 000000000000..edcda87e98f8
--- /dev/null
+++ b/metadata/glsa/glsa-201801-01.xml
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-01">
+  <title>Binutils: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Binutils, the worst of
+    which may allow remote attackers to cause a Denial of Service condition.
+  </synopsis>
+  <product type="ebuild">binutils</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>624700</bug>
+  <bug>627516</bug>
+  <bug>628538</bug>
+  <bug>629344</bug>
+  <bug>629922</bug>
+  <bug>631324</bug>
+  <bug>632100</bug>
+  <bug>632132</bug>
+  <bug>632384</bug>
+  <bug>632668</bug>
+  <bug>633988</bug>
+  <bug>635218</bug>
+  <bug>635692</bug>
+  <bug>635860</bug>
+  <bug>635968</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="sys-devel/binutils" auto="yes" arch="*">
+      <unaffected range="ge">2.29.1-r1</unaffected>
+      <vulnerable range="lt">2.29.1-r1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The GNU Binutils are a collection of tools to create, modify and analyse
+      binary files. Many of the files use BFD, the Binary File Descriptor
+      library, to do low-level manipulation.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Binutils. Please review
+      the referenced CVE identifiers for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to compile/execute a specially
+      crafted ELF, tekhex, PE, or binary file, could possibly cause a Denial of
+      Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There are no known workarounds at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Binutils users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-devel/binutils-2.29.1-r1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12456">
+      CVE-2017-12456
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12799">
+      CVE-2017-12799
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12967">
+      CVE-2017-12967
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14128">
+      CVE-2017-14128
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14129">
+      CVE-2017-14129
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14130">
+      CVE-2017-14130
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14333">
+      CVE-2017-14333
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15023">
+      CVE-2017-15023
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15938">
+      CVE-2017-15938
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15939">
+      CVE-2017-15939
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15996">
+      CVE-2017-15996
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7209">
+      CVE-2017-7209
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7210">
+      CVE-2017-7210
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7223">
+      CVE-2017-7223
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7224">
+      CVE-2017-7224
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7225">
+      CVE-2017-7225
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7227">
+      CVE-2017-7227
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9743">
+      CVE-2017-9743
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9746">
+      CVE-2017-9746
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9749">
+      CVE-2017-9749
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9750">
+      CVE-2017-9750
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9751">
+      CVE-2017-9751
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9755">
+      CVE-2017-9755
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9756">
+      CVE-2017-9756
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:47:37Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:07:52Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-02.xml b/metadata/glsa/glsa-201801-02.xml
new file mode 100644
index 000000000000..1e7fbff303a9
--- /dev/null
+++ b/metadata/glsa/glsa-201801-02.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-02">
+  <title>OptiPNG: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in OptiPNG, the worst of
+    which may allow execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">optipng</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>637936</bug>
+  <bug>639690</bug>
+  <access>remote</access>
+  <affected>
+    <package name="media-gfx/optipng" auto="yes" arch="*">
+      <unaffected range="ge">0.7.6-r2</unaffected>
+      <vulnerable range="lt">0.7.6-r2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>OptiPNG is a PNG optimizer that re-compresses image files to a smaller
+      size, without losing any information.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in OptiPNG. Please review
+      the referenced CVE identifiers for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user to process a specially crafted
+      image file, possibly resulting in execution of arbitrary code with the
+      privileges of the process or a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All OptiPNG users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-gfx/optipng-0.7.6-r2"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000229">
+      CVE-2017-1000229
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16938">
+      CVE-2017-16938
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-12-03T01:46:44Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:16:40Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-03.xml b/metadata/glsa/glsa-201801-03.xml
new file mode 100644
index 000000000000..67a86a6d1886
--- /dev/null
+++ b/metadata/glsa/glsa-201801-03.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-03">
+  <title>Chromium, Google Chrome: Multiple vulnerabilities </title>
+  <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+    Chrome, the worst of which could result in the execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">chromium,google-chrome</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>640334</bug>
+  <bug>641376</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="www-client/chromium" auto="yes" arch="*">
+      <unaffected range="ge">63.0.3239.108</unaffected>
+      <vulnerable range="lt">63.0.3239.108</vulnerable>
+    </package>
+    <package name="www-client/google-chrome" auto="yes" arch="*">
+      <unaffected range="ge">63.0.3239.108</unaffected>
+      <vulnerable range="lt">63.0.3239.108</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Chromium is an open-source browser project that aims to build a safer,
+      faster, and more stable way for all users to experience the web.
+    </p>
+    
+    <p>Google Chrome is one fast, simple, and secure browser for all your
+      devices
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Chromium and Google
+      Chrome. Please review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process, cause a Denial of Service condition, bypass
+      content security controls, or conduct URL spoofing.
+    </p>
+  </impact>
+  <workaround>
+    <p>There are no known workarounds at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Chromium users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=www-client/chromium-63.0.3239.108"
+    </code>
+    
+    <p>All Google Chrome users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=www-client/google-chrome-63.0.3239.108"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15407">
+      CVE-2017-15407
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15408">
+      CVE-2017-15408
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15409">
+      CVE-2017-15409
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15410">
+      CVE-2017-15410
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15411">
+      CVE-2017-15411
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15412">
+      CVE-2017-15412
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15413">
+      CVE-2017-15413
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15415">
+      CVE-2017-15415
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15416">
+      CVE-2017-15416
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15417">
+      CVE-2017-15417
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15418">
+      CVE-2017-15418
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15419">
+      CVE-2017-15419
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15420">
+      CVE-2017-15420
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15422">
+      CVE-2017-15422
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15423">
+      CVE-2017-15423
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15424">
+      CVE-2017-15424
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15425">
+      CVE-2017-15425
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15426">
+      CVE-2017-15426
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15427">
+      CVE-2017-15427
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15429">
+      CVE-2017-15429
+    </uri>
+    <uri link="https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html">
+      Google Chrome Release 20171206
+    </uri>
+    <uri link="https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop_14.html">
+      Google Chrome Release 20171214
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:50:33Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:22:12Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-04.xml b/metadata/glsa/glsa-201801-04.xml
new file mode 100644
index 000000000000..e49cf9f43606
--- /dev/null
+++ b/metadata/glsa/glsa-201801-04.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-04">
+  <title>LibXcursor: User-assisted execution of arbitrary code</title>
+  <synopsis>A vulnerability in LibXcursor might allow remote attackers to
+    execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">LibXcursor</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>639062</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="x11-libs/libXcursor" auto="yes" arch="*">
+      <unaffected range="ge">1.1.15</unaffected>
+      <vulnerable range="lt">1.1.15</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>X.Org X11 libXcursor runtime library.</p>
+  </background>
+  <description>
+    <p>It was discovered that libXcursor is prone to several heap overflows
+      when parsing malicious files.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to process a specially crafted
+      cursor file, could possibly execute arbitrary code with the privileges of
+      the process or cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All LibXcursor users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=x11-libs/libXcursor-1.1.15"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16612">
+      CVE-2017-16612
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:33:40Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:27:33Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-05.xml b/metadata/glsa/glsa-201801-05.xml
new file mode 100644
index 000000000000..0522284c6ea3
--- /dev/null
+++ b/metadata/glsa/glsa-201801-05.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-05">
+  <title>OpenSSH: Permission issue</title>
+  <synopsis>A flaw has been discovered in OpenSSH which could allow a remote
+    attacker to create zero-length files.
+  </synopsis>
+  <product type="ebuild">OpenSSH</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>633428</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-misc/openssh" auto="yes" arch="*">
+      <unaffected range="ge">7.5_p1-r3</unaffected>
+      <vulnerable range="lt">7.5_p1-r3</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>OpenSSH is a complete SSH protocol implementation that includes SFTP
+      client and server support.
+    </p>
+  </background>
+  <description>
+    <p>The process_open function in sftp-server.c in OpenSSH did not properly
+      prevent write operations in readonly mode.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could cause the creation of zero-length files.</p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All OpenSSH users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-misc/openssh-7.5_p1-r3"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15906">
+      CVE-2017-15906
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:55:47Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:36:33Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-06.xml b/metadata/glsa/glsa-201801-06.xml
new file mode 100644
index 000000000000..a0725d7cc0f7
--- /dev/null
+++ b/metadata/glsa/glsa-201801-06.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-06">
+  <title>Back In Time: Command injection</title>
+  <synopsis>A command injection vulnerability in 'Back in Time' may allow for
+    the execution of arbitrary shell commands.
+  </synopsis>
+  <product type="ebuild">backintime</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>636974</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="app-backup/backintime" auto="yes" arch="*">
+      <unaffected range="ge">1.1.24</unaffected>
+      <vulnerable range="lt">1.1.24</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>A simple backup tool for Linux, inspired by “flyback project”.</p>
+  </background>
+  <description>
+    <p>‘Back in Time’ did improper escaping/quoting of file paths used as
+      arguments to the ‘notify-send’ command leading to some parts of file
+      paths being executed as shell commands within an os.system call.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A context-dependent attacker could execute arbitrary shell commands via
+      a specially crafted file.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All ‘Back In Time’ users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-backup/backintime-1.1.24"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16667">
+      CVE-2017-16667
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:36:24Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:41:27Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-07.xml b/metadata/glsa/glsa-201801-07.xml
new file mode 100644
index 000000000000..48b58e98c066
--- /dev/null
+++ b/metadata/glsa/glsa-201801-07.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-07">
+  <title>GNU Emacs: Command injection</title>
+  <synopsis>A vulnerability has been found in Emacs which may allow for
+    arbitrary command execution.
+  </synopsis>
+  <product type="ebuild">Emacs</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-08: 2</revised>
+  <bug>630680</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-editors/emacs" auto="yes" arch="*">
+      <unaffected range="ge" slot="23">23.4-r16</unaffected>
+      <unaffected range="ge" slot="24">24.5-r4</unaffected>
+      <unaffected range="ge" slot="25">25.2-r1</unaffected>
+      <vulnerable range="lt" slot="23">23.4-r16</vulnerable>
+      <vulnerable range="lt" slot="24">24.5-r4</vulnerable>
+      <vulnerable range="lt" slot="25">25.2-r1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>GNU Emacs is a highly extensible and customizable text editor.</p>
+  </background>
+  <description>
+    <p>A command injection flaw within the Emacs “enriched mode” handling
+      has been discovered.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to open a specially crafted file,
+      could execute arbitrary commands with the privileges of process.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All GNU Emacs 23.x users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-23.4-r16:23"
+    </code>
+    
+    <p>All GNU Emacs 24.x users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-24.5-r4:24"
+    </code>
+    
+    <p>All GNU Emacs 25.x users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-25.2-r1:25"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14482">
+      CVE-2017-14482
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:59:49Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-08T13:17:01Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-08.xml b/metadata/glsa/glsa-201801-08.xml
new file mode 100644
index 000000000000..71a3eac590d4
--- /dev/null
+++ b/metadata/glsa/glsa-201801-08.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-08">
+  <title>MiniUPnPc: Arbitrary code execution</title>
+  <synopsis>A vulnerability in MiniUPnPc might allow remote attackers to
+    execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">MiniUPnP</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>562684</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-libs/miniupnpc" auto="yes" arch="*">
+      <unaffected range="ge">2.0.20170509</unaffected>
+      <vulnerable range="lt">2.0.20170509</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The client library, enabling applications to access the services
+      provided by an UPnP “Internet Gateway Device” present on the network.
+    </p>
+  </background>
+  <description>
+    <p>An exploitable buffer overflow vulnerability exists in the XML parser
+      functionality of the MiniUPnP library.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to connect to a malicious server,
+      could cause the execution of arbitrary code with the privileges of the
+      user running a MiniUPnPc linked application.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All MiniUPnPc users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-libs/miniupnpc-2.0.20170509"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6031">
+      CVE-2015-6031
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T06:06:14Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:51:08Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-09.xml b/metadata/glsa/glsa-201801-09.xml
new file mode 100644
index 000000000000..e76b2d50287a
--- /dev/null
+++ b/metadata/glsa/glsa-201801-09.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-09">
+  <title>WebkitGTK+: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in WebkitGTK+, the worst
+    of which may lead to arbitrary code execution. 
+  </synopsis>
+  <product type="ebuild">WebkitGTK+</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>641752</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-libs/webkit-gtk" auto="yes" arch="*">
+      <unaffected range="ge" slot="4">2.18.4</unaffected>
+      <vulnerable range="lt" slot="4">2.18.4</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in WebkitGTK+. Please
+      review the referenced CVE Identifiers for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>An attacker, by enticing a user to visit maliciously crafted web
+      content, may be able to execute arbitrary code or cause memory
+      corruption.
+    </p>
+  </impact>
+  <workaround>
+    <p>There are no known workarounds at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All WebkitGTK+ users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-libs/webkit-gtk-2.18.4:4"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13856">
+      CVE-2017-13856
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13866">
+      CVE-2017-13866
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13870">
+      CVE-2017-13870
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7156">
+      CVE-2017-7156
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7157">
+      CVE-2017-7157
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:25:45Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:57:41Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-10.xml b/metadata/glsa/glsa-201801-10.xml
new file mode 100644
index 000000000000..329c01883b89
--- /dev/null
+++ b/metadata/glsa/glsa-201801-10.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-10">
+  <title>LibXfont, LibXfont2: Arbitrary file access</title>
+  <synopsis>A vulnerability has been found in LibXfont and LibXfont2 which may
+    allow for arbitrary file access.
+  </synopsis>
+  <product type="ebuild">LibXfont, LibXfont2</product>
+  <announced>2018-01-08</announced>
+  <revised>2018-01-08: 1</revised>
+  <bug>639064</bug>
+  <access>local</access>
+  <affected>
+    <package name="x11-libs/libXfont" auto="yes" arch="*">
+      <unaffected range="ge">1.5.4</unaffected>
+      <vulnerable range="lt">1.5.4</vulnerable>
+    </package>
+    <package name="x11-libs/libXfont2" auto="yes" arch="*">
+      <unaffected range="ge">2.0.3</unaffected>
+      <vulnerable range="lt">2.0.3</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>X.Org Xfont library.</p>
+  </background>
+  <description>
+    <p>It was discovered that libXfont incorrectly followed symlinks when
+      opening font files.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A local unprivileged user could use this flaw to cause the X server to
+      access arbitrary files, including special device files.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All LibXfont users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=x11-libs/libXfont-1.5.4"
+    </code>
+    
+    <p>All LibXfont2 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=x11-libs/libXfont2-2.0.3"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16611">
+      CVE-2017-16611
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:31:41Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-08T12:26:24Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index a90a981eef22..0a2bfcde5afa 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sun, 07 Jan 2018 17:39:09 +0000
+Mon, 08 Jan 2018 20:39:18 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 632542b5e138..aaca69940ebb 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-30b0a682c74fee092dcec1e6356f4afc7fa14625 1513277071 2017-12-14T18:44:31+00:00
+83b03abfd2cbeb32bafb0df4d1a742e9717c33a3 1515417463 2018-01-08T13:17:43+00:00
author	V3n3RiX <venerix@redcorelinux.org>	2018-01-08 21:45:04 +0000
committer	V3n3RiX <venerix@redcorelinux.org>	2018-01-08 21:45:04 +0000
commit	65737cf14a7220bd9a487aa2af4ae0e79bd23e86 (patch)
tree	625754b14ae80ac167d1b150c2314b647cd008e6 /metadata/glsa
parent	5001a6c7b6da2956f5b17c695b1e0059dc7b8de5 (diff)