author | V3n3RiX <venerix@koprulu.sector> | 2022-09-25 17:34:04 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-09-25 17:34:04 +0100 |
commit | 85261a4d217482e1c124937d57ec98a0aabaee59 (patch) | |
tree | 799721e3977ad401f45cc4e1b7e691861631b5ee /metadata/glsa | |
parent | d2e43b44e8855b7ee7b79782358dee45099efccc (diff) |
gentoo auto-resync : 25:09:2022 - 17:34:03
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 525759 -> 527347 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202209-06.xml | 49 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-07.xml | 40 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-08.xml | 41 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-09.xml | 47 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-10.xml | 40 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-11.xml | 44 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-12.xml | 53 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-13.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-14.xml | 44 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-15.xml | 64 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
14 files changed, 481 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 3d63a935101a..a29919ff1d8b 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest 
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 525759 BLAKE2B 487aaba91a7a713d59ac9586bbe0ffaeb7bf01fde9781422d78f1d1e009e745a8cea346fbefedc07f275060c3798240f56799ae9f182d10305c04a36eac8db25 SHA512 9ad37d1ae3ef248f0c465e37bce58b95e6f9da024c5d52c9ede183ff971546b15abed0e4dd4ca83a4f69fd2c722ad188eb583dd8d8337d8d99ae3e7c776b7da4 -TIMESTAMP 2022-09-25T09:40:00Z +MANIFEST Manifest.files.gz 527347 BLAKE2B 2a3ca4466b681cdb565e900ea1a740da53b44fbb53b587593768b40df60e0574c7bd692ef80c62c3eb717f2ded2eddd9f52d1600f669a4df4b5cd88371298781 SHA512 966d722a4e31cba37994e6aa7863ecd729a7c644c719a26094f88a8acb8e90825cffcd239a1f665ad159294f5377cc124a3c9da2f622fbf7561835a7bb02c3e7 +TIMESTAMP 2022-09-25T15:39:59Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmMwIfBfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmMwdk9fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klCUUxAAslFDlrd8yH0WOKxrv1r+O8J/5paEm3v5znX5Hf4BTe0h4wyZLzZ1JcXc -rd9CtFiDM6iZM4G/x53JfzIbgYy0pUWHffdDqlI0V9ZGCxfzgTu7vGnH0FrdjNE+ -JskW+NnyiY3K5bX/58GwVSzx70nANCTVSBCxIJ/Pq4wSLnzrPzpUTzhRX2dU6azO -cg4bmsNdahmU7s9g2lIB+aEVeU+80r3Wbw1kaP6Z2hOgVkkG1FrJAaQLjgsvbDua -HMJzl3inu4A331fVFHdPg7Z8gmYMufvekqSejro8zE4wFBSF5uctWFNfVqjSwRwX -2qp5T9dPjtMZWYupFNix64uehV7Btb9t/VSJWs4TZGAJI7FWhS7qokCQrx6jbfQd -xCgeBkYpi9X3PavL6RzP1VidxNPLLlXsXYkh0ne9SCdboLXg7eQBYY5ZNxMspNuY -zmaMj7i6NCImIN2ekzyLME2lSdk7/CUqJeFYmjrv4P/MduMxPrFkEEu3ZlKz3vMo -kSTNV3i9uuL5kPh+0KUMZIkuIv7QUf5w2is85nQqkBDAu57mbvx5wCD9UUZzvhYf -nQ8IJzMbfvfEXwESZGtQSBz8bb5t1iZNj8tg4bJBLSHDDZ4XfPg5xHMmoIgxTGc7 -4pNP51MKxdNmHkx2xyUGfKJqOdy4caHZ1fQOV4xZTc9BHx7p++o= -=Knom +klAjHQ/8CnfvUavmxxwHVLhJdivcEQYl3yvck89/E+3d1ovV67dQwiRMwka1obZO +CPRIi+w7m5VdOj4/UwBm9uuCGWEswYEHAWLphL6LktBbsYyU3bnp5o1fBUpqBGVX +n9guXnPQ03RxJYjQFcWGAn2d6VbJMoJ97d9vkSHjrYQg5UmnJ0aL10q4wDtOiKMY 
+tw3/pF9TM0WNlX0/z3hehD0urdPY4pjVkjW26GesjzZSam5mwlV6aLmrYcmIM2Rx +k4jF77TaOUJ43cy1ufhL05ygqOgwWM/4IO4XLICH50MDCLCDtEFLoPXydefE8rxQ +Kt9yTZo+NisAR5doQfWAUxJuNMkG1lArPAmZ0kaXWUECPN16T3or+e9WljXLhh76 +bCgn+samJLHKhVwEVVlXw3KEogmAbRU7mUgdM7LRc9vRMGpwaqCKn1TulQo1/u02 +OhHr6jHPX9r+dJYCP2Y4Dc389c2PuIvO5sWoopjgRgyK3icLEo2J//aQf8QgcZiZ +gLTjsyZm+hDFbRRaz3Cj4Mua4ARNEDWnt2avs2yuw0Y84MqtVJLYFPT/mKfzakyw +MfyGBpd/UuXSuMuCt8H0Oc1WfTPP474CgMPcKZhfLj6aywzqpe5Rg2GOLkJSEck9 +Swl3m+8Q/+TpsUI+NbOCTWGkpjfPXgF+9ySMfyjMnQSXCqhDU5I= +=AG4N -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 7ecc60fdbad4..269086cc58ee 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202209-06.xml b/metadata/glsa/glsa-202209-06.xml new file mode 100644 index 000000000000..717b6c92accc --- /dev/null +++ b/metadata/glsa/glsa-202209-06.xml 
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-06">
+ <title>Rizin: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Rizin, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">rizin</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>861524</bug>
+ <bug>868999</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="dev-util/rizin" auto="yes" arch="*">
+ <unaffected range="ge">0.4.1</unaffected>
+ <vulnerable range="lt">0.4.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Rizin is a reverse engineering framework for binary analysis.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Rizin. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Rizin users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-util/rizin-0.4.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34612">CVE-2022-34612</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36039">CVE-2022-36039</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36040">CVE-2022-36040</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36041">CVE-2022-36041</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36042">CVE-2022-36042</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36043">CVE-2022-36043</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36044">CVE-2022-36044</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:33:58.550630Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:33:58.562441Z">ajak</metadata>
+</glsa>
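Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line at the top of glsa-202209-06.xml names the DTD through a plaintext-HTTP system identifier, and the nine other advisories added by this commit carry the same line. A parser that loads external subsets would fetch that DTD unauthenticated at parse time, so anything reading these files should keep network DTD loading and external-entity resolution off and validate against a locally shipped copy of the DTD. If consumers do not key on the exact identifier (not visible from this diff), `<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa.dtd">` would at least authenticate the fetch for parsers that do resolve it.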
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-07.xml b/metadata/glsa/glsa-202209-07.xml
new file mode 100644
index 000000000000..556fa69ed9a8
--- /dev/null
+++ b/metadata/glsa/glsa-202209-07.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-07">
+ <title>Mrxvt: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Mrxvt which could allow for arbitrary code execution</synopsis>
+ <product type="ebuild">mrxvt</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>791004</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="x11-terms/mrxvt" auto="yes" arch="*">
+ <vulnerable range="le">0.5.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mrxvt is a multi-tabbed rxvt clone with XFT, transparent background and CJK support.</p>
+ </background>
+ <description>
+ <p>Mrxvt mishandles certain escape sequences, some of which allow for shell command execution.</p>
+ </description>
+ <impact type="normal">
+ <p>An attacker with sufficient access to write arbitrary text to the Mrxvt terminal could execute arbitrary code.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Mrxvt. We recommend that users remove it:</p>
+
+ <code>
+ # emerge --ask --depclean "x11-terms/mrxvt"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33477">CVE-2021-33477</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:34:13.204482Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:34:13.210077Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-08.xml b/metadata/glsa/glsa-202209-08.xml
new file mode 100644
index 000000000000..9687477405a8
--- /dev/null
+++ b/metadata/glsa/glsa-202209-08.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-08">
+ <title>Smokeping: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Smokeping, the worst of which could result in root privilege escalation.</synopsis>
+ <product type="ebuild">smokeping</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>631140</bug>
+ <bug>602652</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-analyzer/smokeping" auto="yes" arch="*">
+ <vulnerable range="le">2.7.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Smokeping is a powerful latency measurement tool</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Smokeping. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker which gains access to the smokeping user could gain root privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Smokeping. We recommend that users remove it:</p>
+
+ <code>
+ # emerge --ask --depclean "net-analyzer/smokeping"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-20147">CVE-2017-20147</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:34:27.263575Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:34:27.268533Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202209-09.xml b/metadata/glsa/glsa-202209-09.xml
new file mode 100644
index 000000000000..83bd6e71ede3
--- /dev/null
+++ b/metadata/glsa/glsa-202209-09.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-09">
+ <title>Smarty: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution</synopsis>
+ <product type="ebuild">smarty</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>830980</bug>
+ <bug>845180</bug>
+ <bug>870100</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-php/smarty" auto="yes" arch="*">
+ <unaffected range="ge">4.2.1</unaffected>
+ <vulnerable range="lt">4.2.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Smarty is a template engine for PHP. The "template security" feature of Smarty is designed to help reduce the risk of a system compromise when you have untrusted parties editing templates.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Smarty. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Smarty users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-php/smarty-4.2.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-25047">CVE-2018-25047</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21408">CVE-2021-21408</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-29454">CVE-2021-29454</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29221">CVE-2022-29221</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:34:41.298611Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:34:41.303400Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-10.xml b/metadata/glsa/glsa-202209-10.xml
new file mode 100644
index 000000000000..9e9ae3a3bb95
--- /dev/null
+++ b/metadata/glsa/glsa-202209-10.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-10">
+ <title>Logcheck: Root privilege escalation</title>
+ <synopsis>A vulnerability has been discovered in Logcheck's ebuilds which could allow for root privilege escalation.</synopsis>
+ <product type="ebuild">logcheck</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>630752</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-admin/logcheck" auto="yes" arch="*">
+ <vulnerable range="le">1.3.23</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Logcheck mails anomalies in the system logfiles to the administrator.</p>
+ </background>
+ <description>
+ <p>The pkg_postinst phase of the Logcheck ebuilds recursively chown the /etc/logcheck and /var/lib/logcheck directories. If the logcheck adds hardlinks to other files in these directories, the chown call will follow the link and transfer ownership of any file to the logcheck user.</p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker with access to the logcheck user could escalate to root privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Logcheck. We recommend that users remove it:</p>
+
+ <code>
+ # emerge --ask --depclean "app-admin/logcheck"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-20148">CVE-2017-20148</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:34:57.482832Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:34:57.487714Z">ajak</metadata>
+</glsa>
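Review bot: `<access>remote</access>` in glsa-202209-10.xml disagrees with the impact paragraph a few lines below it, which describes a local attacker who already controls the logcheck user; `<access>local</access>` would match, and it is what the Smokeping advisory in this same commit uses for a similarly worded impact. Anything that filters advisories on the access field would otherwise treat this one as remotely reachable. The description also reads "If the logcheck adds hardlinks", which appears to be missing the word "user", and a chown on a hard link changes the shared inode rather than following a link, so `If the logcheck user adds hard links to other files in these directories, the recursive chown transfers ownership of those files to the logcheck user.` would be more accurate.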
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-11.xml b/metadata/glsa/glsa-202209-11.xml
new file mode 100644
index 000000000000..d1599df5c764
--- /dev/null
+++ b/metadata/glsa/glsa-202209-11.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-11">
+ <title>HarfBuzz: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in HarfBuzz, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">harfbuzz</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>830372</bug>
+ <bug>856049</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/harfbuzz" auto="yes" arch="*">
+ <unaffected range="ge">4.4.0</unaffected>
+ <vulnerable range="lt">4.4.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>HarfBuzz is an OpenType text shaping engine.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in HarfBuzz. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All HarfBuzz users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/harfbuzz-4.4.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45931">CVE-2021-45931</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-33068">CVE-2022-33068</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:35:18.213772Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:35:18.218222Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-12.xml b/metadata/glsa/glsa-202209-12.xml
new file mode 100644
index 000000000000..f7b8e7ebc453
--- /dev/null
+++ b/metadata/glsa/glsa-202209-12.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-12">
+ <title>GRUB: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in GRUB, the worst of which may allow for secureboot bypass.</synopsis>
+ <product type="ebuild">grub</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>850535</bug>
+ <bug>835082</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-boot/grub" auto="yes" arch="*">
+ <unaffected range="ge">2.06</unaffected>
+ <vulnerable range="lt">2.06</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GNU GRUB is a multiboot boot loader used by most Linux systems.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GRUB. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GRUB users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-boot/grub-2.06-r3"
+ </code>
+
+ <p>After upgrading, make sure to run the grub-install command with options appropriate for your system. See the GRUB2 Gentoo Wiki page for directions. Your system will be vulnerable until this action is performed.</p>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3695">CVE-2021-3695</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3696">CVE-2021-3696</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3697">CVE-2021-3697</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3981">CVE-2021-3981</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28733">CVE-2022-28733</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28734">CVE-2022-28734</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28735">CVE-2022-28735</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28736">CVE-2022-28736</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28737">CVE-2022-28737</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:35:30.406656Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:35:30.411250Z">ajak</metadata>
+</glsa>
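Review bot: The affected ranges in glsa-202209-12.xml mark every revision of 2.06 as fixed (`<unaffected range="ge">2.06</unaffected>`, `<vulnerable range="lt">2.06</vulnerable>`), while the resolution tells users to install `>=sys-boot/grub-2.06-r3`. If the fixes only landed in -r3, which the resolution suggests but the hunk does not state, a range-based check would report 2.06 through 2.06-r2 as unaffected; the ranges would then read `<unaffected range="ge">2.06-r3</unaffected>` and `<vulnerable range="lt">2.06-r3</vulnerable>`. The closing paragraph about re-running grub-install describes a step that no version comparison can confirm, so a host can pass the range check and still boot the old image.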
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-13.xml b/metadata/glsa/glsa-202209-13.xml
new file mode 100644
index 000000000000..507d8dd2000e
--- /dev/null
+++ b/metadata/glsa/glsa-202209-13.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-13">
+ <title>libaacplus: Denial of Service</title>
+ <synopsis>Multiple vulnerabilities have been discovered in libaacplus, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">libaacplus</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>618000</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="media-libs/libaacplus" auto="yes" arch="*">
+ <vulnerable range="le">2.0.2-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libaacplus is an HE-AAC+ v2 library, based on the reference implementation.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libaacplus. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued suport for libaacplus. We recommend that users remove it:</p>
+
+ <code>
+ # emerge --ask --depclean "media-libs/libaacplus"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-7603">CVE-2017-7603</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-7604">CVE-2017-7604</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-7605">CVE-2017-7605</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:35:43.192701Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:35:43.197563Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-14.xml b/metadata/glsa/glsa-202209-14.xml
new file mode 100644
index 000000000000..eebe11b4cc67
--- /dev/null
+++ b/metadata/glsa/glsa-202209-14.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-14">
+ <title>Fetchmail: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Fetchmail, the worst of which could result in email disclosure to third parties.</synopsis>
+ <product type="ebuild">fetchmail</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>810676</bug>
+ <bug>804921</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-mail/fetchmail" auto="yes" arch="*">
+ <unaffected range="ge">6.4.22</unaffected>
+ <vulnerable range="lt">6.4.22</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Fetchmail is a remote mail retrieval and forwarding utility.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Fetchmail. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Fetchmail users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.4.22"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36386">CVE-2021-36386</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39272">CVE-2021-39272</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:35:56.538201Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:35:56.542922Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-15.xml b/metadata/glsa/glsa-202209-15.xml
new file mode 100644
index 000000000000..17ecb3f121ef
--- /dev/null
+++ b/metadata/glsa/glsa-202209-15.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-15">
+ <title>Oracle JDK/JRE: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Oracle JDK and JRE, the worst of which could result in the arbitrary execution of code.</synopsis>
+ <product type="ebuild">oracle-jdk-bin,oracle-jre-bin</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>732630</bug>
+ <bug>717638</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/oracle-jdk-bin" auto="yes" arch="*">
+ <vulnerable range="le">11.0.2</vulnerable>
+ </package>
+ <package name="dev-java/oracle-jre-bin" auto="yes" arch="*">
+ <vulnerable range="le">1.8.0.202</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in today's demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that today's applications require.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Oracle's JDK and JRE software suites. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Certain uses of untrusted data by Oracle JDK and JRE could result in arbitrary code execution.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for the Oracle JDK and JRE. We recommend that users remove it, and use dev-java/openjdk, dev-java/openjdk-bin, or dev-java/openjdk-jre-bin instead:</p>
+
+ <code>
+ # emerge --ask --depclean "dev-java/oracle-jre-bin"
+ # emerge --ask --depclean "dev-java/oracle-jdk-bin"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2585">CVE-2020-2585</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2755">CVE-2020-2755</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2756">CVE-2020-2756</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2757">CVE-2020-2757</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2773">CVE-2020-2773</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2781">CVE-2020-2781</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2800">CVE-2020-2800</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2803">CVE-2020-2803</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2805">CVE-2020-2805</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14556">CVE-2020-14556</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14562">CVE-2020-14562</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14573">CVE-2020-14573</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14577">CVE-2020-14577</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14578">CVE-2020-14578</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14579">CVE-2020-14579</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14581">CVE-2020-14581</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14583">CVE-2020-14583</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14593">CVE-2020-14593</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14621">CVE-2020-14621</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14664">CVE-2020-14664</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:36:11.652902Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:36:11.657278Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 56e5fa0002e2..c168cb574c68 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sun, 25 Sep 2022 09:39:58 +0000
+Sun, 25 Sep 2022 15:39:56 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 86aa630a77f5..e8679a795959 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-7771cafe7bc8660946ac9740c02f8106d63660c7 1662520070 2022-09-07T03:07:50+00:00
+2570332a2b988e5bec8319e9b7bcfceb39048f5d 1664114157 2022-09-25T13:55:57+00:00 |