gentoo resync : 19.10.2017

author: V3n3RiX <venerix@redcorelinux.org> 2017-10-19 17:57:29 +0100
committer: V3n3RiX <venerix@redcorelinux.org> 2017-10-19 17:57:29 +0100
commit: d473a706836012853193afc7000922601e4ada61 (patch)
tree: 01c43bd6b2121d90bc97ead47dd7654d9402ea1d /metadata/glsa
parent: 420eeee727d39d869d864caddb04a80dafda7160 (diff)
6 files changed, 287 insertions, 2 deletions
diff --git a/metadata/glsa/glsa-201710-17.xml b/metadata/glsa/glsa-201710-17.xml
new file mode 100644
index 000000000000..4aaef6b68378
--- /dev/null
+++ b/metadata/glsa/glsa-201710-17.xml
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201710-17">
+  <title>Xen: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
+    may allow local attackers to escalate privileges.
+  </synopsis>
+  <product type="ebuild">xen</product>
+  <announced>2017-10-18</announced>
+  <revised>2017-10-18: 1</revised>
+  <bug>624112</bug>
+  <bug>624116</bug>
+  <bug>624118</bug>
+  <bug>624124</bug>
+  <bug>624128</bug>
+  <access>local</access>
+  <affected>
+    <package name="app-emulation/xen" auto="yes" arch="*">
+      <unaffected range="ge">4.7.3</unaffected>
+      <vulnerable range="lt">4.7.3</vulnerable>
+    </package>
+    <package name="app-emulation/xen-pvgrub" auto="yes" arch="*">
+      <unaffected range="ge">4.7.3</unaffected>
+      <vulnerable range="lt">4.7.3</vulnerable>
+    </package>
+    <package name="app-emulation/xen-tools" auto="yes" arch="*">
+      <unaffected range="ge">4.7.3</unaffected>
+      <vulnerable range="lt">4.7.3</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Xen is a bare-metal hypervisor.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Xen. Please review the
+      referenced CVE identifiers for details.
+    </p>
+  </description>
+  <impact type="high">
+    <p>A local attacker could escalate privileges, cause a Denial of Service
+      condition, obtain sensitive information, or have other unspecified
+      impacts.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Xen users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.7.3"
+    </code>
+    
+    <p>All Xen pvgrub users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-pvgrub-4.7.3"
+    </code>
+    
+    <p>All Xen Tools users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-tools-4.7.3"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10912">
+      CVE-2017-10912
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10913">
+      CVE-2017-10913
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10914">
+      CVE-2017-10914
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10915">
+      CVE-2017-10915
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10918">
+      CVE-2017-10918
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10920">
+      CVE-2017-10920
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10921">
+      CVE-2017-10921
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10922">
+      CVE-2017-10922
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-10-15T20:12:25Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2017-10-18T00:42:15Z">chrisadr</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201710-18.xml b/metadata/glsa/glsa-201710-18.xml
new file mode 100644
index 000000000000..e06ac6f879dc
--- /dev/null
+++ b/metadata/glsa/glsa-201710-18.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201710-18">
+  <title>Ruby: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Ruby, the worst of
+    which could lead to the remote execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">ruby</product>
+  <announced>2017-10-18</announced>
+  <revised>2017-10-18: 1</revised>
+  <bug>605536</bug>
+  <bug>629484</bug>
+  <bug>631034</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-lang/ruby" auto="yes" arch="*">
+      <unaffected range="ge">2.2.8</unaffected>
+      <vulnerable range="lt">2.2.8</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Ruby is an interpreted object-oriented programming language. The
+      elaborate standard library includes an HTTP server (“WEBRick”) and a
+      class for XML parsing (“REXML”).
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Ruby. Please review the
+      referenced CVE identifiers for details.
+    </p>
+    
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could execute arbitrary code, cause a Denial of
+      Service condition, or obtain sensitive information.
+    </p>
+    
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Ruby users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-lang/ruby-2.2.8"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2337">
+      CVE-2016-2337
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0898">
+      CVE-2017-0898
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10784">
+      CVE-2017-10784
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14033">
+      CVE-2017-14033
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14064">
+      CVE-2017-14064
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-10-17T23:47:57Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2017-10-18T00:53:55Z">chrisadr</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201710-19.xml b/metadata/glsa/glsa-201710-19.xml
new file mode 100644
index 000000000000..26dcefc9ce44
--- /dev/null
+++ b/metadata/glsa/glsa-201710-19.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201710-19">
+  <title>libarchive: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in libarchive, the worst
+    of which could lead to a Denial of Service condition.
+  </synopsis>
+  <product type="ebuild">libarchive</product>
+  <announced>2017-10-18</announced>
+  <revised>2017-10-18: 1</revised>
+  <bug>618026</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-arch/libarchive" auto="yes" arch="*">
+      <unaffected range="ge">3.3.0</unaffected>
+      <vulnerable range="lt">3.3.0</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>libarchive is a library for manipulating different streaming archive
+      formats, including certain tar variants, several cpio formats, and both
+      BSD and GNU ar variants.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in libarchive. Please
+      review the referenced CVE identifiers for details.
+    </p>
+    
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, via a specially crafted file, could possibly cause a
+      Denial of Service condition.
+    </p>
+    
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All libarchive users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-arch/libarchive-3.3.0"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10349">
+      CVE-2016-10349
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10350">
+      CVE-2016-10350
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-10-15T13:35:50Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2017-10-18T00:58:52Z">chrisadr</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201710-20.xml b/metadata/glsa/glsa-201710-20.xml
new file mode 100644
index 000000000000..d7af0c0ae9c4
--- /dev/null
+++ b/metadata/glsa/glsa-201710-20.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201710-20">
+  <title>Nagios: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Nagios, the worst of
+    which could lead to the remote execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">nagios</product>
+  <announced>2017-10-18</announced>
+  <revised>2017-10-18: 1</revised>
+  <bug>602216</bug>
+  <bug>628086</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="net-analyzer/nagios-core" auto="yes" arch="*">
+      <unaffected range="ge">4.3.3</unaffected>
+      <vulnerable range="lt">4.3.3</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Nagios is an open source host, service and network monitoring program.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Nagios. Please review
+      the referenced CVE identifiers for details.
+    </p>
+    
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly escalate privileges to root, thus
+      allowing the execution of arbitrary code, by leveraging CVE-2016-9565. 
+      Additionally, a local attacker could cause a Denial of Service condition
+      against arbitrary processes due to the improper dropping of privileges.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Nagios users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-analyzer/nagios-core-4.3.3"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9565">
+      CVE-2016-9565
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9566">
+      CVE-2016-9566
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12847">
+      CVE-2017-12847
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-10-02T06:35:45Z">BlueKnight</metadata>
+  <metadata tag="submitter" timestamp="2017-10-18T01:17:41Z">chrisadr</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 7abd667dd6de..d30b64b3c6de 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Tue, 17 Oct 2017 16:08:56 +0000
+Thu, 19 Oct 2017 16:09:11 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index a05cb7436324..5e2249358c83 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-f5081800804d6a1f4598cbc03e5a8f2664f6a070 1508098974 2017-10-15T20:22:54+00:00
+8c9b32528b910251b1fe3992838c97ba223db5d7 1508289507 2017-10-18T01:18:27+00:00
author	V3n3RiX <venerix@redcorelinux.org>	2017-10-19 17:57:29 +0100
committer	V3n3RiX <venerix@redcorelinux.org>	2017-10-19 17:57:29 +0100
commit	d473a706836012853193afc7000922601e4ada61 (patch)
tree	01c43bd6b2121d90bc97ead47dd7654d9402ea1d /metadata/glsa
parent	420eeee727d39d869d864caddb04a80dafda7160 (diff)