authorV3n3RiX <venerix@koprulu.sector>2024-08-11 11:06:02 +0100
committerV3n3RiX <venerix@koprulu.sector>2024-08-11 11:06:02 +0100
commite93a38d535f2c29b55a5756d2de99425986b0bf3 (patch)
treec0fa85c173d211181d0093e7dc031623e7b8a9a3 /metadata/glsa
parentfbbf0ee3d56a6fd27adf182c6907dc745623aeaa (diff)
gentoo auto-resync : 11:08:2024 - 11:06:01
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin583779 -> 584092 bytes
-rw-r--r--metadata/glsa/glsa-202408-24.xml55
-rw-r--r--metadata/glsa/glsa-202408-25.xml50
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
6 files changed, 122 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index c76376065bf7..e2ef61a24169 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 583779 BLAKE2B f7a6642a36d557b2ff11656e5d2df283be9790dee856fde3df71020545fb0e5bd5078e1c9169112fd27921648ac36346a690f931e6e7698a5f277d90e867dfd7 SHA512 fc75832387cf7e22e9e60c39e8464789c05365093061abbd15f7b7abac14946af8cd70ec339f006eff65dd7ce57af26a9bcd3603bc95aa59e3dc113630acf2fb
-TIMESTAMP 2024-08-10T09:40:26Z
+MANIFEST Manifest.files.gz 584092 BLAKE2B b960ae534eff8fa6db49945007f40508967d9f8cf683f04174765fb5d1312a26cc5646608d3427f99807da6ff4f70b37eb7efd110add784653b5f6c70d58ab92 SHA512 4782a4da8afe0127d919ee8c4cb556cb1558a9d718055dc6bf2234a9b194e2fe866798c6207e59da2ae2b3cb0ac898c26cddd0aec96f25eb42fc5456622627c8
+TIMESTAMP 2024-08-11T09:10:22Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAma3NYpfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAma4f/5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klAtVw//T+btknyxKYOJH3QYReT9fkPb4TyG7tzX+pQmiziY8wtoQA6xhuL9ja8o
-6bFAtYrQqz/UJRaj6075gPtWZYfJ4/BKaKcBdhL26OoRsRAwMpVd6ymgN9Qrvgfd
-6enqg1xSoQgpanGx2mDNSa2jUSFyqG5ybJ0QTH7/QvLgI6zTuMiaQfchP01ZOpj/
-Hdi/bxbjTQpPeEZSBmEMpws7PFUkPFoNQ8Q39x8SkeojMPmmUMN4IqoAI7qidHGV
-B9rTwuLYCXgdBGqDJ27tKZ9nP7VUPlrAYeiu0PFBv9yBL4yGwDuWOoYy8nek68oV
-7nHJ0evbElA8c76/aXPBYuBOGLCYITRY90AFcSCFQqC8Cy08VTElCsa7wVnvuJ9w
-0IoMTe7ALcyuMzsJ98h2GeG+CwVQ/FXIpkslh1/7kUxpL4opRXF05BV/BqDwbTtd
-SwLvyS4jvvgKbazB6LQRUB4nOcT+eQvqH3AN0nl93a3d40Y75mQ0sPKyutpSz9JH
-/GHZjQH1wKuDT1zqswxRQKGOZOVJWOxWBjEyiZ3wIxM4X2kHCMPpQk88m/1Bs8Bs
-wI36fOD6DekwXLStBasn2J31lSt7Fj6UwjpIvautvB181q+y8MilwjmmAtrTG6/t
-B7FbVawKOHsH/5UmJDYFlhLoWWFYjVQdXOgUqgr/ntg33+YMew8=
-=NBcp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+=NBwO
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index bc4e9955b329..e0113a974e93 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202408-24.xml b/metadata/glsa/glsa-202408-24.xml
new file mode 100644
index 000000000000..de8b638d730f
--- /dev/null
+++ b/metadata/glsa/glsa-202408-24.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-24">
+ <title>Ruby on Rails: Remote Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Ruby on Rails, which can lead to remote code execution via serialization of data.</synopsis>
+ <product type="ebuild">rails</product>
+ <announced>2024-08-11</announced>
+ <revised count="1">2024-08-11</revised>
+ <bug>857840</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-ruby/rails" auto="yes" arch="*">
+ <unaffected range="ge" slot="7.0">7.0.3.1</unaffected>
+ <unaffected range="ge" slot="6.1">6.1.6.1</unaffected>
+ <vulnerable range="lt" slot="7.0">7.0.3.1</vulnerable>
+ <vulnerable range="lt" slot="6.1">6.1.6.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ruby on Rails is a free web framework used to develop database-driven web applications.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Ruby on Rails. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.
+
+Impacted Active Record models will look something like this:
+
+class User &lt; ApplicationRecord
+ serialize :options # Vulnerable: Uses YAML for serialization
+ serialize :values, Array # Vulnerable: Uses YAML for serialization
+ serialize :values, JSON # Not vulnerable
+end
+
+The released versions change the default YAML deserializer to use YAML.safe_load, which prevents deserialization of possibly dangerous objects. This may introduce backwards compatibility issues with existing data.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Ruby on Rails users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-ruby/rails-6.1.6.1:6.1"
+ # emerge --ask --oneshot --verbose ">=dev-ruby/rails-7.0.3.1:7.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32224">CVE-2022-32224</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-11T05:35:49.928407Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-11T05:35:49.931387Z">graaff</metadata>
+</glsa> \ No newline at end of file
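Review bot: The `<description>` paragraph says "Multiple vulnerabilities have been discovered in Ruby on Rails", but the synopsis and the single referenced identifier (CVE-2022-32224) describe exactly one issue; it should read `<p>A vulnerability has been discovered in Ruby on Rails. Please review the CVE identifier referenced below for details.</p>` so the advisory is self-consistent. The `<workaround>` section says none is known, yet the impact text itself marks `serialize :values, JSON # Not vulnerable`; if that is accurate, switching affected columns to the JSON coder is a mitigation worth stating, with the caveat that existing YAML-serialized rows must be migrated before the coder is changed. The impact paragraph also has a typo: "in to Ruby objects" should be "into Ruby objects". The DOCTYPE references an external DTD over plain http, which is the existing GLSA convention rather than a new problem, but consumers that parse these files should keep external DTD loading disabled rather than fetch it.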
diff --git a/metadata/glsa/glsa-202408-25.xml b/metadata/glsa/glsa-202408-25.xml
new file mode 100644
index 000000000000..b96b0b374db6
--- /dev/null
+++ b/metadata/glsa/glsa-202408-25.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-25">
+ <title>runc: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in runc, the worst of which could lead to privilege escalation.</synopsis>
+ <product type="ebuild">runc</product>
+ <announced>2024-08-11</announced>
+ <revised count="1">2024-08-11</revised>
+ <bug>828471</bug>
+ <bug>844085</bug>
+ <bug>903079</bug>
+ <bug>923434</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-containers/runc" auto="yes" arch="*">
+ <unaffected range="ge">1.1.12</unaffected>
+ <vulnerable range="lt">1.1.12</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in runc. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All runc users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-containers/runc-1.1.12"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-43784">CVE-2021-43784</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29162">CVE-2022-29162</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25809">CVE-2023-25809</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27561">CVE-2023-27561</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28642">CVE-2023-28642</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-21626">CVE-2024-21626</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-11T05:45:57.598514Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-11T05:45:57.602231Z">graaff</metadata>
+</glsa> \ No newline at end of file
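Review bot: The `<impact>` paragraph only repeats the `<description>` ("Please review the referenced CVE identifiers for details"), so a reader cannot tell which of the six CVEs justifies the synopsis' "privilege escalation" claim or how urgently to schedule the upgrade. It should state at least what the synopsis already asserts and name the driving issue, e.g. `<p>The worst of these issues could allow a process inside a container to escape it and gain elevated privileges on the host; see CVE-2024-21626 in particular.</p>`; CVE-2024-21626 is reported upstream as a container breakout, which should be confirmed against the NVD entry before publishing. Relatedly, `<access>local</access>` deserves a second look: if any listed issue is triggerable from a crafted container image or a container workload, "local" understates who can exploit it.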
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 45325f0ee3fd..ecc5e94eb91b 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 10 Aug 2024 09:40:23 +0000
+Sun, 11 Aug 2024 09:10:18 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index a20abfa97c4f..bffbe71e66a6 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-edaa82dbe986586c12f7d0e15ccfaa2e8c17c4d2 1723279289 2024-08-10T08:41:29Z
+68a8d508cf9f0faa2bd942edbbb2cbf358d169d3 1723355180 2024-08-11T05:46:20Z