diff options
Diffstat (limited to 'metadata/glsa')
46 files changed, 2357 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index b41a986f64dd..c76376065bf7 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 577111 BLAKE2B 0cdb2f4b37d989ec4779ab2668429fad6726d0f8262d3b4c3b6e33e9dc73ed0cef5a69d0d12e69f34f1ea8a92d72ef9e77fd098a8c9f70b001120570e5caedac SHA512 8633861ca75b10437b48ae2c2f704cd739ad0c965fd468529f3c4310836c613f1c2c3a3a0e31e8cc9f53f73bed636d933165206a4bbd67d96bc5e4ca6bcd4b36 -TIMESTAMP 2024-07-04T06:40:42Z +MANIFEST Manifest.files.gz 583779 BLAKE2B f7a6642a36d557b2ff11656e5d2df283be9790dee856fde3df71020545fb0e5bd5078e1c9169112fd27921648ac36346a690f931e6e7698a5f277d90e867dfd7 SHA512 fc75832387cf7e22e9e60c39e8464789c05365093061abbd15f7b7abac14946af8cd70ec339f006eff65dd7ce57af26a9bcd3603bc95aa59e3dc113630acf2fb +TIMESTAMP 2024-08-10T09:40:26Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmaGQ+pfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAma3NYpfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klAFSw//RkaTE3/KMovSf3ut7F091ch9KM6AAxYHYK36kgV1hRPgjONbYg8Rtn+S -PtUIRIUP+mcGOQ2gV+YzRepQuEJ8bSmTJTp4PtMPL98vXFdmMxK3RovqfWy65xhx -4ZrwUR68Wu7SqVOEES085sgVsP7H6lUACABprJHq1lKx97zqP2J/+g5q0DU9svE1 -GfyJAHAYYV6N34FQ49Tcjif6M9mh1/1G7Ne20kRoYhsxYquZgS17IxNvmBOk7xMr -+RJ6JqG1bvjXo32fhgKI1EJS8uE5+hnIBtx52lnyqeKVOLs9hhAXbNgtgHDNNXpS -cpZgmGligLmt7lzZrZ9fLvDJbgA0ZggSk8Zb/FK9JGG0NsDfk49Ms3dvom1XjXa4 -B/2N/HNOSo4CT9avS72Kjjz/BfXR5Y2wrW4f8JKL9WoTGbC3LFRNam1BU4U3Vtb+ -40zX4lsmS6TCYRq1oXlBQq3wS+pvkZ7jW1R07EvunY+w/v9SnsS0z9Z+ISrsZDZ1 -eZgFl3mphsy3GiCjTe6RnYOuPUPWqaBPq1+W8IaCrdQ8Mm13P8Q/sO+HT1i1qVm0 -FJgBodkn4ck0snbz0ruL5iweUulVXq0YNNUL+n9u0wV0x/73u/niZ/YXV+vAwIaK -CuB9yPhqeGI9ZfTCia9wo3/vBgRH1X4EVRqg4WPaeHYhOV0g08s= -=MRAW +klAtVw//T+btknyxKYOJH3QYReT9fkPb4TyG7tzX+pQmiziY8wtoQA6xhuL9ja8o +6bFAtYrQqz/UJRaj6075gPtWZYfJ4/BKaKcBdhL26OoRsRAwMpVd6ymgN9Qrvgfd +6enqg1xSoQgpanGx2mDNSa2jUSFyqG5ybJ0QTH7/QvLgI6zTuMiaQfchP01ZOpj/ +Hdi/bxbjTQpPeEZSBmEMpws7PFUkPFoNQ8Q39x8SkeojMPmmUMN4IqoAI7qidHGV +B9rTwuLYCXgdBGqDJ27tKZ9nP7VUPlrAYeiu0PFBv9yBL4yGwDuWOoYy8nek68oV +7nHJ0evbElA8c76/aXPBYuBOGLCYITRY90AFcSCFQqC8Cy08VTElCsa7wVnvuJ9w +0IoMTe7ALcyuMzsJ98h2GeG+CwVQ/FXIpkslh1/7kUxpL4opRXF05BV/BqDwbTtd +SwLvyS4jvvgKbazB6LQRUB4nOcT+eQvqH3AN0nl93a3d40Y75mQ0sPKyutpSz9JH +/GHZjQH1wKuDT1zqswxRQKGOZOVJWOxWBjEyiZ3wIxM4X2kHCMPpQk88m/1Bs8Bs +wI36fOD6DekwXLStBasn2J31lSt7Fj6UwjpIvautvB181q+y8MilwjmmAtrTG6/t +B7FbVawKOHsH/5UmJDYFlhLoWWFYjVQdXOgUqgr/ntg33+YMew8= +=NBcp -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 155603e718a5..bc4e9955b329 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202407-10.xml b/metadata/glsa/glsa-202407-10.xml new file mode 100644 index 000000000000..980308027fef --- /dev/null +++ b/metadata/glsa/glsa-202407-10.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-10"> + <title>Sofia-SIP: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Sofia-SIP, the worst of which can lead to remote code execution.</synopsis> + <product type="ebuild">sofia-sip</product> + <announced>2024-07-05</announced> + <revised count="1">2024-07-05</revised> + <bug>891791</bug> + <access>remote</access> + <affected> + <package name="net-libs/sofia-sip" auto="yes" arch="*"> + <vulnerable range="lt">1.13.16</vulnerable> + </package> + </affected> + <background> + <p>Sofia-SIP is an RFC3261 compliant SIP User-Agent library.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Sofia-SIP. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Multiple vulnerabilities have been discovered in Sofia-SIP. Please review the CVE identifiers referenced below for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>Gentoo has discontinued support for the Sofia-SIP package. We recommend that users unmerge it:</p> + + <code> + # emerge --ask --depclean "net-libs/sofia-sip" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22741">CVE-2023-22741</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32307">CVE-2023-32307</uri> + </references> + <metadata tag="requester" timestamp="2024-07-05T06:01:03.002442Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-05T06:01:03.007447Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-11.xml b/metadata/glsa/glsa-202407-11.xml new file mode 100644 index 000000000000..247f229724a1 --- /dev/null +++ b/metadata/glsa/glsa-202407-11.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-11"> + <title>PuTTY: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in PuTTY, the worst of which could lead to compromised keys.</synopsis> + <product type="ebuild">putty</product> + <announced>2024-07-05</announced> + <revised count="1">2024-07-05</revised> + <bug>920304</bug> + <bug>930082</bug> + <access>remote</access> + <affected> + <package name="net-misc/putty" auto="yes" arch="*"> + <unaffected range="ge">0.81</unaffected> + <vulnerable range="lt">0.81</vulnerable> + </package> + </affected> + <background> + <p>PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in PuTTY. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PuTTY users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/putty-0.81" + </code> + + <p>In addition, any keys generated with PuTTY versions 0.68 to 0.80 should be considered breached and should be regenerated.</p> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-48795">CVE-2023-48795</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-31497">CVE-2024-31497</uri> + </references> + <metadata tag="requester" timestamp="2024-07-05T06:43:24.794955Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-05T06:43:24.797373Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-12.xml b/metadata/glsa/glsa-202407-12.xml new file mode 100644 index 000000000000..4834b8028c6e --- /dev/null +++ b/metadata/glsa/glsa-202407-12.xml @@ -0,0 +1,56 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-12"> + <title>podman: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Podman, the worst of which could lead to privilege escalation.</synopsis> + <product type="ebuild">podman</product> + <announced>2024-07-05</announced> + <revised count="1">2024-07-05</revised> + <bug>829896</bug> + <bug>870931</bug> + <bug>896372</bug> + <bug>921290</bug> + <bug>923751</bug> + <bug>927500</bug> + <bug>927501</bug> + <access>local</access> + <affected> + <package name="app-containers/podman" auto="yes" arch="*"> + <unaffected range="ge">4.9.4</unaffected> + <vulnerable range="lt">4.9.4</vulnerable> + </package> + </affected> + <background> + <p>Podman is a tool for managing OCI containers and pods with a Docker-compatible CLI.</p> + </background> + <description> + <p>Please review the referenced CVE identifiers for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Podman users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-containers/podman-4.9.4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4024">CVE-2021-4024</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2989">CVE-2022-2989</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0778">CVE-2023-0778</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-48795">CVE-2023-48795</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1753">CVE-2024-1753</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23651">CVE-2024-23651</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23652">CVE-2024-23652</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23653">CVE-2024-23653</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24786">CVE-2024-24786</uri> + </references> + <metadata tag="requester" timestamp="2024-07-05T07:05:25.139225Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-05T07:05:25.142869Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-13.xml b/metadata/glsa/glsa-202407-13.xml new file mode 100644 index 000000000000..d988629f655d --- /dev/null +++ b/metadata/glsa/glsa-202407-13.xml @@ -0,0 +1,64 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-13"> + <title>WebKitGTK+: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in WebKitGTK+, the worst of which could lead to arbitrary code execution</synopsis> + <product type="ebuild">webkit-gtk</product> + <announced>2024-07-05</announced> + <revised count="1">2024-07-05</revised> + <bug>923851</bug> + <bug>930116</bug> + <access>local and remote</access> + <affected> + <package name="net-libs/webkit-gtk" auto="yes" arch="*"> + <unaffected range="ge" slot="4">2.44.0</unaffected> + <unaffected range="ge" slot="4.1">2.44.0</unaffected> + <unaffected range="ge" slot="6">2.44.0</unaffected> + <vulnerable range="lt" slot="4">2.44.0</vulnerable> + <vulnerable range="lt" slot="4.1">2.44.0</vulnerable> + <vulnerable range="lt" slot="6">2.44.0</vulnerable> + </package> + </affected> + <background> + <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All WebKitGTK+ users should upgrade to the latest version (depending on the installed slots):</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:4" + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:4.1" + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:6" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1745">CVE-2014-1745</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40414">CVE-2023-40414</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42833">CVE-2023-42833</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42843">CVE-2023-42843</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42950">CVE-2023-42950</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42956">CVE-2023-42956</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23206">CVE-2024-23206</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23213">CVE-2024-23213</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23222">CVE-2024-23222</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23252">CVE-2024-23252</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23254">CVE-2024-23254</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23263">CVE-2024-23263</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23280">CVE-2024-23280</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23284">CVE-2024-23284</uri> + <uri link="https://webkitgtk.org/security/WSA-2024-0001.html">WSA-2024-0001</uri> + <uri link="https://webkitgtk.org/security/WSA-2024-0002.html">WSA-2024-0002</uri> + </references> + <metadata tag="requester" timestamp="2024-07-05T07:33:55.537227Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-05T07:33:55.540478Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-14.xml b/metadata/glsa/glsa-202407-14.xml new file mode 100644 index 000000000000..4037c006b564 --- /dev/null +++ b/metadata/glsa/glsa-202407-14.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-14"> + <title>TigerVNC: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in TigerVNC, the worst of which could lead to remote code execution.</synopsis> + <product type="ebuild">tigervnc</product> + <announced>2024-07-05</announced> + <revised count="1">2024-07-05</revised> + <bug>700464</bug> + <access>remote</access> + <affected> + <package name="net-misc/tigervnc" auto="yes" arch="*"> + <unaffected range="ge">1.12.0-r2</unaffected> + <vulnerable range="lt">1.12.0-r2</vulnerable> + </package> + </affected> + <background> + <p>TigerVNC is a high-performance VNC server/client.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in TigerVNC. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All TigerVNC users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/tigervnc-1.12.0-r2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15691">CVE-2019-15691</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15692">CVE-2019-15692</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15694">CVE-2019-15694</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15695">CVE-2019-15695</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26117">CVE-2020-26117</uri> + </references> + <metadata tag="requester" timestamp="2024-07-05T08:04:14.901340Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-05T08:04:14.904899Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-15.xml b/metadata/glsa/glsa-202407-15.xml new file mode 100644 index 000000000000..fc4f96ecc7e3 --- /dev/null +++ b/metadata/glsa/glsa-202407-15.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-15"> + <title>GraphicsMagick: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in GraphicsMagick, the worst of which could lead to arbitrary code execution.</synopsis> + <product type="ebuild">graphicsmagick</product> + <announced>2024-07-05</announced> + <revised count="1">2024-07-05</revised> + <bug>888545</bug> + <bug>890851</bug> + <access>local</access> + <affected> + <package name="media-gfx/graphicsmagick" auto="yes" arch="*"> + <unaffected range="ge">1.3.40</unaffected> + <vulnerable range="lt">1.3.40</vulnerable> + </package> + </affected> + <background> + <p>GraphicsMagick is a collection of tools and libraries which support reading, writing, and manipulating images in many major formats.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in GraphicsMagick. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GraphicsMagick users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.3.40" + </code> + </resolution> + <references> + </references> + <metadata tag="requester" timestamp="2024-07-05T08:23:55.078128Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-05T08:23:55.084776Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-16.xml b/metadata/glsa/glsa-202407-16.xml new file mode 100644 index 000000000000..e586167715d3 --- /dev/null +++ b/metadata/glsa/glsa-202407-16.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-16"> + <title>GNU Coreutils: Buffer Overflow Vulnerability</title> + <synopsis>A vulnerability has been discovered in Coreutils, which can lead to a heap buffer overflow and possibly aribitrary code execution.</synopsis> + <product type="ebuild">coreutils</product> + <announced>2024-07-05</announced> + <revised count="1">2024-07-05</revised> + <bug>922474</bug> + <access>local</access> + <affected> + <package name="sys-apps/coreutils" auto="yes" arch="*"> + <unaffected range="ge">9.4-r1</unaffected> + <vulnerable range="lt">9.4-r1</vulnerable> + </package> + </affected> + <background> + <p>The GNU Core Utilities are the basic file, shell and text manipulation utilities of the GNU operating system.</p> + </background> + <description> + <p>A vulnerability has been discovered in the Coreutils "split" program that can lead to a heap buffer overflow and possibly arbitrary code execution.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Coreutils users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/coreutils-9.4-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0684">CVE-2024-0684</uri> + </references> + <metadata tag="requester" timestamp="2024-07-05T09:26:36.559921Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-05T09:26:36.562608Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-17.xml b/metadata/glsa/glsa-202407-17.xml new file mode 100644 index 000000000000..ce7d5704e671 --- /dev/null +++ b/metadata/glsa/glsa-202407-17.xml @@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-17"> + <title>BusyBox: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in BusyBox, the worst of which could lead to arbitrary code execution.</synopsis> + <product type="ebuild">busybox</product> + <announced>2024-07-05</announced> + <revised count="1">2024-07-05</revised> + <bug>824222</bug> + <access>local</access> + <affected> + <package name="sys-apps/busybox" auto="yes" arch="*"> + <unaffected range="ge">1.34.0</unaffected> + <vulnerable range="lt">1.34.0</vulnerable> + </package> + </affected> + <background> + <p>BusyBox is set of tools for embedded systems and is a replacement for GNU Coreutils.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in BusyBox. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All BusyBox users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.34.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42373">CVE-2021-42373</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42374">CVE-2021-42374</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42375">CVE-2021-42375</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42376">CVE-2021-42376</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42377">CVE-2021-42377</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42378">CVE-2021-42378</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42379">CVE-2021-42379</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42380">CVE-2021-42380</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42381">CVE-2021-42381</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42382">CVE-2021-42382</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42383">CVE-2021-42383</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42384">CVE-2021-42384</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42385">CVE-2021-42385</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42386">CVE-2021-42386</uri> + </references> + <metadata tag="requester" timestamp="2024-07-05T09:49:36.081859Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-05T09:49:36.086656Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-18.xml b/metadata/glsa/glsa-202407-18.xml new file mode 100644 index 000000000000..ea2c242f8af4 --- /dev/null +++ b/metadata/glsa/glsa-202407-18.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-18"> + <title>Stellarium: Arbitrary File Write</title> + <synopsis>A vulnerability has been discovered in Stellarium, which can lead to arbitrary file writes.</synopsis> + <product type="ebuild">stellarium</product> + <announced>2024-07-05</announced> + <revised count="1">2024-07-05</revised> + <bug>905300</bug> + <access>local and remote</access> + <affected> + <package name="sci-astronomy/stellarium" auto="yes" arch="*"> + <unaffected range="ge">23.1</unaffected> + <vulnerable range="lt">23.1</vulnerable> + </package> + </affected> + <background> + <p>Stellarium is a free open source planetarium for your computer. It shows a realistic sky in 3D, just like what you see with the naked eye, binoculars or a telescope.</p> + </background> + <description> + <p>A vulnerability has been discovered in Stellarium. Please review the CVE identifier referenced below for details.</p> + </description> + <impact type="normal"> + <p>Attackers can write to files that are typically unintended, such as ones with absolute pathnames or .. directory traversal.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Stellarium users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-astronomy/stellarium-23.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28371">CVE-2023-28371</uri> + </references> + <metadata tag="requester" timestamp="2024-07-05T17:31:39.463505Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-05T17:31:39.467808Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-19.xml b/metadata/glsa/glsa-202407-19.xml new file mode 100644 index 000000000000..2c2a7294893a --- /dev/null +++ b/metadata/glsa/glsa-202407-19.xml @@ -0,0 +1,59 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-19"> + <title>Mozilla Thunderbird: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution.</synopsis> + <product type="ebuild">thunderbird,thunderbird-bin</product> + <announced>2024-07-06</announced> + <revised count="1">2024-07-06</revised> + <bug>932375</bug> + <access>remote</access> + <affected> + <package name="mail-client/thunderbird" auto="yes" arch="*"> + <unaffected range="ge">115.11.0</unaffected> + <vulnerable range="lt">115.11.0</vulnerable> + </package> + <package name="mail-client/thunderbird-bin" auto="yes" arch="*"> + <unaffected range="ge">115.11.0</unaffected> + <vulnerable range="lt">115.11.0</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla Thunderbird binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.11.0" + </code> + + <p>All Mozilla Thunderbird users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.11.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2609">CVE-2024-2609</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3302">CVE-2024-3302</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3854">CVE-2024-3854</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3857">CVE-2024-3857</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3859">CVE-2024-3859</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3861">CVE-2024-3861</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3864">CVE-2024-3864</uri> + </references> + <metadata tag="requester" timestamp="2024-07-06T06:14:39.955147Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-06T06:14:39.959045Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-20.xml b/metadata/glsa/glsa-202407-20.xml new file mode 100644 index 000000000000..84856ba8345c --- /dev/null +++ b/metadata/glsa/glsa-202407-20.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-20"> + <title>KDE Plasma Workspaces: Privilege Escalation</title> + <synopsis>A vulnerability has been discovered in KDE Plasma Workspaces, which can lead to privilege escalation.</synopsis> + <product type="ebuild">plasma-workspace</product> + <announced>2024-07-06</announced> + <revised count="1">2024-07-06</revised> + <bug>933342</bug> + <access>remote</access> + <affected> + <package name="kde-plasma/plasma-workspace" auto="yes" arch="*"> + <unaffected range="ge">5.27.11.1</unaffected> + <vulnerable range="lt">5.27.11.1</vulnerable> + </package> + </affected> + <background> + <p>KDE Plasma workspace is a widget based desktop environment designed to be fast and efficient.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in KDE Plasma Workspaces. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE
+based purely on the host, allowing all local connections. This allows
+another user on the same machine to gain access to the session
+manager.
+
+A well crafted client could use the session restore feature to execute
+arbitrary code as the user on the next boot.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All KDE Plasma Workspaces users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-plasma/plasma-workspace-5.27.11.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-36041">CVE-2024-36041</uri> + </references> + <metadata tag="requester" timestamp="2024-07-06T06:45:04.101679Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-06T06:45:04.105556Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-21.xml b/metadata/glsa/glsa-202407-21.xml new file mode 100644 index 000000000000..12c0a2e5a2ed --- /dev/null +++ b/metadata/glsa/glsa-202407-21.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-21"> + <title>X.Org X11 library: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in the X.Org X11 library, the worst of which could lead to a denial of service.</synopsis> + <product type="ebuild">libX11</product> + <announced>2024-07-06</announced> + <revised count="1">2024-07-06</revised> + <bug>877461</bug> + <bug>908549</bug> + <bug>915129</bug> + <access>remote</access> + <affected> + <package name="x11-libs/libX11" auto="yes" arch="*"> + <unaffected range="ge">1.8.7</unaffected> + <vulnerable range="lt">1.8.7</vulnerable> + </package> + </affected> + <background> + <p>X.Org is an implementation of the X Window System. The X.Org X11 library provides the X11 protocol library files.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in X.Org X11 library. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All X.Org X11 library users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libX11-1.8.7" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3554">CVE-2022-3554</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3555">CVE-2022-3555</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3138">CVE-2023-3138</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43785">CVE-2023-43785</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43786">CVE-2023-43786</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43787">CVE-2023-43787</uri> + </references> + <metadata tag="requester" timestamp="2024-07-06T06:46:25.255732Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-06T06:46:25.259127Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-22.xml b/metadata/glsa/glsa-202407-22.xml new file mode 100644 index 000000000000..10eb68b46743 --- /dev/null +++ b/metadata/glsa/glsa-202407-22.xml @@ -0,0 +1,72 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-22"> + <title>Mozilla Firefox: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could arbitrary code execution.</synopsis> + <product type="ebuild">firefox,firefox-bin</product> + <announced>2024-07-06</announced> + <revised count="1">2024-07-06</revised> + <bug>927559</bug> + <access>remote</access> + <affected> + <package name="www-client/firefox" auto="yes" arch="*"> + <unaffected range="ge" slot="rapid">124.0.1</unaffected> + <unaffected range="ge" slot="esr">115.9.1</unaffected> + <vulnerable range="lt" slot="rapid">124.0.1</vulnerable> + <vulnerable range="lt" slot="esr">115.9.1</vulnerable> + </package> + <package name="www-client/firefox-bin" auto="yes" arch="*"> + <unaffected range="ge" slot="rapid">124.0.1</unaffected> + <unaffected range="ge" slot="esr">115.9.1</unaffected> + <vulnerable range="lt" slot="rapid">124.0.1</vulnerable> + <vulnerable range="lt" slot="esr">115.9.1</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla Firefox binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-124.0.1" + </code> + + <p>All Mozilla Firefox users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-124.0.1:rapid" + </code> + + <p>All Mozilla Firefox ESR users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-115.9.1:esr" + </code> + + <p>All Mozilla Firefox ESR binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.9.1:esr" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-29943">CVE-2024-29943</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-29944">CVE-2024-29944</uri> + </references> + <metadata tag="requester" timestamp="2024-07-06T07:11:46.269314Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-06T07:11:46.272380Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-23.xml b/metadata/glsa/glsa-202407-23.xml new file mode 100644 index 000000000000..3015033820b0 --- /dev/null +++ b/metadata/glsa/glsa-202407-23.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-23"> + <title>LIVE555 Media Server: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in LIVE555 Media Server, the worst of which could lead to a denial of service.</synopsis> + <product type="ebuild">live</product> + <announced>2024-07-09</announced> + <revised count="1">2024-07-09</revised> + <bug>732598</bug> + <bug>807622</bug> + <access>local and remote</access> + <affected> + <package name="media-plugins/live" auto="yes" arch="*"> + <unaffected range="ge">2021.08.24</unaffected> + <vulnerable range="lt">2021.08.24</vulnerable> + </package> + </affected> + <background> + <p>LIVE555 Media Server is a set of libraries for multimedia streaming.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in LIVE555 Media Server. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All LIVE555 Media Server users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-plugins/live-2021.08.24" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-24027">CVE-2020-24027</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38380">CVE-2021-38380</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38381">CVE-2021-38381</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38382">CVE-2021-38382</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39282">CVE-2021-39282</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39283">CVE-2021-39283</uri> + </references> + <metadata tag="requester" timestamp="2024-07-09T13:09:03.649511Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-09T13:09:03.653871Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-24.xml b/metadata/glsa/glsa-202407-24.xml new file mode 100644 index 000000000000..118703bb07d5 --- /dev/null +++ b/metadata/glsa/glsa-202407-24.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-24"> + <title>HarfBuzz: Denial of Service</title> + <synopsis>A vulnerability has been discovered in HarfBuzz, which can lead to a denial of service.</synopsis> + <product type="ebuild">harfbuzz</product> + <announced>2024-07-10</announced> + <revised count="1">2024-07-10</revised> + <bug>905310</bug> + <access>local</access> + <affected> + <package name="media-libs/harfbuzz" auto="yes" arch="*"> + <unaffected range="ge">7.1.0</unaffected> + <vulnerable range="lt">7.1.0</vulnerable> + </package> + </affected> + <background> + <p>HarfBuzz is an OpenType text shaping engine.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in HarfBuzz. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>hb-ot-layout-gsubgpos.hh in HarfBuzz allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All HarfBuzz users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/harfbuzz-7.1.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22006">CVE-2023-22006</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22036">CVE-2023-22036</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22041">CVE-2023-22041</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22044">CVE-2023-22044</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22045">CVE-2023-22045</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22049">CVE-2023-22049</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25193">CVE-2023-25193</uri> + </references> + <metadata tag="requester" timestamp="2024-07-10T06:11:01.173024Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-10T06:11:01.176040Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-25.xml b/metadata/glsa/glsa-202407-25.xml new file mode 100644 index 000000000000..4b13514271a9 --- /dev/null +++ b/metadata/glsa/glsa-202407-25.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-25"> + <title>Buildah: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Buildah, the worst of which could lead to privilege escalation.</synopsis> + <product type="ebuild">buildah</product> + <announced>2024-07-10</announced> + <revised count="1">2024-07-10</revised> + <bug>923650</bug> + <bug>927499</bug> + <bug>927502</bug> + <access>local</access> + <affected> + <package name="app-containers/buildah" auto="yes" arch="*"> + <unaffected range="ge">1.35.3</unaffected> + <vulnerable range="lt">1.35.3</vulnerable> + </package> + </affected> + <background> + <p>Buildah is a tool that facilitates building Open Container Initiative (OCI) container images</p> + </background> + <description> + <p>Please review the referenced CVE identifiers for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Buildah users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-containers/buildah-1.35.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1753">CVE-2024-1753</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23651">CVE-2024-23651</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23652">CVE-2024-23652</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23653">CVE-2024-23653</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24786">CVE-2024-24786</uri> + </references> + <metadata tag="requester" timestamp="2024-07-10T06:35:05.025996Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-10T06:35:05.030840Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-26.xml b/metadata/glsa/glsa-202407-26.xml new file mode 100644 index 000000000000..8c4b0b7ae73a --- /dev/null +++ b/metadata/glsa/glsa-202407-26.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-26"> + <title>Dmidecode: Privilege Escalation</title> + <synopsis>A vulnerability has been discovered in Dmidecode, which can lead to privilege escalation.</synopsis> + <product type="ebuild">dmidecode</product> + <announced>2024-07-24</announced> + <revised count="1">2024-07-24</revised> + <bug>905093</bug> + <access>local</access> + <affected> + <package name="sys-apps/dmidecode" auto="yes" arch="*"> + <unaffected range="ge">3.5</unaffected> + <vulnerable range="lt">3.5</vulnerable> + </package> + </affected> + <background> + <p>Dmidecode reports information about your system's hardware as described in your system BIOS according to the SMBIOS/DMI standard (see a sample output). This information typically includes system manufacturer, model name, serial number, BIOS version, asset tag as well as a lot of other details of varying level of interest and reliability depending on the manufacturer. This will often include usage status for the CPU sockets, expansion slots (e.g. AGP, PCI, ISA) and memory module slots, and the list of I/O ports (e.g. serial, parallel, USB).</p> + </background> + <description> + <p>Dmidecode -dump-bin can overwrite a local file. This has security relevance because, for example, execution of Dmidecode via sudo is plausible.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifier for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Dmidecode users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/dmidecode-3.5" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30630">CVE-2023-30630</uri> + </references> + <metadata tag="requester" timestamp="2024-07-24T06:06:10.030561Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-24T06:06:10.033680Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-27.xml b/metadata/glsa/glsa-202407-27.xml new file mode 100644 index 000000000000..8848a48c5463 --- /dev/null +++ b/metadata/glsa/glsa-202407-27.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-27"> + <title>ExifTool: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in ExifTool, the worst of which could lead to arbitrary code execution.</synopsis> + <product type="ebuild">exiftool</product> + <announced>2024-07-24</announced> + <revised count="1">2024-07-24</revised> + <bug>785667</bug> + <bug>791397</bug> + <bug>803317</bug> + <bug>832033</bug> + <access>local</access> + <affected> + <package name="media-libs/exiftool" auto="yes" arch="*"> + <unaffected range="ge">12.42</unaffected> + <vulnerable range="lt">12.42</vulnerable> + </package> + </affected> + <background> + <p>ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in ExifTool. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ExifTool users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/exiftool-12.42" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22204">CVE-2021-22204</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23935">CVE-2022-23935</uri> + </references> + <metadata tag="requester" timestamp="2024-07-24T06:08:31.681636Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-24T06:08:31.685111Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202407-28.xml b/metadata/glsa/glsa-202407-28.xml new file mode 100644 index 000000000000..67adc3da0912 --- /dev/null +++ b/metadata/glsa/glsa-202407-28.xml @@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202407-28"> + <title>Freenet: Deanonymization Vulnerability</title> + <synopsis>A vulnerability has been discovered in Freenet, which can lead to deanonymization due to path folding.</synopsis> + <product type="ebuild">freenet</product> + <announced>2024-07-24</announced> + <revised count="1">2024-07-24</revised> + <bug>904441</bug> + <access>remote</access> + <affected> + <package name="net-p2p/freenet" auto="yes" arch="*"> + <unaffected range="ge">0.7.5_p1497</unaffected> + <vulnerable range="lt">0.7.5_p1497</vulnerable> + </package> + </affected> + <background> + <p>Freenet is an encrypted network without censorship.</p> + </background> + <description> + <p>This release fixes a severe vulnerability in path folding that allowed
+to distinguish between downloaders and forwarders with an adapted
+node that is directly connected via opennet.</p> + </description> + <impact type="normal"> + <p>This release fixes a severe vulnerability in path folding that allowed
+to distinguish between downloaders and forwarders with an adapted
+node that is directly connected via opennet.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Freenet users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/freenet-0.7.5_p1497" + </code> + </resolution> + <references> + </references> + <metadata tag="requester" timestamp="2024-07-24T06:10:44.345056Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-07-24T06:10:44.351516Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-01.xml b/metadata/glsa/glsa-202408-01.xml new file mode 100644 index 000000000000..29248eda12dd --- /dev/null +++ b/metadata/glsa/glsa-202408-01.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-01"> + <title>containerd: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in containerd, the worst of which could lead to privilege escalation.</synopsis> + <product type="ebuild">containerd</product> + <announced>2024-08-06</announced> + <revised count="1">2024-08-06</revised> + <bug>897960</bug> + <access>local</access> + <affected> + <package name="app-containers/containerd" auto="yes" arch="*"> + <unaffected range="ge">1.6.19</unaffected> + <vulnerable range="lt">1.6.19</vulnerable> + </package> + </affected> + <background> + <p>containerd is a daemon with an API and a command line client, to manage containers on one machine. It uses runC to run containers according to the OCI specification.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in containerd. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All containerd users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-containers/containerd-1.6.19" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25153">CVE-2023-25153</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25173">CVE-2023-25173</uri> + </references> + <metadata tag="requester" timestamp="2024-08-06T05:38:04.316179Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-06T05:38:04.318621Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-02.xml b/metadata/glsa/glsa-202408-02.xml new file mode 100644 index 000000000000..52ce5cddf816 --- /dev/null +++ b/metadata/glsa/glsa-202408-02.xml @@ -0,0 +1,110 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-02"> + <title>Mozilla Firefox: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could lead to remote code execution.</synopsis> + <product type="ebuild">firefox,firefox-bin</product> + <announced>2024-08-06</announced> + <revised count="1">2024-08-06</revised> + <bug>930380</bug> + <bug>932374</bug> + <bug>935550</bug> + <access>remote</access> + <affected> + <package name="www-client/firefox" auto="yes" arch="*"> + <unaffected range="ge" slot="rapid">127.0</unaffected> + <unaffected range="ge" slot="esr">115.12.0</unaffected> + <vulnerable range="lt" slot="rapid">127.0</vulnerable> + <vulnerable range="lt" slot="esr">115.12.0</vulnerable> + </package> + <package name="www-client/firefox-bin" auto="yes" arch="*"> + <unaffected range="ge" slot="rapid">127.0</unaffected> + <unaffected range="ge" slot="esr">115.12.0</unaffected> + <vulnerable range="lt" slot="rapid">127.0</vulnerable> + <vulnerable range="lt" slot="esr">115.12.0</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla Firefox binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-127.0:rapid" + </code> + + <p>All Mozilla Firefox users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-127.0:rapid" + </code> + + <p>All Mozilla Firefox ESR users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-115.12.0:esr" + </code> + + <p>All Mozilla Firefox ESR binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.12.0:esr" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2609">CVE-2024-2609</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3302">CVE-2024-3302</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3853">CVE-2024-3853</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3854">CVE-2024-3854</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3855">CVE-2024-3855</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3856">CVE-2024-3856</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3857">CVE-2024-3857</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3858">CVE-2024-3858</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3859">CVE-2024-3859</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3860">CVE-2024-3860</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3861">CVE-2024-3861</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3862">CVE-2024-3862</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3864">CVE-2024-3864</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3865">CVE-2024-3865</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4764">CVE-2024-4764</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4765">CVE-2024-4765</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4766">CVE-2024-4766</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4771">CVE-2024-4771</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4772">CVE-2024-4772</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4773">CVE-2024-4773</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4774">CVE-2024-4774</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4775">CVE-2024-4775</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4776">CVE-2024-4776</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4778">CVE-2024-4778</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5689">CVE-2024-5689</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5693">CVE-2024-5693</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5694">CVE-2024-5694</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5695">CVE-2024-5695</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5696">CVE-2024-5696</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5697">CVE-2024-5697</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5698">CVE-2024-5698</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5699">CVE-2024-5699</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5700">CVE-2024-5700</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5701">CVE-2024-5701</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5702">CVE-2024-5702</uri> + <uri>MFSA-2024-25</uri> + <uri>MFSA-2024-26</uri> + <uri>MFSA-2024-28</uri> + </references> + <metadata tag="requester" timestamp="2024-08-06T05:40:35.041061Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-06T05:40:35.043479Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-03.xml b/metadata/glsa/glsa-202408-03.xml new file mode 100644 index 000000000000..f6ce21719e37 --- /dev/null +++ b/metadata/glsa/glsa-202408-03.xml @@ -0,0 +1,47 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-03"> + <title>libXpm: Multiple Vulnerabilities</title> + <synopsis>Multiple vulberabilities have been discovered in libXpm, the worst of which could lead to a denial of service.</synopsis> + <product type="ebuild">libXpm</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>891209</bug> + <bug>915130</bug> + <access>local</access> + <affected> + <package name="x11-libs/libXpm" auto="yes" arch="*"> + <unaffected range="ge">3.5.17</unaffected> + <vulnerable range="lt">3.5.17</vulnerable> + </package> + </affected> + <background> + <p>The X PixMap image format is an extension of the monochrome X BitMap format specified in the X protocol, and is commonly used in traditional X applications.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in libXpm. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libXpm users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libXpm-3.5.17" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4883">CVE-2022-4883</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44617">CVE-2022-44617</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46285">CVE-2022-46285</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43788">CVE-2023-43788</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43789">CVE-2023-43789</uri> + </references> + <metadata tag="requester" timestamp="2024-08-07T05:22:06.419014Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T05:22:06.422663Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-04.xml b/metadata/glsa/glsa-202408-04.xml new file mode 100644 index 000000000000..ad612f044619 --- /dev/null +++ b/metadata/glsa/glsa-202408-04.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-04"> + <title>Levenshtein: Remote Code Execution</title> + <synopsis>A vulnerability has been discovered in Levenshtein, which could lead to a remote code execution.</synopsis> + <product type="ebuild">Levenshtein</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>766009</bug> + <access>remote</access> + <affected> + <package name="dev-python/Levenshtein" auto="yes" arch="*"> + <unaffected range="ge">0.12.1</unaffected> + <vulnerable range="lt">0.12.1</vulnerable> + </package> + </affected> + <background> + <p>Levenshtein is a Python extension for computing string edit distances and similarities.</p> + </background> + <description> + <p>Fixed handling of numerous possible wraparounds in calculating the size of memory allocations; incorrect handling of which could cause denial of service or even possible remote code execution.</p> + </description> + <impact type="normal"> + <p>Fixed handling of numerous possible wraparounds in calculating the size of memory allocations; incorrect handling of which could cause denial of service or even possible remote code execution.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Levenshtein users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/Levenshtein-0.12.1" + </code> + </resolution> + <references> + </references> + <metadata tag="requester" timestamp="2024-08-07T06:14:52.905613Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T06:14:52.912037Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-05.xml b/metadata/glsa/glsa-202408-05.xml new file mode 100644 index 000000000000..8919fc8f3b73 --- /dev/null +++ b/metadata/glsa/glsa-202408-05.xml @@ -0,0 +1,59 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-05"> + <title>Redis: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Redis, the worst of which may lead to a denial of service or possible remote code execution.</synopsis> + <product type="ebuild">redis</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>891169</bug> + <bug>898464</bug> + <bug>902501</bug> + <bug>904486</bug> + <bug>910191</bug> + <bug>913741</bug> + <bug>915989</bug> + <bug>921662</bug> + <access>local and remote</access> + <affected> + <package name="dev-db/redis" auto="yes" arch="*"> + <unaffected range="ge">7.2.4</unaffected> + <vulnerable range="lt">7.2.4</vulnerable> + </package> + </affected> + <background> + <p>Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Redis. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Redis users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/redis-7.2.4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24834">CVE-2022-24834</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35977">CVE-2022-35977</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36021">CVE-2022-36021</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22458">CVE-2023-22458</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25155">CVE-2023-25155</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28425">CVE-2023-28425</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28856">CVE-2023-28856</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36824">CVE-2023-36824</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-41053">CVE-2023-41053</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-41056">CVE-2023-41056</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45145">CVE-2023-45145</uri> + </references> + <metadata tag="requester" timestamp="2024-08-07T06:33:13.322960Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T06:33:13.327235Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-06.xml b/metadata/glsa/glsa-202408-06.xml new file mode 100644 index 000000000000..94803695ca59 --- /dev/null +++ b/metadata/glsa/glsa-202408-06.xml @@ -0,0 +1,61 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-06"> + <title>PostgreSQL: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in PostgreSQL, the worst of which could lead to privilege escalation or denial of service.</synopsis> + <product type="ebuild">postgresql</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>903193</bug> + <bug>912251</bug> + <bug>917153</bug> + <bug>924110</bug> + <bug>931849</bug> + <access>local</access> + <affected> + <package name="dev-db/postgresql" auto="yes" arch="*"> + <unaffected range="ge" slot="12">12.19</unaffected> + <unaffected range="ge" slot="13">13.14</unaffected> + <unaffected range="ge" slot="14">14.12-r1</unaffected> + <unaffected range="ge" slot="15">15.7-r1</unaffected> + <unaffected range="ge" slot="16">16.3-r1</unaffected> + <vulnerable range="lt">12</vulnerable> + <vulnerable range="lt" slot="12">12.19</vulnerable> + <vulnerable range="lt" slot="13">13.14</vulnerable> + <vulnerable range="lt" slot="14">14.12-r1</vulnerable> + <vulnerable range="lt" slot="15">15.7-r1</vulnerable> + <vulnerable range="lt" slot="16">16.3-r1</vulnerable> + </package> + </affected> + <background> + <p>PostgreSQL is an open source object-relational database management system.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PostgreSQL users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.3-r1:16" + </code> + + <p>Or update an older slot if that is still in use.</p> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5868">CVE-2023-5868</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5869">CVE-2023-5869</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5870">CVE-2023-5870</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0985">CVE-2024-0985</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4317">CVE-2024-4317</uri> + </references> + <metadata tag="requester" timestamp="2024-08-07T08:28:46.588202Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T08:28:46.591128Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-07.xml b/metadata/glsa/glsa-202408-07.xml new file mode 100644 index 000000000000..ca4e07832cac --- /dev/null +++ b/metadata/glsa/glsa-202408-07.xml @@ -0,0 +1,64 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-07"> + <title>Go: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Go, the worst of which could lead to information leakage or a denial of service.</synopsis> + <product type="ebuild">go</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>906043</bug> + <bug>919310</bug> + <bug>926530</bug> + <bug>928539</bug> + <bug>931602</bug> + <access>remote</access> + <affected> + <package name="dev-lang/go" auto="yes" arch="*"> + <unaffected range="ge">1.22.3</unaffected> + <vulnerable range="lt">1.22.3</vulnerable> + </package> + </affected> + <background> + <p>Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Go. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Go users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/go-1.22.3" + </code> + + <p>Due to Go programs typically being statically compiled, Go users should also recompile the reverse dependencies of the Go language to ensure statically linked programs are remediated:</p> + + <code> + # emerge --ask --oneshot --verbose @golang-rebuild + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24539">CVE-2023-24539</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24540">CVE-2023-24540</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29400">CVE-2023-29400</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39326">CVE-2023-39326</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45283">CVE-2023-45283</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45285">CVE-2023-45285</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45288">CVE-2023-45288</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45289">CVE-2023-45289</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45290">CVE-2023-45290</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24783">CVE-2024-24783</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24784">CVE-2024-24784</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24785">CVE-2024-24785</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24788">CVE-2024-24788</uri> + </references> + <metadata tag="requester" timestamp="2024-08-07T09:30:13.961626Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T09:30:13.964984Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-08.xml b/metadata/glsa/glsa-202408-08.xml new file mode 100644 index 000000000000..cf494b232eb2 --- /dev/null +++ b/metadata/glsa/glsa-202408-08.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-08"> + <title>json-c: Buffer Overflow</title> + <synopsis>A vulnerability has been discovered in json-c, which can lead to a stack buffer overflow.</synopsis> + <product type="ebuild">json-c</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>918555</bug> + <access>remote</access> + <affected> + <package name="dev-libs/json-c" auto="yes" arch="*"> + <unaffected range="ge">0.16</unaffected> + <vulnerable range="lt">0.16</vulnerable> + </package> + </affected> + <background> + <p>json-c is a JSON implementation in C.</p> + </background> + <description> + <p>Please review the CVE identifier referenced below for details.</p> + </description> + <impact type="normal"> + <p>A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All json-c users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/json-c-0.16" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32292">CVE-2021-32292</uri> + </references> + <metadata tag="requester" timestamp="2024-08-07T11:00:32.063764Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T11:00:32.067004Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-09.xml b/metadata/glsa/glsa-202408-09.xml new file mode 100644 index 000000000000..128ef86c9f51 --- /dev/null +++ b/metadata/glsa/glsa-202408-09.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-09"> + <title>Cairo: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Cairo, the worst of which a denial of service.</synopsis> + <product type="ebuild">cairo</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>717778</bug> + <access>local</access> + <affected> + <package name="x11-libs/cairo" auto="yes" arch="*"> + <unaffected range="ge">1.18.0</unaffected> + <vulnerable range="lt">1.18.0</vulnerable> + </package> + </affected> + <background> + <p>Cairo is a 2D vector graphics library with cross-device output support.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Cairo. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Cairo users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.18.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6461">CVE-2019-6461</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6462">CVE-2019-6462</uri> + </references> + <metadata tag="requester" timestamp="2024-08-07T11:19:32.821340Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T11:19:32.823921Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-10.xml b/metadata/glsa/glsa-202408-10.xml new file mode 100644 index 000000000000..67c3d6759ddb --- /dev/null +++ b/metadata/glsa/glsa-202408-10.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-10"> + <title>nghttp2: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in nghttp2, the worst of which could lead to a denial of service.</synopsis> + <product type="ebuild">nghttp2</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>915554</bug> + <bug>928541</bug> + <access>remote</access> + <affected> + <package name="net-libs/nghttp2" auto="yes" arch="*"> + <unaffected range="ge">1.61.0</unaffected> + <vulnerable range="lt">1.61.0</vulnerable> + </package> + </affected> + <background> + <p>Nghttp2 is an implementation of HTTP/2 and its header compression algorithm HPACK in C.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in nghttp2. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All nghttp2 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/nghttp2-1.61.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44487">CVE-2023-44487</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-28182">CVE-2024-28182</uri> + </references> + <metadata tag="requester" timestamp="2024-08-07T11:37:22.663338Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T11:37:22.666444Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-11.xml b/metadata/glsa/glsa-202408-11.xml new file mode 100644 index 000000000000..abd50b3cf8d4 --- /dev/null +++ b/metadata/glsa/glsa-202408-11.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-11"> + <title>aiohttp: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in aiohttp, the worst of which could lead to service compromise.</synopsis> + <product type="ebuild">aiohttp</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>918541</bug> + <bug>918968</bug> + <bug>931097</bug> + <access>remote</access> + <affected> + <package name="dev-python/aiohttp" auto="yes" arch="*"> + <unaffected range="ge">3.9.4</unaffected> + <vulnerable range="lt">3.9.4</vulnerable> + </package> + </affected> + <background> + <p>aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in aiohttp. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All aiohttp users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/aiohttp-3.9.4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-47641">CVE-2023-47641</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49082">CVE-2023-49082</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-30251">CVE-2024-30251</uri> + </references> + <metadata tag="requester" timestamp="2024-08-07T11:59:46.382696Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T11:59:46.386364Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-12.xml b/metadata/glsa/glsa-202408-12.xml new file mode 100644 index 000000000000..1f3fb6d92cb9 --- /dev/null +++ b/metadata/glsa/glsa-202408-12.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-12"> + <title>Bitcoin: Denial of Service</title> + <synopsis>A vulnerability has been discovered in Bitcoin, which can lead to a denial of service.</synopsis> + <product type="ebuild">bitcoind</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>908084</bug> + <access>remote</access> + <affected> + <package name="net-p2p/bitcoind" auto="yes" arch="*"> + <unaffected range="ge">25.0</unaffected> + <vulnerable range="lt">25.0</vulnerable> + </package> + </affected> + <background> + <p>Bitcoin Core consists of both "full-node" software for fully validating the blockchain as well as a bitcoin wallet.</p> + </background> + <description> + <p>Please review the CVE identifier referenced below for details.</p> + </description> + <impact type="normal"> + <p>Bitcoin Core, when debug mode is not used, allows attackers to cause a denial of service (CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Bitcoin users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/bitcoind-25.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33297">CVE-2023-33297</uri> + </references> + <metadata tag="requester" timestamp="2024-08-07T12:34:53.892565Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T12:34:53.895329Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-13.xml b/metadata/glsa/glsa-202408-13.xml new file mode 100644 index 000000000000..e1fa4574c49b --- /dev/null +++ b/metadata/glsa/glsa-202408-13.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-13"> + <title>Nokogiri: Denial of Service</title> + <synopsis>A vulnerability has been discovered in Nokogiri, which can lead to a denial of service.</synopsis> + <product type="ebuild">nokogiri</product> + <announced>2024-08-07</announced> + <revised count="1">2024-08-07</revised> + <bug>884863</bug> + <access>local</access> + <affected> + <package name="dev-ruby/nokogiri" auto="yes" arch="*"> + <unaffected range="ge">1.13.10</unaffected> + <vulnerable range="lt">1.13.10</vulnerable> + </package> + </affected> + <background> + <p>Nokogiri is an HTML, XML, SAX, and Reader parser.</p> + </background> + <description> + <p>A denial of service vulnerability has been discovered in Nokogiri. Please review the CVE identifier referenced below for details.</p> + </description> + <impact type="normal"> + <p>Nokogiri fails to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack.</p> + </impact> + <workaround> + <p>Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.</p> + </workaround> + <resolution> + <p>All Nokogiri users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.10" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23476">CVE-2022-23476</uri> + </references> + <metadata tag="requester" timestamp="2024-08-07T13:11:11.971415Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-07T13:11:11.974740Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-14.xml b/metadata/glsa/glsa-202408-14.xml new file mode 100644 index 000000000000..094f1742184f --- /dev/null +++ b/metadata/glsa/glsa-202408-14.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-14"> + <title>Librsvg: Arbitrary File Read</title> + <synopsis>A vulnerability has been discovered in Librsvg, which can lead to arbitrary file reads.</synopsis> + <product type="ebuild">librsvg</product> + <announced>2024-08-09</announced> + <revised count="1">2024-08-09</revised> + <bug>918100</bug> + <access>local and remote</access> + <affected> + <package name="gnome-base/librsvg" auto="yes" arch="*"> + <unaffected range="ge">2.56.3</unaffected> + <vulnerable range="lt">2.56.3</vulnerable> + </package> + </affected> + <background> + <p>Librsvg is a library to render SVG files using cairo as a rendering engine.</p> + </background> + <description> + <p>A directory traversal problem in the URL decoder of librsvg could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifier for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Librsvg users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=gnome-base/librsvg-2.56.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38633">CVE-2023-38633</uri> + </references> + <metadata tag="requester" timestamp="2024-08-09T06:49:19.778412Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-09T06:49:19.781284Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-15.xml b/metadata/glsa/glsa-202408-15.xml new file mode 100644 index 000000000000..c1c44f043f37 --- /dev/null +++ b/metadata/glsa/glsa-202408-15.xml @@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-15"> + <title>Percona XtraBackup: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Percona XtraBackup, the worst of which could lead to arbitrary code execution.</synopsis> + <product type="ebuild">percona-xtrabackup,percona-xtrabackup-bin</product> + <announced>2024-08-09</announced> + <revised count="1">2024-08-09</revised> + <bug>849389</bug> + <bug>908033</bug> + <access>remote</access> + <affected> + <package name="dev-db/percona-xtrabackup" auto="yes" arch="*"> + <unaffected range="ge">8.0.29.22</unaffected> + <vulnerable range="lt">8.0.29.22</vulnerable> + </package> + <package name="dev-db/percona-xtrabackup-bin" auto="yes" arch="*"> + <vulnerable range="lt">8.0.29.22</vulnerable> + </package> + </affected> + <background> + <p>Percona XtraBackup is a complete and open source online backup solution for all versions of MySQL.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Percona XtraBackup. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Percona XtraBackup users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/percona-xtrabackup-8.0.29.22" + </code> + + <p>Gentoo has discontinued support for the binary package. Users should remove this from their system:</p> + + <code> + # emerge --sync + # emerge --ask --verbose --depclean "dev-db/percona-xtrabackup-bin" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-25834">CVE-2022-25834</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26944">CVE-2022-26944</uri> + </references> + <metadata tag="requester" timestamp="2024-08-09T06:59:52.845544Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-09T06:59:52.849111Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-16.xml b/metadata/glsa/glsa-202408-16.xml new file mode 100644 index 000000000000..ad2e807cf89f --- /dev/null +++ b/metadata/glsa/glsa-202408-16.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-16"> + <title>re2c: Denial of Service</title> + <synopsis>A vulnerability has been discovered in re2c, which can lead to a denial of service.</synopsis> + <product type="ebuild">re2c</product> + <announced>2024-08-09</announced> + <revised count="1">2024-08-09</revised> + <bug>719872</bug> + <access>local</access> + <affected> + <package name="dev-util/re2c" auto="yes" arch="*"> + <unaffected range="ge">2.0</unaffected> + <vulnerable range="lt">2.0</vulnerable> + </package> + </affected> + <background> + <p>re2c is a tool for generating C-based recognizers from regular expressions.</p> + </background> + <description> + <p>Please review the CVE identifier referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the CVE identifier referenced below for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All re2c users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/re2c-2.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-21232">CVE-2018-21232</uri> + </references> + <metadata tag="requester" timestamp="2024-08-09T07:09:13.470150Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-09T07:09:13.473932Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-17.xml b/metadata/glsa/glsa-202408-17.xml new file mode 100644 index 000000000000..40b55f8c2384 --- /dev/null +++ b/metadata/glsa/glsa-202408-17.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-17"> + <title>Nautilus: Denial of Service</title> + <synopsis>A vulnerability has been discovered in Nautilus, which can lead to a denial of service.</synopsis> + <product type="ebuild">nautilus</product> + <announced>2024-08-09</announced> + <revised count="1">2024-08-09</revised> + <bug>881509</bug> + <access>local</access> + <affected> + <package name="gnome-base/nautilus" auto="yes" arch="*"> + <unaffected range="ge">44.0</unaffected> + <vulnerable range="lt">44.0</vulnerable> + </package> + </affected> + <background> + <p>Default file manager for the GNOME desktop</p> + </background> + <description> + <p>Please review the CVE identifier referenced below for details.</p> + </description> + <impact type="normal"> + <p>GNOME Nautilus allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Nautilus users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=gnome-base/nautilus-44.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-37290">CVE-2022-37290</uri> + </references> + <metadata tag="requester" timestamp="2024-08-09T09:22:03.162678Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-09T09:22:03.165420Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-18.xml b/metadata/glsa/glsa-202408-18.xml new file mode 100644 index 000000000000..5de6c546b4b1 --- /dev/null +++ b/metadata/glsa/glsa-202408-18.xml @@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-18"> + <title>QEMU: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in QEMU, the worst of which could lead to a denial of service.</synopsis> + <product type="ebuild">qemu</product> + <announced>2024-08-09</announced> + <revised count="1">2024-08-09</revised> + <bug>857657</bug> + <bug>865121</bug> + <bug>883693</bug> + <bug>909542</bug> + <access>local</access> + <affected> + <package name="app-emulation/qemu" auto="yes" arch="*"> + <unaffected range="ge">8.0.0</unaffected> + <vulnerable range="lt">8.0.0</vulnerable> + </package> + </affected> + <background> + <p>QEMU is a generic and open source machine emulator and virtualizer.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All QEMU users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/qemu-8.0.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14394">CVE-2020-14394</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0216">CVE-2022-0216</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1050">CVE-2022-1050</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2962">CVE-2022-2962</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4144">CVE-2022-4144</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4172">CVE-2022-4172</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35414">CVE-2022-35414</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-1544">CVE-2023-1544</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2861">CVE-2023-2861</uri> + </references> + <metadata tag="requester" timestamp="2024-08-09T09:49:28.328653Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-09T09:49:28.332697Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-19.xml b/metadata/glsa/glsa-202408-19.xml new file mode 100644 index 000000000000..423557b67ab8 --- /dev/null +++ b/metadata/glsa/glsa-202408-19.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-19"> + <title>ncurses: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in ncurses, the worst of which could lead to a denial of service.</synopsis> + <product type="ebuild">ncurses,ncurses-compat</product> + <announced>2024-08-09</announced> + <revised count="1">2024-08-09</revised> + <bug>839351</bug> + <bug>904247</bug> + <access>remote</access> + <affected> + <package name="sys-libs/ncurses" auto="yes" arch="*"> + <unaffected range="ge">6.4_p20230408</unaffected> + <vulnerable range="lt">6.4_p20230408</vulnerable> + </package> + <package name="sys-libs/ncurses-compat" auto="yes" arch="*"> + <unaffected range="ge">6.4_p20240330</unaffected> + <vulnerable range="lt">6.4_p20240330</vulnerable> + </package> + </affected> + <background> + <p>Free software emulation of curses in System V.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in ncurses. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ncurses users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/ncurses-6.4_p20230408" + # emerge --ask --oneshot --verbose ">=sys-libs/ncurses-compat-6.4_p20240330" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29458">CVE-2022-29458</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29491">CVE-2023-29491</uri> + </references> + <metadata tag="requester" timestamp="2024-08-09T11:05:25.778609Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-09T11:05:25.782155Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-20.xml b/metadata/glsa/glsa-202408-20.xml new file mode 100644 index 000000000000..3d9048c60c76 --- /dev/null +++ b/metadata/glsa/glsa-202408-20.xml @@ -0,0 +1,88 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-20"> + <title>libde265: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution.</synopsis> + <product type="ebuild">libde265</product> + <announced>2024-08-10</announced> + <revised count="1">2024-08-10</revised> + <bug>813486</bug> + <bug>889876</bug> + <access>local</access> + <affected> + <package name="media-libs/libde265" auto="yes" arch="*"> + <unaffected range="ge">1.0.11</unaffected> + <vulnerable range="lt">1.0.11</vulnerable> + </package> + </affected> + <background> + <p>Open h.265 video codec implementation.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in libde265. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libde265 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libde265-1.0.11" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21594">CVE-2020-21594</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21595">CVE-2020-21595</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21596">CVE-2020-21596</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21597">CVE-2020-21597</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21598">CVE-2020-21598</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21599">CVE-2020-21599</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21600">CVE-2020-21600</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21601">CVE-2020-21601</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21602">CVE-2020-21602</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21603">CVE-2020-21603</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21604">CVE-2020-21604</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21605">CVE-2020-21605</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21606">CVE-2020-21606</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35452">CVE-2021-35452</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36408">CVE-2021-36408</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36409">CVE-2021-36409</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36410">CVE-2021-36410</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36411">CVE-2021-36411</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1253">CVE-2022-1253</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43235">CVE-2022-43235</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43236">CVE-2022-43236</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43237">CVE-2022-43237</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43238">CVE-2022-43238</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43239">CVE-2022-43239</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43240">CVE-2022-43240</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43241">CVE-2022-43241</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43242">CVE-2022-43242</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43243">CVE-2022-43243</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43244">CVE-2022-43244</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43245">CVE-2022-43245</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43248">CVE-2022-43248</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43249">CVE-2022-43249</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43250">CVE-2022-43250</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43252">CVE-2022-43252</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43253">CVE-2022-43253</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47655">CVE-2022-47655</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47664">CVE-2022-47664</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47665">CVE-2022-47665</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24751">CVE-2023-24751</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24752">CVE-2023-24752</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24754">CVE-2023-24754</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24755">CVE-2023-24755</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24756">CVE-2023-24756</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24757">CVE-2023-24757</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24758">CVE-2023-24758</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25221">CVE-2023-25221</uri> + </references> + <metadata tag="requester" timestamp="2024-08-10T05:53:21.175447Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-10T05:53:21.178987Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-21.xml b/metadata/glsa/glsa-202408-21.xml new file mode 100644 index 000000000000..ec29aa5d80f1 --- /dev/null +++ b/metadata/glsa/glsa-202408-21.xml @@ -0,0 +1,258 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-21"> + <title>GPAC: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution.</synopsis> + <product type="ebuild">gpac</product> + <announced>2024-08-10</announced> + <revised count="1">2024-08-10</revised> + <bug>785649</bug> + <bug>835341</bug> + <access>remote</access> + <affected> + <package name="media-video/gpac" auto="yes" arch="*"> + <unaffected range="ge">2.2.0</unaffected> + <vulnerable range="lt">2.2.0</vulnerable> + </package> + </affected> + <background> + <p>GPAC is an implementation of the MPEG-4 Systems standard developed from scratch in ANSI C.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in GPAC. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GPAC users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/gpac-2.2.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22673">CVE-2020-22673</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22674">CVE-2020-22674</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22675">CVE-2020-22675</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22677">CVE-2020-22677</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22678">CVE-2020-22678</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22679">CVE-2020-22679</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25427">CVE-2020-25427</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35979">CVE-2020-35979</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35980">CVE-2020-35980</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35981">CVE-2020-35981</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35982">CVE-2020-35982</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4043">CVE-2021-4043</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21834">CVE-2021-21834</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21835">CVE-2021-21835</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21836">CVE-2021-21836</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21837">CVE-2021-21837</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21838">CVE-2021-21838</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21839">CVE-2021-21839</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21840">CVE-2021-21840</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21841">CVE-2021-21841</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21842">CVE-2021-21842</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21843">CVE-2021-21843</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21844">CVE-2021-21844</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21845">CVE-2021-21845</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21846">CVE-2021-21846</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21847">CVE-2021-21847</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21848">CVE-2021-21848</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21849">CVE-2021-21849</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21850">CVE-2021-21850</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21851">CVE-2021-21851</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21852">CVE-2021-21852</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21853">CVE-2021-21853</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21854">CVE-2021-21854</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21855">CVE-2021-21855</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21856">CVE-2021-21856</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21857">CVE-2021-21857</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21858">CVE-2021-21858</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21859">CVE-2021-21859</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21860">CVE-2021-21860</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21861">CVE-2021-21861</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21862">CVE-2021-21862</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30014">CVE-2021-30014</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30015">CVE-2021-30015</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30019">CVE-2021-30019</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30020">CVE-2021-30020</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30022">CVE-2021-30022</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30199">CVE-2021-30199</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31254">CVE-2021-31254</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31255">CVE-2021-31255</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31256">CVE-2021-31256</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31257">CVE-2021-31257</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31258">CVE-2021-31258</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31259">CVE-2021-31259</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31260">CVE-2021-31260</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31261">CVE-2021-31261</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31262">CVE-2021-31262</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32132">CVE-2021-32132</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32134">CVE-2021-32134</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32135">CVE-2021-32135</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32136">CVE-2021-32136</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32137">CVE-2021-32137</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32138">CVE-2021-32138</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32139">CVE-2021-32139</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32437">CVE-2021-32437</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32438">CVE-2021-32438</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32439">CVE-2021-32439</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32440">CVE-2021-32440</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33361">CVE-2021-33361</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33362">CVE-2021-33362</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33363">CVE-2021-33363</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33364">CVE-2021-33364</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33365">CVE-2021-33365</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33366">CVE-2021-33366</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36412">CVE-2021-36412</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36414">CVE-2021-36414</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36417">CVE-2021-36417</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36584">CVE-2021-36584</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40559">CVE-2021-40559</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40562">CVE-2021-40562</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40563">CVE-2021-40563</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40564">CVE-2021-40564</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40565">CVE-2021-40565</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40566">CVE-2021-40566</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40567">CVE-2021-40567</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40568">CVE-2021-40568</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40569">CVE-2021-40569</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40570">CVE-2021-40570</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40571">CVE-2021-40571</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40572">CVE-2021-40572</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40573">CVE-2021-40573</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40574">CVE-2021-40574</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40575">CVE-2021-40575</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40576">CVE-2021-40576</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40592">CVE-2021-40592</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40606">CVE-2021-40606</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40607">CVE-2021-40607</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40608">CVE-2021-40608</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40609">CVE-2021-40609</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40942">CVE-2021-40942</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40944">CVE-2021-40944</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41456">CVE-2021-41456</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41457">CVE-2021-41457</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41458">CVE-2021-41458</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41459">CVE-2021-41459</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44918">CVE-2021-44918</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44919">CVE-2021-44919</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44920">CVE-2021-44920</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44921">CVE-2021-44921</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44922">CVE-2021-44922</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44923">CVE-2021-44923</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44924">CVE-2021-44924</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44925">CVE-2021-44925</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44926">CVE-2021-44926</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44927">CVE-2021-44927</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45258">CVE-2021-45258</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45259">CVE-2021-45259</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45260">CVE-2021-45260</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45262">CVE-2021-45262</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45263">CVE-2021-45263</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45266">CVE-2021-45266</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45267">CVE-2021-45267</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45288">CVE-2021-45288</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45289">CVE-2021-45289</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45291">CVE-2021-45291</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45292">CVE-2021-45292</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45297">CVE-2021-45297</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45760">CVE-2021-45760</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45762">CVE-2021-45762</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45763">CVE-2021-45763</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45764">CVE-2021-45764</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45767">CVE-2021-45767</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45831">CVE-2021-45831</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46038">CVE-2021-46038</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46039">CVE-2021-46039</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46040">CVE-2021-46040</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46041">CVE-2021-46041</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46042">CVE-2021-46042</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46043">CVE-2021-46043</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46044">CVE-2021-46044</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46045">CVE-2021-46045</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46046">CVE-2021-46046</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46047">CVE-2021-46047</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46049">CVE-2021-46049</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46051">CVE-2021-46051</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46234">CVE-2021-46234</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46236">CVE-2021-46236</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46237">CVE-2021-46237</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46238">CVE-2021-46238</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46239">CVE-2021-46239</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46240">CVE-2021-46240</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46311">CVE-2021-46311</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46313">CVE-2021-46313</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1035">CVE-2022-1035</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1172">CVE-2022-1172</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1222">CVE-2022-1222</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1441">CVE-2022-1441</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1795">CVE-2022-1795</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2453">CVE-2022-2453</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2454">CVE-2022-2454</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2549">CVE-2022-2549</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3178">CVE-2022-3178</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3222">CVE-2022-3222</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3957">CVE-2022-3957</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4202">CVE-2022-4202</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24249">CVE-2022-24249</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24574">CVE-2022-24574</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24575">CVE-2022-24575</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24576">CVE-2022-24576</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24577">CVE-2022-24577</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24578">CVE-2022-24578</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26967">CVE-2022-26967</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27145">CVE-2022-27145</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27146">CVE-2022-27146</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27147">CVE-2022-27147</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27148">CVE-2022-27148</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29339">CVE-2022-29339</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29340">CVE-2022-29340</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29537">CVE-2022-29537</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30976">CVE-2022-30976</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36186">CVE-2022-36186</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36190">CVE-2022-36190</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36191">CVE-2022-36191</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38530">CVE-2022-38530</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43039">CVE-2022-43039</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43040">CVE-2022-43040</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43042">CVE-2022-43042</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43043">CVE-2022-43043</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43044">CVE-2022-43044</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43045">CVE-2022-43045</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43254">CVE-2022-43254</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43255">CVE-2022-43255</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45202">CVE-2022-45202</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45204">CVE-2022-45204</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45283">CVE-2022-45283</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45343">CVE-2022-45343</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46489">CVE-2022-46489</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46490">CVE-2022-46490</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47086">CVE-2022-47086</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47087">CVE-2022-47087</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47088">CVE-2022-47088</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47089">CVE-2022-47089</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47091">CVE-2022-47091</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47092">CVE-2022-47092</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47093">CVE-2022-47093</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47094">CVE-2022-47094</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47095">CVE-2022-47095</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47653">CVE-2022-47653</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47654">CVE-2022-47654</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47656">CVE-2022-47656</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47657">CVE-2022-47657</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47658">CVE-2022-47658</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47659">CVE-2022-47659</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47660">CVE-2022-47660</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47661">CVE-2022-47661</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47662">CVE-2022-47662</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47663">CVE-2022-47663</uri> + </references> + <metadata tag="requester" timestamp="2024-08-10T05:56:40.883624Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-10T05:56:40.887094Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-22.xml b/metadata/glsa/glsa-202408-22.xml new file mode 100644 index 000000000000..f80765466515 --- /dev/null +++ b/metadata/glsa/glsa-202408-22.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-22"> + <title>Bundler: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Bundler, the worst of which could lead to arbitrary code execution.</synopsis> + <product type="ebuild">bundler</product> + <announced>2024-08-10</announced> + <revised count="1">2024-08-10</revised> + <bug>743214</bug> + <bug>798135</bug> + <bug>828884</bug> + <access>local and remote</access> + <affected> + <package name="dev-ruby/bundler" auto="yes" arch="*"> + <unaffected range="ge">2.2.33</unaffected> + <vulnerable range="lt">2.2.33</vulnerable> + </package> + </affected> + <background> + <p>Bundler provides a consistent environment for Ruby projects by tracking and installing the exact gems and versions that are needed.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Bundler. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Bundler users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/bundler-2.2.33" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3881">CVE-2019-3881</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36327">CVE-2020-36327</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-43809">CVE-2021-43809</uri> + </references> + <metadata tag="requester" timestamp="2024-08-10T08:23:41.517666Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-10T08:23:41.520457Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202408-23.xml b/metadata/glsa/glsa-202408-23.xml new file mode 100644 index 000000000000..eacb91286bf0 --- /dev/null +++ b/metadata/glsa/glsa-202408-23.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202408-23"> + <title>GnuPG: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in GnuPG, the worst of which could lead to signature spoofing.</synopsis> + <product type="ebuild">gnupg</product> + <announced>2024-08-10</announced> + <revised count="1">2024-08-10</revised> + <bug>855395</bug> + <bug>923248</bug> + <access>remote</access> + <affected> + <package name="app-crypt/gnupg" auto="yes" arch="*"> + <unaffected range="ge">2.4.4</unaffected> + <vulnerable range="lt">2.4.4</vulnerable> + </package> + </affected> + <background> + <p>The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of cryptographic software.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in GnuPG. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GnuPG users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.4.4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34903">CVE-2022-34903</uri> + </references> + <metadata tag="requester" timestamp="2024-08-10T08:41:19.748264Z">graaff</metadata> + <metadata tag="submitter" timestamp="2024-08-10T08:41:19.752993Z">graaff</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index ea1e49452112..45325f0ee3fd 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Thu, 04 Jul 2024 06:40:39 +0000 +Sat, 10 Aug 2024 09:40:23 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 3406d37a3716..a20abfa97c4f 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -a5ba53361826e62d69077fdabaf2da4664fc05ba 1719873210 2024-07-01T22:33:30Z +edaa82dbe986586c12f7d0e15ccfaa2e8c17c4d2 1723279289 2024-08-10T08:41:29Z |