Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin575680 -> 577111 bytes
-rw-r--r--metadata/glsa/glsa-202407-01.xml42
-rw-r--r--metadata/glsa/glsa-202407-02.xml42
-rw-r--r--metadata/glsa/glsa-202407-03.xml42
-rw-r--r--metadata/glsa/glsa-202407-04.xml42
-rw-r--r--metadata/glsa/glsa-202407-05.xml42
-rw-r--r--metadata/glsa/glsa-202407-06.xml49
-rw-r--r--metadata/glsa/glsa-202407-07.xml44
-rw-r--r--metadata/glsa/glsa-202407-08.xml66
-rw-r--r--metadata/glsa/glsa-202407-09.xml67
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
13 files changed, 453 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 11511e738118..a9efec058594 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 575680 BLAKE2B e298c9a9a84a54a79e115d8488299b411495166d729c52a15036c4d873fab5f7ff50b1913419b3a3f9da287e91238b1272e70eb59bc0f7502e2e2f8141558114 SHA512 1b590d6c6f851084c3e6daa0d86a946e6afa83cf5b4a906c8286a9ac71deeda7bcc2fa3bfbe31c4ac8a9b29cd544bee831b9d3460c3c90f683adc66c57cfb636
-TIMESTAMP 2024-07-01T06:10:33Z
+MANIFEST Manifest.files.gz 577111 BLAKE2B 0cdb2f4b37d989ec4779ab2668429fad6726d0f8262d3b4c3b6e33e9dc73ed0cef5a69d0d12e69f34f1ea8a92d72ef9e77fd098a8c9f70b001120570e5caedac SHA512 8633861ca75b10437b48ae2c2f704cd739ad0c965fd468529f3c4310836c613f1c2c3a3a0e31e8cc9f53f73bed636d933165206a4bbd67d96bc5e4ca6bcd4b36
+TIMESTAMP 2024-07-02T06:10:37Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmaCSFlfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmaDmd1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klAOSQ//UY9ycubsehP5W2TNtP818SK0QFkhNmw9C0RmVxu2ge5P5HU834jUDpZX
-ckV0QE9yXMzCIH3pMoAlT6ScNId+pv5M/tgyTe7OhA+E1qGSIafRqET8oFFVKSlk
-yO+MxKXQ8ga2F2hSDC+IVkTmUqiVO+oj7nc5dbuVswukEoervTAEPXlmzV5EE6gy
-Xfs8S8BT4j6zlBMz/GIJ8l8B6JP6mS6MUsGdAD9PbvHN47ivF1Khl3h4Ns2Wjc18
-9JuKrhUAJBq35CS/bS6WK/VLImKhpC4DGoI/UaSg0fqVEDAWWQQQO7dG4MC90w0B
-8amLBZAaN9+kEtiOuSVxFpehU5i9sx1qcyk6ok5k5INPvNLMocvUwGpvl6rEqifu
-iAjeP0wm4ua07NDqu11Yd3gokvUtQhVj2379ybz2PJZikmjiIAwMVE2/CuqzvYbi
-pHfzV6ynMn4V9rPmvPClvw+83gF3/65k8XPBSDfl0nnNoNuTFxhp+RJjaSKy/gUO
-KURDzQn10YK4qknkHqoElSTrfm7soG5DGf2TV6D3z4Gn1opw3Eyssp+T161NiMc/
-c5fiYpxnfGS6idAohnfS96dx1p5ayosC9Ulsyr0KL6AotNwqsE5ZmWnzOGuDUCj9
-24dDs2F7BZTD9u5nLLMCLQ3L8mUVO1O6al2vj+xFcARaUcb5Uyo=
-=QLFE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+=Wg5u
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index db0f25f7469b..155603e718a5 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202407-01.xml b/metadata/glsa/glsa-202407-01.xml
new file mode 100644
index 000000000000..b84833eadb1c
--- /dev/null
+++ b/metadata/glsa/glsa-202407-01.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-01">
+ <title>Zsh: Prompt Expansion Vulnerability</title>
+ <synopsis>A vulnerability has been discovered in Zsh, which can lead to execution of arbitrary code.</synopsis>
+ <product type="ebuild">zsh</product>
+ <announced>2024-07-01</announced>
+ <revised count="1">2024-07-01</revised>
+ <bug>833252</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-shells/zsh" auto="yes" arch="*">
+ <unaffected range="ge">5.8.1</unaffected>
+ <vulnerable range="lt">5.8.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A shell designed for interactive use, although it is also a powerful scripting language.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Zsh. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>A vulnerability in prompt expansion could be exploited through e.g. VCS_Info to execute arbitrary shell commands without a user&#39;s knowledge.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Zsh users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.8.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45444">CVE-2021-45444</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-01T05:51:00.103014Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-01T05:51:00.106061Z">ajak</metadata>
+</glsa> \ No newline at end of file
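Review bot: The description paragraph says "Multiple vulnerabilities have been discovered in Zsh. Please review the CVE identifiers referenced below", but the title and synopsis describe a single vulnerability and the references list only CVE-2021-45444, so the advisory contradicts itself on how many issues it covers. I would align it with the wording the other single-CVE advisories in this commit use: `<p>A vulnerability has been discovered in Zsh. Please review the CVE identifier referenced below for details.</p>`. The same singular/plural mismatch is in glsa-202407-04.xml, whose description also says "CVE identifiers" while referencing only CVE-2022-44638. Separately, every advisory here carries the external SYSTEM DTD reference on line 2 over plain http; that is the format's convention, but any consumer of these files should parse them with DTD loading and external-entity resolution disabled rather than fetch that URL.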
diff --git a/metadata/glsa/glsa-202407-02.xml b/metadata/glsa/glsa-202407-02.xml
new file mode 100644
index 000000000000..52b617ef1c09
--- /dev/null
+++ b/metadata/glsa/glsa-202407-02.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-02">
+ <title>SDL_ttf: Arbitrary Memory Write</title>
+ <synopsis>A vulnerability has been discovered in SDL_ttf, which can lead to arbitrary memory writes.</synopsis>
+ <product type="ebuild">sdl2-ttf</product>
+ <announced>2024-07-01</announced>
+ <revised count="1">2024-07-01</revised>
+ <bug>843434</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="media-libs/sdl2-ttf" auto="yes" arch="*">
+ <unaffected range="ge">2.20.0</unaffected>
+ <vulnerable range="lt">2.20.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>SDL_ttf is a wrapper around the FreeType and Harfbuzz libraries, allowing you to use TrueType fonts to render text in SDL applications.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in SDL_ttf. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>SDL_ttf was discovered to contain an arbitrary memory write via the function TTF_RenderText_Solid(). This vulnerability is triggered via a crafted TTF file.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SDL_ttf users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/sdl2-ttf-2.20.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27470">CVE-2022-27470</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-01T05:56:15.409960Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-01T05:56:15.413752Z">ajak</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202407-03.xml b/metadata/glsa/glsa-202407-03.xml
new file mode 100644
index 000000000000..ce1390f452e9
--- /dev/null
+++ b/metadata/glsa/glsa-202407-03.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-03">
+ <title>Liferea: Remote Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Liferea, which can lead to remote code execution.</synopsis>
+ <product type="ebuild">liferea</product>
+ <announced>2024-07-01</announced>
+ <revised count="1">2024-07-01</revised>
+ <bug>901085</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-news/liferea" auto="yes" arch="*">
+ <unaffected range="ge">1.12.10</unaffected>
+ <vulnerable range="lt">1.12.10</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Liferea is a feed reader/news aggregator that brings together all of the content from your favorite subscriptions into a simple interface that makes it easy to organize and browse feeds. Its GUI is similar to a desktop mail/news client, with an embedded web browser.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in Liferea. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>A vulnerability was found in liferea. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source can lead to os command injection. The attack may be launched remotely.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Liferea users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-news/liferea-1.12.10"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-1350">CVE-2023-1350</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-01T05:56:34.686485Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-01T05:56:34.688817Z">ajak</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202407-04.xml b/metadata/glsa/glsa-202407-04.xml
new file mode 100644
index 000000000000..4e30db26288e
--- /dev/null
+++ b/metadata/glsa/glsa-202407-04.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-04">
+ <title>Pixman: Heap Buffer Overflow</title>
+ <synopsis>A vulnerability has been discovered in Pixman, which can lead to a heap buffer overflow.</synopsis>
+ <product type="ebuild">pixman</product>
+ <announced>2024-07-01</announced>
+ <revised count="1">2024-07-01</revised>
+ <bug>879207</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="x11-libs/pixman" auto="yes" arch="*">
+ <unaffected range="ge">0.42.2</unaffected>
+ <vulnerable range="lt">0.42.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Pixman is a pixel manipulation library.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in Pixman. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>An out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 can occur due to an integer overflow in pixman_sample_floor_y.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Pixman users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-libs/pixman-0.42.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44638">CVE-2022-44638</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-01T05:56:53.181940Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-01T05:56:53.184714Z">ajak</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202407-05.xml b/metadata/glsa/glsa-202407-05.xml
new file mode 100644
index 000000000000..6145f2a4a9ff
--- /dev/null
+++ b/metadata/glsa/glsa-202407-05.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-05">
+ <title>SSSD: Command Injection</title>
+ <synopsis>A vulnerability has been discovered in SSSD, which can lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">sssd</product>
+ <announced>2024-07-01</announced>
+ <revised count="1">2024-07-01</revised>
+ <bug>808911</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="sys-auth/sssd" auto="yes" arch="*">
+ <unaffected range="ge">2.5.2-r1</unaffected>
+ <vulnerable range="lt">2.5.2-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in SSSD. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SSSD users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-auth/sssd-2.5.2-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3621">CVE-2021-3621</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-01T05:58:27.689393Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-01T05:58:27.691896Z">ajak</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202407-06.xml b/metadata/glsa/glsa-202407-06.xml
new file mode 100644
index 000000000000..7589ec48580e
--- /dev/null
+++ b/metadata/glsa/glsa-202407-06.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-06">
+ <title>cryptography: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in cryptography, the worst of which could lead to a denial of service.</synopsis>
+ <product type="ebuild">cryptography</product>
+ <announced>2024-07-01</announced>
+ <revised count="1">2024-07-01</revised>
+ <bug>769419</bug>
+ <bug>864049</bug>
+ <bug>893576</bug>
+ <bug>918685</bug>
+ <bug>925120</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/cryptography" auto="yes" arch="*">
+ <unaffected range="ge">42.0.4</unaffected>
+ <vulnerable range="lt">42.0.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>cryptography is a package which provides cryptographic recipes and primitives to Python developers.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in cryptography. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All cryptography users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/cryptography-42.0.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36242">CVE-2020-36242</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23931">CVE-2023-23931</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49083">CVE-2023-49083</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-26130">CVE-2024-26130</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-01T05:59:02.809872Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-01T05:59:02.812394Z">ajak</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202407-07.xml b/metadata/glsa/glsa-202407-07.xml
new file mode 100644
index 000000000000..5daea9bc8f5b
--- /dev/null
+++ b/metadata/glsa/glsa-202407-07.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-07">
+ <title>cpio: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in cpio, which can lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">cpio</product>
+ <announced>2024-07-01</announced>
+ <revised count="1">2024-07-01</revised>
+ <bug>807088</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-arch/cpio" auto="yes" arch="*">
+ <unaffected range="ge">2.13-r1</unaffected>
+ <vulnerable range="lt">2.13-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>cpio is a file archival tool which can also read and write tar files.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in cpio. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>GNU cpio allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All cpio users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/cpio-2.13-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-2037">CVE-2016-2037</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14866">CVE-2019-14866</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38185">CVE-2021-38185</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-01T05:59:20.652714Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-01T05:59:20.655189Z">ajak</metadata>
+</glsa> \ No newline at end of file
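Review bot: The synopsis says "A vulnerability has been discovered in cpio" and the title names a single "Arbitrary Code Execution", but the description says "Multiple vulnerabilities" and the references list three CVEs (CVE-2016-2037, CVE-2019-14866, CVE-2021-38185), so the header and body disagree on scope. Given three referenced identifiers, the synopsis and title should follow the plural form used in glsa-202407-06.xml, e.g. `<title>cpio: Multiple Vulnerabilities</title>` and `<synopsis>Multiple vulnerabilities have been discovered in cpio, the worst of which could lead to arbitrary code execution.</synopsis>`. The impact paragraph only describes one of the three issues; if that is deliberate, a closing sentence pointing to the other referenced CVEs would keep it from reading as the full scope.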
diff --git a/metadata/glsa/glsa-202407-08.xml b/metadata/glsa/glsa-202407-08.xml
new file mode 100644
index 000000000000..10cc9f730b85
--- /dev/null
+++ b/metadata/glsa/glsa-202407-08.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-08">
+ <title>GNU Emacs, Org Mode: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in GNU Emacs and Org Mode, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">emacs,org-mode</product>
+ <announced>2024-07-01</announced>
+ <revised count="1">2024-07-01</revised>
+ <bug>897950</bug>
+ <bug>927820</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-editors/emacs" auto="yes" arch="*">
+ <unaffected range="ge" slot="26">26.3-r16</unaffected>
+ <unaffected range="ge" slot="27">27.2-r14</unaffected>
+ <unaffected range="ge" slot="28">28.2-r10</unaffected>
+ <unaffected range="ge" slot="29">29.2-r1</unaffected>
+ <vulnerable range="lt" slot="26">26.3-r16</vulnerable>
+ <vulnerable range="lt" slot="27">27.2-r14</vulnerable>
+ <vulnerable range="lt" slot="28">28.2-r10</vulnerable>
+ <vulnerable range="lt" slot="29">29.2-r1</vulnerable>
+ </package>
+ <package name="app-emacs/org-mode" auto="yes" arch="*">
+ <unaffected range="ge">9.6.23</unaffected>
+ <vulnerable range="lt">9.6.23</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GNU Emacs is a highly extensible and customizable text editor.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GNU Emacs. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GNU Emacs users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-editors/emacs-29.3-r2"
+ </code>
+
+ <p>All Org Mode users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emacs/org-mode-9.6.23"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-48337">CVE-2022-48337</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-48338">CVE-2022-48338</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-48339">CVE-2022-48339</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-30202">CVE-2024-30202</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-30203">CVE-2024-30203</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-30204">CVE-2024-30204</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-30205">CVE-2024-30205</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-01T05:59:40.316405Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-01T05:59:40.319047Z">ajak</metadata>
+</glsa> \ No newline at end of file
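Review bot: The resolution command `# emerge --ask --oneshot --verbose ">=app-editors/emacs-29.3-r2"` does not match any `<unaffected>` entry for app-editors/emacs — slot 29 lists `29.2-r1` as the fixed version — so either the affected ranges or the upgrade instruction is stale and a reader cannot tell which version the advisory actually considers fixed. One of the two should be corrected so the `<unaffected range="ge" slot="29">` value and the emerge atom agree. The background and description mention only GNU Emacs although `<product>` lists both emacs and org-mode and a second package block covers app-emacs/org-mode; I would change the description to `<p>Multiple vulnerabilities have been discovered in GNU Emacs and Org Mode. Please review the CVE identifiers referenced below for details.</p>` and add a one-line Org Mode sentence to the background.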
diff --git a/metadata/glsa/glsa-202407-09.xml b/metadata/glsa/glsa-202407-09.xml
new file mode 100644
index 000000000000..874e12f86e1b
--- /dev/null
+++ b/metadata/glsa/glsa-202407-09.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-09">
+ <title>OpenSSH: Remote Code Execution</title>
+ <synopsis>A vulnerability has been discovered in OpenSSH, which can lead to remote code execution with root privileges.</synopsis>
+ <product type="ebuild">openssh</product>
+ <announced>2024-07-01</announced>
+ <revised count="1">2024-07-01</revised>
+ <bug>935271</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/openssh" auto="yes" arch="*">
+ <unaffected range="ge">9.7_p1-r6</unaffected>
+ <vulnerable range="lt">9.7_p1-r6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenSSH is a free application suite consisting of server and clients that replace tools like telnet, rlogin, rcp and ftp with more secure versions offering additional functionality.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in OpenSSH. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>A critical vulnerability in sshd(8) was present in Portable OpenSSH
+versions that may allow arbitrary code execution with root privileges.
+
+Successful exploitation has been demonstrated on 32-bit Linux/glibc
+systems with ASLR. Under lab conditions, the attack requires on
+average 6-8 hours of continuous connections up to the maximum the
+server will accept. Exploitation on 64-bit systems is believed to be
+possible but has not been demonstrated at this time. It&#39;s likely that
+these attacks will be improved upon.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.
+
+Note that Gentoo has backported the fix to the following versions:
+
+net-misc/openssh-9.6_p1-r5
+net-misc/openssh-9.7_p1-r6</p>
+ </workaround>
+ <resolution>
+ <p>All OpenSSH users should upgrade to the latest version and restart the sshd server (to ensure access for new sessions and no vulnerable code keeps running).</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/openssh-9.7_p1-r6"
+ </code>
+
+ <p>With OpenRC:</p>
+
+ <code>
+ # rc-service sshd restart
+ </code>
+
+ <p>With systemd:</p>
+
+ <code>
+ # systemctl try-restart sshd.service
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6387">CVE-2024-6387</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-01T18:03:48.914047Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-01T18:03:48.917560Z">graaff</metadata>
+</glsa>
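Review bot: The workaround element states there is no known workaround and then lists net-misc/openssh-9.6_p1-r5 as a version carrying the backported fix, but the only `<unaffected>` entry is `range="ge"` 9.7_p1-r6, so the machine-readable ranges still classify a patched 9.6_p1-r5 system as vulnerable while the prose says it is fixed. If the DTD's revision range is what the tooling honours here, adding `<unaffected range="rge">9.6_p1-r5</unaffected>` alongside the existing entry would make the ranges match the note, and the backport sentence belongs in `<resolution>` rather than under a "no known workaround" heading. This file also ends with a trailing newline while the eight sibling advisories in this commit do not; one convention should be picked for the directory.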
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 84f7b4de2166..2dbcc924f65c 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Mon, 01 Jul 2024 06:10:28 +0000
+Tue, 02 Jul 2024 06:10:34 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 4f52ebb21485..3406d37a3716 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-0715db682a941540ce2f4ccb909d8f446c05e0ce 1719639983 2024-06-29T05:46:23Z
+a5ba53361826e62d69077fdabaf2da4664fc05ba 1719873210 2024-07-01T22:33:30Z