Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin412859 -> 414446 bytes
-rw-r--r--metadata/glsa/glsa-201801-01.xml137
-rw-r--r--metadata/glsa/glsa-201801-02.xml57
-rw-r--r--metadata/glsa/glsa-201801-03.xml134
-rw-r--r--metadata/glsa/glsa-201801-04.xml51
-rw-r--r--metadata/glsa/glsa-201801-05.xml50
-rw-r--r--metadata/glsa/glsa-201801-06.xml51
-rw-r--r--metadata/glsa/glsa-201801-07.xml68
-rw-r--r--metadata/glsa/glsa-201801-08.xml53
-rw-r--r--metadata/glsa/glsa-201801-09.xml63
-rw-r--r--metadata/glsa/glsa-201801-10.xml62
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
14 files changed, 743 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 284b40d1986f..a34a5011aebe 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 412859 BLAKE2B 29f22611257846c43da3f994e05684673fa1caa957a4b148f39ff19bc84f3682e8490d97c111e7eccbdb376d70136a0d0906ef152ce3abf044f4fb391eb520c4 SHA512 49d32fc5be9c59d40fa5555276aaf748a6274c5421c12e450644629355174f7bb6f7e77103a5571ae8f5e28bcd53505531ac68ed8f7957c3debfc9196bd152cd
-TIMESTAMP 2018-01-07T17:39:12Z
+MANIFEST Manifest.files.gz 414446 BLAKE2B 5b433dfd85097ead79bccfcdc5ac71450a49f0cd04217ea95a0da4d9b3a14d6a0df186361cf5d3a4ff24547968a8bdb79ea1e31d21aa21b86708e0885a152525 SHA512 2410eac2ebdd40b883f4296ea6c8ebefb16545c125c9ecb039ba9a79dc2d32f43aaaa01673cb98557d5d7aa414d7d0c72e688610d9b127a0d56cb1584e16cf5c
+TIMESTAMP 2018-01-08T20:39:21Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlpSW0BfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlpT1vlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klD9oRAApKlg+9T0h/8HduioYXVIXTruWbF364BkDt5xlXVqyh204XTwjiZ9LwbK
-mkXHIe3WTHb3+GEbtrnnnewIOEUhm99+GvROXN320ZWmhqPkg03pG1KfE5V0zd+H
-puUijolR5qZGmQovk6Xy1gNG1KVoirUgUxBb6MmXfMEHetHCglduRCCcVj5jsMl3
-nOzXWnB+k+U5czmroxBOeK+jp5QvkQ8PozGuJnYD747HNekwb0Hv8nfZz2YL2ORL
-eDE8tys2ZCSX+UlDH1aPX3sf9fUHcpcnvVM66W/+vLEnOjOq9tZvAXga9rTnSucZ
-4mg7e1vPyPHVTeBdaLDvyhvGRBdsfMNOYA56HPrCg7JTuQh1hZX6wWiwxAbPv18L
-lauRs/gb8WRRQNWvBeEg1jtwCoIKKutZp//xgEieKlr7FQwfm+p8jMOhvVJjWKW/
-N+u5OkGHry6BZ6FLJtSyLgOR5RqZ+TF+7FGOzOmnMA2TAmPUAj/bEhflWTfIAYQW
-mkKrnCxQa7+GRtPokO8ydbPmxlckfa8mABXRVbaGJWpX/2pXczCoLcjbpR1DG6ir
-lgMYQmqUqcbWoFmYVtAvPtlQkavn+3Jo3fNdReGSyVQ5Uv8iplhUDgrUqiqMP8Yi
-1DvBJyPmAWefkHuWcnM3Y71kU24n0r0T3o3P0KIm6zGcUBhVasY=
-=zDn/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+=0CiG
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 6fc5b55366c7..895c44865813 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-201801-01.xml b/metadata/glsa/glsa-201801-01.xml
new file mode 100644
index 000000000000..edcda87e98f8
--- /dev/null
+++ b/metadata/glsa/glsa-201801-01.xml
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-01">
+ <title>Binutils: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Binutils, the worst of
+ which may allow remote attackers to cause a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">binutils</product>
+ <announced>2018-01-07</announced>
+ <revised>2018-01-07: 1</revised>
+ <bug>624700</bug>
+ <bug>627516</bug>
+ <bug>628538</bug>
+ <bug>629344</bug>
+ <bug>629922</bug>
+ <bug>631324</bug>
+ <bug>632100</bug>
+ <bug>632132</bug>
+ <bug>632384</bug>
+ <bug>632668</bug>
+ <bug>633988</bug>
+ <bug>635218</bug>
+ <bug>635692</bug>
+ <bug>635860</bug>
+ <bug>635968</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="sys-devel/binutils" auto="yes" arch="*">
+ <unaffected range="ge">2.29.1-r1</unaffected>
+ <vulnerable range="lt">2.29.1-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The GNU Binutils are a collection of tools to create, modify and analyse
+ binary files. Many of the files use BFD, the Binary File Descriptor
+ library, to do low-level manipulation.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Binutils. Please review
+ the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to compile/execute a specially
+ crafted ELF, tekhex, PE, or binary file, could possibly cause a Denial of
+ Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There are no known workarounds at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Binutils users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=sys-devel/binutils-2.29.1-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12456">
+ CVE-2017-12456
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12799">
+ CVE-2017-12799
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12967">
+ CVE-2017-12967
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14128">
+ CVE-2017-14128
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14129">
+ CVE-2017-14129
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14130">
+ CVE-2017-14130
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14333">
+ CVE-2017-14333
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15023">
+ CVE-2017-15023
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15938">
+ CVE-2017-15938
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15939">
+ CVE-2017-15939
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15996">
+ CVE-2017-15996
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7209">
+ CVE-2017-7209
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7210">
+ CVE-2017-7210
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7223">
+ CVE-2017-7223
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7224">
+ CVE-2017-7224
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7225">
+ CVE-2017-7225
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7227">
+ CVE-2017-7227
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9743">
+ CVE-2017-9743
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9746">
+ CVE-2017-9746
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9749">
+ CVE-2017-9749
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9750">
+ CVE-2017-9750
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9751">
+ CVE-2017-9751
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9755">
+ CVE-2017-9755
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9756">
+ CVE-2017-9756
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-01-05T05:47:37Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2018-01-07T23:07:52Z">jmbailey</metadata>
+</glsa>
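Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line names an external DTD over plain HTTP, and the same line opens glsa-201801-02 through glsa-201801-10. A consumer that validates or resolves the external subset would fetch an unauthenticated DTD, which is presumably outside what the signed Manifest covers (inferred: the Manifest lists files in this tree only). Tooling that parses these advisories should disable network DTD loading and external-entity resolution, or map the identifier to a local copy. If the identifier can change without breaking existing catalogs, `https://www.gentoo.org/dtd/glsa.dtd` is the safer form.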
diff --git a/metadata/glsa/glsa-201801-02.xml b/metadata/glsa/glsa-201801-02.xml
new file mode 100644
index 000000000000..1e7fbff303a9
--- /dev/null
+++ b/metadata/glsa/glsa-201801-02.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-02">
+ <title>OptiPNG: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in OptiPNG, the worst of
+ which may allow execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">optipng</product>
+ <announced>2018-01-07</announced>
+ <revised>2018-01-07: 1</revised>
+ <bug>637936</bug>
+ <bug>639690</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-gfx/optipng" auto="yes" arch="*">
+ <unaffected range="ge">0.7.6-r2</unaffected>
+ <vulnerable range="lt">0.7.6-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OptiPNG is a PNG optimizer that re-compresses image files to a smaller
+ size, without losing any information.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in OptiPNG. Please review
+ the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to process a specially crafted
+ image file, possibly resulting in execution of arbitrary code with the
+ privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OptiPNG users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=media-gfx/optipng-0.7.6-r2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000229">
+ CVE-2017-1000229
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16938">
+ CVE-2017-16938
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-12-03T01:46:44Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2018-01-07T23:16:40Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-03.xml b/metadata/glsa/glsa-201801-03.xml
new file mode 100644
index 000000000000..67a86a6d1886
--- /dev/null
+++ b/metadata/glsa/glsa-201801-03.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-03">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities </title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could result in the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">chromium,google-chrome</product>
+ <announced>2018-01-07</announced>
+ <revised>2018-01-07: 1</revised>
+ <bug>640334</bug>
+ <bug>641376</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">63.0.3239.108</unaffected>
+ <vulnerable range="lt">63.0.3239.108</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">63.0.3239.108</unaffected>
+ <vulnerable range="lt">63.0.3239.108</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, cause a Denial of Service condition, bypass
+ content security controls, or conduct URL spoofing.
+ </p>
+ </impact>
+ <workaround>
+ <p>There are no known workarounds at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/chromium-63.0.3239.108"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/google-chrome-63.0.3239.108"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15407">
+ CVE-2017-15407
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15408">
+ CVE-2017-15408
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15409">
+ CVE-2017-15409
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15410">
+ CVE-2017-15410
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15411">
+ CVE-2017-15411
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15412">
+ CVE-2017-15412
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15413">
+ CVE-2017-15413
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15415">
+ CVE-2017-15415
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15416">
+ CVE-2017-15416
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15417">
+ CVE-2017-15417
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15418">
+ CVE-2017-15418
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15419">
+ CVE-2017-15419
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15420">
+ CVE-2017-15420
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15422">
+ CVE-2017-15422
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15423">
+ CVE-2017-15423
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15424">
+ CVE-2017-15424
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15425">
+ CVE-2017-15425
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15426">
+ CVE-2017-15426
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15427">
+ CVE-2017-15427
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15429">
+ CVE-2017-15429
+ </uri>
+ <uri link="https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html">
+ Google Chrome Release 20171206
+ </uri>
+ <uri link="https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop_14.html">
+ Google Chrome Release 20171214
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-01-05T05:50:33Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2018-01-07T23:22:12Z">jmbailey</metadata>
+</glsa>
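Review bot: Both `<code>` blocks in `<resolution>` break the emerge command across two lines with no continuation, so a reader pasting line by line runs `emerge --ask --oneshot --verbose` with no atom and then the quoted atom as a separate command; nothing gets upgraded. Keep each command on one line as the other advisories in this commit do, e.g. `# emerge --ask --oneshot --verbose "&gt;=www-client/chromium-63.0.3239.108"`, and likewise for `www-client/google-chrome`. Minor: the `<title>` ends with a trailing space and the Google Chrome background sentence lacks its final period.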
diff --git a/metadata/glsa/glsa-201801-04.xml b/metadata/glsa/glsa-201801-04.xml
new file mode 100644
index 000000000000..e49cf9f43606
--- /dev/null
+++ b/metadata/glsa/glsa-201801-04.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-04">
+ <title>LibXcursor: User-assisted execution of arbitrary code</title>
+ <synopsis>A vulnerability in LibXcursor might allow remote attackers to
+ execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">LibXcursor</product>
+ <announced>2018-01-07</announced>
+ <revised>2018-01-07: 1</revised>
+ <bug>639062</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="x11-libs/libXcursor" auto="yes" arch="*">
+ <unaffected range="ge">1.1.15</unaffected>
+ <vulnerable range="lt">1.1.15</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>X.Org X11 libXcursor runtime library.</p>
+ </background>
+ <description>
+ <p>It was discovered that libXcursor is prone to several heap overflows
+ when parsing malicious files.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to process a specially crafted
+ cursor file, could possibly execute arbitrary code with the privileges of
+ the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All LibXcursor users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=x11-libs/libXcursor-1.1.15"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16612">
+ CVE-2017-16612
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-01-05T05:33:40Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2018-01-07T23:27:33Z">jmbailey</metadata>
+</glsa>
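Review bot: `<product type="ebuild">LibXcursor</product>` uses a display name, whereas glsa-201801-01, -02, -03 and -06 put the ebuild name in this field (`binutils`, `optipng`, `chromium,google-chrome`, `backintime`); -05, -07, -08, -09 and -10 also use display names. One convention should be used throughout; with `type="ebuild"` the package name `libXcursor` looks like the intended value (inferred from the attribute). The synopsis also speaks of remote attackers executing code while the title says user-assisted; the synopsis could carry the same qualifier the impact paragraph already has, e.g. `by enticing a user to process a crafted cursor file`.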
diff --git a/metadata/glsa/glsa-201801-05.xml b/metadata/glsa/glsa-201801-05.xml
new file mode 100644
index 000000000000..0522284c6ea3
--- /dev/null
+++ b/metadata/glsa/glsa-201801-05.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-05">
+ <title>OpenSSH: Permission issue</title>
+ <synopsis>A flaw has been discovered in OpenSSH which could allow a remote
+ attacker to create zero-length files.
+ </synopsis>
+ <product type="ebuild">OpenSSH</product>
+ <announced>2018-01-07</announced>
+ <revised>2018-01-07: 1</revised>
+ <bug>633428</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/openssh" auto="yes" arch="*">
+ <unaffected range="ge">7.5_p1-r3</unaffected>
+ <vulnerable range="lt">7.5_p1-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenSSH is a complete SSH protocol implementation that includes SFTP
+ client and server support.
+ </p>
+ </background>
+ <description>
+ <p>The process_open function in sftp-server.c in OpenSSH did not properly
+ prevent write operations in readonly mode.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could cause the creation of zero-length files.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenSSH users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-misc/openssh-7.5_p1-r3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15906">
+ CVE-2017-15906
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-01-05T05:55:47Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2018-01-07T23:36:33Z">jmbailey</metadata>
+</glsa>
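Review bot: The `<synopsis>` and `<impact>` drop the precondition that the `<description>` gives: the flaw is in sftp-server's enforcement of read-only mode, so only servers that rely on that mode to block writes are exposed. I would state it in the impact, e.g. `A remote attacker with SFTP access to a server running sftp-server in read-only mode could create zero-length files.` Whether the attacker must be authenticated is inferred from how SFTP sessions normally work and should be confirmed against the CVE entry.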
diff --git a/metadata/glsa/glsa-201801-06.xml b/metadata/glsa/glsa-201801-06.xml
new file mode 100644
index 000000000000..a0725d7cc0f7
--- /dev/null
+++ b/metadata/glsa/glsa-201801-06.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-06">
+ <title>Back In Time: Command injection</title>
+ <synopsis>A command injection vulnerability in 'Back in Time' may allow for
+ the execution of arbitrary shell commands.
+ </synopsis>
+ <product type="ebuild">backintime</product>
+ <announced>2018-01-07</announced>
+ <revised>2018-01-07: 1</revised>
+ <bug>636974</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-backup/backintime" auto="yes" arch="*">
+ <unaffected range="ge">1.1.24</unaffected>
+ <vulnerable range="lt">1.1.24</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A simple backup tool for Linux, inspired by “flyback project”.</p>
+ </background>
+ <description>
+ <p>‘Back in Time’ did improper escaping/quoting of file paths used as
+ arguments to the ‘notify-send’ command leading to some parts of file
+ paths being executed as shell commands within an os.system call.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A context-dependent attacker could execute arbitrary shell commands via
+ a specially crafted file.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ‘Back In Time’ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-backup/backintime-1.1.24"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16667">
+ CVE-2017-16667
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-01-05T05:36:24Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2018-01-07T23:41:27Z">jmbailey</metadata>
+</glsa>
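Review bot: The `<impact>` gives the vector as "a specially crafted file", while the `<description>` places the injection in file paths passed to `notify-send` through an `os.system` call; the trigger is the file's name or path, not its contents. Suggest `via a specially crafted file name or path`. That wording also tells administrators where the exposure lies: backup sources in which untrusted users can create files.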
diff --git a/metadata/glsa/glsa-201801-07.xml b/metadata/glsa/glsa-201801-07.xml
new file mode 100644
index 000000000000..48b58e98c066
--- /dev/null
+++ b/metadata/glsa/glsa-201801-07.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-07">
+ <title>GNU Emacs: Command injection</title>
+ <synopsis>A vulnerability has been found in Emacs which may allow for
+ arbitrary command execution.
+ </synopsis>
+ <product type="ebuild">Emacs</product>
+ <announced>2018-01-07</announced>
+ <revised>2018-01-08: 2</revised>
+ <bug>630680</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-editors/emacs" auto="yes" arch="*">
+ <unaffected range="ge" slot="23">23.4-r16</unaffected>
+ <unaffected range="ge" slot="24">24.5-r4</unaffected>
+ <unaffected range="ge" slot="25">25.2-r1</unaffected>
+ <vulnerable range="lt" slot="23">23.4-r16</vulnerable>
+ <vulnerable range="lt" slot="24">24.5-r4</vulnerable>
+ <vulnerable range="lt" slot="25">25.2-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GNU Emacs is a highly extensible and customizable text editor.</p>
+ </background>
+ <description>
+ <p>A command injection flaw within the Emacs “enriched mode” handling
+ has been discovered.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to open a specially crafted file,
+ could execute arbitrary commands with the privileges of process.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GNU Emacs 23.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-23.4-r16:23"
+ </code>
+
+ <p>All GNU Emacs 24.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-24.5-r4:24"
+ </code>
+
+ <p>All GNU Emacs 25.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-25.2-r1:25"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14482">
+ CVE-2017-14482
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-01-05T05:59:49Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2018-01-08T13:17:01Z">jmbailey</metadata>
+</glsa>
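Review bot: The `<workaround>` says none is known, but upstream's notes for the fixed Emacs release reportedly describe an init-file mitigation that neutralises the enriched-mode display-property decoding; this is worth confirming against the upstream announcement and, if it holds, citing here for users who cannot upgrade at once. Separately, the impact text reads `with the privileges of process`; it should be `with the privileges of the process`. The references list only the NVD entry, so a link to the upstream advisory would let readers verify the fix.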
diff --git a/metadata/glsa/glsa-201801-08.xml b/metadata/glsa/glsa-201801-08.xml
new file mode 100644
index 000000000000..71a3eac590d4
--- /dev/null
+++ b/metadata/glsa/glsa-201801-08.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-08">
+ <title>MiniUPnPc: Arbitrary code execution</title>
+ <synopsis>A vulnerability in MiniUPnPc might allow remote attackers to
+ execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">MiniUPnP</product>
+ <announced>2018-01-07</announced>
+ <revised>2018-01-07: 1</revised>
+ <bug>562684</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/miniupnpc" auto="yes" arch="*">
+ <unaffected range="ge">2.0.20170509</unaffected>
+ <vulnerable range="lt">2.0.20170509</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The client library, enabling applications to access the services
+ provided by an UPnP “Internet Gateway Device” present on the network.
+ </p>
+ </background>
+ <description>
+ <p>An exploitable buffer overflow vulnerability exists in the XML parser
+ functionality of the MiniUPnP library.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to connect to a malicious server,
+ could cause the execution of arbitrary code with the privileges of the
+ user running a MiniUPnPc linked application.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All MiniUPnPc users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-libs/miniupnpc-2.0.20170509"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6031">
+ CVE-2015-6031
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-01-05T06:06:14Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2018-01-07T23:51:08Z">jmbailey</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-09.xml b/metadata/glsa/glsa-201801-09.xml
new file mode 100644
index 000000000000..e76b2d50287a
--- /dev/null
+++ b/metadata/glsa/glsa-201801-09.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-09">
+ <title>WebkitGTK+: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in WebkitGTK+, the worst
+ of which may lead to arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">WebkitGTK+</product>
+ <announced>2018-01-07</announced>
+ <revised>2018-01-07: 1</revised>
+ <bug>641752</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/webkit-gtk" auto="yes" arch="*">
+ <unaffected range="ge" slot="4">2.18.4</unaffected>
+ <vulnerable range="lt" slot="4">2.18.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in WebkitGTK+. Please
+ review the referenced CVE Identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker, by enticing a user to visit maliciously crafted web
+ content, may be able to execute arbitrary code or cause memory
+ corruption.
+ </p>
+ </impact>
+ <workaround>
+ <p>There are no known workarounds at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All WebkitGTK+ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-libs/webkit-gtk-2.18.4:4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13856">
+ CVE-2017-13856
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13866">
+ CVE-2017-13866
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13870">
+ CVE-2017-13870
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7156">
+ CVE-2017-7156
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7157">
+ CVE-2017-7157
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-01-05T05:25:45Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2018-01-07T23:57:41Z">jmbailey</metadata>
+</glsa>
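Review bot: The product name is spelled `WebkitGTK+` in the title, synopsis, product, description and resolution but `WebKitGTK+` in the background; use the one spelling throughout. The impact also lists "cause memory corruption" as an outcome, which describes the mechanism rather than the consequence; if the referenced CVEs support it, a consequence such as a Denial of Service condition would match the other advisories in this commit (hedged, the CVE texts are not on this page).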
diff --git a/metadata/glsa/glsa-201801-10.xml b/metadata/glsa/glsa-201801-10.xml
new file mode 100644
index 000000000000..329c01883b89
--- /dev/null
+++ b/metadata/glsa/glsa-201801-10.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-10">
+ <title>LibXfont, LibXfont2: Arbitrary file access</title>
+ <synopsis>A vulnerability has been found in LibXfont and LibXfont2 which may
+ allow for arbitrary file access.
+ </synopsis>
+ <product type="ebuild">LibXfont, LibXfont2</product>
+ <announced>2018-01-08</announced>
+ <revised>2018-01-08: 1</revised>
+ <bug>639064</bug>
+ <access>local</access>
+ <affected>
+ <package name="x11-libs/libXfont" auto="yes" arch="*">
+ <unaffected range="ge">1.5.4</unaffected>
+ <vulnerable range="lt">1.5.4</vulnerable>
+ </package>
+ <package name="x11-libs/libXfont2" auto="yes" arch="*">
+ <unaffected range="ge">2.0.3</unaffected>
+ <vulnerable range="lt">2.0.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>X.Org Xfont library.</p>
+ </background>
+ <description>
+ <p>It was discovered that libXfont incorrectly followed symlinks when
+ opening font files.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local unprivileged user could use this flaw to cause the X server to
+ access arbitrary files, including special device files.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All LibXfont users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=x11-libs/libXfont-1.5.4"
+ </code>
+
+ <p>All LibXfont2 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=x11-libs/libXfont2-2.0.3"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16611">
+ CVE-2017-16611
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-01-05T05:31:41Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2018-01-08T12:26:24Z">jmbailey</metadata>
+</glsa>
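Review bot: The `<description>` names only libXfont as following symlinks, while the title and `<affected>` cover libXfont2 as well; say `libXfont and libXfont2` so the text matches the affected list. There is also a stray blank line before `</resolution>` that the other advisories in this commit do not have.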
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index a90a981eef22..0a2bfcde5afa 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sun, 07 Jan 2018 17:39:09 +0000
+Mon, 08 Jan 2018 20:39:18 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 632542b5e138..aaca69940ebb 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-30b0a682c74fee092dcec1e6356f4afc7fa14625 1513277071 2017-12-14T18:44:31+00:00
+83b03abfd2cbeb32bafb0df4d1a742e9717c33a3 1515417463 2018-01-08T13:17:43+00:00