Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin563763 -> 564559 bytes
-rw-r--r--metadata/glsa/glsa-202402-02.xml53
-rw-r--r--metadata/glsa/glsa-202402-03.xml44
-rw-r--r--metadata/glsa/glsa-202402-04.xml40
-rw-r--r--metadata/glsa/glsa-202402-05.xml60
-rw-r--r--metadata/glsa/glsa-202402-06.xml46
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
9 files changed, 260 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 88e12973bc0c..a11f7c5e5b38 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 563763 BLAKE2B ad08e0810fe103c6fa75e908cf8e2fc59829c625b62d3046da60e9504ee322b550dd80f2b55ca4966a6ca9514873f3ad3a971855512a73e5aa8af57c416df904 SHA512 686eceb0a4e973d3931559acc70bbca71af98c9816890a0c4197ac907326353d25dbfef06b2f26ca53274310cd12ab9ef6adfeddc7c3775d1fc39f927accf94b
-TIMESTAMP 2024-02-03T04:54:37Z
+MANIFEST Manifest.files.gz 564559 BLAKE2B 4573972668e1d15f583f0713614d500cc9049b63596c2a0bcd653c8468b9dc77c6bbcd3534aacb491dc7aca67cc1724869f381150601d1b0818f51122f081971 SHA512 2a20cbfb64231457b4db4ad02d18e1e4362a95349f0ba302b080c3047bb1e9d19cc268cdb18594ad19d7288e2966da164e36e2c508ae6749818e720a5aa1156a
+TIMESTAMP 2024-02-03T11:09:56Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmW9xw1fFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmW+HwRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klC7Fg//RVMH/cPM4iaurZ7LGimkgvgGRCaSqt1vsvqIOxnSruQPb1XCwEi5dT2v
-eVfXIS7eYYCy2vkCb0qjp5SadsGtfqRXFXEJPfZNHxRJMzAd8YLg7gtG0bGUF7pB
-v/wmKeDw4AiC5gHIRE9HdBf2ebJWbdJnjTrgpL9R1CYkwK9ILICu9g1EDVjJbt9g
-xGpotQTohN4RbEIUfBU9Wc+EXNy7/ZtYnzRDI6PVPqdXEvd4SWhafbBldXR3qTD+
-tqwBAVnJA6yStaF+xT/sqkGwt4wvf2xPCZSRHRKfOM+cjET2rgt4Rp3GF8bACKGj
-n3VI2RYphjGE3SVB3eBpYdFgwHliPvVr9nHk7XCNwphA1zWnsvi5dcrkBebyATWs
-Xw4xfett8D/qK1eVCSLtaeQmulO02iIzgD/8q3C4/1b3c3hPUWTigRgXI6r31v0X
-mQP6bl1RznsqQ0jbuhRERYD1HfuLE3A8bOIK+U5kwSn0lth1ia1HbTL9vEfcJ3+5
-Y9Vxf2pCOBkzrAFIWxKpy7nwtSUlcJyYSXMjlxG1IZhahev+/yKo5REv7YS7rIkT
-dpi0vdoQ0D5tkUviHhv0MhNUhZ5qKpiJ0IrCgz3eINxg8Nrg8+jO17e+mv3tEhuf
-4KbMXOvHVbja4v6XVBCDMZlmwxHxsM0dKZZuViBbYJbAIRnNwjs=
-=80iI
+klCiYQ//Vq0VxwMmqOzoiWi4Y6mruxN4r8A5gd2PmDyEpoFhabExGsQPbnOpKphs
+nEKIUwgdWN9cun8CkpOpwuX/cOujQcxglz3zG7LgM/Xo7YJLiJB1Jd/u2k6TM+Bw
+nf+osGzm02lYM4IzsVHw4iJlSKtbdEu0GJh0X57SGFp4j5S9Ep8dXQP2YX5PSH4D
+ZvVEuq8zCkH2TeQO+VCSRLSI+JbP1XSrH7FnAQ4+Gxb4JmsVKSOtMAEkCGI/vyqe
+4YCI9iDlcFDFDii6syYFK1XwoMhLPYRl05ciyl9jRV0fy+JgsTXHFiljH1LyL2rm
+7dA1WSWIpED2c4n9kS2uFBk6oKW3AiydyktDXLL7kWO9dfmvjmF9I/8dyHUlNTfO
+b9szgKapUe5b7wBUM5EJNjaGhv4zoWiTlQjrOAS3qFNknOu79K8X8ELPqOFltiAb
+R/cfND/sI2SRY7F1767nU4sKnXq2gaIGQXm2cYRT0HYqYudPzMVx3cUTi5NDVDzt
+QHPxaGUXNaMkgAllLwefTo9mhfjT7uS5WcHctfr1myIQOmUA450GZ7ydjUCEJe8R
+STIeK6Yvu1lmYtl8CN9mZCt3vhM+cVAxxBaMB5MV//rvHXuP72wv5QdmfyKkvZ67
+0+FvR1nQ/9tQBIL4gdAE0BU0FgO77xKgee2PEe4bsXG0yJQI7m0=
+=xO8Y
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 0935772a319d..901943427f96 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202402-02.xml b/metadata/glsa/glsa-202402-02.xml
new file mode 100644
index 000000000000..ddbace0e73be
--- /dev/null
+++ b/metadata/glsa/glsa-202402-02.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-02">
+ <title>SDDM: Privilege Escalation</title>
+ <synopsis>A vulnerability has been discovered in SDDM which can lead to privilege escalation.</synopsis>
+ <product type="ebuild">sddm</product>
+ <announced>2024-02-03</announced>
+ <revised count="1">2024-02-03</revised>
+ <bug>753104</bug>
+ <access>local</access>
+ <affected>
+ <package name="x11-misc/sddm" auto="yes" arch="*">
+ <unaffected range="ge">0.18.1-r6</unaffected>
+ <vulnerable range="lt">0.18.1-r6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>SDDM is a modern display manager for X11 and Wayland sessions aiming to be fast, simple and beautiful. It uses modern technologies like QtQuick, which in turn gives the designer the ability to create smooth, animated user interfaces.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in SDDM. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>SDDM passes the -auth and -displayfd command line arguments when
+starting the Xserver. It then waits for the display number to be
+received from the Xserver via the `displayfd`, before the Xauthority
+file specified via the `-auth` parameter is actually written. This
+results in a race condition, creating a time window in which no valid
+Xauthority file is existing while the Xserver is already running.
+
+The X.Org server, when encountering a non-existing, empty or
+corrupt/incomplete Xauthority file, will grant any connecting client
+access to the Xorg display. A local unprivileged attacker can thus
+create an unauthorized connection to the Xserver and grab e.g. keyboard
+input events from other legitimate users accessing the Xserver.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SDDM users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-misc/sddm-0.18.1-r6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28049">CVE-2020-28049</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-03T06:18:59.426090Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-03T06:18:59.429353Z">ajak</metadata>
+</glsa>
\ No newline at end of file
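Review bot: The `<description>` element only points the reader at the CVE, while the explanation of the flaw (the window between the X server starting and the Xauthority file being written) sits in `<impact>`. The mechanism belongs in `<description>`, leaving `<impact>` to state the consequence, e.g. `<p>A local unprivileged user can connect to the X server and capture input events from other users' sessions.</p>`. The impact text is also two paragraphs separated by a blank line inside a single `<p>`, and it wraps `displayfd` and `-auth` in Markdown backticks that will probably render literally; two `<p>` elements and plain text would be safer. The title says "Privilege Escalation" whereas the text describes unauthorised display access and input capture, so the two should be aligned.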
diff --git a/metadata/glsa/glsa-202402-03.xml b/metadata/glsa/glsa-202402-03.xml
new file mode 100644
index 000000000000..0d941d010def
--- /dev/null
+++ b/metadata/glsa/glsa-202402-03.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-03">
+ <title>QtGui: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in QtGui which can lead to remote code execution.</synopsis>
+ <product type="ebuild">qtgui</product>
+ <announced>2024-02-03</announced>
+ <revised count="1">2024-02-03</revised>
+ <bug>808531</bug>
+ <bug>907119</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-qt/qtgui" auto="yes" arch="*">
+ <unaffected range="ge">5.15.9-r1</unaffected>
+ <vulnerable range="lt">5.15.9-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>QtGui is a module for the Qt toolkit.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in QtGui. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All QtGui users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtgui-5.15.9-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38593">CVE-2021-38593</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32763">CVE-2023-32763</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-03T06:19:26.894264Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-03T06:19:26.896389Z">ajak</metadata>
+</glsa>
\ No newline at end of file
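Review bot: The synopsis says these issues "can lead to remote code execution" and `<access>` is `remote`, yet `<impact type="normal">` rates them below the `high` given to the remote-code-execution advisories glsa-202402-04 and glsa-202402-05 in this same commit. Either the synopsis overstates the worst case or the line should read `<impact type="high">`; the same mismatch appears in glsa-202402-06 (FreeType). Because the `<impact>` body is only a pointer to the CVEs, a reader triaging from the advisory alone cannot tell which is right. One sentence naming the worst outcome would settle it.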
diff --git a/metadata/glsa/glsa-202402-04.xml b/metadata/glsa/glsa-202402-04.xml
new file mode 100644
index 000000000000..c7f4ef01bdba
--- /dev/null
+++ b/metadata/glsa/glsa-202402-04.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-04">
+ <title>GNAT Ada Suite: Remote Code Execution</title>
+ <synopsis>A vulnerability has been discovered in GNAT Ada Suite which can lead to remote code execution.</synopsis>
+ <product type="ebuild">gnat-suite-bin</product>
+ <announced>2024-02-03</announced>
+ <revised count="1">2024-02-03</revised>
+ <bug>787440</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-ada/gnat-suite-bin" auto="yes" arch="*">
+ <vulnerable range="lt">2019-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The GNAT Ada Suite is an Ada development environment.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in GNAT Ada Suite. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for GNAT Ada Suite. We recommend that users unmerge it:</p>
+
+ <code>
+ # emerge --ask --depclean "dev-ada/gnat-suite-bin"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27619">CVE-2020-27619</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-03T06:20:11.020220Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-03T06:20:11.022709Z">ajak</metadata>
+</glsa>
\ No newline at end of file
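Review bot: `<affected>` marks only versions below 2019-r2 as vulnerable and has no `<unaffected>` entry, while `<resolution>` says support is discontinued and tells users to unmerge the package. If no fixed 2019-r2 ebuild exists, the range reads as though one does. A comment next to the `<vulnerable>` line such as `<!-- no fixed version: package removed from the tree -->`, or a sentence in `<description>` saying the same, would make the intent clear. The description also does not say which part of a development suite is remotely reachable, which matters to anyone deciding how urgently to remove it.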
diff --git a/metadata/glsa/glsa-202402-05.xml b/metadata/glsa/glsa-202402-05.xml
new file mode 100644
index 000000000000..1a13d09e4377
--- /dev/null
+++ b/metadata/glsa/glsa-202402-05.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-05">
+ <title>Microsoft Edge: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Microsoft Edge, the worst of which could lead to remote code execution.</synopsis>
+ <product type="ebuild">microsoft-edge</product>
+ <announced>2024-02-03</announced>
+ <revised count="1">2024-02-03</revised>
+ <bug>907817</bug>
+ <bug>908518</bug>
+ <bug>918586</bug>
+ <bug>919495</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/microsoft-edge" auto="yes" arch="*">
+ <unaffected range="ge">120.0.2210.61</unaffected>
+ <vulnerable range="lt">120.0.2210.61</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Microsoft Edge. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Microsoft Edge users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-120.0.2210.61"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29345">CVE-2023-29345</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33143">CVE-2023-33143</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33145">CVE-2023-33145</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-35618">CVE-2023-35618</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36022">CVE-2023-36022</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36029">CVE-2023-36029</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36034">CVE-2023-36034</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36409">CVE-2023-36409</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36559">CVE-2023-36559</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36562">CVE-2023-36562</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36727">CVE-2023-36727</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36735">CVE-2023-36735</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36741">CVE-2023-36741</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36787">CVE-2023-36787</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36880">CVE-2023-36880</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38174">CVE-2023-38174</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-03T08:00:41.979777Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-03T08:00:41.982534Z">graaff</metadata>
+</glsa>
\ No newline at end of file
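Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line names an external DTD over plain HTTP, here and in the four other GLSA files added by this commit. A consumer that resolves the DTD while parsing would fetch it over an unauthenticated channel, outside the PGP-signed Manifest that presumably covers the advisory files themselves. Consider `<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa.dtd">`, provided existing tooling does not match the identifier literally. It is also worth documenting that parsers of these files should keep external DTD loading disabled.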
diff --git a/metadata/glsa/glsa-202402-06.xml b/metadata/glsa/glsa-202402-06.xml
new file mode 100644
index 000000000000..b36fa0e6fe40
--- /dev/null
+++ b/metadata/glsa/glsa-202402-06.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-06">
+ <title>FreeType: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in FreeType, the worst of which can lead to remote code execution.</synopsis>
+ <product type="ebuild">freetype</product>
+ <announced>2024-02-03</announced>
+ <revised count="1">2024-02-03</revised>
+ <bug>840224</bug>
+ <bug>881443</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="media-libs/freetype" auto="yes" arch="*">
+ <unaffected range="ge">2.13.0</unaffected>
+ <vulnerable range="lt">2.13.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FreeType is a high-quality and portable font engine.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in FreeType. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All FreeType users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.13.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27404">CVE-2022-27404</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27405">CVE-2022-27405</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27406">CVE-2022-27406</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2004">CVE-2023-2004</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-02-03T08:57:48.987312Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-02-03T08:57:48.989733Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 5607ce607745..aa57426004ce 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 03 Feb 2024 04:54:09 +0000
+Sat, 03 Feb 2024 11:09:52 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 982d77fc4215..a7ee54c922de 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-1b3d5c5b8102daf085b27905a139c5e8c4c7d591 1706843003 2024-02-02T03:03:23+00:00
+2f6d7004e06dfb3d395547c81289abf44cb1b2ac 1706950695 2024-02-03T08:58:15+00:00