Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin579171 -> 585357 bytes
-rw-r--r--metadata/glsa/glsa-202407-23.xml48
-rw-r--r--metadata/glsa/glsa-202407-24.xml48
-rw-r--r--metadata/glsa/glsa-202407-25.xml48
-rw-r--r--metadata/glsa/glsa-202407-26.xml42
-rw-r--r--metadata/glsa/glsa-202407-27.xml46
-rw-r--r--metadata/glsa/glsa-202407-28.xml45
-rw-r--r--metadata/glsa/glsa-202408-01.xml43
-rw-r--r--metadata/glsa/glsa-202408-02.xml110
-rw-r--r--metadata/glsa/glsa-202408-03.xml47
-rw-r--r--metadata/glsa/glsa-202408-04.xml41
-rw-r--r--metadata/glsa/glsa-202408-05.xml59
-rw-r--r--metadata/glsa/glsa-202408-06.xml61
-rw-r--r--metadata/glsa/glsa-202408-07.xml64
-rw-r--r--metadata/glsa/glsa-202408-08.xml42
-rw-r--r--metadata/glsa/glsa-202408-09.xml43
-rw-r--r--metadata/glsa/glsa-202408-10.xml44
-rw-r--r--metadata/glsa/glsa-202408-11.xml46
-rw-r--r--metadata/glsa/glsa-202408-12.xml42
-rw-r--r--metadata/glsa/glsa-202408-13.xml42
-rw-r--r--metadata/glsa/glsa-202408-14.xml42
-rw-r--r--metadata/glsa/glsa-202408-15.xml54
-rw-r--r--metadata/glsa/glsa-202408-16.xml42
-rw-r--r--metadata/glsa/glsa-202408-17.xml42
-rw-r--r--metadata/glsa/glsa-202408-18.xml53
-rw-r--r--metadata/glsa/glsa-202408-19.xml49
-rw-r--r--metadata/glsa/glsa-202408-20.xml88
-rw-r--r--metadata/glsa/glsa-202408-21.xml258
-rw-r--r--metadata/glsa/glsa-202408-22.xml46
-rw-r--r--metadata/glsa/glsa-202408-23.xml43
-rw-r--r--metadata/glsa/glsa-202408-24.xml55
-rw-r--r--metadata/glsa/glsa-202408-25.xml50
-rw-r--r--metadata/glsa/glsa-202408-26.xml43
-rw-r--r--metadata/glsa/glsa-202408-27.xml42
-rw-r--r--metadata/glsa/glsa-202408-28.xml42
-rw-r--r--metadata/glsa/glsa-202408-29.xml43
-rw-r--r--metadata/glsa/glsa-202408-30.xml42
-rw-r--r--metadata/glsa/glsa-202408-31.xml47
-rw-r--r--metadata/glsa/glsa-202408-32.xml71
-rw-r--r--metadata/glsa/glsa-202408-33.xml44
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
43 files changed, 2174 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index a186763f710a..ca2dd80e5df4 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 579171 BLAKE2B c503f3149ac98a81a2a72d2364a46176b3c285a1621a8af77978b4ede84a80db1977b0d8f154263b7c2bcc353216537aa1b1e8484ae4df3253f17c00c81c0761 SHA512 74d7e8c7054b78d2f3183d3c0366fa4a3d83835c364cd7b13c4eaf7bde990556a6cb8101a1ea11386306381222e788d3c418bebff9f98a1b2d701dcad1904056
-TIMESTAMP 2024-07-09T10:10:15Z
+MANIFEST Manifest.files.gz 585357 BLAKE2B 90b484a7cfadba26e75b941b109643027b5530ea0e0da6565b28a1492ef9b8c6cfc7254e54f18ef93a17f476c8c87b2c8309fbac1afa85d144cc4d664931e811 SHA512 f5bbc1b0b0163958f91ecc02b4f0422622112ac5c642a105fef46e39550fd8622a03abd647b830a766a072ad993d41863d2d1d5ca05368f5af8d868f03aaeae4
+TIMESTAMP 2024-09-04T10:10:48Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmaNDIdfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmbYMihfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klCpcg//ff91BFc6l8eAsaRVOHG2v62+yxJIiFc6PSTit7vv3zHK4hAYJjEe5EI0
-yAcwMowGpB4cVPf4+7TQYqaAousZyT0Lu8arEW3+Fbn5MXHTwzN/Q6ZJQbBG7VNN
-ruFefkF18aGnrDQCE6wFjd2FaiYkQ7j3eldfPPm+ng3jZTOHAJL7+WL4z9FARgah
-9dFXqNS4xAQTRFmXRnlsIBvYJrG5BkzL34IHnExYdECEvWvKtWKNz8aZV8siqHk0
-WzIQfIZKQCrBdk2ITxNrHEAt665EaJIw61q172U339C8PxJAdjmOEhHn3Wv0QCKG
-1zcqd+QLKVh3l+WtBBR/csPi7IsIA04iIsynJ9w+hucONJDPF1e1tXeNZEPUJPNv
-Znn4CPt7cpvSBpK3NjdFRs7UaucymBoDc3AJ6r3+mJpD67YgeaxU5TjLJCcrVGY2
-QVHqGg8cIjDCc4+dz6FExaXbsVzjEOcla7nY97XBa1XyvQmlx5YbotGS+0Bx7OrI
-+FKfNmJT3bf3wq+DyfdlTS7q7nEQhaMWK8+9LKJ9kX/UWUwkaMcYjQax4Qn7daCK
-oIKIYw2dVKk69oEvfCj2T0pkqRwdGDz8KF4kEe3HL8xfgG9Ry9dSR/2ssrdGhQla
-GrCMmHx+y1ixI1OBAU+JP3N345RInbiKNP/FfvZRlt6XDnFVTTg=
-=sDm4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+=67QZ
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index d4c1d9b1a29b..0e491fc1977a 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202407-23.xml b/metadata/glsa/glsa-202407-23.xml
new file mode 100644
index 000000000000..3015033820b0
--- /dev/null
+++ b/metadata/glsa/glsa-202407-23.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-23">
+ <title>LIVE555 Media Server: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in LIVE555 Media Server, the worst of which could lead to a denial of service.</synopsis>
+ <product type="ebuild">live</product>
+ <announced>2024-07-09</announced>
+ <revised count="1">2024-07-09</revised>
+ <bug>732598</bug>
+ <bug>807622</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="media-plugins/live" auto="yes" arch="*">
+ <unaffected range="ge">2021.08.24</unaffected>
+ <vulnerable range="lt">2021.08.24</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>LIVE555 Media Server is a set of libraries for multimedia streaming.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in LIVE555 Media Server. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All LIVE555 Media Server users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-plugins/live-2021.08.24"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-24027">CVE-2020-24027</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38380">CVE-2021-38380</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38381">CVE-2021-38381</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38382">CVE-2021-38382</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39282">CVE-2021-39282</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39283">CVE-2021-39283</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-09T13:09:03.649511Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-09T13:09:03.653871Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202407-24.xml b/metadata/glsa/glsa-202407-24.xml
new file mode 100644
index 000000000000..118703bb07d5
--- /dev/null
+++ b/metadata/glsa/glsa-202407-24.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-24">
+ <title>HarfBuzz: Denial of Service</title>
+ <synopsis>A vulnerability has been discovered in HarfBuzz, which can lead to a denial of service.</synopsis>
+ <product type="ebuild">harfbuzz</product>
+ <announced>2024-07-10</announced>
+ <revised count="1">2024-07-10</revised>
+ <bug>905310</bug>
+ <access>local</access>
+ <affected>
+ <package name="media-libs/harfbuzz" auto="yes" arch="*">
+ <unaffected range="ge">7.1.0</unaffected>
+ <vulnerable range="lt">7.1.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>HarfBuzz is an OpenType text shaping engine.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in HarfBuzz. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>hb-ot-layout-gsubgpos.hh in HarfBuzz allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All HarfBuzz users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/harfbuzz-7.1.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22006">CVE-2023-22006</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22036">CVE-2023-22036</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22041">CVE-2023-22041</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22044">CVE-2023-22044</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22045">CVE-2023-22045</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22049">CVE-2023-22049</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25193">CVE-2023-25193</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-10T06:11:01.173024Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-10T06:11:01.176040Z">graaff</metadata>
+</glsa> \ No newline at end of file
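Review bot: The advisory disagrees with itself about how many issues it covers. The `<title>` and `<synopsis>` announce a single denial of service, the `<description>` says "Multiple vulnerabilities have been discovered", and `<references>` lists seven CVEs while the `<impact>` text describes only the O(n^2) mark-attachment problem. The six CVE-2023-220xx entries look like they come from another product's advisory batch rather than from HarfBuzz itself; that is an inference and should be confirmed against bug 905310. If only CVE-2023-25193 applies, the description could read `<p>A vulnerability has been discovered in HarfBuzz. Please review the CVE identifier referenced below for details.</p>` with the reference list trimmed to match, so tooling that keys on the CVE list does not record unrelated CVEs as resolved by this upgrade.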
diff --git a/metadata/glsa/glsa-202407-25.xml b/metadata/glsa/glsa-202407-25.xml
new file mode 100644
index 000000000000..4b13514271a9
--- /dev/null
+++ b/metadata/glsa/glsa-202407-25.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-25">
+ <title>Buildah: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Buildah, the worst of which could lead to privilege escalation.</synopsis>
+ <product type="ebuild">buildah</product>
+ <announced>2024-07-10</announced>
+ <revised count="1">2024-07-10</revised>
+ <bug>923650</bug>
+ <bug>927499</bug>
+ <bug>927502</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-containers/buildah" auto="yes" arch="*">
+ <unaffected range="ge">1.35.3</unaffected>
+ <vulnerable range="lt">1.35.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Buildah is a tool that facilitates building Open Container Initiative (OCI) container images</p>
+ </background>
+ <description>
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Buildah users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-containers/buildah-1.35.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1753">CVE-2024-1753</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23651">CVE-2024-23651</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23652">CVE-2024-23652</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23653">CVE-2024-23653</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24786">CVE-2024-24786</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-10T06:35:05.025996Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-10T06:35:05.030840Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202407-26.xml b/metadata/glsa/glsa-202407-26.xml
new file mode 100644
index 000000000000..8c4b0b7ae73a
--- /dev/null
+++ b/metadata/glsa/glsa-202407-26.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-26">
+ <title>Dmidecode: Privilege Escalation</title>
+ <synopsis>A vulnerability has been discovered in Dmidecode, which can lead to privilege escalation.</synopsis>
+ <product type="ebuild">dmidecode</product>
+ <announced>2024-07-24</announced>
+ <revised count="1">2024-07-24</revised>
+ <bug>905093</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-apps/dmidecode" auto="yes" arch="*">
+ <unaffected range="ge">3.5</unaffected>
+ <vulnerable range="lt">3.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Dmidecode reports information about your system&#39;s hardware as described in your system BIOS according to the SMBIOS/DMI standard (see a sample output). This information typically includes system manufacturer, model name, serial number, BIOS version, asset tag as well as a lot of other details of varying level of interest and reliability depending on the manufacturer. This will often include usage status for the CPU sockets, expansion slots (e.g. AGP, PCI, ISA) and memory module slots, and the list of I/O ports (e.g. serial, parallel, USB).</p>
+ </background>
+ <description>
+ <p>Dmidecode -dump-bin can overwrite a local file. This has security relevance because, for example, execution of Dmidecode via sudo is plausible.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifier for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Dmidecode users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/dmidecode-3.5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30630">CVE-2023-30630</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-24T06:06:10.030561Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-24T06:06:10.033680Z">graaff</metadata>
+</glsa> \ No newline at end of file
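Review bot: The `<description>` spells the option as `-dump-bin`, which reads as a typo for the long option `--dump-bin`. An administrator grepping sudoers rules or shell history for the risky invocation would not match the string as written; suggest `<p>Dmidecode --dump-bin can overwrite a local file. ...</p>`. The `<background>` paragraph also carries "(see a sample output)", which looks like link text copied from the upstream page with the link lost, and can be dropped. Because the description itself names sudo as the relevant exposure, the advisory could add a sentence telling readers to review any sudo rule that lets unprivileged users run dmidecode with arbitrary arguments.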
diff --git a/metadata/glsa/glsa-202407-27.xml b/metadata/glsa/glsa-202407-27.xml
new file mode 100644
index 000000000000..8848a48c5463
--- /dev/null
+++ b/metadata/glsa/glsa-202407-27.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-27">
+ <title>ExifTool: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in ExifTool, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">exiftool</product>
+ <announced>2024-07-24</announced>
+ <revised count="1">2024-07-24</revised>
+ <bug>785667</bug>
+ <bug>791397</bug>
+ <bug>803317</bug>
+ <bug>832033</bug>
+ <access>local</access>
+ <affected>
+ <package name="media-libs/exiftool" auto="yes" arch="*">
+ <unaffected range="ge">12.42</unaffected>
+ <vulnerable range="lt">12.42</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in ExifTool. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ExifTool users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/exiftool-12.42"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22204">CVE-2021-22204</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23935">CVE-2022-23935</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-24T06:08:31.681636Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-24T06:08:31.685111Z">graaff</metadata>
+</glsa> \ No newline at end of file
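Review bot: `<impact type="normal">` sits oddly next to a synopsis stating that the worst issue "could lead to arbitrary code execution", and consumers that triage advisories by impact type will rank this below the container advisories in this commit that are marked `high`. The same pairing appears in glsa-202408-04 (title "Remote Code Execution", `type="normal"`) and glsa-202408-05 (synopsis mentions possible remote code execution, `type="normal"`). If the rating is deliberate under the project's severity policy, replace the placeholder impact sentence with one that says under what condition code execution is reachable; otherwise consider `<impact type="high">`. The title also writes "Multiple vulnerabilities" where the other advisories in this commit capitalise "Vulnerabilities".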
diff --git a/metadata/glsa/glsa-202407-28.xml b/metadata/glsa/glsa-202407-28.xml
new file mode 100644
index 000000000000..67adc3da0912
--- /dev/null
+++ b/metadata/glsa/glsa-202407-28.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-28">
+ <title>Freenet: Deanonymization Vulnerability</title>
+ <synopsis>A vulnerability has been discovered in Freenet, which can lead to deanonymization due to path folding.</synopsis>
+ <product type="ebuild">freenet</product>
+ <announced>2024-07-24</announced>
+ <revised count="1">2024-07-24</revised>
+ <bug>904441</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-p2p/freenet" auto="yes" arch="*">
+ <unaffected range="ge">0.7.5_p1497</unaffected>
+ <vulnerable range="lt">0.7.5_p1497</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Freenet is an encrypted network without censorship.</p>
+ </background>
+ <description>
+ <p>This release fixes a severe vulnerability in path folding that allowed
+to distinguish between downloaders and forwarders with an adapted
+node that is directly connected via opennet.</p>
+ </description>
+ <impact type="normal">
+ <p>This release fixes a severe vulnerability in path folding that allowed
+to distinguish between downloaders and forwarders with an adapted
+node that is directly connected via opennet.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Freenet users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-p2p/freenet-0.7.5_p1497"
+ </code>
+ </resolution>
+ <references>
+ </references>
+ <metadata tag="requester" timestamp="2024-07-24T06:10:44.345056Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-07-24T06:10:44.351516Z">graaff</metadata>
+</glsa> \ No newline at end of file
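Review bot: `<references>` is empty and the `<impact>` paragraph is a verbatim copy of the `<description>`, which itself is an upstream release-note sentence ("This release fixes ..."), so a reader has no identifier or upstream link to verify the issue and no statement of what an affected user actually risks. The same pattern (duplicated description and impact, empty `<references>`) appears in glsa-202408-04 for Levenshtein. Suggest adding at least the upstream release announcement as a `<uri link="UPSTREAM_ANNOUNCEMENT_URL">` entry (placeholder, the page does not give the URL) and rewriting the impact in terms of consequence, for example `<p>A peer directly connected via opennet could distinguish downloaders from forwarders, deanonymizing the requesting user.</p>`. The two paragraphs are also hard-wrapped at column 0 inside `<p>`, unlike the other advisories, which puts stray newlines into the rendered text.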
diff --git a/metadata/glsa/glsa-202408-01.xml b/metadata/glsa/glsa-202408-01.xml
new file mode 100644
index 000000000000..29248eda12dd
--- /dev/null
+++ b/metadata/glsa/glsa-202408-01.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-01">
+ <title>containerd: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in containerd, the worst of which could lead to privilege escalation.</synopsis>
+ <product type="ebuild">containerd</product>
+ <announced>2024-08-06</announced>
+ <revised count="1">2024-08-06</revised>
+ <bug>897960</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-containers/containerd" auto="yes" arch="*">
+ <unaffected range="ge">1.6.19</unaffected>
+ <vulnerable range="lt">1.6.19</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>containerd is a daemon with an API and a command line client, to manage containers on one machine. It uses runC to run containers according to the OCI specification.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in containerd. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All containerd users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-containers/containerd-1.6.19"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25153">CVE-2023-25153</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25173">CVE-2023-25173</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-06T05:38:04.316179Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-06T05:38:04.318621Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-02.xml b/metadata/glsa/glsa-202408-02.xml
new file mode 100644
index 000000000000..52ce5cddf816
--- /dev/null
+++ b/metadata/glsa/glsa-202408-02.xml
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-02">
+ <title>Mozilla Firefox: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could lead to remote code execution.</synopsis>
+ <product type="ebuild">firefox,firefox-bin</product>
+ <announced>2024-08-06</announced>
+ <revised count="1">2024-08-06</revised>
+ <bug>930380</bug>
+ <bug>932374</bug>
+ <bug>935550</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge" slot="rapid">127.0</unaffected>
+ <unaffected range="ge" slot="esr">115.12.0</unaffected>
+ <vulnerable range="lt" slot="rapid">127.0</vulnerable>
+ <vulnerable range="lt" slot="esr">115.12.0</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge" slot="rapid">127.0</unaffected>
+ <unaffected range="ge" slot="esr">115.12.0</unaffected>
+ <vulnerable range="lt" slot="rapid">127.0</vulnerable>
+ <vulnerable range="lt" slot="esr">115.12.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-127.0:rapid"
+ </code>
+
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-127.0:rapid"
+ </code>
+
+ <p>All Mozilla Firefox ESR users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-115.12.0:esr"
+ </code>
+
+ <p>All Mozilla Firefox ESR binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.12.0:esr"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2609">CVE-2024-2609</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3302">CVE-2024-3302</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3853">CVE-2024-3853</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3854">CVE-2024-3854</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3855">CVE-2024-3855</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3856">CVE-2024-3856</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3857">CVE-2024-3857</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3858">CVE-2024-3858</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3859">CVE-2024-3859</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3860">CVE-2024-3860</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3861">CVE-2024-3861</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3862">CVE-2024-3862</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3864">CVE-2024-3864</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3865">CVE-2024-3865</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4764">CVE-2024-4764</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4765">CVE-2024-4765</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4766">CVE-2024-4766</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4771">CVE-2024-4771</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4772">CVE-2024-4772</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4773">CVE-2024-4773</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4774">CVE-2024-4774</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4775">CVE-2024-4775</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4776">CVE-2024-4776</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4778">CVE-2024-4778</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5689">CVE-2024-5689</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5693">CVE-2024-5693</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5694">CVE-2024-5694</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5695">CVE-2024-5695</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5696">CVE-2024-5696</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5697">CVE-2024-5697</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5698">CVE-2024-5698</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5699">CVE-2024-5699</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5700">CVE-2024-5700</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5701">CVE-2024-5701</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5702">CVE-2024-5702</uri>
+ <uri>MFSA-2024-25</uri>
+ <uri>MFSA-2024-26</uri>
+ <uri>MFSA-2024-28</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-06T05:40:35.041061Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-06T05:40:35.043479Z">graaff</metadata>
+</glsa> \ No newline at end of file
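Review bot: The three `<uri>MFSA-2024-25</uri>`, `<uri>MFSA-2024-26</uri>` and `<uri>MFSA-2024-28</uri>` entries at the end of `<references>` have no `link` attribute, unlike every CVE entry above them, so renderers will show them as plain text and link checkers or importers that read `link` will skip the vendor advisories. Suggest giving each its Mozilla advisory URL, e.g. `<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2024-25/">MFSA-2024-25</uri>`. If the generating tool emitted these without a link, the fix probably belongs in the tool rather than in this file.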
diff --git a/metadata/glsa/glsa-202408-03.xml b/metadata/glsa/glsa-202408-03.xml
new file mode 100644
index 000000000000..f6ce21719e37
--- /dev/null
+++ b/metadata/glsa/glsa-202408-03.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-03">
+ <title>libXpm: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulberabilities have been discovered in libXpm, the worst of which could lead to a denial of service.</synopsis>
+ <product type="ebuild">libXpm</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>891209</bug>
+ <bug>915130</bug>
+ <access>local</access>
+ <affected>
+ <package name="x11-libs/libXpm" auto="yes" arch="*">
+ <unaffected range="ge">3.5.17</unaffected>
+ <vulnerable range="lt">3.5.17</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The X PixMap image format is an extension of the monochrome X BitMap format specified in the X protocol, and is commonly used in traditional X applications.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libXpm. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libXpm users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-libs/libXpm-3.5.17"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4883">CVE-2022-4883</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44617">CVE-2022-44617</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46285">CVE-2022-46285</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43788">CVE-2023-43788</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43789">CVE-2023-43789</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T05:22:06.419014Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T05:22:06.422663Z">graaff</metadata>
+</glsa> \ No newline at end of file
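Review bot: The `<synopsis>` misspells "vulnerabilities" as "vulberabilities"; it should read `<synopsis>Multiple vulnerabilities have been discovered in libXpm, the worst of which could lead to a denial of service.</synopsis>`. The synopsis is the line most often shown in advisory listings and mail subjects, so the typo will propagate and will defeat simple text searches over advisories.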
diff --git a/metadata/glsa/glsa-202408-04.xml b/metadata/glsa/glsa-202408-04.xml
new file mode 100644
index 000000000000..ad612f044619
--- /dev/null
+++ b/metadata/glsa/glsa-202408-04.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-04">
+ <title>Levenshtein: Remote Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Levenshtein, which could lead to a remote code execution.</synopsis>
+ <product type="ebuild">Levenshtein</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>766009</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/Levenshtein" auto="yes" arch="*">
+ <unaffected range="ge">0.12.1</unaffected>
+ <vulnerable range="lt">0.12.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Levenshtein is a Python extension for computing string edit distances and similarities.</p>
+ </background>
+ <description>
+ <p>Fixed handling of numerous possible wraparounds in calculating the size of memory allocations; incorrect handling of which could cause denial of service or even possible remote code execution.</p>
+ </description>
+ <impact type="normal">
+ <p>Fixed handling of numerous possible wraparounds in calculating the size of memory allocations; incorrect handling of which could cause denial of service or even possible remote code execution.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Levenshtein users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/Levenshtein-0.12.1"
+ </code>
+ </resolution>
+ <references>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T06:14:52.905613Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T06:14:52.912037Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-05.xml b/metadata/glsa/glsa-202408-05.xml
new file mode 100644
index 000000000000..8919fc8f3b73
--- /dev/null
+++ b/metadata/glsa/glsa-202408-05.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-05">
+ <title>Redis: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Redis, the worst of which may lead to a denial of service or possible remote code execution.</synopsis>
+ <product type="ebuild">redis</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>891169</bug>
+ <bug>898464</bug>
+ <bug>902501</bug>
+ <bug>904486</bug>
+ <bug>910191</bug>
+ <bug>913741</bug>
+ <bug>915989</bug>
+ <bug>921662</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="dev-db/redis" auto="yes" arch="*">
+ <unaffected range="ge">7.2.4</unaffected>
+ <vulnerable range="lt">7.2.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Redis. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Redis users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/redis-7.2.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24834">CVE-2022-24834</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35977">CVE-2022-35977</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36021">CVE-2022-36021</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22458">CVE-2023-22458</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25155">CVE-2023-25155</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28425">CVE-2023-28425</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28856">CVE-2023-28856</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36824">CVE-2023-36824</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-41053">CVE-2023-41053</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-41056">CVE-2023-41056</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45145">CVE-2023-45145</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T06:33:13.322960Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T06:33:13.327235Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-06.xml b/metadata/glsa/glsa-202408-06.xml
new file mode 100644
index 000000000000..94803695ca59
--- /dev/null
+++ b/metadata/glsa/glsa-202408-06.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-06">
+ <title>PostgreSQL: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in PostgreSQL, the worst of which could lead to privilege escalation or denial of service.</synopsis>
+ <product type="ebuild">postgresql</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>903193</bug>
+ <bug>912251</bug>
+ <bug>917153</bug>
+ <bug>924110</bug>
+ <bug>931849</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-db/postgresql" auto="yes" arch="*">
+ <unaffected range="ge" slot="12">12.19</unaffected>
+ <unaffected range="ge" slot="13">13.14</unaffected>
+ <unaffected range="ge" slot="14">14.12-r1</unaffected>
+ <unaffected range="ge" slot="15">15.7-r1</unaffected>
+ <unaffected range="ge" slot="16">16.3-r1</unaffected>
+ <vulnerable range="lt">12</vulnerable>
+ <vulnerable range="lt" slot="12">12.19</vulnerable>
+ <vulnerable range="lt" slot="13">13.14</vulnerable>
+ <vulnerable range="lt" slot="14">14.12-r1</vulnerable>
+ <vulnerable range="lt" slot="15">15.7-r1</vulnerable>
+ <vulnerable range="lt" slot="16">16.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PostgreSQL is an open source object-relational database management system.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PostgreSQL users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.3-r1:16"
+ </code>
+
+ <p>Or update an older slot if that is still in use.</p>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5868">CVE-2023-5868</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5869">CVE-2023-5869</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5870">CVE-2023-5870</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0985">CVE-2024-0985</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4317">CVE-2024-4317</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T08:28:46.588202Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T08:28:46.591128Z">graaff</metadata>
+</glsa> \ No newline at end of file
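Review bot: The `<resolution>` gives a concrete command only for slot 16, and the follow-up sentence `Or update an older slot if that is still in use.` leaves users of slots 12 to 15 to work out the fixed atom themselves. The fixed versions are already listed under `<affected>`, so the resolution could name them, for example `# emerge --ask --oneshot --verbose ">=dev-db/postgresql-15.7-r1:15"`, and likewise `>=dev-db/postgresql-14.12-r1:14`, `>=dev-db/postgresql-13.14:13` and `>=dev-db/postgresql-12.19:12`. The unslotted `<vulnerable range="lt">12</vulnerable>` entry has no upgrade path in the text either; one sentence telling users of slots below 12 to move to a listed slot would close that gap.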
diff --git a/metadata/glsa/glsa-202408-07.xml b/metadata/glsa/glsa-202408-07.xml
new file mode 100644
index 000000000000..ca4e07832cac
--- /dev/null
+++ b/metadata/glsa/glsa-202408-07.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-07">
+ <title>Go: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Go, the worst of which could lead to information leakage or a denial of service.</synopsis>
+ <product type="ebuild">go</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>906043</bug>
+ <bug>919310</bug>
+ <bug>926530</bug>
+ <bug>928539</bug>
+ <bug>931602</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/go" auto="yes" arch="*">
+ <unaffected range="ge">1.22.3</unaffected>
+ <vulnerable range="lt">1.22.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Go. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Go users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/go-1.22.3"
+ </code>
+
+ <p>Due to Go programs typically being statically compiled, Go users should also recompile the reverse dependencies of the Go language to ensure statically linked programs are remediated:</p>
+
+ <code>
+ # emerge --ask --oneshot --verbose @golang-rebuild
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24539">CVE-2023-24539</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24540">CVE-2023-24540</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29400">CVE-2023-29400</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39326">CVE-2023-39326</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45283">CVE-2023-45283</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45285">CVE-2023-45285</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45288">CVE-2023-45288</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45289">CVE-2023-45289</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45290">CVE-2023-45290</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24783">CVE-2024-24783</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24784">CVE-2024-24784</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24785">CVE-2024-24785</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24788">CVE-2024-24788</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T09:30:13.961626Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T09:30:13.964984Z">graaff</metadata>
+</glsa> \ No newline at end of file
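Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line points at an external DTD over plain HTTP, and the same line opens every advisory file added in this diff. A consumer that parses these files with external DTD loading enabled would fetch the grammar over an unauthenticated channel. Tools reading this data should therefore parse with DTD and external-entity loading turned off, or resolve the identifier from a local catalog. If the project's tooling does not match on the exact string, `https://www.gentoo.org/dtd/glsa.dtd` would be the safer system identifier. As this is a repository-wide convention, it probably belongs in a separate change.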
diff --git a/metadata/glsa/glsa-202408-08.xml b/metadata/glsa/glsa-202408-08.xml
new file mode 100644
index 000000000000..cf494b232eb2
--- /dev/null
+++ b/metadata/glsa/glsa-202408-08.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-08">
+ <title>json-c: Buffer Overflow</title>
+ <synopsis>A vulnerability has been discovered in json-c, which can lead to a stack buffer overflow.</synopsis>
+ <product type="ebuild">json-c</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>918555</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/json-c" auto="yes" arch="*">
+ <unaffected range="ge">0.16</unaffected>
+ <vulnerable range="lt">0.16</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>json-c is a JSON implementation in C.</p>
+ </background>
+ <description>
+ <p>Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All json-c users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/json-c-0.16"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32292">CVE-2021-32292</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T11:00:32.063764Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T11:00:32.067004Z">graaff</metadata>
+</glsa> \ No newline at end of file
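Review bot: `<description>` and `<impact>` look swapped in this advisory. The description is only the placeholder `Please review the CVE identifier referenced below for details.`, while `<impact>` holds the sentence that describes the defect (`A stack-buffer-overflow exists in the auxiliary sample program json_parse ...`) and states no consequence. Moving that sentence into `<description>` and giving `<impact>` the outcome would match how the synopsis reads. Since the text places the flaw in an auxiliary sample program, `<access>remote</access>` is worth a second look as well. glsa-202408-12.xml (Bitcoin) and glsa-202408-17.xml (Nautilus) have the same description/impact arrangement.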
diff --git a/metadata/glsa/glsa-202408-09.xml b/metadata/glsa/glsa-202408-09.xml
new file mode 100644
index 000000000000..128ef86c9f51
--- /dev/null
+++ b/metadata/glsa/glsa-202408-09.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-09">
+ <title>Cairo: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Cairo, the worst of which a denial of service.</synopsis>
+ <product type="ebuild">cairo</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>717778</bug>
+ <access>local</access>
+ <affected>
+ <package name="x11-libs/cairo" auto="yes" arch="*">
+ <unaffected range="ge">1.18.0</unaffected>
+ <vulnerable range="lt">1.18.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Cairo is a 2D vector graphics library with cross-device output support.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Cairo. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Cairo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.18.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6461">CVE-2019-6461</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6462">CVE-2019-6462</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T11:19:32.821340Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T11:19:32.823921Z">graaff</metadata>
+</glsa> \ No newline at end of file
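Review bot: The `<synopsis>` sentence is missing its verb: it ends with `the worst of which a denial of service.` It should read `the worst of which could lead to a denial of service.`, which is the wording the other multi-vulnerability advisories in this diff use. The synopsis is presumably the line shown in advisory listings, so the broken sentence is likely to be what users see first.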
diff --git a/metadata/glsa/glsa-202408-10.xml b/metadata/glsa/glsa-202408-10.xml
new file mode 100644
index 000000000000..67c3d6759ddb
--- /dev/null
+++ b/metadata/glsa/glsa-202408-10.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-10">
+ <title>nghttp2: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in nghttp2, the worst of which could lead to a denial of service.</synopsis>
+ <product type="ebuild">nghttp2</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>915554</bug>
+ <bug>928541</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/nghttp2" auto="yes" arch="*">
+ <unaffected range="ge">1.61.0</unaffected>
+ <vulnerable range="lt">1.61.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Nghttp2 is an implementation of HTTP/2 and its header compression algorithm HPACK in C.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in nghttp2. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All nghttp2 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/nghttp2-1.61.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44487">CVE-2023-44487</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-28182">CVE-2024-28182</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T11:37:22.663338Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T11:37:22.666444Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-11.xml b/metadata/glsa/glsa-202408-11.xml
new file mode 100644
index 000000000000..abd50b3cf8d4
--- /dev/null
+++ b/metadata/glsa/glsa-202408-11.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-11">
+ <title>aiohttp: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in aiohttp, the worst of which could lead to service compromise.</synopsis>
+ <product type="ebuild">aiohttp</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>918541</bug>
+ <bug>918968</bug>
+ <bug>931097</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/aiohttp" auto="yes" arch="*">
+ <unaffected range="ge">3.9.4</unaffected>
+ <vulnerable range="lt">3.9.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in aiohttp. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All aiohttp users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/aiohttp-3.9.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-47641">CVE-2023-47641</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49082">CVE-2023-49082</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-30251">CVE-2024-30251</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T11:59:46.382696Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T11:59:46.386364Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-12.xml b/metadata/glsa/glsa-202408-12.xml
new file mode 100644
index 000000000000..1f3fb6d92cb9
--- /dev/null
+++ b/metadata/glsa/glsa-202408-12.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-12">
+ <title>Bitcoin: Denial of Service</title>
+ <synopsis>A vulnerability has been discovered in Bitcoin, which can lead to a denial of service.</synopsis>
+ <product type="ebuild">bitcoind</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>908084</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-p2p/bitcoind" auto="yes" arch="*">
+ <unaffected range="ge">25.0</unaffected>
+ <vulnerable range="lt">25.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Bitcoin Core consists of both &#34;full-node&#34; software for fully validating the blockchain as well as a bitcoin wallet.</p>
+ </background>
+ <description>
+ <p>Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Bitcoin Core, when debug mode is not used, allows attackers to cause a denial of service (CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Bitcoin users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-p2p/bitcoind-25.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33297">CVE-2023-33297</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T12:34:53.892565Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T12:34:53.895329Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-13.xml b/metadata/glsa/glsa-202408-13.xml
new file mode 100644
index 000000000000..e1fa4574c49b
--- /dev/null
+++ b/metadata/glsa/glsa-202408-13.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-13">
+ <title>Nokogiri: Denial of Service</title>
+ <synopsis>A vulnerability has been discovered in Nokogiri, which can lead to a denial of service.</synopsis>
+ <product type="ebuild">nokogiri</product>
+ <announced>2024-08-07</announced>
+ <revised count="1">2024-08-07</revised>
+ <bug>884863</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-ruby/nokogiri" auto="yes" arch="*">
+ <unaffected range="ge">1.13.10</unaffected>
+ <vulnerable range="lt">1.13.10</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Nokogiri is an HTML, XML, SAX, and Reader parser.</p>
+ </background>
+ <description>
+ <p>A denial of service vulnerability has been discovered in Nokogiri. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Nokogiri fails to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack.</p>
+ </impact>
+ <workaround>
+ <p>Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.</p>
+ </workaround>
+ <resolution>
+ <p>All Nokogiri users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.10"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23476">CVE-2022-23476</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-07T13:11:11.971415Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-07T13:11:11.974740Z">graaff</metadata>
+</glsa> \ No newline at end of file
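Review bot: The `<workaround>` paragraph describes a way to check exposure, not a workaround. Searching for calls to `XML::Reader#attributes` or `XML::Reader#attribute_hash` tells a user whether they are affected but mitigates nothing. I would move that sentence into `<description>` and let `<workaround>` say `There is no known workaround at this time.`, as the other advisories do. `<access>local</access>` also sits oddly next to an impact text about parsing untrusted input; if that input can arrive over the network, `remote` may be the better value.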
diff --git a/metadata/glsa/glsa-202408-14.xml b/metadata/glsa/glsa-202408-14.xml
new file mode 100644
index 000000000000..094f1742184f
--- /dev/null
+++ b/metadata/glsa/glsa-202408-14.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-14">
+ <title>Librsvg: Arbitrary File Read</title>
+ <synopsis>A vulnerability has been discovered in Librsvg, which can lead to arbitrary file reads.</synopsis>
+ <product type="ebuild">librsvg</product>
+ <announced>2024-08-09</announced>
+ <revised count="1">2024-08-09</revised>
+ <bug>918100</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="gnome-base/librsvg" auto="yes" arch="*">
+ <unaffected range="ge">2.56.3</unaffected>
+ <vulnerable range="lt">2.56.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Librsvg is a library to render SVG files using cairo as a rendering engine.</p>
+ </background>
+ <description>
+ <p>A directory traversal problem in the URL decoder of librsvg could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=&#34;.?../../../../../../../../../../etc/passwd&#34; in an xi:include element.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifier for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Librsvg users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=gnome-base/librsvg-2.56.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38633">CVE-2023-38633</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-09T06:49:19.778412Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-09T06:49:19.781284Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-15.xml b/metadata/glsa/glsa-202408-15.xml
new file mode 100644
index 000000000000..c1c44f043f37
--- /dev/null
+++ b/metadata/glsa/glsa-202408-15.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-15">
+ <title>Percona XtraBackup: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Percona XtraBackup, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">percona-xtrabackup,percona-xtrabackup-bin</product>
+ <announced>2024-08-09</announced>
+ <revised count="1">2024-08-09</revised>
+ <bug>849389</bug>
+ <bug>908033</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-db/percona-xtrabackup" auto="yes" arch="*">
+ <unaffected range="ge">8.0.29.22</unaffected>
+ <vulnerable range="lt">8.0.29.22</vulnerable>
+ </package>
+ <package name="dev-db/percona-xtrabackup-bin" auto="yes" arch="*">
+ <vulnerable range="lt">8.0.29.22</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Percona XtraBackup is a complete and open source online backup solution for all versions of MySQL.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Percona XtraBackup. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Percona XtraBackup users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/percona-xtrabackup-8.0.29.22"
+ </code>
+
+ <p>Gentoo has discontinued support for the binary package. Users should remove this from their system:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --verbose --depclean "dev-db/percona-xtrabackup-bin"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-25834">CVE-2022-25834</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26944">CVE-2022-26944</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-09T06:59:52.845544Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-09T06:59:52.849111Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-16.xml b/metadata/glsa/glsa-202408-16.xml
new file mode 100644
index 000000000000..ad2e807cf89f
--- /dev/null
+++ b/metadata/glsa/glsa-202408-16.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-16">
+ <title>re2c: Denial of Service</title>
+ <synopsis>A vulnerability has been discovered in re2c, which can lead to a denial of service.</synopsis>
+ <product type="ebuild">re2c</product>
+ <announced>2024-08-09</announced>
+ <revised count="1">2024-08-09</revised>
+ <bug>719872</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-util/re2c" auto="yes" arch="*">
+ <unaffected range="ge">2.0</unaffected>
+ <vulnerable range="lt">2.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>re2c is a tool for generating C-based recognizers from regular expressions.</p>
+ </background>
+ <description>
+ <p>Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the CVE identifier referenced below for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All re2c users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-util/re2c-2.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-21232">CVE-2018-21232</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-09T07:09:13.470150Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-09T07:09:13.473932Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-17.xml b/metadata/glsa/glsa-202408-17.xml
new file mode 100644
index 000000000000..40b55f8c2384
--- /dev/null
+++ b/metadata/glsa/glsa-202408-17.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-17">
+ <title>Nautilus: Denial of Service</title>
+ <synopsis>A vulnerability has been discovered in Nautilus, which can lead to a denial of service.</synopsis>
+ <product type="ebuild">nautilus</product>
+ <announced>2024-08-09</announced>
+ <revised count="1">2024-08-09</revised>
+ <bug>881509</bug>
+ <access>local</access>
+ <affected>
+ <package name="gnome-base/nautilus" auto="yes" arch="*">
+ <unaffected range="ge">44.0</unaffected>
+ <vulnerable range="lt">44.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Default file manager for the GNOME desktop</p>
+ </background>
+ <description>
+ <p>Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>GNOME Nautilus allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Nautilus users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=gnome-base/nautilus-44.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-37290">CVE-2022-37290</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-09T09:22:03.162678Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-09T09:22:03.165420Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-18.xml b/metadata/glsa/glsa-202408-18.xml
new file mode 100644
index 000000000000..5de6c546b4b1
--- /dev/null
+++ b/metadata/glsa/glsa-202408-18.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-18">
+ <title>QEMU: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in QEMU, the worst of which could lead to a denial of service.</synopsis>
+ <product type="ebuild">qemu</product>
+ <announced>2024-08-09</announced>
+ <revised count="1">2024-08-09</revised>
+ <bug>857657</bug>
+ <bug>865121</bug>
+ <bug>883693</bug>
+ <bug>909542</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-emulation/qemu" auto="yes" arch="*">
+ <unaffected range="ge">8.0.0</unaffected>
+ <vulnerable range="lt">8.0.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>QEMU is a generic and open source machine emulator and virtualizer.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All QEMU users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/qemu-8.0.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14394">CVE-2020-14394</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0216">CVE-2022-0216</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1050">CVE-2022-1050</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2962">CVE-2022-2962</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4144">CVE-2022-4144</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4172">CVE-2022-4172</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35414">CVE-2022-35414</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-1544">CVE-2023-1544</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2861">CVE-2023-2861</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-09T09:49:28.328653Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-09T09:49:28.332697Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-19.xml b/metadata/glsa/glsa-202408-19.xml
new file mode 100644
index 000000000000..423557b67ab8
--- /dev/null
+++ b/metadata/glsa/glsa-202408-19.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-19">
+ <title>ncurses: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in ncurses, the worst of which could lead to a denial of service.</synopsis>
+ <product type="ebuild">ncurses,ncurses-compat</product>
+ <announced>2024-08-09</announced>
+ <revised count="1">2024-08-09</revised>
+ <bug>839351</bug>
+ <bug>904247</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-libs/ncurses" auto="yes" arch="*">
+ <unaffected range="ge">6.4_p20230408</unaffected>
+ <vulnerable range="lt">6.4_p20230408</vulnerable>
+ </package>
+ <package name="sys-libs/ncurses-compat" auto="yes" arch="*">
+ <unaffected range="ge">6.4_p20240330</unaffected>
+ <vulnerable range="lt">6.4_p20240330</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Free software emulation of curses in System V.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in ncurses. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ncurses users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-libs/ncurses-6.4_p20230408"
+ # emerge --ask --oneshot --verbose ">=sys-libs/ncurses-compat-6.4_p20240330"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29458">CVE-2022-29458</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29491">CVE-2023-29491</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-09T11:05:25.778609Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-09T11:05:25.782155Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-20.xml b/metadata/glsa/glsa-202408-20.xml
new file mode 100644
index 000000000000..3d9048c60c76
--- /dev/null
+++ b/metadata/glsa/glsa-202408-20.xml
@@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-20">
+ <title>libde265: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">libde265</product>
+ <announced>2024-08-10</announced>
+ <revised count="1">2024-08-10</revised>
+ <bug>813486</bug>
+ <bug>889876</bug>
+ <access>local</access>
+ <affected>
+ <package name="media-libs/libde265" auto="yes" arch="*">
+ <unaffected range="ge">1.0.11</unaffected>
+ <vulnerable range="lt">1.0.11</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Open h.265 video codec implementation.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libde265. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libde265 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libde265-1.0.11"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21594">CVE-2020-21594</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21595">CVE-2020-21595</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21596">CVE-2020-21596</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21597">CVE-2020-21597</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21598">CVE-2020-21598</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21599">CVE-2020-21599</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21600">CVE-2020-21600</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21601">CVE-2020-21601</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21602">CVE-2020-21602</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21603">CVE-2020-21603</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21604">CVE-2020-21604</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21605">CVE-2020-21605</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-21606">CVE-2020-21606</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35452">CVE-2021-35452</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36408">CVE-2021-36408</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36409">CVE-2021-36409</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36410">CVE-2021-36410</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36411">CVE-2021-36411</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1253">CVE-2022-1253</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43235">CVE-2022-43235</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43236">CVE-2022-43236</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43237">CVE-2022-43237</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43238">CVE-2022-43238</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43239">CVE-2022-43239</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43240">CVE-2022-43240</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43241">CVE-2022-43241</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43242">CVE-2022-43242</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43243">CVE-2022-43243</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43244">CVE-2022-43244</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43245">CVE-2022-43245</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43248">CVE-2022-43248</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43249">CVE-2022-43249</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43250">CVE-2022-43250</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43252">CVE-2022-43252</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43253">CVE-2022-43253</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47655">CVE-2022-47655</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47664">CVE-2022-47664</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47665">CVE-2022-47665</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24751">CVE-2023-24751</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24752">CVE-2023-24752</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24754">CVE-2023-24754</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24755">CVE-2023-24755</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24756">CVE-2023-24756</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24757">CVE-2023-24757</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24758">CVE-2023-24758</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25221">CVE-2023-25221</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-10T05:53:21.175447Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-10T05:53:21.178987Z">graaff</metadata>
+</glsa> \ No newline at end of file
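Review bot: The `<impact>` paragraph is only the placeholder `Please review the referenced CVE identifiers for details.`, while the synopsis names arbitrary code execution as the worst case and `<references>` holds 46 CVEs, so the advisory alone does not tell an operator what kind of input reaches that worst case. A one-sentence impact summary drawn from the referenced CVE records would let this be triaged without opening each NVD entry. The same placeholder is used in glsa-202408-21, glsa-202408-22 and glsa-202408-23 below. It is also worth confirming `<access>local</access>` here: the GPAC advisory in this commit, another media-handling package with a code-execution worst case, is marked `remote`, and nothing on the page explains the difference.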
diff --git a/metadata/glsa/glsa-202408-21.xml b/metadata/glsa/glsa-202408-21.xml
new file mode 100644
index 000000000000..ec29aa5d80f1
--- /dev/null
+++ b/metadata/glsa/glsa-202408-21.xml
@@ -0,0 +1,258 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-21">
+ <title>GPAC: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">gpac</product>
+ <announced>2024-08-10</announced>
+ <revised count="1">2024-08-10</revised>
+ <bug>785649</bug>
+ <bug>835341</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-video/gpac" auto="yes" arch="*">
+ <unaffected range="ge">2.2.0</unaffected>
+ <vulnerable range="lt">2.2.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GPAC is an implementation of the MPEG-4 Systems standard developed from scratch in ANSI C.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GPAC. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GPAC users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/gpac-2.2.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22673">CVE-2020-22673</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22674">CVE-2020-22674</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22675">CVE-2020-22675</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22677">CVE-2020-22677</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22678">CVE-2020-22678</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-22679">CVE-2020-22679</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25427">CVE-2020-25427</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35979">CVE-2020-35979</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35980">CVE-2020-35980</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35981">CVE-2020-35981</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35982">CVE-2020-35982</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4043">CVE-2021-4043</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21834">CVE-2021-21834</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21835">CVE-2021-21835</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21836">CVE-2021-21836</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21837">CVE-2021-21837</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21838">CVE-2021-21838</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21839">CVE-2021-21839</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21840">CVE-2021-21840</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21841">CVE-2021-21841</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21842">CVE-2021-21842</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21843">CVE-2021-21843</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21844">CVE-2021-21844</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21845">CVE-2021-21845</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21846">CVE-2021-21846</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21847">CVE-2021-21847</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21848">CVE-2021-21848</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21849">CVE-2021-21849</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21850">CVE-2021-21850</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21851">CVE-2021-21851</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21852">CVE-2021-21852</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21853">CVE-2021-21853</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21854">CVE-2021-21854</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21855">CVE-2021-21855</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21856">CVE-2021-21856</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21857">CVE-2021-21857</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21858">CVE-2021-21858</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21859">CVE-2021-21859</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21860">CVE-2021-21860</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21861">CVE-2021-21861</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21862">CVE-2021-21862</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30014">CVE-2021-30014</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30015">CVE-2021-30015</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30019">CVE-2021-30019</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30020">CVE-2021-30020</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30022">CVE-2021-30022</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30199">CVE-2021-30199</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31254">CVE-2021-31254</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31255">CVE-2021-31255</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31256">CVE-2021-31256</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31257">CVE-2021-31257</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31258">CVE-2021-31258</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31259">CVE-2021-31259</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31260">CVE-2021-31260</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31261">CVE-2021-31261</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31262">CVE-2021-31262</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32132">CVE-2021-32132</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32134">CVE-2021-32134</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32135">CVE-2021-32135</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32136">CVE-2021-32136</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32137">CVE-2021-32137</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32138">CVE-2021-32138</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32139">CVE-2021-32139</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32437">CVE-2021-32437</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32438">CVE-2021-32438</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32439">CVE-2021-32439</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32440">CVE-2021-32440</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33361">CVE-2021-33361</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33362">CVE-2021-33362</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33363">CVE-2021-33363</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33364">CVE-2021-33364</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33365">CVE-2021-33365</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33366">CVE-2021-33366</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36412">CVE-2021-36412</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36414">CVE-2021-36414</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36417">CVE-2021-36417</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36584">CVE-2021-36584</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40559">CVE-2021-40559</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40562">CVE-2021-40562</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40563">CVE-2021-40563</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40564">CVE-2021-40564</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40565">CVE-2021-40565</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40566">CVE-2021-40566</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40567">CVE-2021-40567</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40568">CVE-2021-40568</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40569">CVE-2021-40569</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40570">CVE-2021-40570</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40571">CVE-2021-40571</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40572">CVE-2021-40572</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40573">CVE-2021-40573</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40574">CVE-2021-40574</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40575">CVE-2021-40575</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40576">CVE-2021-40576</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40592">CVE-2021-40592</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40606">CVE-2021-40606</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40607">CVE-2021-40607</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40608">CVE-2021-40608</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40609">CVE-2021-40609</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40942">CVE-2021-40942</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40944">CVE-2021-40944</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41456">CVE-2021-41456</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41457">CVE-2021-41457</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41458">CVE-2021-41458</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41459">CVE-2021-41459</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44918">CVE-2021-44918</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44919">CVE-2021-44919</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44920">CVE-2021-44920</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44921">CVE-2021-44921</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44922">CVE-2021-44922</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44923">CVE-2021-44923</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44924">CVE-2021-44924</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44925">CVE-2021-44925</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44926">CVE-2021-44926</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44927">CVE-2021-44927</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45258">CVE-2021-45258</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45259">CVE-2021-45259</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45260">CVE-2021-45260</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45262">CVE-2021-45262</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45263">CVE-2021-45263</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45266">CVE-2021-45266</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45267">CVE-2021-45267</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45288">CVE-2021-45288</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45289">CVE-2021-45289</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45291">CVE-2021-45291</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45292">CVE-2021-45292</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45297">CVE-2021-45297</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45760">CVE-2021-45760</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45762">CVE-2021-45762</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45763">CVE-2021-45763</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45764">CVE-2021-45764</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45767">CVE-2021-45767</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45831">CVE-2021-45831</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46038">CVE-2021-46038</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46039">CVE-2021-46039</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46040">CVE-2021-46040</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46041">CVE-2021-46041</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46042">CVE-2021-46042</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46043">CVE-2021-46043</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46044">CVE-2021-46044</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46045">CVE-2021-46045</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46046">CVE-2021-46046</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46047">CVE-2021-46047</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46049">CVE-2021-46049</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46051">CVE-2021-46051</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46234">CVE-2021-46234</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46236">CVE-2021-46236</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46237">CVE-2021-46237</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46238">CVE-2021-46238</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46239">CVE-2021-46239</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46240">CVE-2021-46240</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46311">CVE-2021-46311</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46313">CVE-2021-46313</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1035">CVE-2022-1035</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1172">CVE-2022-1172</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1222">CVE-2022-1222</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1441">CVE-2022-1441</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1795">CVE-2022-1795</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2453">CVE-2022-2453</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2454">CVE-2022-2454</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2549">CVE-2022-2549</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3178">CVE-2022-3178</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3222">CVE-2022-3222</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3957">CVE-2022-3957</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4202">CVE-2022-4202</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24249">CVE-2022-24249</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24574">CVE-2022-24574</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24575">CVE-2022-24575</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24576">CVE-2022-24576</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24577">CVE-2022-24577</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24578">CVE-2022-24578</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26967">CVE-2022-26967</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27145">CVE-2022-27145</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27146">CVE-2022-27146</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27147">CVE-2022-27147</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27148">CVE-2022-27148</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29339">CVE-2022-29339</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29340">CVE-2022-29340</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29537">CVE-2022-29537</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30976">CVE-2022-30976</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36186">CVE-2022-36186</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36190">CVE-2022-36190</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36191">CVE-2022-36191</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38530">CVE-2022-38530</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43039">CVE-2022-43039</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43040">CVE-2022-43040</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43042">CVE-2022-43042</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43043">CVE-2022-43043</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43044">CVE-2022-43044</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43045">CVE-2022-43045</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43254">CVE-2022-43254</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43255">CVE-2022-43255</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45202">CVE-2022-45202</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45204">CVE-2022-45204</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45283">CVE-2022-45283</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45343">CVE-2022-45343</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46489">CVE-2022-46489</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46490">CVE-2022-46490</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47086">CVE-2022-47086</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47087">CVE-2022-47087</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47088">CVE-2022-47088</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47089">CVE-2022-47089</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47091">CVE-2022-47091</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47092">CVE-2022-47092</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47093">CVE-2022-47093</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47094">CVE-2022-47094</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47095">CVE-2022-47095</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47653">CVE-2022-47653</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47654">CVE-2022-47654</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47656">CVE-2022-47656</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47657">CVE-2022-47657</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47658">CVE-2022-47658</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47659">CVE-2022-47659</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47660">CVE-2022-47660</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47661">CVE-2022-47661</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47662">CVE-2022-47662</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47663">CVE-2022-47663</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-10T05:56:40.883624Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-10T05:56:40.887094Z">graaff</metadata>
+</glsa> \ No newline at end of file
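Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line gives the DTD a plain-HTTP system identifier, so a consumer that parses this file with DTD loading or validation enabled would fetch the grammar over an unauthenticated channel. Whether that happens depends on the parser configuration, which is not visible here. Tools reading these files should resolve the DTD from a local copy or disable external DTD and entity loading. If the format and its tooling allow it, `https://www.gentoo.org/dtd/glsa.dtd` would be the safer identifier. The same line opens every advisory added in this commit.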
diff --git a/metadata/glsa/glsa-202408-22.xml b/metadata/glsa/glsa-202408-22.xml
new file mode 100644
index 000000000000..f80765466515
--- /dev/null
+++ b/metadata/glsa/glsa-202408-22.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-22">
+ <title>Bundler: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Bundler, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">bundler</product>
+ <announced>2024-08-10</announced>
+ <revised count="1">2024-08-10</revised>
+ <bug>743214</bug>
+ <bug>798135</bug>
+ <bug>828884</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="dev-ruby/bundler" auto="yes" arch="*">
+ <unaffected range="ge">2.2.33</unaffected>
+ <vulnerable range="lt">2.2.33</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Bundler provides a consistent environment for Ruby projects by tracking and installing the exact gems and versions that are needed.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Bundler. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Bundler users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-ruby/bundler-2.2.33"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3881">CVE-2019-3881</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36327">CVE-2020-36327</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-43809">CVE-2021-43809</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-10T08:23:41.517666Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-10T08:23:41.520457Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-23.xml b/metadata/glsa/glsa-202408-23.xml
new file mode 100644
index 000000000000..eacb91286bf0
--- /dev/null
+++ b/metadata/glsa/glsa-202408-23.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-23">
+ <title>GnuPG: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in GnuPG, the worst of which could lead to signature spoofing.</synopsis>
+ <product type="ebuild">gnupg</product>
+ <announced>2024-08-10</announced>
+ <revised count="1">2024-08-10</revised>
+ <bug>855395</bug>
+ <bug>923248</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-crypt/gnupg" auto="yes" arch="*">
+ <unaffected range="ge">2.4.4</unaffected>
+ <vulnerable range="lt">2.4.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of cryptographic software.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GnuPG. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GnuPG users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.4.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34903">CVE-2022-34903</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-10T08:41:19.748264Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-10T08:41:19.752993Z">graaff</metadata>
+</glsa> \ No newline at end of file
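Review bot: The synopsis and description both say `Multiple vulnerabilities` and two bugs are cited (855395 and 923248), but `<references>` lists a single entry, CVE-2022-34903. Either a reference for the second bug is missing, or the second issue has no CVE and the description's `Please review the CVE identifiers referenced below` leaves it undocumented; the page does not show which. Adding the missing `<uri>`, or a sentence in `<description>` naming the issue that has no CVE, would make the advisory match its synopsis.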
diff --git a/metadata/glsa/glsa-202408-24.xml b/metadata/glsa/glsa-202408-24.xml
new file mode 100644
index 000000000000..de8b638d730f
--- /dev/null
+++ b/metadata/glsa/glsa-202408-24.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-24">
+ <title>Ruby on Rails: Remote Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Ruby on Rails, which can lead to remote code execution via serialization of data.</synopsis>
+ <product type="ebuild">rails</product>
+ <announced>2024-08-11</announced>
+ <revised count="1">2024-08-11</revised>
+ <bug>857840</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-ruby/rails" auto="yes" arch="*">
+ <unaffected range="ge" slot="7.0">7.0.3.1</unaffected>
+ <unaffected range="ge" slot="6.1">6.1.6.1</unaffected>
+ <vulnerable range="lt" slot="7.0">7.0.3.1</vulnerable>
+ <vulnerable range="lt" slot="6.1">6.1.6.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ruby on Rails is a free web framework used to develop database-driven web applications.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Ruby on Rails. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.
+
+Impacted Active Record models will look something like this:
+
+class User &lt; ApplicationRecord
+ serialize :options # Vulnerable: Uses YAML for serialization
+ serialize :values, Array # Vulnerable: Uses YAML for serialization
+ serialize :values, JSON # Not vulnerable
+end
+
+The released versions change the default YAML deserializer to use YAML.safe_load, which prevents deserialization of possibly dangerous objects. This may introduce backwards compatibility issues with existing data.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Ruby on Rails users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-ruby/rails-6.1.6.1:6.1"
+ # emerge --ask --oneshot --verbose ">=dev-ruby/rails-7.0.3.1:7.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32224">CVE-2022-32224</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-11T05:35:49.928407Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-11T05:35:49.931387Z">graaff</metadata>
+</glsa> \ No newline at end of file
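Review bot: `<description>` says `Multiple vulnerabilities have been discovered in Ruby on Rails`, which contradicts the title, the synopsis (`A vulnerability has been discovered`) and the single CVE-2022-32224 reference. It reads like leftover template text and should be `<p>A vulnerability has been discovered in Ruby on Rails. Please review the CVE identifier referenced below for details.</p>`. In `<impact>`, the Ruby class example sits inside the `<p>` as running text, so a renderer that collapses whitespace will flatten it; moving it into a `<code>` element, as `<resolution>` does for the emerge commands, would keep it readable, assuming the DTD permits `<code>` there. The closing sentence, that the switch to `YAML.safe_load` may break existing serialized data, matters to anyone applying the upgrade and would be worth repeating next to the `<resolution>` commands.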
diff --git a/metadata/glsa/glsa-202408-25.xml b/metadata/glsa/glsa-202408-25.xml
new file mode 100644
index 000000000000..b96b0b374db6
--- /dev/null
+++ b/metadata/glsa/glsa-202408-25.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-25">
+ <title>runc: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in runc, the worst of which could lead to privilege escalation.</synopsis>
+ <product type="ebuild">runc</product>
+ <announced>2024-08-11</announced>
+ <revised count="1">2024-08-11</revised>
+ <bug>828471</bug>
+ <bug>844085</bug>
+ <bug>903079</bug>
+ <bug>923434</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-containers/runc" auto="yes" arch="*">
+ <unaffected range="ge">1.1.12</unaffected>
+ <vulnerable range="lt">1.1.12</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in runc. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All runc users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-containers/runc-1.1.12"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-43784">CVE-2021-43784</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29162">CVE-2022-29162</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25809">CVE-2023-25809</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27561">CVE-2023-27561</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28642">CVE-2023-28642</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-21626">CVE-2024-21626</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-11T05:45:57.598514Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-11T05:45:57.602231Z">graaff</metadata>
+</glsa>
\ No newline at end of file
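Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line at the top of this new file points the external DTD at a cleartext http URL, so any consumer that validates or resolves the external subset fetches it over a channel that can be altered in transit. The same line opens every other new advisory in this diff (glsa-202408-26 through glsa-202408-33). If the GLSA tooling does not match on the literal system identifier (not visible here, so to be confirmed), `<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa.dtd">` would be the safer form. Either way, parsers reading these files should have external DTD and entity loading disabled.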
diff --git a/metadata/glsa/glsa-202408-26.xml b/metadata/glsa/glsa-202408-26.xml
new file mode 100644
index 000000000000..924c5fbced4e
--- /dev/null
+++ b/metadata/glsa/glsa-202408-26.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-26">
+ <title>matio: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in matio, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">matio</product>
+ <announced>2024-08-11</announced>
+ <revised count="1">2024-08-11</revised>
+ <bug>803131</bug>
+ <access>local</access>
+ <affected>
+ <package name="sci-libs/matio" auto="yes" arch="*">
+ <unaffected range="ge">1.5.22</unaffected>
+ <vulnerable range="lt">1.5.22</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>matio is a library for reading and writing matlab files.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in matio. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All matio users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sci-libs/matio-1.5.22"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36428">CVE-2020-36428</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36977">CVE-2021-36977</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-11T14:39:15.111907Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-11T14:39:15.117732Z">graaff</metadata>
+</glsa>
\ No newline at end of file
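Review bot: The `<impact>` paragraph is the stock `Please review the referenced CVE identifiers for details.` although the synopsis already gives the worst case as arbitrary code execution, so a reader triaging from the impact field alone gets no severity signal. The same placeholder appears in the runc, MuPDF, PHP and protobuf-c advisories in this diff. Something along the lines of `<p>Processing a crafted matlab file with an application linked against matio could result in arbitrary code execution.</p>` would carry the synopsis through. The exact wording should be checked against the two referenced CVEs, which this page does not describe.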
diff --git a/metadata/glsa/glsa-202408-27.xml b/metadata/glsa/glsa-202408-27.xml
new file mode 100644
index 000000000000..4274de781b85
--- /dev/null
+++ b/metadata/glsa/glsa-202408-27.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-27">
+ <title>AFLplusplus: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in AFLplusplus, which can lead to arbitrary code execution via an untrusted CWD.</synopsis>
+ <product type="ebuild">aflplusplus</product>
+ <announced>2024-08-11</announced>
+ <revised count="1">2024-08-11</revised>
+ <bug>897924</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-forensics/aflplusplus" auto="yes" arch="*">
+ <unaffected range="ge">4.06c</unaffected>
+ <vulnerable range="lt">4.06c</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel &amp; redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!</p>
+ </background>
+ <description>
+ <p>In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.</p>
+ </description>
+ <impact type="normal">
+ <p>In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All AFLplusplus users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-forensics/aflplusplus-4.06c"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-26266">CVE-2023-26266</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-11T14:41:12.220665Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-11T14:41:12.227036Z">graaff</metadata>
+</glsa>
\ No newline at end of file
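Review bot: The `<description>` and `<impact>` paragraphs are the same sentence, and both say `In AFL++ 4.05c` while `<vulnerable range="lt">4.06c</vulnerable>` marks every earlier version as affected, so the text can be read as only 4.05c being vulnerable. I would keep the mechanism in the description and make the impact state the consequence, e.g. `<p>Running the fuzzer with CmpLog from a directory that another user can write to may execute a binary found there with the privileges of the user running the fuzzer.</p>`. That wording is inferred from the synopsis's "untrusted CWD" and should be confirmed against CVE-2023-26266.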
diff --git a/metadata/glsa/glsa-202408-28.xml b/metadata/glsa/glsa-202408-28.xml
new file mode 100644
index 000000000000..4980349efa93
--- /dev/null
+++ b/metadata/glsa/glsa-202408-28.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-28">
+ <title>rsyslog: Heap Buffer Overflow</title>
+ <synopsis>A vulnerability has been discovered in rsyslog, which could possibly lead to remote code execution.</synopsis>
+ <product type="ebuild">rsyslog</product>
+ <announced>2024-08-11</announced>
+ <revised count="1">2024-08-11</revised>
+ <bug>842846</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="app-admin/rsyslog" auto="yes" arch="*">
+ <unaffected range="ge">8.2206.0</unaffected>
+ <vulnerable range="lt">8.2206.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>rsyslog is an enhanced multi-threaded syslogd with database support and more.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in rsyslog. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Modules for TCP syslog reception have a heap buffer overflow when octet-counted framing is used. The attacker can corrupt heap values, leading to data integrity issues and availability impact. Remote code execution is unlikely to happen but not impossible.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All rsyslog users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/rsyslog-8.2206.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24903">CVE-2022-24903</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-11T14:42:54.282784Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-11T14:42:54.286434Z">graaff</metadata>
+</glsa>
\ No newline at end of file
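Review bot: The `<description>` says `Multiple vulnerabilities have been discovered in rsyslog` and points to `CVE identifiers`, but the title, the synopsis and the single reference (CVE-2022-24903) all describe one heap buffer overflow. `<p>A heap buffer overflow has been discovered in the rsyslog modules for TCP syslog reception. Please review the CVE identifier referenced below for details.</p>` would match the rest of the advisory. Separately, the impact text limits the overflow to octet-counted framing, so `There is no known workaround` may be too strong if that framing can be switched off on the TCP inputs. That is worth checking against the upstream advisory.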
diff --git a/metadata/glsa/glsa-202408-29.xml b/metadata/glsa/glsa-202408-29.xml
new file mode 100644
index 000000000000..af5ebf387fce
--- /dev/null
+++ b/metadata/glsa/glsa-202408-29.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-29">
+ <title>MuPDF: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in MuPDF, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">mupdf</product>
+ <announced>2024-08-12</announced>
+ <revised count="1">2024-08-12</revised>
+ <bug>803305</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-text/mupdf" auto="yes" arch="*">
+ <unaffected range="ge">1.20.0</unaffected>
+ <vulnerable range="lt">1.20.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A lightweight PDF, XPS, and E-book viewer.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in MuPDF. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All MuPDF users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/mupdf-1.20.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4216">CVE-2021-4216</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37220">CVE-2021-37220</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-12T07:17:27.916325Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-12T07:17:27.921110Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202408-30.xml b/metadata/glsa/glsa-202408-30.xml
new file mode 100644
index 000000000000..5acd36cb1c0d
--- /dev/null
+++ b/metadata/glsa/glsa-202408-30.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-30">
+ <title>dpkg: Directory Traversal</title>
+ <synopsis>A vulnerability has been discovered in dpkg, which allows for directory traversal.</synopsis>
+ <product type="ebuild">dpkg</product>
+ <announced>2024-08-12</announced>
+ <revised count="1">2024-08-12</revised>
+ <bug>847976</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-arch/dpkg" auto="yes" arch="*">
+ <unaffected range="ge">1.20.9-r1</unaffected>
+ <vulnerable range="lt">1.20.9-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Debian package management system.</p>
+ </background>
+ <description>
+ <p>Please review the CVE indentifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Dpkg::Source::Archive in dpkg, the Debian package management system, is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All dpkg users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/dpkg-1.20.9-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1664">CVE-2022-1664</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-12T07:19:16.088421Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-12T07:19:16.091312Z">graaff</metadata>
+</glsa>
\ No newline at end of file
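Review bot: `indentifier` in the `<description>` paragraph is a typo for `identifier`; the line should read `<p>Please review the CVE identifier referenced below for details.</p>`. The description also carries no information of its own, while the actual defect (directory traversal in Dpkg::Source::Archive during in-place extraction of untrusted source packages) appears only in `<impact>`. A one-sentence summary of it in the description would bring this file in line with the other advisories in the diff.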
diff --git a/metadata/glsa/glsa-202408-31.xml b/metadata/glsa/glsa-202408-31.xml
new file mode 100644
index 000000000000..a12aaf308106
--- /dev/null
+++ b/metadata/glsa/glsa-202408-31.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-31">
+ <title>protobuf, protobuf-python: Denial of Service</title>
+ <synopsis>A vulnerability has been discovered in protobuf and protobuf-python, which can lead to a denial of service.</synopsis>
+ <product type="ebuild">protobuf,protobuf-python</product>
+ <announced>2024-08-12</announced>
+ <revised count="1">2024-08-12</revised>
+ <bug>872434</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-libs/protobuf" auto="yes" arch="*">
+ <unaffected range="ge">3.20.3</unaffected>
+ <vulnerable range="lt">3.20.3</vulnerable>
+ </package>
+ <package name="dev-python/protobuf-python" auto="yes" arch="*">
+ <unaffected range="ge">3.19.6</unaffected>
+ <vulnerable range="lt">3.19.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Google&#39;s Protocol Buffers are an extensible mechanism for serializing structured data.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in protobuf and protobuf-python. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>A parsing vulnerability for the MessageSet type can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All protobuf and protobuf-python users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/protobuf-3.20.3"
+ # emerge --ask --oneshot --verbose ">=dev-python/protobuf-python-3.19.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1941">CVE-2022-1941</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-12T07:20:36.807024Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-12T07:20:36.811154Z">graaff</metadata>
+</glsa>
\ No newline at end of file
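Review bot: `<access>local</access>` does not match the impact paragraph, which describes a denial of service `against services receiving unsanitized input`, that is, a message arriving from another party. `<access>remote</access>`, which glsa-202408-33 uses for protobuf-c in this same diff, looks like the fitting value; this matters if tooling or readers filter on the field, which is not visible here. The phrase `multiple key-value per elements` in the impact text is also hard to parse and would be worth rewording against the CVE-2022-1941 description.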
diff --git a/metadata/glsa/glsa-202408-32.xml b/metadata/glsa/glsa-202408-32.xml
new file mode 100644
index 000000000000..286bc0aee520
--- /dev/null
+++ b/metadata/glsa/glsa-202408-32.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-32">
+ <title>PHP: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in PHP, the worst of which can lead to a denial of service.</synopsis>
+ <product type="ebuild">php</product>
+ <announced>2024-08-12</announced>
+ <revised count="2">2024-08-13</revised>
+ <bug>889882</bug>
+ <bug>895416</bug>
+ <bug>908259</bug>
+ <bug>912331</bug>
+ <bug>929929</bug>
+ <bug>933752</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="dev-lang/php" auto="yes" arch="*">
+ <unaffected range="ge" slot="8.1">8.1.29</unaffected>
+ <unaffected range="ge" slot="8.2">8.2.20</unaffected>
+ <unaffected range="ge" slot="8.3">8.3.8</unaffected>
+ <vulnerable range="lt">8.1</vulnerable>
+ <vulnerable range="lt" slot="8.1">8.1.29</vulnerable>
+ <vulnerable range="lt" slot="8.2">8.2.20</vulnerable>
+ <vulnerable range="lt" slot="8.3">8.3.8</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PHP users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-8.1.29:8.1"
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-8.2.20:8.2"
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-8.3.8:8.3"
+ </code>
+
+ <p>Support for older version has been discontinued:</p>
+
+ <code>
+ # emerge --ask --verbose --depclean "&lt;dev-lang/php-8.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31631">CVE-2022-31631</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0567">CVE-2023-0567</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0568">CVE-2023-0568</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0662">CVE-2023-0662</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3823">CVE-2023-3823</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3824">CVE-2023-3824</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2756">CVE-2024-2756</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2757">CVE-2024-2757</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3096">CVE-2024-3096</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4577">CVE-2024-4577</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5458">CVE-2024-5458</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5585">CVE-2024-5585</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-12T07:39:21.009398Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-08-12T07:39:21.012299Z">graaff</metadata>
+</glsa>
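Review bot: The synopsis gives the worst outcome as `a denial of service`, yet the same file sets `<impact type="high">` and leaves the impact paragraph as the generic placeholder, so the three fields disagree about severity. Some of the twelve referenced CVEs may be rated above denial of service upstream (CVE-2023-3824, as far as I recall, is a buffer overflow in phar handling). That should be checked and the synopsis aligned with the impact type, with the impact paragraph naming the worst confirmed outcome. Minor: `Support for older version has been discontinued` should read `older versions`.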
diff --git a/metadata/glsa/glsa-202408-33.xml b/metadata/glsa/glsa-202408-33.xml
new file mode 100644
index 000000000000..83ae515b0017
--- /dev/null
+++ b/metadata/glsa/glsa-202408-33.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202408-33">
+ <title>protobuf-c: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in protobuf-c, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">protobuf-c</product>
+ <announced>2024-08-12</announced>
+ <revised count="1">2024-08-12</revised>
+ <bug>856043</bug>
+ <bug>904423</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/protobuf-c" auto="yes" arch="*">
+ <unaffected range="ge">1.4.1</unaffected>
+ <vulnerable range="lt">1.4.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>protobuf-c is a protocol buffers implementation in C.</p>
+ </background>
+ <description>
+ <p>Multiple denial of service vulnerabilities have been discovered in protobuf-c.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All protobuf-c users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/protobuf-c-1.4.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-33070">CVE-2022-33070</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-48468">CVE-2022-48468</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-08-12T09:21:36.523749Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2024-08-12T09:21:36.527843Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index d051cfa8a1ab..957e398cc55c 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Tue, 09 Jul 2024 10:10:12 +0000
+Wed, 04 Sep 2024 10:10:45 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 1bc9b09c57fb..295e40287b6d 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-212a4b375c557073cdfba6c10bc0bf6cb57b54c6 1720249915 2024-07-06T07:11:55Z
+7bcc5ebd7295c3c12ac47de41519dc019b4ba538 1723530188 2024-08-13T06:23:08Z