Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin494188 -> 496888 bytes
-rw-r--r--metadata/glsa/glsa-202101-01.xml54
-rw-r--r--metadata/glsa/glsa-202101-02.xml50
-rw-r--r--metadata/glsa/glsa-202101-03.xml49
-rw-r--r--metadata/glsa/glsa-202101-04.xml83
-rw-r--r--metadata/glsa/glsa-202101-05.xml77
-rw-r--r--metadata/glsa/glsa-202101-06.xml49
-rw-r--r--metadata/glsa/glsa-202101-07.xml69
-rw-r--r--metadata/glsa/glsa-202101-08.xml48
-rw-r--r--metadata/glsa/glsa-202101-09.xml147
-rw-r--r--metadata/glsa/glsa-202101-10.xml58
-rw-r--r--metadata/glsa/glsa-202101-11.xml63
-rw-r--r--metadata/glsa/glsa-202101-12.xml51
-rw-r--r--metadata/glsa/glsa-202101-13.xml91
-rw-r--r--metadata/glsa/glsa-202101-14.xml67
-rw-r--r--metadata/glsa/glsa-202101-15.xml70
-rw-r--r--metadata/glsa/glsa-202101-16.xml48
-rw-r--r--metadata/glsa/glsa-202101-17.xml58
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
21 files changed, 1149 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 9bd09d923bc5..807eb9d9b2ba 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 494188 BLAKE2B 06bbe4de83e86ba40cd9d32af0f5c629f7193a7b2d45313f5bbf32584c1872d72e37301ba735e9b855e0277581de211e930f66477a0bb84e9dd623fe6440fecc SHA512 f1a00ed1160522175a46c088034a8eb2afd13d41fa33354a8d74917618abeaa144f3c942f458ca2dc736b92823fe045919c4edbd9749f72b8ea031e46de95411
-TIMESTAMP 2021-01-08T11:08:39Z
+MANIFEST Manifest.files.gz 496888 BLAKE2B 9a8e48e705b83d0db366e4888a292cde78b191857d846a370c8c9908479c42c700f1d323d98e4aa4d9b6c2e0d3a80723d6cf76b125a273f90c8452ccb8f52fcf SHA512 d3e9efddd34ec46cab11f602c4a7b71480efc08ed49372d92ba27d45fdaf8129db8b52a169483e512d968a24c9a22f50140b178eb538444bb6200ee4eec5ef81
+TIMESTAMP 2021-01-22T20:08:39Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl/4PTdfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmALMMdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klB45w/6A6Z7aOSRFL3fcr0UkgxjbJh6uM3zckeQsi13pI+/7xQWnhE/pFDA/Xos
-kE3kKKc50xFtlIskjPs01Nb1Tz+KwDPyBY0GRzuoX8kyNYH7xTkSkOpqwn6Pa0eI
-rGSySsu8TJH/cEKYcwX7whp42j4idUnrcZgGghENXm1yuill7LYzeVXuMhmCaHdX
-FGOyvkj6jF6ZJufQRT+ScvMkc2B6x20h7w1a216/QHwUSCyzxiCIqQh6DvF65BbG
-vclgDzas/ViUpEPn0TWNcGMKBNZvNrmEHWELB3BnPY/TLJVAeFNAgyoQoS7kFKJw
-3TazOFDxXQzj9qKU64yil6IyHBWNSpPqFI2t345b+MM1ejY8TX8iengiLqDPgHVk
-Q66n73nt2Ae3P5ATNE0UTN7od95o0lmjmlNUoxXpXjoro6hTLCae+CI5YsAz5kBL
-mncdvP2ykC8lVXa6IYXj8kYgJ6xxLK9Z205N53ZgR2P6hE5H3Hx2tnZfn9ihY/ws
-H1CU3G4JNSucHrAA15AVLRLP2qzgO3DoxL0Q6RGL7Q56+vrqodJ7XeeVo9OVUubB
-FKZ92Ap9ur7mJ1qcyGi6m4hHYanbLR302//MdBh6wM7TyLvzl4F33U9E55GGvHT1
-PrlTYhiOtL9WLIi3kMu9PSlWqspmdl4YucrJeaUC3J9wLvLqKio=
-=8UXH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+=2FTv
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 20ab6831b3d6..ab29e0fa0273 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202101-01.xml b/metadata/glsa/glsa-202101-01.xml
new file mode 100644
index 000000000000..c5890e4772fa
--- /dev/null
+++ b/metadata/glsa/glsa-202101-01.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-01">
+ <title>Dovecot: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Dovecot, the worst of
+ which could allow remote attackers to cause a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">dovecot</product>
+ <announced>2021-01-10</announced>
+ <revised count="1">2021-01-10</revised>
+ <bug>763525</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="net-mail/dovecot" auto="yes" arch="*">
+ <unaffected range="ge">2.3.13</unaffected>
+ <vulnerable range="lt">2.3.13</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Dovecot is an open source IMAP and POP3 email server.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Dovecot. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could send a specially crafted mail or send a
+ specially crafted IMAP command possibly resulting in a Denial of Service
+ condition or an authenticated remote attacker might be able to discover
+ the file system directory structure and access other users’ emails.
+ </p>
+ </impact>
+ <workaround>
+ <p>The information disclosure vulnerability can be mitigated by disabling
+ IMAP hibernation feature which isn’t enabled by default.
+ </p>
+ </workaround>
+ <resolution>
+ <p>All Dovecot users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-mail/dovecot-2.3.13"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-24386">CVE-2020-24386</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25275">CVE-2020-25275</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-06T15:39:45Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-01-10T09:16:29Z">whissi</metadata>
+</glsa>
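Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line at the top of this file names the external DTD over cleartext HTTP. Any consumer that lets its XML parser resolve the external subset therefore fetches grammar and entity definitions over a channel that an on-path party can alter. The same line opens every other glsa-202101-*.xml file added in this commit. If the advisory tooling does not match on the exact system identifier, `<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa.dtd">` would be the safer form; otherwise consumers should resolve the DTD from a local catalog and keep network entity loading disabled.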
diff --git a/metadata/glsa/glsa-202101-02.xml b/metadata/glsa/glsa-202101-02.xml
new file mode 100644
index 000000000000..3f021e488b95
--- /dev/null
+++ b/metadata/glsa/glsa-202101-02.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-02">
+ <title>Firejail: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Firejail, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">firejail</product>
+ <announced>2021-01-10</announced>
+ <revised count="1">2021-01-10</revised>
+ <bug>736816</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/firejail" auto="yes" arch="*">
+ <unaffected range="ge">0.9.64</unaffected>
+ <vulnerable range="lt">0.9.64</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A SUID program that reduces the risk of security breaches by restricting
+ the running environment of untrusted applications using Linux namespaces
+ and seccomp-bpf.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Firejail. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Firejail users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=sys-apps/firejail-0.9.64"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-17367">CVE-2020-17367</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-17368">CVE-2020-17368</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-16T19:22:48Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-10T09:18:33Z">sam_c</metadata>
+</glsa>
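Review bot: The `<impact>` paragraph says only `Please review the referenced CVE identifiers for details.`, while the synopsis claims arbitrary code execution and `<access>` is `remote`. The background describes Firejail as a SUID sandbox, so a reader triaging this needs to know whether the outcome is privilege escalation, sandbox escape or something else, and from what position. One sentence summarising the two referenced CVEs would cover it. The same placeholder impact text appears in glsa-202101-05, glsa-202101-07 and glsa-202101-08.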
diff --git a/metadata/glsa/glsa-202101-03.xml b/metadata/glsa/glsa-202101-03.xml
new file mode 100644
index 000000000000..1202c1ba25c3
--- /dev/null
+++ b/metadata/glsa/glsa-202101-03.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-03">
+ <title>ipmitool: Multiple vulnerabilities</title>
+ <synopsis>A buffer overflow in ipmitool might allow remote attacker(s) to
+ execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">ipmitool</product>
+ <announced>2021-01-10</announced>
+ <revised count="1">2021-01-10</revised>
+ <bug>708436</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/ipmitool" auto="yes" arch="*">
+ <unaffected range="ge">1.8.18_p20201004-r1</unaffected>
+ <vulnerable range="lt">1.8.18_p20201004-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Utility for controlling IPMI enabled devices.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in ipmiool. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ipmitool users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=sys-apps/ipmitool-1.8.18_p20201004-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-5208">CVE-2020-5208</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-16T19:23:11Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-10T09:19:54Z">sam_c</metadata>
+</glsa>
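Review bot: The description misspells the package as `ipmiool`, and both the title and the description say `Multiple vulnerabilities` although the synopsis describes a single buffer overflow and `<references>` lists only CVE-2020-5208. Suggest `<title>ipmitool: Buffer overflow</title>` and a description that names the one issue. If there really are several issues, the missing CVE references should be added instead.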
diff --git a/metadata/glsa/glsa-202101-04.xml b/metadata/glsa/glsa-202101-04.xml
new file mode 100644
index 000000000000..c2d23f52d15c
--- /dev/null
+++ b/metadata/glsa/glsa-202101-04.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-04">
+ <title>Mozilla Firefox: Remote code execution</title>
+ <synopsis>A use-after-free in Mozilla Firefox's SCTP handling may allow
+ remote code execution.
+ </synopsis>
+ <product type="ebuild">firefox,thunderbird</product>
+ <announced>2021-01-10</announced>
+ <revised count="1">2021-01-10</revised>
+ <bug>764161</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge" slot="0/esr78">78.6.1</unaffected>
+ <unaffected range="ge">84.0.2</unaffected>
+ <vulnerable range="lt">84.0.2</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge" slot="0/esr78">78.6.1</unaffected>
+ <unaffected range="ge">84.0.2</unaffected>
+ <vulnerable range="lt">84.0.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla
+ project.
+ </p>
+ </background>
+ <description>
+ <p>A use-after-free bug was discovered in Mozilla Firefox’s handling of
+ SCTP.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Firefox ESR users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/firefox-78.6.1:0/esr78"
+ </code>
+
+ <p>All Firefox ESR binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/firefox-bin-78.6.1:0/esr78"
+ </code>
+
+ <p>All Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-client/firefox-84.0.2"
+ </code>
+
+ <p>All Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-client/firefox-bin-84.0.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16044">CVE-2020-16044</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/">
+ MFSA-2021-01
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-09T16:49:31Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-10T09:20:31Z">sam_c</metadata>
+</glsa>
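Review bot: `<product type="ebuild">firefox,thunderbird</product>` lists thunderbird, but `<affected>` covers only `www-client/firefox` and `www-client/firefox-bin`, and the resolution gives no Thunderbird command. Either reduce it to `<product type="ebuild">firefox</product>`, or add the Thunderbird packages with their fixed versions if they are affected. As written, anything that indexes advisories by product will associate this advisory with Thunderbird without any version data to act on.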
diff --git a/metadata/glsa/glsa-202101-05.xml b/metadata/glsa/glsa-202101-05.xml
new file mode 100644
index 000000000000..ced5846cab6d
--- /dev/null
+++ b/metadata/glsa/glsa-202101-05.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-05">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">google-chrome,chromium</product>
+ <announced>2021-01-10</announced>
+ <revised count="1">2021-01-10</revised>
+ <bug>764251</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">87.0.4280.141</unaffected>
+ <vulnerable range="lt">87.0.4280.141</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">87.0.4280.141</unaffected>
+ <vulnerable range="lt">87.0.4280.141</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/chromium-87.0.4280.141"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/google-chrome-87.0.4280.141"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15995">CVE-2020-15995</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16043">CVE-2020-16043</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21106">CVE-2021-21106</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21107">CVE-2021-21107</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21108">CVE-2021-21108</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21109">CVE-2021-21109</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21110">CVE-2021-21110</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21111">CVE-2021-21111</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21112">CVE-2021-21112</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21113">CVE-2021-21113</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21114">CVE-2021-21114</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21115">CVE-2021-21115</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21116">CVE-2021-21116</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-09T16:48:49Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-10T09:21:08Z">sam_c</metadata>
+</glsa>
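Review bot: Both `<code>` blocks in `<resolution>` break the emerge command across two lines, leaving the atom `"&gt;=www-client/chromium-87.0.4280.141"` on a line of its own. Pasted into a shell, the first line runs `emerge --ask --oneshot --verbose` with no target and the atom is then read as a separate command, so the documented fix does not apply as written. Keep each command on one line, as glsa-202101-01 does, or end the first line with a backslash. The same wrapping appears in glsa-202101-03, glsa-202101-04 and glsa-202101-09.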
diff --git a/metadata/glsa/glsa-202101-06.xml b/metadata/glsa/glsa-202101-06.xml
new file mode 100644
index 000000000000..efa0c4ddc2f8
--- /dev/null
+++ b/metadata/glsa/glsa-202101-06.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-06">
+ <title>Ark: Symlink vulnerability</title>
+ <synopsis>Ark was found to allow arbitrary file overwrite, possibly allowing
+ arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">ark</product>
+ <announced>2021-01-11</announced>
+ <revised count="1">2021-01-11</revised>
+ <bug>743959</bug>
+ <access>remote</access>
+ <affected>
+ <package name="kde-apps/ark" auto="yes" arch="*">
+ <unaffected range="ge">20.04.3-r2</unaffected>
+ <vulnerable range="lt">20.04.3-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ark is a graphical file compression/decompression utility with support
+ for multiple formats.
+ </p>
+ </background>
+ <description>
+ <p>KDE Ark did not fully verify symlinks contained within tar archives.</p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted tar
+ archive using KDE Ark, possibly resulting in execution of arbitrary code
+ with the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All KDE Ark users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=kde-apps/ark-20.04.3-r2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-24654">CVE-2020-24654</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-10T20:45:32Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-11T09:13:16Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-07.xml b/metadata/glsa/glsa-202101-07.xml
new file mode 100644
index 000000000000..14b6b1ae8c7b
--- /dev/null
+++ b/metadata/glsa/glsa-202101-07.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-07">
+ <title>NodeJS: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in NodeJS, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">nodejs</product>
+ <announced>2021-01-11</announced>
+ <revised count="1">2021-01-11</revised>
+ <bug>726836</bug>
+ <bug>731654</bug>
+ <bug>742893</bug>
+ <bug>754942</bug>
+ <bug>763588</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/nodejs" auto="yes" arch="*">
+ <unaffected range="ge" slot="0/15">15.5.1</unaffected>
+ <unaffected range="ge" slot="0/14">14.15.1</unaffected>
+ <unaffected range="ge" slot="0/12">12.20.1</unaffected>
+ <vulnerable range="lt">15.5.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript
+ engine.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in NodeJS. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All NodeJS 15 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-libs/nodejs-15.5.1"
+ </code>
+
+ <p>All NodeJS 14 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-libs/nodejs-14.15.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15095">CVE-2020-15095</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8172">CVE-2020-8172</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8174">CVE-2020-8174</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8201">CVE-2020-8201</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8251">CVE-2020-8251</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8265">CVE-2020-8265</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8277">CVE-2020-8277</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8287">CVE-2020-8287</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-10T19:55:45Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-11T09:13:22Z">sam_c</metadata>
+</glsa>
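Review bot: `<affected>` declares slot `0/12` unaffected from 12.20.1, but `<resolution>` has commands only for NodeJS 15 and 14, so users on the 12 series get no upgrade instruction. The two commands that are given also omit the slot, e.g. `"&gt;=net-libs/nodejs-14.15.1"`, which does not pin the 14 series. Other advisories in this commit do pin it, as in `"&gt;=www-client/firefox-78.6.1:0/esr78"`. Suggest adding a NodeJS 12 block and slot-qualified atoms such as `"&gt;=net-libs/nodejs-14.15.1:0/14"`.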
diff --git a/metadata/glsa/glsa-202101-08.xml b/metadata/glsa/glsa-202101-08.xml
new file mode 100644
index 000000000000..64adcec9d255
--- /dev/null
+++ b/metadata/glsa/glsa-202101-08.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-08">
+ <title>Pillow: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Pillow, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">pillow</product>
+ <announced>2021-01-11</announced>
+ <revised count="1">2021-01-11</revised>
+ <bug>763210</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/pillow" auto="yes" arch="*">
+ <unaffected range="ge">8.1.0</unaffected>
+ <vulnerable range="lt">8.1.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Python Imaging Library (fork)</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Pillow. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Pillow users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-python/pillow-8.1.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35653">CVE-2020-35653</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35654">CVE-2020-35654</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35655">CVE-2020-35655</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-04T00:06:19Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-11T09:13:26Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-09.xml b/metadata/glsa/glsa-202101-09.xml
new file mode 100644
index 000000000000..a5a9f5605e0e
--- /dev/null
+++ b/metadata/glsa/glsa-202101-09.xml
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-09">
+ <title>VirtualBox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in VirtualBox, the worst
+ of which could allow an attacker to take control of VirtualBox.
+ </synopsis>
+ <product type="ebuild">virtualbox</product>
+ <announced>2021-01-12</announced>
+ <revised count="1">2021-01-12</revised>
+ <bug>714064</bug>
+ <bug>717626</bug>
+ <bug>717782</bug>
+ <bug>733924</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-emulation/virtualbox" auto="yes" arch="*">
+ <unaffected range="ge" slot="0/6.1">6.1.12</unaffected>
+ <unaffected range="ge" slot="0/6.0">6.0.24</unaffected>
+ <vulnerable range="lt">6.1.12</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>VirtualBox is a powerful virtualization product from Oracle.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in VirtualBox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could take control of VirtualBox resulting in the execution
+ of arbitrary code with the privileges of the process, a Denial of Service
+ condition, or other unspecified impacts.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Virtualbox 6.0.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=app-emulation/virtualbox-6.0.24:0/6.0"
+ </code>
+
+ <p>All Virtualbox 6.1.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=app-emulation/virtualbox-6.1.12:0/6.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2848">CVE-2019-2848</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2850">CVE-2019-2850</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2859">CVE-2019-2859</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2863">CVE-2019-2863</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2864">CVE-2019-2864</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2865">CVE-2019-2865</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2866">CVE-2019-2866</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2867">CVE-2019-2867</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2873">CVE-2019-2873</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2874">CVE-2019-2874</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2875">CVE-2019-2875</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2876">CVE-2019-2876</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2877">CVE-2019-2877</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2926">CVE-2019-2926</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2944">CVE-2019-2944</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2984">CVE-2019-2984</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3002">CVE-2019-3002</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3005">CVE-2019-3005</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3017">CVE-2019-3017</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3021">CVE-2019-3021</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3026">CVE-2019-3026</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3028">CVE-2019-3028</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3031">CVE-2019-3031</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14628">CVE-2020-14628</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14629">CVE-2020-14629</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14646">CVE-2020-14646</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14647">CVE-2020-14647</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14648">CVE-2020-14648</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14649">CVE-2020-14649</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14650">CVE-2020-14650</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14673">CVE-2020-14673</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14674">CVE-2020-14674</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14675">CVE-2020-14675</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14676">CVE-2020-14676</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14677">CVE-2020-14677</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14694">CVE-2020-14694</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14695">CVE-2020-14695</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14698">CVE-2020-14698</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14699">CVE-2020-14699</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14700">CVE-2020-14700</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14703">CVE-2020-14703</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14704">CVE-2020-14704</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14707">CVE-2020-14707</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14711">CVE-2020-14711</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14712">CVE-2020-14712</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14713">CVE-2020-14713</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14714">CVE-2020-14714</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14715">CVE-2020-14715</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2575">CVE-2020-2575</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2674">CVE-2020-2674</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2678">CVE-2020-2678</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2681">CVE-2020-2681</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2682">CVE-2020-2682</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2689">CVE-2020-2689</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2690">CVE-2020-2690</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2691">CVE-2020-2691</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2692">CVE-2020-2692</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2693">CVE-2020-2693</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2698">CVE-2020-2698</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2701">CVE-2020-2701</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2702">CVE-2020-2702</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2703">CVE-2020-2703</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2704">CVE-2020-2704</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2705">CVE-2020-2705</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2725">CVE-2020-2725</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2726">CVE-2020-2726</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2727">CVE-2020-2727</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2741">CVE-2020-2741</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2742">CVE-2020-2742</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2743">CVE-2020-2743</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2748">CVE-2020-2748</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2758">CVE-2020-2758</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2894">CVE-2020-2894</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2902">CVE-2020-2902</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2905">CVE-2020-2905</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2907">CVE-2020-2907</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2908">CVE-2020-2908</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2909">CVE-2020-2909</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2910">CVE-2020-2910</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2911">CVE-2020-2911</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2913">CVE-2020-2913</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2914">CVE-2020-2914</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2929">CVE-2020-2929</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2951">CVE-2020-2951</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2958">CVE-2020-2958</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2959">CVE-2020-2959</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-17T04:23:43Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2021-01-12T17:56:20Z">sam_c</metadata>
+</glsa>
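Review bot: `<access>remote</access>` and the impact paragraph (`An attacker could take control of VirtualBox`) do not say where the attacker must be: inside a guest, logged on to the host, or on the network. For a hypervisor that decides triage priority, and with this many CVEs referenced the answer likely differs per issue. The access value is worth confirming against the referenced CVEs, and the impact text should state the worst case explicitly, for example whether a guest-to-host escape is included. Minor: the resolution writes `Virtualbox` where the rest of the file has `VirtualBox`.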
diff --git a/metadata/glsa/glsa-202101-10.xml b/metadata/glsa/glsa-202101-10.xml
new file mode 100644
index 000000000000..8abb71de9859
--- /dev/null
+++ b/metadata/glsa/glsa-202101-10.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-10">
+ <title>Asterisk: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Asterisk, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">asterisk</product>
+ <announced>2021-01-12</announced>
+ <revised count="1">2021-01-12</revised>
+ <bug>753269</bug>
+ <bug>761313</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/asterisk" auto="yes" arch="*">
+ <unaffected range="ge">13.38.1</unaffected>
+ <vulnerable range="lt">13.38.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A Modular Open Source PBX System.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Asterisk. Please review
+ the security advisories referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a possible Denial of Service condition.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Asterisk users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-misc/asterisk-13.38.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://downloads.asterisk.org/pub/security/AST-2020-001.html">
+ AST-2020-001
+ </uri>
+ <uri link="https://downloads.asterisk.org/pub/security/AST-2020-002.html">
+ AST-2020-002
+ </uri>
+ <uri link="https://downloads.asterisk.org/pub/security/AST-2020-003.html">
+ AST-2020-003
+ </uri>
+ <uri link="https://downloads.asterisk.org/pub/security/AST-2020-004.html">
+ AST-2020-004
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-04T16:30:21Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-12T17:58:27Z">sam_c</metadata>
+</glsa>
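Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` declaration on the second line of this new file names an external DTD over plain HTTP, and the same line opens glsa-202101-11 through glsa-202101-17 in this commit. Whether any consumer actually resolves it is not visible here, but a validating parser that does would fetch the grammar for security advisories over an unauthenticated channel. If the declaration has to stay for existing tooling, `<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa.dtd">` is the safer form, assuming the DTD is served over HTTPS. Consumers are better off validating against a locally shipped copy with external-entity resolution disabled.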
diff --git a/metadata/glsa/glsa-202101-11.xml b/metadata/glsa/glsa-202101-11.xml
new file mode 100644
index 000000000000..317df24d34d7
--- /dev/null
+++ b/metadata/glsa/glsa-202101-11.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-11">
+ <title>Zabbix: Root privilege escalation</title>
+ <synopsis>Multiple vulnerabilities were discovered in Gentoo's ebuild for
+ Zabbix which could lead to root privilege escalation.
+ </synopsis>
+ <product type="ebuild">zabbix</product>
+ <announced>2021-01-21</announced>
+ <revised count="1">2021-01-21</revised>
+ <bug>629882</bug>
+ <bug>629884</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-analyzer/zabbix" auto="yes" arch="*">
+ <unaffected range="ge" slot="0/3.0">3.0.30</unaffected>
+ <unaffected range="ge" slot="0/4.0">4.0.18</unaffected>
+ <vulnerable range="lt">4.4.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Zabbix is software for monitoring applications, networks, and servers.</p>
+ </background>
+ <description>
+ <p>It was discovered that Gentoo’s Zabbix ebuild did not properly set
+ permissions or placed the pid file in an unsafe directory.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker could escalate privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Zabbix 3.0.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=net-analyzer/zabbix-3.0.30:0/3.0"
+ </code>
+
+ <p>All Zabbix 4.0.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=net-analyzer/zabbix-4.0.18:0/4.0"
+ </code>
+
+ <p>All other Zabbix users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-analyzer/zabbix-4.4.6"
+ </code>
+ </resolution>
+ <references>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-16T06:25:12Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2021-01-21T19:18:35Z">b-man</metadata>
+</glsa>
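Review bot: The upgrade commands for the 3.0.x and 4.0.x slots are wrapped so that the package atom sits on its own line with no continuation. Pasted as written, `emerge --ask --oneshot --verbose` runs without a target and the shell then treats the quoted atom as a separate command. Keep each command on one line, e.g. `# emerge --ask --oneshot --verbose "&gt;=net-analyzer/zabbix-3.0.30:0/3.0"`, as the third `<code>` block in this file already does; the same wrapping appears in glsa-202101-13 and glsa-202101-14. Separately, `<references>` is empty, so a reader has only the two bug numbers to trace an advisory titled as a root privilege escalation; linking those bug reports, or a CVE if one was assigned, would fix that.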
diff --git a/metadata/glsa/glsa-202101-12.xml b/metadata/glsa/glsa-202101-12.xml
new file mode 100644
index 000000000000..10de65bdd4a6
--- /dev/null
+++ b/metadata/glsa/glsa-202101-12.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-12">
+ <title>Wireshark: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Wireshark, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">wireshark</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>759541</bug>
+ <bug>760800</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-analyzer/wireshark" auto="yes" arch="*">
+ <unaffected range="ge">3.4.2</unaffected>
+ <vulnerable range="lt">3.4.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Wireshark is a network protocol analyzer formerly known as ethereal.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Wireshark. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Wireshark users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-analyzer/wireshark-3.4.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26418">CVE-2020-26418</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26419">CVE-2020-26419</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26420">CVE-2020-26420</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26421">CVE-2020-26421</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26422">CVE-2020-26422</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-22T00:09:25Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T16:10:45Z">sam_c</metadata>
+</glsa>
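Review bot: The `<impact>` text only tells the reader to review the CVE identifiers, although the synopsis of this same advisory already names the worst case as a Denial of Service condition. Anyone triaging from the impact field alone gets no outcome to act on. Carry the synopsis outcome over, for example `<p>A remote attacker could cause a Denial of Service condition. Please review the referenced CVE identifiers for details.</p>`. glsa-202101-13 (arbitrary code execution in its synopsis) and glsa-202101-15 (privilege escalation in its synopsis) defer in the same way and would benefit from the same one-line change.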
diff --git a/metadata/glsa/glsa-202101-13.xml b/metadata/glsa/glsa-202101-13.xml
new file mode 100644
index 000000000000..e5c9507b0d3a
--- /dev/null
+++ b/metadata/glsa/glsa-202101-13.xml
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-13">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">google-chrome,chromium</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>766207</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">88.0.4324.96</unaffected>
+ <vulnerable range="lt">88.0.4324.96</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">88.0.4324.96</unaffected>
+ <vulnerable range="lt">88.0.4324.96</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/chromium-88.0.4324.96"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/google-chrome-88.0.4324.96"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16044">CVE-2020-16044</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21117">CVE-2021-21117</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21118">CVE-2021-21118</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21119">CVE-2021-21119</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21120">CVE-2021-21120</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21121">CVE-2021-21121</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21122">CVE-2021-21122</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21123">CVE-2021-21123</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21124">CVE-2021-21124</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21125">CVE-2021-21125</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21126">CVE-2021-21126</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21127">CVE-2021-21127</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21128">CVE-2021-21128</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21129">CVE-2021-21129</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21130">CVE-2021-21130</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21131">CVE-2021-21131</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21132">CVE-2021-21132</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21133">CVE-2021-21133</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21134">CVE-2021-21134</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21135">CVE-2021-21135</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21136">CVE-2021-21136</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21137">CVE-2021-21137</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21138">CVE-2021-21138</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21139">CVE-2021-21139</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21140">CVE-2021-21140</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21141">CVE-2021-21141</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-22T00:15:06Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T16:11:56Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-14.xml b/metadata/glsa/glsa-202101-14.xml
new file mode 100644
index 000000000000..f8ce93e509b1
--- /dev/null
+++ b/metadata/glsa/glsa-202101-14.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-14">
+ <title>Mozilla Thunderbird: Remote code execution</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird,
+ the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">thunderbird</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>765088</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">78.6.1</unaffected>
+ <vulnerable range="lt">78.6.1</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">78.6.1</unaffected>
+ <vulnerable range="lt">78.6.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the
+ Mozilla project.
+ </p>
+ </background>
+ <description>
+ <p>A use-after-free bug was discovered in Mozilla Thunderbird handling of
+ SCTP.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=mail-client/thunderbird-78.6.1"
+ </code>
+
+ <p>All Mozilla Thunderbird binary users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=mail-client/thunderbird-bin-78.6.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16044">CVE-2020-16044</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2021-02/">
+ MFSA-2021-02
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-22T00:15:52Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T16:13:18Z">sam_c</metadata>
+</glsa>
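Review bot: The synopsis announces "Multiple vulnerabilities ... the worst of which", but the description covers a single use-after-free in SCTP handling and the references list one CVE plus the matching MFSA. Either the synopsis should describe the one bug, e.g. `<synopsis>A use-after-free in Mozilla Thunderbird could result in the arbitrary execution of code.</synopsis>`, or the description and references should name the remaining issues. glsa-202101-16 has the reverse mismatch: its synopsis says "A vulnerability" while its description says "Multiple issues".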
diff --git a/metadata/glsa/glsa-202101-15.xml b/metadata/glsa/glsa-202101-15.xml
new file mode 100644
index 000000000000..3762d3444f79
--- /dev/null
+++ b/metadata/glsa/glsa-202101-15.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-15">
+ <title>VirtualBox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in VirtualBox, the worst
+ of which could result in privilege escalation.
+ </synopsis>
+ <product type="ebuild">virtualbox</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>750782</bug>
+ <bug>766348</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-emulation/virtualbox" auto="yes" arch="*">
+ <unaffected range="ge">6.1.18</unaffected>
+ <vulnerable range="lt">6.1.18</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>VirtualBox is a powerful virtualization product from Oracle.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in VirtualBox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All VirtualBox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-emulation/virtualbox-6.1.18"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14872">CVE-2020-14872</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14881">CVE-2020-14881</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14884">CVE-2020-14884</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14885">CVE-2020-14885</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14886">CVE-2020-14886</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14889">CVE-2020-14889</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14892">CVE-2020-14892</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2073">CVE-2021-2073</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2074">CVE-2021-2074</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2086">CVE-2021-2086</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2111">CVE-2021-2111</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2112">CVE-2021-2112</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2119">CVE-2021-2119</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2120">CVE-2021-2120</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2121">CVE-2021-2121</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2123">CVE-2021-2123</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2124">CVE-2021-2124</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2125">CVE-2021-2125</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2126">CVE-2021-2126</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2127">CVE-2021-2127</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2128">CVE-2021-2128</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2129">CVE-2021-2129</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2130">CVE-2021-2130</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2131">CVE-2021-2131</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-18T03:00:34Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T16:14:33Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-16.xml b/metadata/glsa/glsa-202101-16.xml
new file mode 100644
index 000000000000..2f7ed9ee6712
--- /dev/null
+++ b/metadata/glsa/glsa-202101-16.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-16">
+ <title>KDE Connect: Denial of service</title>
+ <synopsis>A vulnerability in KDE Connect could lead to a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">kde-connect</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>746401</bug>
+ <access>remote</access>
+ <affected>
+ <package name="kde-misc/kdeconnect" auto="yes" arch="*">
+ <unaffected range="ge">20.04.3-r1</unaffected>
+ <vulnerable range="lt">20.04.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>KDE Connect is a project that enables all your devices to communicate
+ with each other.
+ </p>
+ </background>
+ <description>
+ <p>Multiple issues causing excessive resource consumption were found in KDE
+ Connect.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a possible Denial of Service condition.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All KDE Connect users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=kde-misc/kdeconnect-20.04.3-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26164">CVE-2020-26164</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-22T00:28:04Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T16:16:11Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-17.xml b/metadata/glsa/glsa-202101-17.xml
new file mode 100644
index 000000000000..9fd515383c4c
--- /dev/null
+++ b/metadata/glsa/glsa-202101-17.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-17">
+ <title>Dnsmasq: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Dnsmasq, the worst of
+ which may allow remote attackers to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">dnsmasq</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>766126</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="net-dns/dnsmasq" auto="yes" arch="*">
+ <unaffected range="ge">2.83</unaffected>
+ <vulnerable range="lt">2.83</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Dnsmasq is a lightweight and easily-configurable DNS forwarder and DHCP
+ server.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Dnsmasq. Please review
+ the references below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker, by sending specially crafted DNS replies, could possibly
+ execute arbitrary code with the privileges of the process, perform a
+ cache poisoning attack or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Dnsmasq users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-dns/dnsmasq-2.83"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25681">CVE-2020-25681</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25682">CVE-2020-25682</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25683">CVE-2020-25683</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25684">CVE-2020-25684</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25685">CVE-2020-25685</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25686">CVE-2020-25686</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25687">CVE-2020-25687</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-21T20:58:48Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T17:55:39Z">whissi</metadata>
+</glsa>
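Review bot: `<access>local, remote</access>` declares a local vector, but the impact paragraph describes only an attacker sending crafted DNS replies, and nothing else in the advisory says what a local attacker can do. If the local case is real it deserves a sentence in `<impact>`; if not, `<access>remote</access>` matches the text. Which is right cannot be settled from this file alone, so it should be checked against the referenced CVEs before publication.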
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 81201ed971ce..a5dbbef5e51f 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Fri, 08 Jan 2021 11:08:36 +0000
+Fri, 22 Jan 2021 20:08:35 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 53f93d093df4..55000c1dfc6e 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-ea35db4303f80b8dc5f6dffe7a6c3111e9e37b5a 1608819368 2020-12-24T14:16:08+00:00
+fc457c57148901f04674f1d427ad8bb280eb3c72 1611338159 2021-01-22T17:55:59+00:00