Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 527347 -> 529256 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202209-16.xml | 46 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-17.xml | 60 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-18.xml | 59 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-19.xml | 45 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-20.xml | 71 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-21.xml | 43 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-22.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-23.xml | 112 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-24.xml | 61 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-25.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-26.xml | 49 | ||||
-rw-r--r-- | metadata/glsa/glsa-202209-27.xml | 76 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
16 files changed, 723 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index c4366491356c..990add4b4944 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 527347 BLAKE2B 2a3ca4466b681cdb565e900ea1a740da53b44fbb53b587593768b40df60e0574c7bd692ef80c62c3eb717f2ded2eddd9f52d1600f669a4df4b5cd88371298781 SHA512 966d722a4e31cba37994e6aa7863ecd729a7c644c719a26094f88a8acb8e90825cffcd239a1f665ad159294f5377cc124a3c9da2f622fbf7561835a7bb02c3e7 -TIMESTAMP 2022-09-29T13:39:41Z +MANIFEST Manifest.files.gz 529256 BLAKE2B a8ad285bac1cf4317c62825ad52e916f3d77cdd05175694abbde87461cf015178a8cf1dd6c3af6013668089990ee96f6cb9be7de7409b13ba538d09d94cde515 SHA512 3502c0b489efa2b78e07af6e3b1c1c817c21c7435c1db2224f9b91f9d0ce815b1514a1e3062680326c8a33813260f974b3b492221b06b61e7499b2dcad6eaeb1 +TIMESTAMP 2022-09-29T19:39:43Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmM1oB1fFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmM19H9fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klCH4RAApjoc1l9sFlS5Wzv3kyDqbH2fv4Bdu6G2pVn7VRs4QALVR8/+I1cqGAj5 -V3JNleiulw7qaPDsm6UXg/zahQS2p+uvgjW9Wflxo8A6guxnh5W2Ev4cuir7o9+P -kGydcdGLcRnT+Y3ALUz/LWyxX/bLhhGuGaPzryVvDCWPsULv2+NOgR5/KFOy7Fqo -Ux73qBHnxMBtjqSr//MQYhGj37xsGmtWCK00/5D3X9dnM0g1oTtJd22emLqI6ge0 -wX8P4VWIf3YOSYniTRG0a1yh2s+bZXkbs1wRgdo3I6i80KoxArH2nU9uKddBU6Hv -PipXG/3n7qu2z39XuFBuLd1KUbfUfuIMH1Zh+w2LkFp9r9KYYscMDJpXk+z1wLGS -9KaR3u5rrNqJ/gyXwHZzAI3yRu7c7n4qvOqvZygGBzZu3k6lWnlgz6R7qWloa94z -aqDS52Gbo5oZGUTumjOYZ0qh5lltaqTMSUOVBk9XpdHSSimoCZYPoZ+KmBx+j4Xq -JmzueRWL1qZ/+dE09stBDemD53N4/lZ1MLA31vr1lmwgwUs/bN0RQCvwMQgoEvjP -l+bPHfBbG6FkaWfQqq31bSnZacDqCaPYz+fqPq6XG8xynp9ivVqbIW080xcVAOBw -VwT33Y4RnlgydQgJI6ZY4Fl98A2NXQCfX+lWa+HlQzih1AsXgtI= -=glHt +klDRjg/8CQTCNLgMV5v8FqVdK+ZdY1ZXKd7zQMxvX1GBsh2r/ODfTicyPGbnf9AS +JiDKYj9njQ2tuQAKtmZIERM0/gNQ+X0Fh4bdgEdBAK1hwrVyhlw8XMaP0lYCjZ8P +RnkjTjnr7ZqO5l9F3yJ2QHSPWwatfYB4h/U383Z+WHQ+QObL8T34ESU0RufFRO7C 
+DAj20/u3VUvVy3QkRLYS+AmbYAWsgL18PtYKkL7g6WUDf16Gk0a2DX+MurXk4Rqm +LdjjczlGQqw1Odl/z6ZD4zgsyLmu7klu8tYkCRF4xCVGFt6iGP3a16+9apxZXX3s +vadXAA18VqrzMhn8pCncUKjO89dtNTpaRhrcvmyfE3O1Zbkje2948BmjdmPRibNI +wEA6HkVIhDsTRX4tlgzX+YMQbA1s52jWwye1fRdrb1n4kv7N1RZ8SmrtZGU0doix +2iHn1HXXvdMwmJ2drbtJCidirGX5ELM8zHzfK41i2kRx1BQMzxtYHFbQuONFWAgU +vUUOEdTvitRm7vR07Yz8AQqi3pgc6LHoLAEu/wWnpwzNpqSAKuGD1J65o2KAm/xS +8DXClgczeKlxjDGV4nzUNoXFGo8xbPprXSJ9tBkLILmbE7oCfE+yTSeU3NPXs/ca +H8Xx7zPBx0gpfJnEEpXWpSIRmf8gbKroajBopWJ49h4LqMwK4Lw= +=pnDq -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 269086cc58ee..8230cd2e186c 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202209-16.xml b/metadata/glsa/glsa-202209-16.xml new file mode 100644 index 000000000000..1f0069fee5ea --- /dev/null +++ b/metadata/glsa/glsa-202209-16.xml 
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-16">
+ <title>BlueZ: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in BlueZ, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">bluez</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>797712</bug>
+ <bug>835077</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-wireless/bluez" auto="yes" arch="*">
+ <unaffected range="ge">5.63</unaffected>
+ <vulnerable range="lt">5.63</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>BlueZ is the canonical bluetooth tools and system daemons package for Linux.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in BlueZ. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All BlueZ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-wireless/bluez-5.63"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26558">CVE-2020-26558</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-0129">CVE-2021-0129</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3588">CVE-2021-3588</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0204">CVE-2022-0204</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:21:34.715873Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:21:34.729713Z">ajak</metadata>
+</glsa>
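Review bot: Each advisory this commit adds is written without a terminating newline — `\ No newline at end of file` follows glsa-202209-16 and likewise 17 through 26 — so `</glsa>` should be followed by a newline before these files are committed; the same point applies to every other new-file hunk on this page and is not repeated there. The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line follows the existing GLSA convention, but it names an external DTD over plain http, so any tool that consumes these files should parse them with external DTD loading disabled rather than resolving that reference.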
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-17.xml b/metadata/glsa/glsa-202209-17.xml
new file mode 100644
index 000000000000..38ff99dcd559
--- /dev/null
+++ b/metadata/glsa/glsa-202209-17.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-17">
+ <title>Redis: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Redis, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">redis</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>803302</bug>
+ <bug>816282</bug>
+ <bug>841404</bug>
+ <bug>856040</bug>
+ <bug>859181</bug>
+ <bug>872278</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-db/redis" auto="yes" arch="*">
+ <unaffected range="ge">7.0.5</unaffected>
+ <vulnerable range="lt">7.0.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Redis. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Redis users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/redis-7.0.5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32626">CVE-2021-32626</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32627">CVE-2021-32627</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32628">CVE-2021-32628</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32672">CVE-2021-32672</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32675">CVE-2021-32675</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32687">CVE-2021-32687</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32761">CVE-2021-32761</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32762">CVE-2021-32762</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41099">CVE-2021-41099</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24735">CVE-2022-24735</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24736">CVE-2022-24736</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31144">CVE-2022-31144</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-33105">CVE-2022-33105</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35951">CVE-2022-35951</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:21:49.334830Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:21:49.338636Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-18.xml b/metadata/glsa/glsa-202209-18.xml
new file mode 100644
index 000000000000..5c7df9f40c10
--- /dev/null
+++ b/metadata/glsa/glsa-202209-18.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-18">
+ <title>Mozilla Thunderbird: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird, the world of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">thunderbird,thunderbird-bin</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>872572</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">102.3.0</unaffected>
+ <vulnerable range="lt">102.3.0</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">102.3.0</unaffected>
+ <vulnerable range="lt">102.3.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.3.0"
+ </code>
+
+ <p>All Mozilla Thunderbird binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.3.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3155">CVE-2022-3155</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40956">CVE-2022-40956</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40957">CVE-2022-40957</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40958">CVE-2022-40958</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40959">CVE-2022-40959</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40960">CVE-2022-40960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40962">CVE-2022-40962</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:22:02.610681Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:22:02.615638Z">ajak</metadata>
+</glsa>
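Review bot: The synopsis of glsa-202209-18 reads `the world of which could result in arbitrary code execution`; every other advisory in this commit uses the intended phrase `the worst of which`. Change the line to `<synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution.</synopsis>`. The synopsis is the text that reaches users through advisory feeds, so the typo is worth fixing before the file is published.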
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-19.xml b/metadata/glsa/glsa-202209-19.xml
new file mode 100644
index 000000000000..1b587ba0e128
--- /dev/null
+++ b/metadata/glsa/glsa-202209-19.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-19">
+ <title>GraphicsMagick: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in GraphicsMagick, the worst of which are fuzzing issues presumed to allow for arbitrary code execution.</synopsis>
+ <product type="ebuild">graphicsmagick</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>721328</bug>
+ <bug>836283</bug>
+ <bug>873367</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-gfx/graphicsmagick" auto="yes" arch="*">
+ <unaffected range="ge">1.3.38</unaffected>
+ <vulnerable range="lt">1.3.38</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GraphicsMagick is a collection of tools and libraries which support reading, writing, and manipulating images in many major formats.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GraphicsMagick. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GraphicsMagick users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.3.38"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12672">CVE-2020-12672</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1270">CVE-2022-1270</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:22:18.052582Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:22:18.057915Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-20.xml b/metadata/glsa/glsa-202209-20.xml
new file mode 100644
index 000000000000..de8287e1ca48
--- /dev/null
+++ b/metadata/glsa/glsa-202209-20.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-20">
+ <title>PHP: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in PHP, the worst of which could result in local root privilege escalation.</synopsis>
+ <product type="ebuild">php</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>799776</bug>
+ <bug>810526</bug>
+ <bug>819510</bug>
+ <bug>833585</bug>
+ <bug>850772</bug>
+ <bug>857054</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/php" auto="yes" arch="*">
+ <unaffected range="ge" slot="7.4">7.4.30</unaffected>
+ <unaffected range="ge" slot="8.0">8.0.23</unaffected>
+ <unaffected range="ge" slot="8.1">8.1.8</unaffected>
+ <vulnerable range="lt" slot="7.4">7.4.30</vulnerable>
+ <vulnerable range="lt" slot="8.0">8.0.23</vulnerable>
+ <vulnerable range="lt" slot="8.1">8.1.8</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PHP 7.4 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.30:7.4"
+ </code>
+
+ <p>All PHP 8.0 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-8.0.23:8.0"
+ </code>
+
+ <p>All PHP 8.1 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-8.1.8:8.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21703">CVE-2021-21703</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21704">CVE-2021-21704</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21705">CVE-2021-21705</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21708">CVE-2021-21708</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31625">CVE-2022-31625</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31626">CVE-2022-31626</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31627">CVE-2022-31627</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:23:13.296193Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:23:13.301732Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-21.xml b/metadata/glsa/glsa-202209-21.xml
new file mode 100644
index 000000000000..4c938a048ef8
--- /dev/null
+++ b/metadata/glsa/glsa-202209-21.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-21">
+ <title>Poppler: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Poppler which could allow for arbitrary code execution.</synopsis>
+ <product type="ebuild">poppler</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>867958</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-text/poppler" auto="yes" arch="*">
+ <unaffected range="ge">22.09.0</unaffected>
+ <vulnerable range="lt">22.09.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Poppler is a PDF rendering library based on the xpdf-3.0 code base.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Poppler. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code.</p>
+ </impact>
+ <workaround>
+ <p>Avoid opening untrusted PDFs.</p>
+ </workaround>
+ <resolution>
+ <p>All Poppler users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/poppler-22.09.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30860">CVE-2021-30860</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38784">CVE-2022-38784</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:23:57.782903Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:23:57.787650Z">ajak</metadata>
+</glsa>
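Review bot: In glsa-202209-21 the title and synopsis describe one issue (`Poppler: Arbitrary Code Execution`, `A vulnerability has been discovered in Poppler`) while the description says `Multiple vulnerabilities have been discovered in Poppler` and two CVEs are referenced, so the advisory contradicts itself. Given the two references, the likelier fix is `<title>Poppler: Multiple Vulnerabilities</title>` and `<synopsis>Multiple vulnerabilities have been discovered in Poppler, the worst of which could result in arbitrary code execution.</synopsis>`, but the author should confirm which reading was intended before changing either side.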
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-22.xml b/metadata/glsa/glsa-202209-22.xml
new file mode 100644
index 000000000000..436a5965270a
--- /dev/null
+++ b/metadata/glsa/glsa-202209-22.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-22">
+ <title>Kitty: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been found in Kitty which could allow for arbitrary code execution with user input.</synopsis>
+ <product type="ebuild">kitty</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>868543</bug>
+ <access>remote</access>
+ <affected>
+ <package name="x11-terms/kitty" auto="yes" arch="*">
+ <unaffected range="ge">0.26.2</unaffected>
+ <vulnerable range="lt">0.26.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Kitty is a fast, feature-rich, GPU-based terminal.</p>
+ </background>
+ <description>
+ <p>Carter Sande discovered that maliciously constructed control sequences can cause Kitty to display a notification that, when clicked, can cause Kitty to execute arbitrary commands.</p>
+ </description>
+ <impact type="normal">
+ <p>Kitty can produce notifications that, when clicked, can execute arbitrary commands.</p>
+ </impact>
+ <workaround>
+ <p>Avoid clicking unexpected notifications.</p>
+ </workaround>
+ <resolution>
+ <p>All Kitty users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-terms/kitty-0.26.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41322">CVE-2022-41322</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:24:10.185134Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:24:10.190433Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-23.xml b/metadata/glsa/glsa-202209-23.xml
new file mode 100644
index 000000000000..58f76d401fd0
--- /dev/null
+++ b/metadata/glsa/glsa-202209-23.xml
@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-23">
+ <title>Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution.</synopsis>
+ <product type="ebuild">chromium,chromium-bin,google-chrome,microsoft-edge</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>868156</bug>
+ <bug>868354</bug>
+ <bug>872407</bug>
+ <bug>870142</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">105.0.5195.125</unaffected>
+ <vulnerable range="lt">105.0.5195.125</vulnerable>
+ </package>
+ <package name="www-client/chromium-bin" auto="yes" arch="*">
+ <unaffected range="ge">105.0.5195.125</unaffected>
+ <vulnerable range="lt">105.0.5195.125</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">105.0.5195.125</unaffected>
+ <vulnerable range="lt">105.0.5195.125</vulnerable>
+ </package>
+ <package name="www-client/microsoft-edge" auto="yes" arch="*">
+ <unaffected range="ge">105.0.1343.42</unaffected>
+ <vulnerable range="lt">105.0.1343.42</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
+
+Google Chrome is one fast, simple, and secure browser for all your devices.
+
+Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium, Google Chrome, Microsoft Edge. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/chromium-105.0.5195.125"
+ </code>
+
+ <p>All Chromium binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/chromium-bin-105.0.5195.125"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/google-chrome-105.0.5195.125"
+ </code>
+
+ <p>All Microsoft Edge users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-105.0.1343.42"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3038">CVE-2022-3038</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3039">CVE-2022-3039</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3040">CVE-2022-3040</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3041">CVE-2022-3041</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3042">CVE-2022-3042</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3043">CVE-2022-3043</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3044">CVE-2022-3044</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3045">CVE-2022-3045</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3046">CVE-2022-3046</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3047">CVE-2022-3047</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3048">CVE-2022-3048</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3049">CVE-2022-3049</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3050">CVE-2022-3050</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3051">CVE-2022-3051</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3052">CVE-2022-3052</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3053">CVE-2022-3053</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3054">CVE-2022-3054</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3055">CVE-2022-3055</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3056">CVE-2022-3056</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3057">CVE-2022-3057</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3058">CVE-2022-3058</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3071">CVE-2022-3071</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3075">CVE-2022-3075</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3195">CVE-2022-3195</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3196">CVE-2022-3196</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3197">CVE-2022-3197</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3198">CVE-2022-3198</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3199">CVE-2022-3199</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3200">CVE-2022-3200</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3201">CVE-2022-3201</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38012">CVE-2022-38012</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:24:25.561065Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:24:25.563560Z">ajak</metadata>
+</glsa>
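Review bot: The `<bug>` list in glsa-202209-23 is not in ascending order (`<bug>872407</bug>` precedes `<bug>870142</bug>`), whereas every other advisory in this commit lists its bugs ascending; swapping the two lines keeps the files consistent. Separately, the background section places three paragraphs inside a single `<p>` separated by bare `+` blank lines, so the paragraph breaks depend on whitespace inside text content; splitting it into three `<p>` elements, one per browser, matches how the rest of the file is structured.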
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-24.xml b/metadata/glsa/glsa-202209-24.xml
new file mode 100644
index 000000000000..218e97d92590
--- /dev/null
+++ b/metadata/glsa/glsa-202209-24.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-24">
+ <title>Expat: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Expat, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">expat</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>791703</bug>
+ <bug>830422</bug>
+ <bug>831918</bug>
+ <bug>833431</bug>
+ <bug>870097</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/expat" auto="yes" arch="*">
+ <unaffected range="ge">2.4.9</unaffected>
+ <vulnerable range="lt">2.4.9</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Expat is a set of XML parsing libraries.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Expat. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Expat users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/expat-2.4.9"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45960">CVE-2021-45960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46143">CVE-2021-46143</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22822">CVE-2022-22822</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22823">CVE-2022-22823</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22824">CVE-2022-22824</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22825">CVE-2022-22825</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22826">CVE-2022-22826</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22827">CVE-2022-22827</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23852">CVE-2022-23852</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23990">CVE-2022-23990</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-25235">CVE-2022-25235</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-25236">CVE-2022-25236</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-25313">CVE-2022-25313</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-25314">CVE-2022-25314</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-25315">CVE-2022-25315</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40674">CVE-2022-40674</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:24:39.510183Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:24:39.514035Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-25.xml b/metadata/glsa/glsa-202209-25.xml
new file mode 100644
index 000000000000..29e1792c1e01
--- /dev/null
+++ b/metadata/glsa/glsa-202209-25.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-25">
+ <title>Zutty: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Zutty which could allow for arbitrary code execution.</synopsis>
+ <product type="ebuild">zutty</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>868495</bug>
+ <access>remote</access>
+ <affected>
+ <package name="x11-terms/zutty" auto="yes" arch="*">
+ <unaffected range="ge">0.13</unaffected>
+ <vulnerable range="lt">0.13</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Zutty is an X terminal emulator rendering through OpenGL ES Compute Shaders.</p>
+ </background>
+ <description>
+ <p>Zutty does not correctly handle invalid DECRQSS commands, which can be exploited to run arbitrary commands in the terminal.</p>
+ </description>
+ <impact type="normal">
+ <p>Untrusted text written to the Zutty terminal can achieve arbitrary code execution.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Zutty users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-terms/zutty-0.13"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41138">CVE-2022-41138</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:24:54.456443Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:24:54.462355Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-26.xml b/metadata/glsa/glsa-202209-26.xml
new file mode 100644
index 000000000000..aad69644bc5a
--- /dev/null
+++ b/metadata/glsa/glsa-202209-26.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-26">
+ <title>Go: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Go, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">go</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>869002</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/go" auto="yes" arch="*">
+ <unaffected range="ge">1.18.6</unaffected>
+ <vulnerable range="lt">1.18.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Go. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Go users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/go-1.18.6"
+ </code>
+
+ <p>In addition, users using Portage 3.0.9 or later should ensure that packages with Go binaries have no vulnerable code statically linked into their binaries by rebuilding the @golang-rebuild set:</p>
+
+ <code>
+ # emerge --ask --oneshot --verbose @golang-rebuild
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27664">CVE-2022-27664</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32190">CVE-2022-32190</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:25:08.594710Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:25:08.600219Z">ajak</metadata>
+</glsa>
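Review bot: The single pair `<unaffected range="ge">1.18.6</unaffected>` / `<vulnerable range="lt">1.18.6</vulnerable>` declares every version at or above 1.18.6 fixed, which would report a 1.19.0 install as unaffected; as far as I recall upstream shipped the fixes for CVE-2022-27664 and CVE-2022-32190 in 1.18.6 and 1.19.1 together, so if a 1.19.0 ebuild was ever in the tree the range is too permissive and should be split per branch, e.g. `<unaffected range="rge">1.18.6</unaffected>`, `<unaffected range="ge">1.19.1</unaffected>` and `<vulnerable range="lt">1.19.1</vulnerable>`. I cannot verify the tree's version history from this diff, so please check before revising. On the resolution text, the `@golang-rebuild` step is the security-relevant half — Go statically links the standard library into each consumer, so upgrading dev-lang/go alone leaves vulnerable code in already-built binaries — and the paragraph currently says nothing for users on Portage older than 3.0.9 or for binary packages that ship their own Go runtime; a sentence telling those users to rebuild Go-based packages manually, or to upgrade Portage first, would close that gap.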
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-27.xml b/metadata/glsa/glsa-202209-27.xml
new file mode 100644
index 000000000000..7b945322eac5
--- /dev/null
+++ b/metadata/glsa/glsa-202209-27.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-27">
+ <title>Mozilla Firefox: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">firefox,firefox-bin</product>
+ <announced>2022-09-29</announced>
+ <revised count="1">2022-09-29</revised>
+ <bug>872059</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge" slot="rapid">105.0</unaffected>
+ <unaffected range="ge" slot="esr">102.3.0</unaffected>
+ <vulnerable range="lt" slot="rapid">105.0</vulnerable>
+ <vulnerable range="lt" slot="esr">102.3.0</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge" slot="rapid">105.0</unaffected>
+ <unaffected range="ge" slot="esr">102.3.0</unaffected>
+ <vulnerable range="lt" slot="rapid">105.0</vulnerable>
+ <vulnerable range="lt" slot="esr">102.3.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. 
Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox ESR users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-102.3.0"
+ </code>
+
+ <p>All Mozilla Firefox ESR binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.3.0"
+ </code>
+
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-105.0"
+ </code>
+
+ <p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-105.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40956">CVE-2022-40956</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40957">CVE-2022-40957</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40958">CVE-2022-40958</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40959">CVE-2022-40959</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40960">CVE-2022-40960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40962">CVE-2022-40962</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-29T14:25:19.979184Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-29T14:25:19.985055Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 712330eb8b3c..cfb343b1c375 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
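Review bot: The ESR upgrade atoms in the resolution, `">=www-client/firefox-102.3.0"` and `">=www-client/firefox-bin-102.3.0"`, carry no slot, while the `<affected>` block keys the fixed versions on `slot="esr"` and `slot="rapid"`; the highest version satisfying `>=102.3.0` is 105.0 in the rapid slot, so an ESR user following the text as written is likely to be offered the rapid-release build in the other slot and keep a vulnerable 102.x installed. Qualifying the atoms by slot keeps the instructions consistent with the version ranges: `# emerge --ask --oneshot --verbose ">=www-client/firefox-102.3.0:esr"` and `# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.3.0:esr"` (and `:rapid` on the two 105.0 atoms for symmetry). Whether Portage's best-match selection actually crosses slots here depends on the ebuilds' SLOT values, which are not visible in this diff, so confirm before editing.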
@@ -1 +1 @@
-Thu, 29 Sep 2022 13:39:38 +0000
+Thu, 29 Sep 2022 19:39:39 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index e8679a795959..82d38176045a 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-2570332a2b988e5bec8319e9b7bcfceb39048f5d 1664114157 2022-09-25T13:55:57+00:00
+423ddf8af24c3cf1486229480c2c24ed81d77ba6 1664462883 2022-09-29T14:48:03+00:00 |