Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin551527 -> 552160 bytes
-rw-r--r--metadata/glsa/glsa-202310-17.xml43
-rw-r--r--metadata/glsa/glsa-202310-18.xml45
-rw-r--r--metadata/glsa/glsa-202310-19.xml44
-rw-r--r--metadata/glsa/glsa-202310-20.xml45
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
8 files changed, 194 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 86fd3f12d516..4b7a38f792a4 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 551527 BLAKE2B db64d10d2fa1122803097d484fee003fef693bdaf1bbc3e95adeb74bc10a4f4d9fb91c2a44ce8126e382ca58789a31168c226892f8e9b697446331bb0348d0ef SHA512 2574a3347157ae0bb1a2009e7010804d3b1b384faccb3d7bd553d8691f02c4ce971671af6ae20b2989ae24ed00352b3210d3b61e28abbc9963d54bcf5e71eb27
-TIMESTAMP 2023-10-30T09:10:00Z
+MANIFEST Manifest.files.gz 552160 BLAKE2B c4a5477dbfb55c3bbe641438b3e9adf48fa50c0d3441ac98776b2554a171a4e603b690216aa384b9c720945f640c9a42d5bdc15ee8cebb6472ed148f81a03524 SHA512 92d0fedf6186bf9ffacb9ed55ab2129e7804756cf5b4d56d9a6de290ec38c4f69a9495d06d0f581ffecce1fad1e401d08bb1de2e4df369a23c39ca978499e608
+TIMESTAMP 2023-10-30T15:09:57Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmU/cuhfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmU/x0VfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klDpAg//RfjD9/+os2dkzr8e5EF//F2+MCaAgEEWV+SMfe8sU+d4xXl6ioVOtlFb
-JatT/BML1zSUrSJ6ojy/UirG1Sio8sbHUoj4ZRaS+p9jSdxG4jxChvsdlCidJcHc
-6pAKAqwmteF67Vq5AAp9A2bJs8IQlohSdCnTZXoiNFtKj09X0F5l5cEcvG98INFR
-XQvtYWrwKrOEZ7Gm/yimaY/TMsot+DoBGVKgus/ByLmwEYNPNlMmrmvgaw4le41V
-L69R0ZnQmVE65F/cNnXvd1CMgR3VBVS2J0rUz4W4zHzypSp/o5ZbZdY5TuphhwOB
-EiHTJXxVP9raBbhUAjuRfKWaaJ8mBdFeyU9jgkR1uQPlTKLSQW30IpLnvP9p0pOY
-FNBf6FnLW872vjenEzSOiho0SNJAwU2633zqQ0JdVPYGzyZ3mhYrLlrPvVIMBiHh
-vW40b8zP+9NBfK9hllvtLyxAOlx7ByUGn7NYWdummrexZYu6YlumfM5d+fz/atoA
-FnH4vnymn47u2iZpLSLS9VWS6bBQOA02Joh6DKu+DCWu3h8UEXRDRQmTGfkaK/44
-hwk8eN1oEEB9bRkyQuxsTIkPJXXxlZt5uzj0etAeViHRM5vkT5P8TfeS2rzveQ9n
-74pMWIUZHRaa7JLuFUhL8NXPMM9j5p4vmIbSPzs2iHEcBsG1GTs=
-=RxoY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+=mAty
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 91ebb5d9dc28..184a203d91d6 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202310-17.xml b/metadata/glsa/glsa-202310-17.xml
new file mode 100644
index 000000000000..2bc9e20328f5
--- /dev/null
+++ b/metadata/glsa/glsa-202310-17.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-17">
+ <title>UnZip: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in UnZip, the worst of which could lead to code execution.</synopsis>
+ <product type="ebuild">unzip</product>
+ <announced>2023-10-30</announced>
+ <revised count="1">2023-10-30</revised>
+ <bug>831190</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-arch/unzip" auto="yes" arch="*">
+ <unaffected range="ge">6.0_p27</unaffected>
+ <vulnerable range="lt">6.0_p27</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Info-ZIP’s UnZip is a tool to list and extract files inside PKZIP compressed files.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in UnZip. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All UnZip users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/unzip-6.0_p27"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0529">CVE-2022-0529</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0530">CVE-2022-0530</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-30T09:22:55.998380Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-30T09:22:56.000940Z">graaff</metadata>
+</glsa> \ No newline at end of file
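Review bot: The `<impact>` body `<p>Please review the referenced CVE identifiers for details.</p>` is placeholder text that repeats the `<description>` above it, while the title and synopsis already assert that the worst issue "could lead to code execution"; the impact paragraph should at least carry that claim, e.g. `<p>A remote attacker could entice a user to process a specially crafted archive with UnZip, possibly resulting in arbitrary code execution.</p>` (wording to be confirmed against the referenced CVE details). The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` header is the GLSA format's convention and recurs in glsa-202310-18, -19 and -20, but its SYSTEM identifier is a plain-http URL, so any tool that parses these files should run with external DTD resolution disabled rather than dereferencing it. All four new files are also committed without a trailing newline, as the `\ No newline at end of file` markers show.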
diff --git a/metadata/glsa/glsa-202310-18.xml b/metadata/glsa/glsa-202310-18.xml
new file mode 100644
index 000000000000..b66189f1dca0
--- /dev/null
+++ b/metadata/glsa/glsa-202310-18.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-18">
+ <title>Rack: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging compontents.</synopsis>
+ <product type="ebuild">rack</product>
+ <announced>2023-10-30</announced>
+ <revised count="1">2023-10-30</revised>
+ <bug>884795</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-ruby/rack" auto="yes" arch="*">
+ <unaffected range="ge">2.2.3.1</unaffected>
+ <vulnerable range="lt">2.2.3.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Rack is a modular Ruby web server interface.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Rack. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>A possible denial of service vulnerability was found in the multipart parsing component of Rack.
+
+A sequence injection vulnerability was found which could allow a possible shell escape in the Lint and CommonLogger components of Rack.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Rack users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-ruby/rack-2.2.3.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30122">CVE-2022-30122</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30123">CVE-2022-30123</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-30T09:36:59.521630Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-30T09:36:59.526118Z">graaff</metadata>
+</glsa> \ No newline at end of file
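Review bot: `compontents` in the `<synopsis>` line is a typo for `components`; the synopsis is the text that listings and mail announcements surface, so it is worth correcting before the advisory is mirrored: `<synopsis>Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging components.</synopsis>`. The two `<impact>` statements are written as one `<p>` separated by a blank line; presumably that blank line collapses on rendering, so splitting them into two `<p>` elements would keep the denial-of-service and the shell-escape points visually distinct (the same single-`<p>` layout is used in glsa-202310-19 and -20). The `<description>` speaks of "CVE identifiers", which matches the two `<uri>` entries here.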
diff --git a/metadata/glsa/glsa-202310-19.xml b/metadata/glsa/glsa-202310-19.xml
new file mode 100644
index 000000000000..c054d9841f8f
--- /dev/null
+++ b/metadata/glsa/glsa-202310-19.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-19">
+ <title>Dovecot: Privilege Escalation</title>
+ <synopsis>A vulnerability has been discovered in Dovecot that can lead to a privilege escalation when master and non-master passdbs are used.</synopsis>
+ <product type="ebuild">dovecot</product>
+ <announced>2023-10-30</announced>
+ <revised count="1">2023-10-30</revised>
+ <bug>856733</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="net-mail/dovecot" auto="yes" arch="*">
+ <unaffected range="ge">2.3.19.1-r1</unaffected>
+ <vulnerable range="lt">2.3.19.1-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Dovecot is an open source IMAP and POP3 email server.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in Dovecot. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>When two passdb configuration entries exist in Dovecot configuration, which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving master user authentication.
+
+Dovecot documentation does not advise against the use of passdb definitions which have the same driver and args settings. One such configuration would be where an administrator wishes to use the same pam configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Dovecot users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.3.19.1-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30550">CVE-2022-30550</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-30T09:51:47.939912Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-30T09:51:47.942574Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202310-20.xml b/metadata/glsa/glsa-202310-20.xml
new file mode 100644
index 000000000000..09fddfed57dc
--- /dev/null
+++ b/metadata/glsa/glsa-202310-20.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-20">
+ <title>rxvt-unicode: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in rxvt-unicode where data written to the terminal can lead to code execution.</synopsis>
+ <product type="ebuild">rxvt-unicode</product>
+ <announced>2023-10-30</announced>
+ <revised count="1">2023-10-30</revised>
+ <bug>884787</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="x11-terms/rxvt-unicode" auto="yes" arch="*">
+ <unaffected range="ge">9.30</unaffected>
+ <vulnerable range="lt">9.30</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>rxvt-unicode is a clone of the well known terminal emulator rxvt.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in rxvt-unicode. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>in the Perl background extension, when an attacker can
+control the data written to the user&#39;s terminal and certain options are set.
+
+The &#34;background&#34; extension is automatically loaded if certain X resources are set such as &#39;transparent&#39; (see the full list at the top of src/perl/background[1]). So it is possible to be using this extension without realising it.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All rxvt-unicode users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-9.30"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4170">CVE-2022-4170</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-30T10:19:42.802538Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-30T10:19:42.804901Z">graaff</metadata>
+</glsa> \ No newline at end of file
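Review bot: The `<impact>` text begins mid-sentence, `<p>in the Perl background extension, when an attacker can`, so the subject of the vulnerability was lost when the text was pasted in; the title and synopsis supply it, so the opening should read `<p>Arbitrary code execution is possible in the Perl background extension, when an attacker can`. The second paragraph cites `src/perl/background[1]` but no `[1]` footnote exists in the file and `<references>` holds only the CVE link, so either add the intended source as a `<uri>` entry or drop the `[1]`. The `<description>` also says "Please review the CVE identifiers referenced below" in the plural while a single CVE, CVE-2022-4170, is referenced.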
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 00cffb1c3532..4fe089370ddb 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Mon, 30 Oct 2023 09:09:57 +0000
+Mon, 30 Oct 2023 15:09:54 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index e64bf8942b68..74d6c3070aed 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-9f1c7e1afafc090d1c9f5074a8f34ce83f4bf4af 1698295694 2023-10-26T04:48:14+00:00
+d12a82540d0c09c7cbfd5cec49458e7628226b4b 1698661209 2023-10-30T10:20:09+00:00