Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 490524 -> 491803 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202012-01.xml | 65 | ||||
-rw-r--r-- | metadata/glsa/glsa-202012-02.xml | 79 | ||||
-rw-r--r-- | metadata/glsa/glsa-202012-03.xml | 95 | ||||
-rw-r--r-- | metadata/glsa/glsa-202012-04.xml | 81 | ||||
-rw-r--r-- | metadata/glsa/glsa-202012-05.xml | 92 | ||||
-rw-r--r-- | metadata/glsa/glsa-202012-06.xml | 52 | ||||
-rw-r--r-- | metadata/glsa/glsa-202012-07.xml | 94 | ||||
-rw-r--r-- | metadata/glsa/glsa-202012-08.xml | 74 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
12 files changed, 649 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 9c07b3e8e9ba..615552220673 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest 
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 490524 BLAKE2B be35a1d153e1ba81293ae8ab5c825660ca94c79791160c09b03110828197671a59a74fda786aa87df0a823f5f18368ee4bdb024182195c06d7785f78d4cdfc02 SHA512 92605b968213805888bbe32f28bff22d2b23ff8e28d68962bb98d751b39f639824fc3891bdf662b3c74e0cdbff6403326e6a81180cc9ca128519d4ae6770b3d7 -TIMESTAMP 2020-11-28T20:08:39Z +MANIFEST Manifest.files.gz 491803 BLAKE2B 78c7b315718b290681f17c40a54b26e436d02ce9c07c7af217a95b8ba814d80acc88d2663352de1ae84551e2ca2c3599522f47f220f7729a6058ea3424c7371f SHA512 ab40e1589be1f2a6217a23c90ec3460c0358c487f815e9eedbe4164a7eadf4bd9b00bc1444285fbffeeff87fdc732a5321cd9e70839cc4622c40fa254a9b51a2 +TIMESTAMP 2020-12-14T12:38:37Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl/CrkdfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl/XXM1fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klDyHw//Z/IYbKCPQYDIm3voXi324H2zwHStEBKt+/XzU13hGnJ3JZdKna23NEI6 -ehQwBv0iolQHVQCLqv/kJCrLrbJJE8TZHPauwIjLzdVooG26ERSlAh2jpEO5xgJk -RCbU0q67yfB6G02lITQFh8az4CNzMFJWR2F3SMn0V6MInYlZBmVRAiou260zpSiz -YHGVhbLuCPx8E+XkmS+jvwYzUI8SC+oy2NieyvC8DyEiD8XxT/ODihG5o6G2DkTm -bBBmixSALNrMlwK86UO3Mz7sLZFjNrH4xNlZe/f+d4JQTN827bOExOw4M/CPw//0 -qghc3ABPblP/xrUwtpE+UzIxYfDCqFPX4fuFoNuKSRNBlkzEjghqwtEaOeP1IgDd -JbNajSk/hFJeaz4ffKLm4rtxlZJgh2Gh0sTcpnSxFonxv/ljIN47ie1/pdvue/Pr -uSXTu+GuR2/a3NriJ6K3FrgbmvejfYyF9c5vU7hgvcliPdyzAv1BQCNzIcdUJuBO -rVguYqDy2tgjVv21WRXRo21O22K66VNq879UsIq4tihmEKppuKpIk184wMC+LYgp -YcL+gxMPJF6SX3isjQII4Tio415DWrI0uaXhHOUO6IQ52SaFza71diYD6iqh8ckp -tPfeLZqjOzKweTK7DepdgpGYv1Pzqou++9H1hGC4pyUTciOJFig= -=XtVb +klB+zBAAtnX8CU+fDWhwY4AhdfiSbgKwdRbA7mVns4Ut9Umkcko5cWZxjkA3QP+T +2W1b+zmgwqOx9Sn+lzktJs7wbtfgx2oCCYjsN7wsxOQBArnu/0ra4aq9ZP8E4j1+ +PIp14pHFdc/7xyJXbxRjfQq8pxDcqGwFPA0WT7Nbef9PGdcSakPjFL2hTygZR+j7 
++39qp4iKsCID2enGZiFkht8Kwz4/2/1Ffaa45BVjAbnIrahhp1IliujBQyVBwFes +BvMycm2Ieghf22F0tW6PN7nmA+WjFlxAVHeGG6EDzqZ7p9RbxD7//ZP9U704RzJ2 +z8hdlu8oCSq1sGyYE0rW0b481DMoVjjHC7DZ5wMsx+sa4CFDZng5gBjl/F4Qjeq5 +r6sgD+CGBeEjMLMve5Qg9Hxkq7Dx3B5N9lLtWAy0onS0W842AMmPAKU8PtxsapuG +v6wq9Xxf1gyksUKkJm6wgq3VgEBw8txCudeF5tnCKBMYoPnaDF8X9m+Leu3PPL5V +DfeNJS7bY5IUq4m/h/FWkQSYHvLgs0dIfr7zSO1uaVBhDgsra2xiNWlnCdezIDdU +mk5Xt6zSmyNDIgJzK67ZBoNm9mWo3yoQs5OIjbbrYMH1nCZr0ISLBGdpUBoUi3IQ +4AEhG828+glON93vgUa4hyHAAcnZOiUzqRZbEXXghprZu4iZojw= +=XeFZ -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex cfb40c7df80f..c21bcf6ee949 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202012-01.xml b/metadata/glsa/glsa-202012-01.xml new file mode 100644 index 000000000000..eade9bb0a6aa --- /dev/null +++ b/metadata/glsa/glsa-202012-01.xml 
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202012-01">
+ <title>X.Org X Server: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in X.org X Server, the
+ worst of which could lead to privilege escalation.
+ </synopsis>
+ <product type="ebuild">xorg x server</product>
+ <announced>2020-12-07</announced>
+ <revised count="1">2020-12-07</revised>
+ <bug>734976</bug>
+ <bug>757882</bug>
+ <access>local</access>
+ <affected>
+ <package name="x11-base/xorg-server" auto="yes" arch="*">
+ <unaffected range="ge">1.20.10</unaffected>
+ <vulnerable range="lt">1.20.10</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The X Window System is a graphical windowing system based on a
+ client/server model.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in X.org X Server. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>A local attacker could escalate privileges.</p>
+ </workaround>
+ <resolution>
+ <p>All X.org X Server users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=11-base/xorg-server-1.20.10"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14345">CVE-2020-14345</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14346">CVE-2020-14346</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14347">CVE-2020-14347</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14360">CVE-2020-14360</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14361">CVE-2020-14361</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14362">CVE-2020-14362</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25712">CVE-2020-25712</uri>
+ <uri link="https://lists.x.org/archives/xorg-announce/2020-July/003051.html">
+ Upstream advisory (2020-07-31)
+ </uri>
+ <uri link="https://lists.x.org/archives/xorg-announce/2020-August/003058.html">
+ Upstream advisory (2020-08-25)
+ </uri>
+ <uri link="https://lists.x.org/archives/xorg-announce/2020-December/003066.html">
+ Upstream advisory (2020-12-01)
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-08-25T22:22:49Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-12-07T00:18:30Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202012-02.xml b/metadata/glsa/glsa-202012-02.xml
new file mode 100644
index 000000000000..7ad33f8171e4
--- /dev/null
+++ b/metadata/glsa/glsa-202012-02.xml
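Review bot: In glsa-202012-01.xml the upgrade command in `<resolution>` uses the atom `">=11-base/xorg-server-1.20.10"`, which drops the leading `x` of the category declared in `<package name="x11-base/xorg-server">`, so a user pasting it gets an invalid atom instead of the fix; it should read `# emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.20.10"`. The `<workaround>` element holds the impact sentence (`A local attacker could escalate privileges.`) while `<impact>` only points at the CVE list. Moving that sentence into `<impact>` and, if no mitigation is known, using `There is no known workaround at this time.` as the other advisories in this commit do would stop readers and tooling from presenting it as a mitigation. All eight new advisories also name their DTD over plain `http://`, so any consumer that validates them should use a locally shipped copy rather than resolving the URL taken from the document.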
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202012-02">
+ <title>SeaMonkey: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in SeaMonkey, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">seamonkey</product>
+ <announced>2020-12-07</announced>
+ <revised count="1">2020-12-07</revised>
+ <bug>718738</bug>
+ <bug>718746</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="www-client/seamonkey" auto="yes" arch="*">
+ <unaffected range="ge">2.53.5</unaffected>
+ <vulnerable range="lt">2.53.5.1</vulnerable>
+ </package>
+ <package name="www-client/seamonkey-bin" auto="yes" arch="*">
+ <vulnerable range="le">2.49.1_rc2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The SeaMonkey project is a community effort to deliver
+ production-quality releases of code derived from the application formerly
+ known as “Mozilla Application Suite”.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in SeaMonkey. Please
+ review referenced release notes for more details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced release notes for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SeaMonkey users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.53.5.1"
+ </code>
+
+ <p>Gentoo has discontinued support for the SeaMonkey binary package. We
+ recommend that users unmerge the SeaMonkey binary package:
+ </p>
+
+ <p># emerge --unmerge “www-client/seamonkey-bin”</p>
+
+ <p>NOTE: The Gentoo developer(s) maintaining the SeaMonkey binary package
+ have discontinued support at this time. It may be possible that a new
+ Gentoo developer will update it at a later date. The alternative is using
+ the standard SeaMonkey package.
+ </p>
+ </resolution>
+ <references>
+ <uri link="https://www.seamonkey-project.org/releases/seamonkey2.53.2/">
+ SeaMonkey 2.53.2 Release Notes
+ </uri>
+ <uri link="https://www.seamonkey-project.org/releases/seamonkey2.53.3/">
+ SeaMonkey 2.53.3 Release Notes
+ </uri>
+ <uri link="https://www.seamonkey-project.org/releases/seamonkey2.53.4/">
+ SeaMonkey 2.53.4 Release Notes
+ </uri>
+ <uri link="https://www.seamonkey-project.org/releases/seamonkey2.53.5/">
+ SeaMonkey 2.53.5 Release Notes
+ </uri>
+ <uri link="https://www.seamonkey-project.org/releases/seamonkey2.53.5.1/">
+ SeaMonkey 2.53.5.1 Release Notes
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-13T16:26:44Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-12-07T00:18:47Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202012-03.xml b/metadata/glsa/glsa-202012-03.xml
new file mode 100644
index 000000000000..b44b423513d1
--- /dev/null
+++ b/metadata/glsa/glsa-202012-03.xml
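Review bot: In glsa-202012-02.xml the `<affected>` ranges for www-client/seamonkey overlap: `<unaffected range="ge">2.53.5</unaffected>` and `<vulnerable range="lt">2.53.5.1</vulnerable>` both match version 2.53.5, so whether a host on that version is reported as vulnerable depends on how the consumer resolves the conflict. The resolution asks for `>=www-client/seamonkey-2.53.5.1`, so the lower bound presumably should be `<unaffected range="ge">2.53.5.1</unaffected>`. The unmerge command also sits in a `<p>` with typographic quotes (`“www-client/seamonkey-bin”`), which a shell does not treat as quoting. Placing it in `<code>` as `# emerge --unmerge "www-client/seamonkey-bin"` keeps the removal step copy-pasteable, like the upgrade step above it.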
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202012-03">
+ <title>Mozilla Firefox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
+ worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">firefox</product>
+ <announced>2020-12-07</announced>
+ <revised count="1">2020-12-07</revised>
+ <bug>755170</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge">83</unaffected>
+ <unaffected range="ge" slot="0/esr78">78.5.0</unaffected>
+ <vulnerable range="lt">83</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge">83</unaffected>
+ <unaffected range="ge" slot="0/esr78">78.5.0</unaffected>
+ <vulnerable range="lt">83</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla
+ project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-83"
+ </code>
+
+ <p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-83"
+ </code>
+
+ <p>All Mozilla Firefox (ESR) users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/firefox-78.5.0:0/esr78"
+ </code>
+
+ <p>All Mozilla Firefox (ESR) binary users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/firefox-bin-78.5.0:0/esr78"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/">
+ Mozilla Foundation Security Advisory 2020-51
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16012">CVE-2020-16012</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26951">CVE-2020-26951</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26953">CVE-2020-26953</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26956">CVE-2020-26956</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26958">CVE-2020-26958</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26959">CVE-2020-26959</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26960">CVE-2020-26960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26961">CVE-2020-26961</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26965">CVE-2020-26965</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26968">CVE-2020-26968</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/">
+ Mozilla Foundation Security Advisory 2020-50
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-17T23:17:23Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-12-07T00:18:57Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202012-04.xml b/metadata/glsa/glsa-202012-04.xml
new file mode 100644
index 000000000000..e0bf6a7a5f55
--- /dev/null
+++ b/metadata/glsa/glsa-202012-04.xml
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202012-04">
+ <title>Mozilla Thunderbird: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird,
+ the worst of which could lead to the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">thunderbird</product>
+ <announced>2020-12-07</announced>
+ <revised count="1">2020-12-07</revised>
+ <bug>758857</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">78.5.1</unaffected>
+ <vulnerable range="lt">78.5.1</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">78.5.1</unaffected>
+ <vulnerable range="lt">78.5.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the
+ Mozilla project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
+ Please review the referenced Mozilla Foundation Security Advisories and
+ CVE identifiers below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-78.5.1"
+ </code>
+
+ <p>All Mozilla Thunderbird binary users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=mail-client/thunderbird-bin-78.5.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/">
+ Mozilla Foundation Security Advisory 2020-52
+ </uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-53/#CVE-2020-26970">
+ Mozilla Foundation Security Advisory 2020-53
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15999">CVE-2020-15999</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16012">CVE-2020-16012</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26951">CVE-2020-26951</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26953">CVE-2020-26953</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26956">CVE-2020-26956</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26958">CVE-2020-26958</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26959">CVE-2020-26959</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26960">CVE-2020-26960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26961">CVE-2020-26961</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26965">CVE-2020-26965</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26968">CVE-2020-26968</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26970">CVE-2020-26970</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-12-06T23:15:02Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-12-07T00:19:10Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202012-05.xml b/metadata/glsa/glsa-202012-05.xml
new file mode 100644
index 000000000000..4d9179db4f6a
--- /dev/null
+++ b/metadata/glsa/glsa-202012-05.xml
@@ -0,0 +1,92 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202012-05">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">chromium,google-chrome</product>
+ <announced>2020-12-07</announced>
+ <revised count="1">2020-12-07</revised>
+ <bug>755227</bug>
+ <bug>758368</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">87.0.4280.88</unaffected>
+ <vulnerable range="lt">87.0.4280.88</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">87.0.4280.88</unaffected>
+ <vulnerable range="lt">87.0.4280.88</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/chromium-87.0.4280.88"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/google-chrome-87.0.4280.88"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16014">CVE-2020-16014</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16015">CVE-2020-16015</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16018">CVE-2020-16018</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16019">CVE-2020-16019</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16020">CVE-2020-16020</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16021">CVE-2020-16021</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16022">CVE-2020-16022</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16023">CVE-2020-16023</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16024">CVE-2020-16024</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16025">CVE-2020-16025</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16026">CVE-2020-16026</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16027">CVE-2020-16027</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16028">CVE-2020-16028</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16029">CVE-2020-16029</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16030">CVE-2020-16030</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16031">CVE-2020-16031</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16032">CVE-2020-16032</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16033">CVE-2020-16033</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16034">CVE-2020-16034</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16036">CVE-2020-16036</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16037">CVE-2020-16037</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16038">CVE-2020-16038</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16039">CVE-2020-16039</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16040">CVE-2020-16040</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16041">CVE-2020-16041</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16042">CVE-2020-16042</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-22T03:12:48Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-12-07T00:19:23Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202012-06.xml b/metadata/glsa/glsa-202012-06.xml
new file mode 100644
index 000000000000..daa51d141144
--- /dev/null
+++ b/metadata/glsa/glsa-202012-06.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202012-06">
+ <title>Linux-PAM: Authentication bypass</title>
+ <synopsis>A vulnerability has been found in Linux-PAM, allowing attackers to
+ bypass the authentication process.
+ </synopsis>
+ <product type="ebuild">pam</product>
+ <announced>2020-12-07</announced>
+ <revised count="1">2020-12-07</revised>
+ <bug>756361</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="sys-libs/pam" auto="yes" arch="*">
+ <unaffected range="ge">1.5.1</unaffected>
+ <vulnerable range="lt">1.5.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Linux-PAM (Pluggable Authentication Modules) is an architecture allowing
+ the separation of the development of privilege granting software from the
+ development of secure and appropriate authentication schemes.
+ </p>
+ </background>
+ <description>
+ <p>A flaw was found in Linux-Pam in the way it handle empty passwords for
+ non-existing users.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, who only needs to know a non-existing username, could
+ bypass security restrictions and authenticate as root user.
+ </p>
+ </impact>
+ <workaround>
+ <p>Ensure that root account is protected by a non-empty password.</p>
+ </workaround>
+ <resolution>
+ <p>All Linux-PAM users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-libs/pam-1.5.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27780">CVE-2020-27780</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-26T02:08:08Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-12-07T00:19:35Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202012-07.xml b/metadata/glsa/glsa-202012-07.xml
new file mode 100644
index 000000000000..3ce91200d184
--- /dev/null
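Review bot: In glsa-202012-06.xml the `<impact>` paragraph reads as an unconditional bypass ("authenticate as root user"), while the `<workaround>` implies a precondition: the bypass appears to depend on the root account having an empty password. Stating that condition in the impact, for example `... could authenticate as root if the root account has an empty password.`, lets an operator judge exposure and see why the workaround is sufficient until the upgrade is applied. The description also has `Linux-Pam` and `it handle`, which could read `A flaw was found in Linux-PAM in the way it handles empty passwords for non-existing users.`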
+++ b/metadata/glsa/glsa-202012-07.xml 
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202012-07">
+ <title>PostgreSQL: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in PostgreSQL, the worst
+ of which could result in arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">postgresql</product>
+ <announced>2020-12-07</announced>
+ <revised count="1">2020-12-07</revised>
+ <bug>754363</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-db/postgresql" auto="yes" arch="*">
+ <unaffected range="ge" slot="9.5">9.5.24</unaffected>
+ <unaffected range="ge" slot="9.6">9.6.20</unaffected>
+ <unaffected range="ge" slot="10">10.15</unaffected>
+ <unaffected range="ge" slot="11">11.10</unaffected>
+ <unaffected range="ge" slot="12">12.5</unaffected>
+ <unaffected range="ge" slot="13">13.1</unaffected>
+ <vulnerable range="lt">13.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PostgreSQL is an open source object-relational database management
+ system.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PostgreSQL. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly obtain sensitive information, alter SQL
+ commands, escape PostgreSQL sandbox or execute arbitrary code with the
+ privileges of the process.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PostgreSQL 9.5.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.24:9.5"
+ </code>
+
+ <p>All PostgreSQL 9.6.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.20:9.6"
+ </code>
+
+ <p>All PostgreSQL 10.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.15:10"
+ </code>
+
+ <p>All PostgreSQL 11.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.10:11"
+ </code>
+
+ <p>All PostgreSQL 12.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.5:12"
+ </code>
+
+ <p>All PostgreSQL 13.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.1:13"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25694">CVE-2020-25694</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25695">CVE-2020-25695</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25696">CVE-2020-25696</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-19T19:52:44Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-12-07T00:19:47Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202012-08.xml b/metadata/glsa/glsa-202012-08.xml
new file mode 100644
index 000000000000..468beb7d8a9a
--- /dev/null
+++ b/metadata/glsa/glsa-202012-08.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202012-08">
+ <title>MariaDB: Multiple vulnerabilities</title>
+ <synopsis> Multiple vulnerabilities have been found in MariaDB, the worst of
+ which could result in privilege escalation.
+ </synopsis>
+ <product type="ebuild">mariadb</product>
+ <announced>2020-12-07</announced>
+ <revised count="1">2020-12-07</revised>
+ <bug>722782</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-db/mariadb" auto="yes" arch="*">
+ <unaffected range="ge" slot="10.2">10.2.36</unaffected>
+ <unaffected range="ge" slot="10.3">10.3.27</unaffected>
+ <unaffected range="ge" slot="10.4">10.4.17</unaffected>
+ <unaffected range="ge" slot="10.5">10.5.8</unaffected>
+ <vulnerable range="lt">10.5.8</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>MariaDB is an enhanced, drop-in replacement for MySQL.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in MariaDB. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All MariaDB 10.2.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.2.36:10.2"
+ </code>
+
+ <p>All MariaDB 10.3.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.3.27:10.3"
+ </code>
+
+ <p>All MariaDB 10.4.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.4.17:10.4"
+ </code>
+
+ <p>All MariaDB 10.5.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.5.8:10.5"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2752">CVE-2020-2752</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2760">CVE-2020-2760</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2812">CVE-2020-2812</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2814">CVE-2020-2814</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-10-08T02:32:04Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-12-07T00:20:00Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index b3c207d72a82..82166fb8f88f 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 28 Nov 2020 20:08:35 +0000
+Mon, 14 Dec 2020 12:38:34 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 972525befa14..d6f3da74af96 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-41b92ddadb281165194d571c52b3240cf7b140e5 1605559931 2020-11-16T20:52:11+00:00
+2d6a7eded7a3cf117b214efd061a0ad33a26510d 1607301079 2020-12-07T00:31:19+00:00 |