diff options
Diffstat (limited to 'metadata/glsa')
| -rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
| -rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 435197 -> 437590 bytes | |||
| -rw-r--r-- | metadata/glsa/glsa-201903-01.xml | 55 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-02.xml | 62 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-03.xml | 53 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-04.xml | 73 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-05.xml | 50 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-06.xml | 66 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-07.xml | 52 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-08.xml | 48 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-09.xml | 50 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-10.xml | 59 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-11.xml | 49 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-12.xml | 61 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-13.xml | 52 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-14.xml | 82 | ||||
| -rw-r--r-- | metadata/glsa/glsa-201903-15.xml | 50 | ||||
| -rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
| -rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
19 files changed, 879 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 8c83558cb00b..549df1977bb3 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 435197 BLAKE2B 5ef1f755677fba588afa252a22622c045d099b3f39fb6b356786170399bb20e8c58212856a5ddc6f59dc6076e3f84a95376a4dc3b4d5154c7d540151a154c88a SHA512 fb541e904c3c6b5ec17c08e76f9ce1dcd0d8f0b31dee092dd3542b9a34a04890e9a1b1e6b0d78d3523fb451deb84b3316ae6b588a29aec6f4741dfb52941ecc9 -TIMESTAMP 2019-03-03T12:38:43Z +MANIFEST Manifest.files.gz 437590 BLAKE2B 89b5299a2ae5909a2f126e7d079e486a46a84b314ae3fd8e955c116ff1469671110300e3034ae816a3f8d7760ff951864b0f6a2ea8e63f69093f03e040aaa3f5 SHA512 af2b9c5421b1ff957533cc161bb0347cbaa2e3e90c9069b5b7e6141ce2a943b1cc971aacd34224e34915a04db19e7b1d06ff5519de5e8c67f4753e7fc7157bf3 +TIMESTAMP 2019-03-19T10:38:40Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlx7ytNfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlyQxrBfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klCtBBAAgh3tJOs+G5xDpl2QuCYf2giFlkDyaDPs6ThTfp/NddodbmAWHI8FYfbI -NmGHgMVOO399JI++u+C+aHQN9iYgO6wn7I7WTulUi4YrmG7DyfcErqpd7vchKFiX -RZq1U6B51aFEMOMdTjifHwXCY/TAnFWXf9X3LBQTgAwFloiBfp/rDLavCV/aQuV1 -KjQtGvisX91dWSp6JTsj/tdzgf5VLIilBOwa786iXZdJ4O9pgZUUWDdRCF3rqLDi -ThDBtQTa7frrnXWwWhlByLf2CR8XJqqz69OHML7UcBrvnMuIA1AUy/R+fT0/vFZ2 -Yd6MGgnVu2rdbhjZkpzJfbqpVa3BPgL7BBxDppR3Hsp9z0qTPRHO9DG0iwCx1i78 -oaqTdYhj/LnZSma8clsy6iM4AyjztM5+EB41IBCBSo3wQ/EltjZGBmCTI/y8yjvZ -k4yK3OwPmzpZUNanav4orzO1ZJj21c/l62G434F5oi1tPvvBeodeLwOjX5MukjpG -EOnWC1TvnWLn0/2AbVdJoNbvSOj/HJLxLZ7b7JatBt/1AcyTmw+sIc611cLbDuGu -i45ORvI9kn7ZWvfB3W1gS/Uhr7cNBC9MzmeMCZhlBJJbTbqikvb6wUlwVdvot7gw -LRuIowIz8Cs+WLlPx/GNxzFck7hORv+ulpeb43LXR3t2OOQTfkI= -=c5aV +klDrDg//YyE6JU2ZaXcEyszFO1/7+5m21MFqI0yNLvg6NpEYpKPXydaplPlZWePP +KwpwB/UCravezXqOive8GyGbClBKOrXI2PzX7gn+PgyNW5BQQgVgg1JKev4FCcr1 +IwrdKhLI7hi9VnGspot1SSROQfYoCq/Y367bv6t87fZ+0FLq3+Q2wJvSo0tbAWCM +CzxtPT6j9wZll3TFTLHqccw9cOCSJkgJ1U9lhTVfn47ACO4O3AmwZA08vANyJPGA +WBw1k9mdh6OPBXf72NauBPeEFDB9L39HHYifdCRlBhw1e/Go3ptjBcsKjqG5ZJO7 +JcVz4jtLrFpHDRlKQjtxeUZstkUTmnk3hXtKnHH9pCNUnAWWa09gFpz6iRIomEEQ +7f4CKWJI69WtZlfj0U3FdUkO7L2TXdikJWp/rLTyQDsM4JNrBEgUqr1DnReVhijW +A93TJ+0GrFh9717ym8XNsIJPgQlS0p5kMY+41d3e2IE+GRTDz2IOWHfnqmmOaS+/ +7pz9Gs1yjim+GnWgCPPVp3zVE/lUTq4n2w6TQZg6q6Q5AI+8z4OKwu8S5QbgsgVH +56Jh1U7gh7y1z/3TtiFJ4fsi6LX91KtsYc8D7+J1Kq9lHkXUMRLaqnDd5zPgGG8I +4QZ2SeDBsAb2Zu96B4fqWf8PkO9Vw97rWhWRJxux9jXzeeFpH4k= +=Xxnn -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex b87f67ec613a..01756e23b684 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-201903-01.xml b/metadata/glsa/glsa-201903-01.xml new file mode 100644 index 000000000000..beacb00e0bc4 --- /dev/null +++ b/metadata/glsa/glsa-201903-01.xml @@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-01"> + <title>Keepalived: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Keepalived, the worst + of which could allow an attacker to cause Denial of Service condition. + </synopsis> + <product type="ebuild">keepalived</product> + <announced>2019-03-10</announced> + <revised count="1">2019-03-10</revised> + <bug>670856</bug> + <access>local, remote</access> + <affected> + <package name="sys-cluster/keepalived" auto="yes" arch="*"> + <unaffected range="ge">2.0.10</unaffected> + <vulnerable range="lt">2.0.10</vulnerable> + </package> + </affected> + <background> + <p>Keepalived is a strong & robust keepalive facility to the Linux + Virtual Server project. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in keepalived. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could send a specially crafted request possibly + resulting in a Denial of Service condition. A local attacker could + perform symlink attacks to overwrite arbitrary files with the privileges + of the user running the application. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Keepalived users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-cluster/keepalived-2.0.10" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19044">CVE-2018-19044</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19045">CVE-2018-19045</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19046">CVE-2018-19046</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19115">CVE-2018-19115</uri> + </references> + <metadata tag="requester" timestamp="2019-01-07T16:53:52Z">whissi</metadata> + <metadata tag="submitter" timestamp="2019-03-10T02:16:03Z">pinkbyte</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-02.xml b/metadata/glsa/glsa-201903-02.xml new file mode 100644 index 000000000000..11ae0246fe90 --- /dev/null +++ b/metadata/glsa/glsa-201903-02.xml @@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-02"> + <title>Zsh: User-assisted execution of arbitrary code</title> + <synopsis>Input validation errors in Zsh could result in arbitrary code + execution. + </synopsis> + <product type="ebuild">zsh</product> + <announced>2019-03-10</announced> + <revised count="1">2019-03-10</revised> + <bug>665278</bug> + <access>local, remote</access> + <affected> + <package name="app-shells/zsh" auto="yes" arch="*"> + <unaffected range="ge">5.6</unaffected> + <vulnerable range="lt">5.6</vulnerable> + </package> + </affected> + <background> + <p>A shell designed for interactive use, although it is also a powerful + scripting language. + </p> + </background> + <description> + <p>Two input validation errors have been discovered in how Zsh parses + scripts: + </p> + + <ul> + <li>Parsing a malformed shebang line could cause Zsh to call a program + listed in the second line (CVE-2018-0502) + </li> + <li>Shebang lines longer than 64 characters are truncated + (CVE-2018-13259) + </li> + </ul> + </description> + <impact type="normal"> + <p>An attacker could entice a user to execute a specially crafted script + using Zsh, possibly resulting in execution of arbitrary code with the + privileges of the process. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Zsh users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.6" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0502">CVE-2018-0502</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-13259">CVE-2018-13259</uri> + </references> + <metadata tag="requester" timestamp="2018-12-31T07:32:39Z">Zlogene</metadata> + <metadata tag="submitter" timestamp="2019-03-10T02:21:31Z">ackle</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-03.xml b/metadata/glsa/glsa-201903-03.xml new file mode 100644 index 000000000000..eb2941f015e4 --- /dev/null +++ b/metadata/glsa/glsa-201903-03.xml @@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-03"> + <title>cURL: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in cURL, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">curl</product> + <announced>2019-03-10</announced> + <revised count="1">2019-03-10</revised> + <bug>665292</bug> + <bug>670026</bug> + <bug>677346</bug> + <access>remote</access> + <affected> + <package name="net-misc/curl" auto="yes" arch="*"> + <unaffected range="ge">7.64.0</unaffected> + <vulnerable range="lt">7.64.0</vulnerable> + </package> + </affected> + <background> + <p>A command line tool and library for transferring data with URLs.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in cURL. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Remote attackers could cause a Denial of Service condition.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All cURL users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.64.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14618">CVE-2018-14618</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16839">CVE-2018-16839</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16840">CVE-2018-16840</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16842">CVE-2018-16842</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3822">CVE-2019-3822</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3823">CVE-2019-3823</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T02:44:40Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-03-10T19:47:40Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-04.xml b/metadata/glsa/glsa-201903-04.xml new file mode 100644 index 000000000000..14dee74c7b65 --- /dev/null +++ b/metadata/glsa/glsa-201903-04.xml @@ -0,0 +1,73 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-04"> + <title>Mozilla Firefox: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the + worst of which may allow execution of arbitrary code. + </synopsis> + <product type="ebuild">firefox</product> + <announced>2019-03-10</announced> + <revised count="1">2019-03-10</revised> + <bug>672956</bug> + <bug>676892</bug> + <bug>677856</bug> + <access>remote</access> + <affected> + <package name="www-client/firefox" auto="yes" arch="*"> + <unaffected range="ge">60.5.1</unaffected> + <vulnerable range="lt">60.5.1</vulnerable> + </package> + <package name="www-client/firefox-bin" auto="yes" arch="*"> + <unaffected range="ge">60.5.1</unaffected> + <vulnerable range="lt">60.5.1</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to view a specially crafted web + page possibly resulting in the execution of arbitrary code with the + privileges of the process or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla FireFox users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-60.5.1" + </code> + + <p>All Mozilla FireFox bin users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-60.5.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12405">CVE-2018-12405</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18356">CVE-2018-18356</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18492">CVE-2018-18492</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18493">CVE-2018-18493</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18494">CVE-2018-18494</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18498">CVE-2018-18498</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18500">CVE-2018-18500</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18501">CVE-2018-18501</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18505">CVE-2018-18505</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5785">CVE-2019-5785</uri> + </references> + <metadata tag="requester" timestamp="2019-02-06T14:21:19Z">whissi</metadata> + <metadata tag="submitter" timestamp="2019-03-10T19:49:50Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-05.xml b/metadata/glsa/glsa-201903-05.xml new file mode 100644 index 000000000000..106046f3f707 --- /dev/null +++ b/metadata/glsa/glsa-201903-05.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-05"> + <title>Tar: Denial of Service</title> + <synopsis>A vulnerability in Tar could led to a Denial of Service condition.</synopsis> + <product type="ebuild">tar</product> + <announced>2019-03-10</announced> + <revised count="1">2019-03-10</revised> + <bug>674210</bug> + <access>local</access> + <affected> + <package name="app-arch/tar" auto="yes" arch="*"> + <unaffected range="ge">1.30-r1</unaffected> + <vulnerable range="lt">1.30-r1</vulnerable> + </package> + </affected> + <background> + <p>The Tar program provides the ability to create and manipulate tar + archives. + </p> + </background> + <description> + <p>The sparse_dump_region function in sparse.c file in Tar allows an + infinite loop using the --sparse option. + </p> + </description> + <impact type="normal"> + <p>A local attacker could cause a Denial of Service condition by modifying + a file that is supposed to be archived by a different user’s process + (e.g., a system backup running as root). + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Tar users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/tar-1.30-r1" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20482">CVE-2018-20482</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T16:20:01Z">Zlogene</metadata> + <metadata tag="submitter" timestamp="2019-03-10T20:04:34Z">Zlogene</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-06.xml b/metadata/glsa/glsa-201903-06.xml new file mode 100644 index 000000000000..456d05712031 --- /dev/null +++ b/metadata/glsa/glsa-201903-06.xml @@ -0,0 +1,66 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-06"> + <title>rdesktop: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in rdesktop, the + worst of which could result in the remote execution of arbitrary code. + </synopsis> + <product type="ebuild">rdesktop</product> + <announced>2019-03-10</announced> + <revised count="1">2019-03-10</revised> + <bug>674558</bug> + <access>remote</access> + <affected> + <package name="net-misc/rdesktop" auto="yes" arch="*"> + <unaffected range="ge">1.8.4</unaffected> + <vulnerable range="lt">1.8.4</vulnerable> + </package> + </affected> + <background> + <p>rdesktop is a Remote Desktop Protocol (RDP) Client.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in rdesktop. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could cause a Denial of Service condition, obtain + sensitive information, or execute arbitrary code. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All rdesktop users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/rdesktop-1.8.4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20174">CVE-2018-20174</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20175">CVE-2018-20175</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20176">CVE-2018-20176</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20177">CVE-2018-20177</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20178">CVE-2018-20178</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20179">CVE-2018-20179</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20180">CVE-2018-20180</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20181">CVE-2018-20181</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20182">CVE-2018-20182</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8791">CVE-2018-8791</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8792">CVE-2018-8792</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8793">CVE-2018-8793</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8794">CVE-2018-8794</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8795">CVE-2018-8795</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8796">CVE-2018-8796</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8797">CVE-2018-8797</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8798">CVE-2018-8798</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8799">CVE-2018-8799</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8800">CVE-2018-8800</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T19:30:37Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-03-10T20:45:00Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-07.xml b/metadata/glsa/glsa-201903-07.xml new file mode 100644 index 000000000000..5ef41e69dd92 --- /dev/null +++ b/metadata/glsa/glsa-201903-07.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-07"> + <title>systemd: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in systemd, the worst of + which may allow execution of arbitrary code. + </synopsis> + <product type="ebuild">systemd</product> + <announced>2019-03-10</announced> + <revised count="1">2019-03-10</revised> + <bug>674144</bug> + <bug>677944</bug> + <access>remote</access> + <affected> + <package name="sys-apps/systemd" auto="yes" arch="*"> + <unaffected range="ge">239-r4</unaffected> + <vulnerable range="lt">239-r4</vulnerable> + </package> + </affected> + <background> + <p>A system and service manager.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in systemd. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>An attacker could cause a Denial of Service condition or possibly + execute arbitrary code. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All systemd users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/systemd-239-r4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16864">CVE-2018-16864</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16865">CVE-2018-16865</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16866">CVE-2018-16866</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6454">CVE-2019-6454</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T19:34:40Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-03-10T20:47:25Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-08.xml b/metadata/glsa/glsa-201903-08.xml new file mode 100644 index 000000000000..3793a2326d8f --- /dev/null +++ b/metadata/glsa/glsa-201903-08.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-08"> + <title>GNU Wget: Password and metadata leak</title> + <synopsis>A vulnerability in GNU Wget which could allow an attacker to obtain + sensitive information. + </synopsis> + <product type="ebuild">wget</product> + <announced>2019-03-10</announced> + <revised count="1">2019-03-10</revised> + <bug>674170</bug> + <access>local</access> + <affected> + <package name="net-misc/wget" auto="yes" arch="*"> + <unaffected range="ge">1.20.1</unaffected> + <vulnerable range="lt">1.20.1</vulnerable> + </package> + </affected> + <background> + <p>GNU Wget is a free software package for retrieving files using HTTP, + HTTPS and FTP, the most widely-used Internet protocols. + </p> + </background> + <description> + <p>A vulnerability was discovered in GNU Wget’s file_metadata in xattr.c.</p> + </description> + <impact type="normal"> + <p>A local attacker could obtain sensitive information to include + credentials. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GNU Wget users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/wget-1.20.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20483">CVE-2018-20483</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T06:22:02Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-10T20:49:49Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-09.xml b/metadata/glsa/glsa-201903-09.xml new file mode 100644 index 000000000000..036d610ff7a3 --- /dev/null +++ b/metadata/glsa/glsa-201903-09.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-09"> + <title>GNU C Library: Arbitrary descriptor allocation</title> + <synopsis>A vulnerability in the GNU C Library could result in a Denial of + Service condition. + </synopsis> + <product type="ebuild">glibc</product> + <announced>2019-03-14</announced> + <revised count="1">2019-03-14</revised> + <bug>617938</bug> + <access>remote</access> + <affected> + <package name="sys-libs/glibc" auto="yes" arch="*"> + <unaffected range="ge">2.26.0</unaffected> + <vulnerable range="lt">2.26.0</vulnerable> + </package> + </affected> + <background> + <p>The GNU C library is the standard C library used by Gentoo Linux + systems. + </p> + </background> + <description> + <p>A vulnerability was discovered in the GNU C Library functions xdr_bytes + and xdr_string. + </p> + </description> + <impact type="normal"> + <p>A remote attacker, by sending a crafted UDP packet, could cause a Denial + of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GNU C Library users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.26.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19591">CVE-2018-19591</uri> + </references> + <metadata tag="requester" timestamp="2018-12-30T15:32:10Z">Zlogene</metadata> + <metadata tag="submitter" timestamp="2019-03-14T01:31:55Z">Zlogene</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-10.xml b/metadata/glsa/glsa-201903-10.xml new file mode 100644 index 000000000000..afb36ae60d5c --- /dev/null +++ b/metadata/glsa/glsa-201903-10.xml @@ -0,0 +1,59 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-10"> + <title>OpenSSL: Multiple vulnerabilities</title> + <synopsis>Multiple Information Disclosure vulnerabilities in OpenSSL allow + attackers to obtain sensitive information. + </synopsis> + <product type="ebuild">openssl</product> + <announced>2019-03-14</announced> + <revised count="1">2019-03-14</revised> + <bug>673056</bug> + <bug>678564</bug> + <access>local, remote</access> + <affected> + <package name="dev-libs/openssl" auto="yes" arch="*"> + <unaffected range="ge">1.0.2r</unaffected> + <vulnerable range="lt">1.0.2r</vulnerable> + </package> + </affected> + <background> + <p>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer + (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general + purpose cryptography library. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in OpenSSL. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker to obtain sensitive information, caused by the failure + to immediately close the TCP connection after the hosts encounter a + zero-length record with valid padding. + </p> + + <p>A local attacker could run a malicious process next to legitimate + processes using the architecture’s parallel thread running capabilities + to leak encrypted data from the CPU’s internal processes. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All OpenSSL users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2r" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5407">CVE-2018-5407</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1559">CVE-2019-1559</uri> + </references> + <metadata tag="requester" timestamp="2019-01-07T18:47:40Z">whissi</metadata> + <metadata tag="submitter" timestamp="2019-03-14T01:34:24Z">Zlogene</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-11.xml b/metadata/glsa/glsa-201903-11.xml new file mode 100644 index 000000000000..7eea14bf14fa --- /dev/null +++ b/metadata/glsa/glsa-201903-11.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-11"> + <title>XRootD: Remote code execution</title> + <synopsis>A vulnerability was discovered in XRootD which could lead to the + remote execution of code. + </synopsis> + <product type="ebuild">xrootd</product> + <announced>2019-03-14</announced> + <revised count="1">2019-03-14</revised> + <bug>638420</bug> + <access>remote</access> + <affected> + <package name="net-libs/xrootd" auto="yes" arch="*"> + <unaffected range="ge">4.8.3</unaffected> + <vulnerable range="lt">4.8.3</vulnerable> + </package> + </affected> + <background> + <p>A project that aims at giving high performance, scalable, and fault + tolerant access to data repositories of many kinds. + </p> + </background> + <description> + <p>A shell command injection was discovered in XRootD.</p> + + </description> + <impact type="normal"> + <p>A remote attacker could execute arbitrary code.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All XRootD users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/xrootd-4.8.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-1000215"> + CVE-2017-1000215 + </uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T02:02:16Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-14T01:35:58Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-12.xml b/metadata/glsa/glsa-201903-12.xml new file mode 100644 index 000000000000..ddbe0d19b08a --- /dev/null +++ b/metadata/glsa/glsa-201903-12.xml @@ -0,0 +1,61 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-12"> + <title>WebkitGTK+: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in WebkitGTK+, the worst + of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">webkit-gtk</product> + <announced>2019-03-14</announced> + <revised count="1">2019-03-14</revised> + <bug>672108</bug> + <bug>674702</bug> + <bug>678334</bug> + <access>remote</access> + <affected> + <package name="net-libs/webkit-gtk" auto="yes" arch="*"> + <unaffected range="ge">2.22.6</unaffected> + <vulnerable range="lt">2.22.6</vulnerable> + </package> + </affected> + <background> + <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine, + suitable for projects requiring any kind of web integration, from hybrid + HTML/CSS applications to full-fledged web browsers. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please + review the referenced CVE identifiers for details. + </p> + </description> + <impact type="normal"> + <p>An attacker could execute arbitrary code or conduct cross-site + scripting. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All WebkitGTK+ users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.22.6" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6212">CVE-2019-6212</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6215">CVE-2019-6215</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6216">CVE-2019-6216</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6217">CVE-2019-6217</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6226">CVE-2019-6226</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6227">CVE-2019-6227</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6229">CVE-2019-6229</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6233">CVE-2019-6233</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6234">CVE-2019-6234</uri> + </references> + <metadata tag="requester" timestamp="2019-03-07T21:59:07Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-14T01:37:23Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-13.xml b/metadata/glsa/glsa-201903-13.xml new file mode 100644 index 000000000000..11e3fcfdcde5 --- /dev/null +++ b/metadata/glsa/glsa-201903-13.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-13"> + <title>BIND: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in BIND, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">bind</product> + <announced>2019-03-14</announced> + <revised count="1">2019-03-14</revised> + <bug>657654</bug> + <bug>666946</bug> + <access>remote</access> + <affected> + <package name="net-dns/bind" auto="yes" arch="*"> + <unaffected range="ge">9.12.1_p2-r1</unaffected> + <vulnerable range="lt">9.12.1_p2-r1</vulnerable> + </package> + </affected> + <background> + <p>BIND (Berkeley Internet Name Domain) is a Name Server.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in BIND. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>BIND can improperly permit recursive query service to unauthorized + clients possibly resulting in a Denial of Service condition or to be used + in DNS reflection attacks. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All bind users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/bind-9.12.1_p2-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5738">CVE-2018-5738</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5740">CVE-2018-5740</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5741">CVE-2018-5741</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T00:30:31Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-14T01:41:21Z">BlueKnight</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-14.xml b/metadata/glsa/glsa-201903-14.xml new file mode 100644 index 000000000000..88f56cdca5e3 --- /dev/null +++ b/metadata/glsa/glsa-201903-14.xml @@ -0,0 +1,82 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-14"> + <title>Oracle JDK/JRE: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Oracle’s JDK and JRE + software suites. + </synopsis> + <product type="ebuild">oracle-jdk-bin,oracle-jre-bin</product> + <announced>2019-03-14</announced> + <revised count="1">2019-03-14</revised> + <bug>653560</bug> + <bug>661456</bug> + <bug>676134</bug> + <access>remote</access> + <affected> + <package name="dev-java/oracle-jdk-bin" auto="yes" arch="*"> + <unaffected range="ge">1.8.0.202</unaffected> + <vulnerable range="lt">1.8.0.202</vulnerable> + </package> + <package name="dev-java/oracle-jre-bin" auto="yes" arch="*"> + <unaffected range="ge">1.8.0.202</unaffected> + <vulnerable range="lt">1.8.0.202</vulnerable> + </package> + </affected> + <background> + <p>Java Platform, Standard Edition (Java SE) lets you develop and deploy + Java applications on desktops and servers, as well as in today’s + demanding embedded environments. Java offers the rich user interface, + performance, versatility, portability, and security that today’s + applications require. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Oracle’s JDK and JRE + software suites. Please review the CVE identifiers referenced below for + details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process, gain access to information, or cause a Denial + of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Oracle JDK bin users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=dev-java/oracle-jdk-bin-1.8.0.202" + </code> + + <p>All Oracle JRE bin users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=dev-java/oracle-jre-bin-1.8.0.202" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2790">CVE-2018-2790</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2794">CVE-2018-2794</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2795">CVE-2018-2795</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2796">CVE-2018-2796</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2797">CVE-2018-2797</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2798">CVE-2018-2798</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2799">CVE-2018-2799</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2800">CVE-2018-2800</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2811">CVE-2018-2811</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2814">CVE-2018-2814</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2815">CVE-2018-2815</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2422">CVE-2019-2422</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2426">CVE-2019-2426</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T05:01:22Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-14T01:44:42Z">BlueKnight</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-15.xml b/metadata/glsa/glsa-201903-15.xml new file mode 100644 index 000000000000..7683138d59b5 --- /dev/null +++ b/metadata/glsa/glsa-201903-15.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-15"> + <title>NTP: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in NTP, the worst of which + could result in the remote execution of arbitrary code. + </synopsis> + <product type="ebuild">ntp</product> + <announced>2019-03-19</announced> + <revised count="1">2019-03-19</revised> + <bug>658576</bug> + <bug>679742</bug> + <access>remote</access> + <affected> + <package name="net-misc/ntp" auto="yes" arch="*"> + <unaffected range="ge">4.2.8_p13</unaffected> + <vulnerable range="lt">4.2.8_p13</vulnerable> + </package> + </affected> + <background> + <p>NTP contains software for the Network Time Protocol.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in NTP. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>An attacker could cause a Denial of Service condition, escalate + privileges, or remotely execute arbitrary code. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All NTP users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8_p13" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12327">CVE-2018-12327</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8936">CVE-2019-8936</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T05:15:13Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-19T03:13:50Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index ff7250c080ed..e93b41aac52e 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Sun, 03 Mar 2019 12:38:39 +0000 +Tue, 19 Mar 2019 10:38:37 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 991ee1687290..98bcf26d91f9 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -baa5a86124960e22df1f11ab63da9f282dd4cdd3 1546204642 2018-12-30T21:17:22+00:00 +0a72c299702ffceee8f32f22b9d7b2c33e5140a0 1552965642 2019-03-19T03:20:42+00:00 |