Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/glsa-201710-28.xml49
-rw-r--r--metadata/glsa/glsa-201710-29.xml58
-rw-r--r--metadata/glsa/glsa-201710-30.xml63
-rw-r--r--metadata/glsa/glsa-201710-31.xml114
-rw-r--r--metadata/glsa/glsa-201710-32.xml77
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
7 files changed, 363 insertions, 2 deletions
diff --git a/metadata/glsa/glsa-201710-28.xml b/metadata/glsa/glsa-201710-28.xml
new file mode 100644
index 000000000000..1324e48c3901
--- /dev/null
+++ b/metadata/glsa/glsa-201710-28.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201710-28">
+ <title>Jython: Arbitrary code execution</title>
+ <synopsis>A vulnerability in Jython may lead to arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">Jython</product>
+ <announced>2017-10-29</announced>
+ <revised>2017-10-29: 1</revised>
+ <bug>621876</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/jython" auto="yes" arch="*">
+ <unaffected range="ge">2.7.0-r2</unaffected>
+ <vulnerable range="lt">2.7.0-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>An implementation of Python written in Java.</p>
+ </background>
+ <description>
+ <p>It was found that Jython is vulnerable to arbitrary code execution by
+ sending a serialized function to the deserializer.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Remote execution of arbitrary code by enticing a user to execute
+ malicious code.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Jython users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-java/jython-2.7.0-r2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000">
+ CVE-2016-4000
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-10-26T13:31:13Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2017-10-29T17:17:48Z">jmbailey</metadata>
+</glsa>
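Review bot: The `<impact>` text `Remote execution of arbitrary code by enticing a user to execute malicious code.` is circular and does not match the `<description>`, which names the real precondition: an application deserializing attacker-supplied data with Jython. Suggested wording: `A remote attacker able to supply serialized data to an application that deserializes it with Jython could execute arbitrary code with the privileges of that application.` That reading is consistent with `<access>remote</access>`, whereas "enticing a user to execute malicious code" implies a user-interaction, client-side vector that nothing else in the advisory supports.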
diff --git a/metadata/glsa/glsa-201710-29.xml b/metadata/glsa/glsa-201710-29.xml
new file mode 100644
index 000000000000..a2dfda779ecf
--- /dev/null
+++ b/metadata/glsa/glsa-201710-29.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201710-29">
+ <title>Asterisk: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Asterisk, the worst of
+ which allows remote execution of arbitrary shell commands.
+ </synopsis>
+ <product type="ebuild">asterisk</product>
+ <announced>2017-10-29</announced>
+ <revised>2017-10-29: 1</revised>
+ <bug>629682</bug>
+ <bug>629692</bug>
+ <bug>633856</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/asterisk" auto="yes" arch="*">
+ <unaffected range="ge">11.25.3</unaffected>
+ <vulnerable range="lt">11.25.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A Modular Open Source PBX System.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Asterisk. Please review
+ the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could execute arbitrary code, cause a denial of
+ service condition, or cause an unauthorized data disclosure by enticing a
+ user to run malicious code.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Asterisk users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-misc/asterisk-13.17.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14098">CVE-2017-14098</uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14099">
+ CVE-2017-14099
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14100">
+ CVE-2017-14100
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14603">CVE-2017-14603</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-10-26T14:19:30Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2017-10-29T19:14:13Z">jmbailey</metadata>
+</glsa>
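Review bot: The `<affected>` ranges and the `<resolution>` disagree: `<unaffected range="ge">11.25.3</unaffected>` / `<vulnerable range="lt">11.25.3</vulnerable>` treat every 13.x build as unaffected, yet the upgrade command demands `>=net-misc/asterisk-13.17.2`. Because `auto="yes"` means glsa-check derives vulnerability status from these ranges, a host on 13.17.1 would be reported clean while the advisory's own fix version is 13.17.2. Either the two range lines should read `13.17.2` to match the command, or, if 11.25.3 is the intended fixed version, the command should reference `>=net-misc/asterisk-11.25.3`; as published one of them is wrong. Which version actually carries the fixes for the four referenced CVEs is not established by this page and should be confirmed against the bugs before correcting.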
diff --git a/metadata/glsa/glsa-201710-30.xml b/metadata/glsa/glsa-201710-30.xml
new file mode 100644
index 000000000000..67af29cd0fc6
--- /dev/null
+++ b/metadata/glsa/glsa-201710-30.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201710-30">
+ <title>X.Org Server: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in X.Org Server the worst
+ of which could allow a local attacker to replace shared memory segments.
+ </synopsis>
+ <product type="ebuild">X.Org Server</product>
+ <announced>2017-10-29</announced>
+ <revised>2017-10-29: 1</revised>
+ <bug>493294</bug>
+ <bug>611350</bug>
+ <bug>633910</bug>
+ <access>local</access>
+ <affected>
+ <package name="x11-base/xorg-server" auto="yes" arch="*">
+ <unaffected range="ge">1.19.4</unaffected>
+ <vulnerable range="lt">1.19.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The X.Org project provides an open source implementation of the X Window
+ System.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in X.Org Server. Please
+ review the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker could cause a global buffer overflow or a Denial of
+ Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time</p>
+ </workaround>
+ <resolution>
+ <p>All X.Org Server users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=x11-base/xorg-server-1.19.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6424">
+ CVE-2013-6424
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13721">
+ CVE-2017-13721
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13723">
+ CVE-2017-13723
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2624">
+ CVE-2017-2624
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-10-25T07:28:16Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2017-10-29T19:44:06Z">jmbailey</metadata>
+</glsa>
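Review bot: Punctuation in this advisory is inconsistent with the sibling advisories in the same commit: the `<synopsis>` reads `...have been found in X.Org Server the worst` and needs a comma (`X.Org Server, the worst of which`), and the `<workaround>` line `<p>There is no known workaround at this time</p>` lacks the trailing period every other file here uses. Both are cosmetic, but GLSA text is republished verbatim by mirrors and mailing-list bots, so it is worth fixing before the advisory is frozen. The `<impact>` also says a local attacker "could cause a global buffer overflow", which names the bug class rather than the consequence; phrasing it as the effect (for example `could cause a Denial of Service condition`) would read as an impact, and anything stronger such as code execution should only be stated if the referenced CVEs support it, which this page does not establish.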
diff --git a/metadata/glsa/glsa-201710-31.xml b/metadata/glsa/glsa-201710-31.xml
new file mode 100644
index 000000000000..b6e438df406f
--- /dev/null
+++ b/metadata/glsa/glsa-201710-31.xml
@@ -0,0 +1,114 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201710-31">
+ <title>Oracle JDK/JRE: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Oracle's JDK and JRE
+ software suites, the worst of which can be remotely exploited without
+ authentication.
+ </synopsis>
+ <product type="ebuild">oracle,jdk,jre</product>
+ <announced>2017-10-29</announced>
+ <revised>2017-10-29: 1</revised>
+ <bug>635030</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/oracle-jdk-bin" auto="yes" arch="*">
+ <unaffected range="ge">1.8.0.152-r1</unaffected>
+ <vulnerable range="lt">1.8.0.152-r1</vulnerable>
+ </package>
+ <package name="dev-java/oracle-jre-bin" auto="yes" arch="*">
+ <unaffected range="ge">1.8.0.152-r1</unaffected>
+ <vulnerable range="lt">1.8.0.152-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Java Platform, Standard Edition (Java SE) lets you develop and deploy
+ Java applications on desktops and servers, as well as in today’s
+ demanding embedded environments. Java offers the rich user interface,
+ performance, versatility, portability, and security that today’s
+ applications require.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Oracle’s Java SE.
+ Please review the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could cause a Denial of Service condition, modify
+ arbitrary data, or have numerous other impacts.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Oracle JDK users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=dev-java/oracle-jdk-bin-1.8.0.152-r1"
+ </code>
+
+ <p>All Oracle JRE users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=dev-java/oracle-jre-bin-1.8.0.152-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10274">
+ CVE-2017-10274
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10281">
+ CVE-2017-10281
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10285">
+ CVE-2017-10285
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10293">
+ CVE-2017-10293
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10295">
+ CVE-2017-10295
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10309">
+ CVE-2017-10309
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10345">
+ CVE-2017-10345
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10346">
+ CVE-2017-10346
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10347">
+ CVE-2017-10347
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10348">
+ CVE-2017-10348
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10349">
+ CVE-2017-10349
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10350">
+ CVE-2017-10350
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10355">
+ CVE-2017-10355
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10356">
+ CVE-2017-10356
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10357">
+ CVE-2017-10357
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10388">
+ CVE-2017-10388
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-10-24T17:32:20Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2017-10-29T22:47:00Z">jmbailey</metadata>
+</glsa>
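Review bot: Both `<code>` blocks in `<resolution>` wrap the emerge command across two lines (`# emerge --ask --oneshot --verbose` followed by `"&gt;=dev-java/oracle-jdk-bin-1.8.0.152-r1"` on its own line), unlike every other advisory in this commit, which keeps the atom on the command line. If the renderer preserves whitespace inside `<code>`, as the single-line convention elsewhere suggests, a copy-pasted instruction runs `emerge --ask --oneshot --verbose` with no atom and then tries to execute the atom string as a shell command. Join each into one line: `# emerge --ask --oneshot --verbose "&gt;=dev-java/oracle-jdk-bin-1.8.0.152-r1"` and `# emerge --ask --oneshot --verbose "&gt;=dev-java/oracle-jre-bin-1.8.0.152-r1"`.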
diff --git a/metadata/glsa/glsa-201710-32.xml b/metadata/glsa/glsa-201710-32.xml
new file mode 100644
index 000000000000..61324a61d421
--- /dev/null
+++ b/metadata/glsa/glsa-201710-32.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201710-32">
+ <title>Apache: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Apache, the worst of
+ which may result in the loss of secrets.
+ </synopsis>
+ <product type="ebuild">Apache</product>
+ <announced>2017-10-29</announced>
+ <revised>2017-10-29: 1</revised>
+ <bug>622240</bug>
+ <bug>624868</bug>
+ <bug>631308</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-servers/apache" auto="yes" arch="*">
+ <unaffected range="ge">2.4.27-r1</unaffected>
+ <vulnerable range="lt">2.4.27-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Apache HTTP server is one of the most popular web servers on the
+ Internet.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Apache. Please review
+ the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>The Optionsbleed vulnerability can leak arbitrary memory from the server
+ process that may contain secrets. Additionally attackers may cause a
+ Denial of Service condition, bypass authentication, or cause information
+ loss.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Apache users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-servers/apache-2.4.27-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3167">
+ CVE-2017-3167
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3169">
+ CVE-2017-3169
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7659">
+ CVE-2017-7659
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7668">
+ CVE-2017-7668
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7679">
+ CVE-2017-7679
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9788">
+ CVE-2017-9788
+ </uri>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9789">
+ CVE-2017-9789
+ </uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798">
+ CVE-2017-9798
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-10-23T01:26:58Z">jmbailey</metadata>
+ <metadata tag="submitter" timestamp="2017-10-29T23:04:17Z">jmbailey</metadata>
+</glsa>
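Review bot: `<workaround>` states `There is no known workaround at this time.` although the `<impact>` singles out Optionsbleed (CVE-2017-9798), for which a configuration-level mitigation is widely documented: the leak is triggered by `<Limit>` directives naming methods the server does not register, so auditing `.htaccess` files and server configuration for such `Limit` blocks (or withholding `AllowOverride Limit` from untrusted users) reduces exposure until the upgrade. If the security team considers that mitigation reliable enough, it belongs in `<workaround>` rather than a blanket "none", since administrators on shared hosting may not be able to upgrade immediately. The `<impact>` phrase `cause information loss` is also vague and should be tied to the specific CVE it describes, or dropped if no referenced issue actually destroys data.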
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index efc7a33c3304..c592e26b02de 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sun, 29 Oct 2017 10:39:29 +0000
+Tue, 31 Oct 2017 15:09:38 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 350c70c794f0..3a85cafb79b7 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-3c64211d24fa5a633310d841c0bd5cddc991cc02 1508723227 2017-10-23T01:47:07+00:00
+a3bfb3d4e245b9bc89b32be1e708c2ef1dd05b93 1509318312 2017-10-29T23:05:12+00:00