diff options
Diffstat (limited to 'metadata/glsa')
24 files changed, 1042 insertions, 43 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 549df1977bb3..e9f4a151bebc 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 437590 BLAKE2B 89b5299a2ae5909a2f126e7d079e486a46a84b314ae3fd8e955c116ff1469671110300e3034ae816a3f8d7760ff951864b0f6a2ea8e63f69093f03e040aaa3f5 SHA512 af2b9c5421b1ff957533cc161bb0347cbaa2e3e90c9069b5b7e6141ce2a943b1cc971aacd34224e34915a04db19e7b1d06ff5519de5e8c67f4753e7fc7157bf3 -TIMESTAMP 2019-03-19T10:38:40Z +MANIFEST Manifest.files.gz 440286 BLAKE2B 2af5ef9362c78ba7bf11bdae9a9489f74edad467df6b2ae46f4c40f90efff0d9b9a16871d4b4dc3152d243cdeef378b57c07f591978c6f08430193f3f3b50211 SHA512 7e4746f00d3d1c261bcbe86e5a5e69eaabba6282a2dc735d9c66666182e861452e574ab7acbc8ab5e371b58e03c97a798c1b6252a2fefecafc24796f9bf8af6f +TIMESTAMP 2019-04-05T19:38:48Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlyQxrBfFIAAAAAALgAo +iQKSBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlynrshfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klDrDg//YyE6JU2ZaXcEyszFO1/7+5m21MFqI0yNLvg6NpEYpKPXydaplPlZWePP -KwpwB/UCravezXqOive8GyGbClBKOrXI2PzX7gn+PgyNW5BQQgVgg1JKev4FCcr1 -IwrdKhLI7hi9VnGspot1SSROQfYoCq/Y367bv6t87fZ+0FLq3+Q2wJvSo0tbAWCM -CzxtPT6j9wZll3TFTLHqccw9cOCSJkgJ1U9lhTVfn47ACO4O3AmwZA08vANyJPGA -WBw1k9mdh6OPBXf72NauBPeEFDB9L39HHYifdCRlBhw1e/Go3ptjBcsKjqG5ZJO7 -JcVz4jtLrFpHDRlKQjtxeUZstkUTmnk3hXtKnHH9pCNUnAWWa09gFpz6iRIomEEQ -7f4CKWJI69WtZlfj0U3FdUkO7L2TXdikJWp/rLTyQDsM4JNrBEgUqr1DnReVhijW -A93TJ+0GrFh9717ym8XNsIJPgQlS0p5kMY+41d3e2IE+GRTDz2IOWHfnqmmOaS+/ -7pz9Gs1yjim+GnWgCPPVp3zVE/lUTq4n2w6TQZg6q6Q5AI+8z4OKwu8S5QbgsgVH -56Jh1U7gh7y1z/3TtiFJ4fsi6LX91KtsYc8D7+J1Kq9lHkXUMRLaqnDd5zPgGG8I -4QZ2SeDBsAb2Zu96B4fqWf8PkO9Vw97rWhWRJxux9jXzeeFpH4k= -=Xxnn +klDmmw/1FnKMgyH5T28DSzwMZuE8YkwURYIHCA5qWo9cxMNC3+zkmbbSk0VVpFYM +x4Kbujp284QVXKb0qFnaOIgg8I8vV8ZsfycoIlgBeMtC5lSK06za+aOIQtIsqUqA +dVKlptpy1PW0Yq2mtUHcU3km8JTzzyGCpmTEEQpYXP/aIzj9MdVW1tTGfeJFUILf +Wb9D/3A9ccU6tfdkPQMJGE2g3+vWU3yocfJtsAPdFFb3npZXrtQKQgLHm48OMKmU +q60eSg5qePVkgL67iitIoO5HFleNkTAgaOzTpGtd7/oxGzAqzgPQ3915hqTodC6E +ZUqxcXe+qVtWbFJkO9VtaQ1ZMVa2LjldoNY7ZvexOwmGZg7QGx7yx7sMato1XsM2 +S8+i7ylkBCxnk3gV1Bi4t6fgZEV9wK9cURpJEto5QFkqJDY/XHNxFlB0S8FWs/Uv +5DGhPi5nsjdHhUAoifJ22u21IRgAaS2GFXuwDLGgpA2ZOjRWXdMK2IfK84wHzWvj +ESHnObusGk5CJ6NDyLeo22ibnfKT/e4diLBE/wQZ/0BAb1VtTsCIUDPXv8pqEF3L +jSuKXXDo/qWtQChKbtLngMxCrxqo5j2n67itEcEPYCVCrTrvJDyqwb5bzBjtwlIn +sdgofFSpC7jNGj79z5H+d5QrMTDa46VgeVg3h/O/8TgzVM3JFw== +=Of+c -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 01756e23b684..c193a1df00d8 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-201401-04.xml b/metadata/glsa/glsa-201401-04.xml index 8783065d40fa..8455a8b2cd1c 100644 --- a/metadata/glsa/glsa-201401-04.xml +++ b/metadata/glsa/glsa-201401-04.xml @@ -17,23 +17,10 @@ <access>remote</access> <affected> <package name="dev-lang/python" auto="yes" arch="*"> - <unaffected range="rge">3.2.5-r1</unaffected> - <unaffected range="rge">2.6.8</unaffected> - <unaffected range="rge">2.7.3-r1</unaffected> + <unaffected range="ge">3.2.5-r1</unaffected> + <unaffected range="ge">2.6.8</unaffected> + <unaffected range="ge">2.7.3-r1</unaffected> <unaffected range="ge">3.3.2-r1</unaffected> - <unaffected range="rge">2.6.9</unaffected> - <unaffected range="rge">2.7.4</unaffected> - <unaffected range="rge">2.7.5</unaffected> - <unaffected range="rge">2.7.6</unaffected> - <unaffected range="rge">2.7.7</unaffected> - <unaffected range="rge">2.7.8</unaffected> - <unaffected range="rge">2.7.9</unaffected> - <unaffected range="rge">2.7.10</unaffected> - <unaffected range="rge">2.7.11</unaffected> - <unaffected range="rge">2.7.12</unaffected> - <unaffected range="rge">2.7.13</unaffected> - <unaffected range="rge">2.7.14</unaffected> - <unaffected range="rge">2.7.15</unaffected> <vulnerable range="lt">3.3.2-r1</vulnerable> </package> </affected> diff --git a/metadata/glsa/glsa-201503-10.xml b/metadata/glsa/glsa-201503-10.xml index b1968049e389..52c86ad82e0e 100644 --- a/metadata/glsa/glsa-201503-10.xml +++ b/metadata/glsa/glsa-201503-10.xml @@ -19,13 +19,7 @@ <affected> <package name="dev-lang/python" auto="yes" arch="*"> <unaffected range="ge">3.3.5-r1</unaffected> - <unaffected range="rge">2.7.9-r1</unaffected> - <unaffected range="rge">2.7.10</unaffected> - <unaffected range="rge">2.7.11</unaffected> - <unaffected range="rge">2.7.12</unaffected> - <unaffected range="rge">2.7.13</unaffected> - <unaffected range="rge">2.7.14</unaffected> - <unaffected range="rge">2.7.15</unaffected> + <unaffected range="ge">2.7.9-r1</unaffected> <vulnerable range="lt">3.3.5-r1</vulnerable> </package> </affected> diff --git a/metadata/glsa/glsa-201811-02.xml b/metadata/glsa/glsa-201811-02.xml index 6ba1bc458393..ce9a6b6e7109 100644 --- a/metadata/glsa/glsa-201811-02.xml +++ b/metadata/glsa/glsa-201811-02.xml @@ -12,8 +12,8 @@ <access>remote</access> <affected> <package name="dev-lang/python" auto="yes" arch="*"> - <unaffected range="ge">2.7.15</unaffected> - <vulnerable range="lt">2.7.15</vulnerable> + <unaffected range="ge" slot="2.7">2.7.15</unaffected> + <vulnerable range="lt" slot="2.7">2.7.15</vulnerable> </package> </affected> <background> @@ -39,7 +39,7 @@ <code> # emerge --sync - # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.15" + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.15:2.7" </code> </resolution> diff --git a/metadata/glsa/glsa-201903-16.xml b/metadata/glsa/glsa-201903-16.xml new file mode 100644 index 000000000000..7e9889dc2827 --- /dev/null +++ b/metadata/glsa/glsa-201903-16.xml @@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-16"> + <title>OpenSSH: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in OpenSSH, the worst of + which could allow a remote attacker to gain unauthorized access. + </synopsis> + <product type="ebuild">openssh</product> + <announced>2019-03-20</announced> + <revised count="1">2019-03-20</revised> + <bug>675520</bug> + <bug>675522</bug> + <access>remote</access> + <affected> + <package name="net-misc/openssh" auto="yes" arch="*"> + <unaffected range="ge">7.9_p1-r4</unaffected> + <vulnerable range="lt">7.9_p1-r4</vulnerable> + </package> + </affected> + <background> + <p>OpenSSH is a complete SSH protocol implementation that includes SFTP + client and server support. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in OpenSSH. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could overwrite arbitrary files, transfer malicious + files, or gain unauthorized access. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All OpenSSH users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openssh-7.9_p1-r4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20685">CVE-2018-20685</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6109">CVE-2019-6109</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6110">CVE-2019-6110</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6111">CVE-2019-6111</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T21:55:11Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-20T13:35:05Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-17.xml b/metadata/glsa/glsa-201903-17.xml new file mode 100644 index 000000000000..f561605e8c58 --- /dev/null +++ b/metadata/glsa/glsa-201903-17.xml @@ -0,0 +1,65 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-17"> + <title>SDL2_Image: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in the image loading + library + for Simple DirectMedia Layer, the worst of which could result in the remote + execution of arbitrary code. + </synopsis> + <product type="ebuild">sdl_image</product> + <announced>2019-03-28</announced> + <revised count="1">2019-03-28</revised> + <bug>655226</bug> + <bug>674132</bug> + <access>local, remote</access> + <affected> + <package name="media-libs/sdl2-image" auto="yes" arch="*"> + <unaffected range="ge">2.0.4</unaffected> + <vulnerable range="lt">2.0.4</vulnerable> + </package> + </affected> + <background> + <p>SDL_image is an image file library that loads images as SDL surfaces, + and supports various formats like BMP, GIF, JPEG, LBM, PCX, PNG, PNM, + TGA, TIFF, XCF, XPM, and XV. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in SDL2_Image. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker, by enticing a user to process a specially crafted + image file, could execute arbitrary code, cause a Denial of Service + condition, or obtain sensitive information. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All SDL2_Image users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/sdl2-image-2.0.4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12122">CVE-2017-12122</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14440">CVE-2017-14440</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14441">CVE-2017-14441</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14442">CVE-2017-14442</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14448">CVE-2017-14448</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14449">CVE-2017-14449</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14450">CVE-2017-14450</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3837">CVE-2018-3837</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3838">CVE-2018-3838</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3839">CVE-2018-3839</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3977">CVE-2018-3977</uri> + </references> + <metadata tag="requester" timestamp="2018-12-02T21:13:59Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-03-28T02:06:35Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-18.xml b/metadata/glsa/glsa-201903-18.xml new file mode 100644 index 000000000000..8a568d6c284b --- /dev/null +++ b/metadata/glsa/glsa-201903-18.xml @@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-18"> + <title>GD: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in GD, the worst of which + could result in the remote execution of arbitrary code. + </synopsis> + <product type="ebuild">gd</product> + <announced>2019-03-28</announced> + <revised count="1">2019-03-28</revised> + <bug>664732</bug> + <bug>679702</bug> + <access>local, remote</access> + <affected> + <package name="media-libs/gd" auto="yes" arch="*"> + <unaffected range="ge">2.2.5-r2</unaffected> + <vulnerable range="lt">2.2.5-r2</vulnerable> + </package> + </affected> + <background> + <p>GD is a graphic library for fast image creation.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in GD. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to process a specially crafted + image, possibly resulting in execution of arbitrary code or a Denial of + Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GD users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/gd-2.2.5-r2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000222"> + CVE-2018-1000222 + </uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5711">CVE-2018-5711</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6977">CVE-2019-6977</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6978">CVE-2019-6978</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T05:25:03Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-28T02:09:10Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-19.xml b/metadata/glsa/glsa-201903-19.xml new file mode 100644 index 000000000000..1594fdca63ff --- /dev/null +++ b/metadata/glsa/glsa-201903-19.xml @@ -0,0 +1,56 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-19"> + <title>NASM: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in NASM, the worst of + which could result in the remote execution of arbitrary code. + </synopsis> + <product type="ebuild">nasm</product> + <announced>2019-03-28</announced> + <revised count="1">2019-03-28</revised> + <bug>635358</bug> + <bug>659550</bug> + <bug>670884</bug> + <access>remote</access> + <affected> + <package name="dev-lang/nasm" auto="yes" arch="*"> + <unaffected range="ge">2.14.02</unaffected> + <vulnerable range="lt">2.14.02</vulnerable> + </package> + </affected> + <background> + <p>NASM is a 80x86 assembler that has been created for portability and + modularity. NASM supports Pentium, P6, SSE MMX, and 3DNow extensions. It + also supports a wide range of objects formats (ELF, a.out, COFF, etc), + and has its own disassembler. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in NASM. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>A remote attacker could cause a Denial of Service condition or execute + arbitrary code. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All NASM users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/nasm-2.14.02" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-10686">CVE-2017-10686</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11111">CVE-2017-11111</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14228">CVE-2017-14228</uri> + </references> + <metadata tag="requester" timestamp="2019-03-10T04:10:57Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-28T02:11:39Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-20.xml b/metadata/glsa/glsa-201903-20.xml new file mode 100644 index 000000000000..87cc4d4c6744 --- /dev/null +++ b/metadata/glsa/glsa-201903-20.xml @@ -0,0 +1,69 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-20"> + <title>cabextract, libmspack: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in cabextract and + libmspack, the worst of which could result in a Denial of Service. + </synopsis> + <product type="ebuild">cabextract, libmspack</product> + <announced>2019-03-28</announced> + <revised count="1">2019-03-28</revised> + <bug>662874</bug> + <bug>669280</bug> + <access>remote</access> + <affected> + <package name="app-arch/cabextract" auto="yes" arch="*"> + <unaffected range="ge">1.8</unaffected> + <vulnerable range="lt">1.8</vulnerable> + </package> + <package name="dev-libs/libmspack" auto="yes" arch="*"> + <unaffected range="ge">0.8_alpha</unaffected> + <vulnerable range="lt">0.8_alpha</vulnerable> + </package> + </affected> + <background> + <p>cabextract is free software for extracting Microsoft cabinet files.</p> + + <p>libmspack is a portable library for some loosely related Microsoft + compression formats + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in cabextract and + libmspack. Please review the CVE identifiers referenced below for + details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE’s for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All cabextract users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/cabextract-1.8" + </code> + + <p>All libmspack users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libmspack-0.8_alpha" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14679">CVE-2018-14679</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14680">CVE-2018-14680</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14681">CVE-2018-14681</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14682">CVE-2018-14682</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18584">CVE-2018-18584</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18585">CVE-2018-18585</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18586">CVE-2018-18586</uri> + </references> + <metadata tag="requester" timestamp="2019-03-24T19:20:01Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-03-28T02:14:01Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-21.xml b/metadata/glsa/glsa-201903-21.xml new file mode 100644 index 000000000000..bfbf093933d1 --- /dev/null +++ b/metadata/glsa/glsa-201903-21.xml @@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-21"> + <title>Apache: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Apache Web Server, the + worst of which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">apache</product> + <announced>2019-03-28</announced> + <revised count="1">2019-03-28</revised> + <bug>676064</bug> + <access>remote</access> + <affected> + <package name="www-servers/apache" auto="yes" arch="*"> + <unaffected range="ge">2.4.38-r1</unaffected> + <vulnerable range="lt">2.4.38-r1</vulnerable> + </package> + </affected> + <background> + <p>The Apache HTTP server is one of the most popular web servers on the + Internet. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Apache. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker can possibly cause a Denial of Service condition or + could bypass mod_session_cookie expiration time. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Apache users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.38-r1" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17189">CVE-2018-17189</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17190">CVE-2018-17190</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17199">CVE-2018-17199</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-0190">CVE-2019-0190</uri> + </references> + <metadata tag="requester" timestamp="2019-03-24T13:34:22Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-28T02:17:53Z">Zlogene</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-22.xml b/metadata/glsa/glsa-201903-22.xml new file mode 100644 index 000000000000..a4ca5781ef35 --- /dev/null +++ b/metadata/glsa/glsa-201903-22.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-22"> + <title>ZeroMQ: Code execution</title> + <synopsis>An overflow was discovered in ZeroMQ which could lead to arbitrary + code execution. + </synopsis> + <product type="ebuild">zeromq</product> + <announced>2019-03-28</announced> + <revised count="1">2019-03-28</revised> + <bug>675376</bug> + <access>local, remote</access> + <affected> + <package name="net-libs/zeromq" auto="yes" arch="*"> + <unaffected range="ge">4.3.1</unaffected> + <vulnerable range="lt">4.3.1</vulnerable> + </package> + </affected> + <background> + <p>Looks like an embeddable networking library but acts like a concurrency + framework + </p> + </background> + <description> + <p>Please reference the CVE for details.</p> + </description> + <impact type="high"> + <p>Please reference the CVE for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ZeroMQ users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/zeromq-4.3.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6250">CVE-2019-6250</uri> + </references> + <metadata tag="requester" timestamp="2019-03-24T14:21:11Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-28T02:20:04Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201903-23.xml b/metadata/glsa/glsa-201903-23.xml new file mode 100644 index 000000000000..cd7a6ab5f4c2 --- /dev/null +++ b/metadata/glsa/glsa-201903-23.xml @@ -0,0 +1,76 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-23"> + <title>Chromium: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Chromium, the worst of + which could result in the remote execution of code. + </synopsis> + <product type="ebuild">chromium</product> + <announced>2019-03-28</announced> + <revised count="1">2019-03-28</revised> + <bug>671550</bug> + <bug>677066</bug> + <bug>679530</bug> + <bug>680242</bug> + <access>remote</access> + <affected> + <package name="www-client/chromium" auto="yes" arch="*"> + <unaffected range="ge">73.0.3683.75</unaffected> + <vulnerable range="lt">73.0.3683.75</vulnerable> + </package> + </affected> + <background> + <p>Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the referenced CVE identifiers and Google Chrome + Releases for details. + </p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers and Google Chrome Releases + for details. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Chromium users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-73.0.3683.75" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17479">CVE-2018-17479</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5786">CVE-2019-5786</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5786">CVE-2019-5786</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5787">CVE-2019-5787</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5788">CVE-2019-5788</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5789">CVE-2019-5789</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5790">CVE-2019-5790</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5791">CVE-2019-5791</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5792">CVE-2019-5792</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5793">CVE-2019-5793</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5794">CVE-2019-5794</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5795">CVE-2019-5795</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5796">CVE-2019-5796</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5797">CVE-2019-5797</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5798">CVE-2019-5798</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5799">CVE-2019-5799</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5800">CVE-2019-5800</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5801">CVE-2019-5801</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5802">CVE-2019-5802</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5803">CVE-2019-5803</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5804">CVE-2019-5804</uri> + </references> + <metadata tag="requester" timestamp="2019-03-24T22:13:31Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-03-28T02:22:18Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201904-01.xml b/metadata/glsa/glsa-201904-01.xml new file mode 100644 index 000000000000..413cf96f361e --- /dev/null +++ b/metadata/glsa/glsa-201904-01.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201904-01"> + <title>Cairo: Denial of Service</title> + <synopsis>Multiple vulnerabilities were found in Cairo, the worst of which + could cause a Denial of Service condition. + </synopsis> + <product type="ebuild">cairo</product> + <announced>2019-04-02</announced> + <revised count="1">2019-04-02</revised> + <bug>596756</bug> + <bug>625636</bug> + <bug>672908</bug> + <access>remote</access> + <affected> + <package name="x11-libs/cairo" auto="yes" arch="*"> + <unaffected range="ge">1.16.0-r3</unaffected> + <vulnerable range="lt">1.16.0-r3</vulnerable> + </package> + </affected> + <background> + <p>Cairo is a 2D vector graphics library with cross-device output support.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Cairo. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Cairo users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.16.0-r2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-9082">CVE-2016-9082</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9814">CVE-2017-9814</uri> + </references> + <metadata tag="requester" timestamp="2019-03-27T00:20:40Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-04-02T04:14:37Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201904-02.xml b/metadata/glsa/glsa-201904-02.xml new file mode 100644 index 000000000000..dbf891e06df0 --- /dev/null +++ b/metadata/glsa/glsa-201904-02.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201904-02"> + <title>Libical: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Libical, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">libical</product> + <announced>2019-04-02</announced> + <revised count="1">2019-04-02</revised> + <bug>587572</bug> + <bug>587574</bug> + <access>remote</access> + <affected> + <package name="dev-libs/libical" auto="yes" arch="*"> + <unaffected range="ge">3.0.0</unaffected> + <vulnerable range="lt">3.0.0</vulnerable> + </package> + </affected> + <background> + <p>An Open Source implementation of the iCalendar protocols and protocol + data units. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Libical. Please review + the referenced CVE identifiers for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Libical users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libical-3.0.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-5823">CVE-2016-5823</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-5824">CVE-2016-5824</uri> + </references> + <metadata tag="requester" timestamp="2019-03-29T18:17:49Z">b-man</metadata> + <metadata tag="submitter" timestamp="2019-04-02T04:17:39Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201904-03.xml b/metadata/glsa/glsa-201904-03.xml new file mode 100644 index 000000000000..8a5ae4cdfa0e --- /dev/null +++ b/metadata/glsa/glsa-201904-03.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201904-03"> + <title>Unbound: Multiple vulnerabilities </title> + <synopsis>Multiple vulnerabilities have been found in Unbound, the worst of + which could lead to privilege escalation. + </synopsis> + <product type="ebuild">unbound</product> + <announced>2019-04-02</announced> + <revised count="1">2019-04-02</revised> + <bug>641042</bug> + <bug>677054</bug> + <access>remote</access> + <affected> + <package name="net-dns/unbound" auto="yes" arch="*"> + <unaffected range="ge">1.8.3</unaffected> + <vulnerable range="lt">1.8.3</vulnerable> + </package> + </affected> + <background> + <p>Unbound is a validating, recursive, and caching DNS resolver.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Unbound. Please review + the referenced bugs for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced bugs for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Unbound users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/unbound-1.8.3" + </code> + </resolution> + <references> + </references> + <metadata tag="requester" timestamp="2019-03-10T00:48:50Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-04-02T04:20:03Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201904-04.xml b/metadata/glsa/glsa-201904-04.xml new file mode 100644 index 000000000000..4dbd20dd48a5 --- /dev/null +++ b/metadata/glsa/glsa-201904-04.xml @@ -0,0 +1,47 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201904-04"> + <title>Poppler: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Poppler, the worst of + which could allow a Denial of Service. + </synopsis> + <product type="ebuild">poppler</product> + <announced>2019-04-02</announced> + <revised count="1">2019-04-02</revised> + <bug>659828</bug> + <bug>670880</bug> + <access>remote</access> + <affected> + <package name="app-text/poppler" auto="yes" arch="*"> + <unaffected range="ge">0.70.0</unaffected> + <vulnerable range="lt">0.70.0</vulnerable> + </package> + </affected> + <background> + <p>Poppler is a PDF rendering library based on the xpdf-3.0 code base.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Poppler. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Poppler users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/poppler-0.70.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19149">CVE-2018-19149</uri> + </references> + <metadata tag="requester" timestamp="2019-03-27T05:17:10Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-04-02T04:21:51Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201904-05.xml b/metadata/glsa/glsa-201904-05.xml new file mode 100644 index 000000000000..32f4490fde55 --- /dev/null +++ b/metadata/glsa/glsa-201904-05.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201904-05"> + <title>BURP: Root privilege escalation</title> + <synopsis>A vulnerability was discovered in Gentoo's ebuild for BURP which + could lead to root privilege escalation. + </synopsis> + <product type="ebuild">burp</product> + <announced>2019-04-02</announced> + <revised count="1">2019-04-02</revised> + <bug>641842</bug> + <access>local</access> + <affected> + <package name="app-backup/burp" auto="yes" arch="*"> + <unaffected range="ge">2.1.32-r1</unaffected> + <vulnerable range="lt">2.1.32-r1</vulnerable> + </package> + </affected> + <background> + <p>A network backup and restore program.</p> + </background> + <description> + <p>It was discovered that Gentoo’s BURP ebuild does not properly set + permissions or place the pid file in a safe directory. Additionally, the + first set of patches did not completely address this. As such, a + revision has been made available that addresses all concerns of the + initial report. + </p> + </description> + <impact type="normal"> + <p>A local attacker could escalate privileges.</p> + </impact> + <workaround> + <p>Users should ensure the proper permissions are set as discussed in the + referenced bugs. + </p> + </workaround> + <resolution> + <p>All BURP users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-backup/burp-2.1.32-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-18285">CVE-2017-18285</uri> + </references> + <metadata tag="requester" timestamp="2019-03-27T01:35:48Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-04-02T04:23:38Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201904-06.xml b/metadata/glsa/glsa-201904-06.xml new file mode 100644 index 000000000000..e5338d314d68 --- /dev/null +++ b/metadata/glsa/glsa-201904-06.xml @@ -0,0 +1,69 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201904-06"> + <title>GlusterFS: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in GlusterFS, the worst of + which could result in the execution of arbitrary code. + </synopsis> + <product type="ebuild">glusterfs</product> + <announced>2019-04-02</announced> + <revised count="2">2019-04-02</revised> + <bug>653070</bug> + <bug>658606</bug> + <bug>664336</bug> + <bug>670088</bug> + <access>remote</access> + <affected> + <package name="sys-cluster/glusterfs" auto="yes" arch="*"> + <unaffected range="ge">4.1.8</unaffected> + <vulnerable range="lt">4.1.8</vulnerable> + </package> + </affected> + <background> + <p>A free and open source software scalable network filesystem.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in GlusterFS. Please + review the referenced CVE identifiers for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GlusterFS users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-cluster/glusterfs-4.1.8" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10841">CVE-2018-10841</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1088">CVE-2018-1088</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10904">CVE-2018-10904</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10907">CVE-2018-10907</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10911">CVE-2018-10911</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10913">CVE-2018-10913</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10914">CVE-2018-10914</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10923">CVE-2018-10923</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10924">CVE-2018-10924</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10926">CVE-2018-10926</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10927">CVE-2018-10927</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10928">CVE-2018-10928</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10929">CVE-2018-10929</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10930">CVE-2018-10930</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14651">CVE-2018-14651</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14652">CVE-2018-14652</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14653">CVE-2018-14653</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14654">CVE-2018-14654</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14659">CVE-2018-14659</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14660">CVE-2018-14660</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14661">CVE-2018-14661</uri> + </references> + <metadata tag="requester" timestamp="2019-03-24T12:37:38Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-04-02T04:26:59Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201904-07.xml b/metadata/glsa/glsa-201904-07.xml new file mode 100644 index 000000000000..0cddfaf2c8dd --- /dev/null +++ b/metadata/glsa/glsa-201904-07.xml @@ -0,0 +1,109 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201904-07"> + <title>Mozilla Thunderbird and Firefox: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird and + Firefox, the worst of which could lead to the execution of arbitrary code. + </synopsis> + <product type="ebuild">thunderbird,firefox,mozilla</product> + <announced>2019-04-02</announced> + <revised count="1">2019-04-02</revised> + <bug>676954</bug> + <bug>678072</bug> + <bug>681834</bug> + <bug>681836</bug> + <access>remote</access> + <affected> + <package name="mail-client/thunderbird" auto="yes" arch="*"> + <unaffected range="ge">60.6.1</unaffected> + <vulnerable range="lt">60.6.1</vulnerable> + </package> + <package name="mail-client/thunderbird-bin" auto="yes" arch="*"> + <unaffected range="ge">60.6.1</unaffected> + <vulnerable range="lt">60.6.1</vulnerable> + </package> + <package name="www-client/firefox" auto="yes" arch="*"> + <unaffected range="ge">60.6.1</unaffected> + <vulnerable range="lt">60.6.1</vulnerable> + </package> + <package name="www-client/firefox-bin" auto="yes" arch="*"> + <unaffected range="ge">60.6.1</unaffected> + <vulnerable range="lt">60.6.1</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Thunderbird is a popular open-source email client from the + Mozilla project. + Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird and + Firefox. Please review the referenced Mozilla Foundation Security + Advisories and CVE identifiers below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced Mozilla Foundation Security Advisories and + CVE identifiers below for details. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Thunderbird users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-60.6.1" + </code> + + <p>All Thunderbird bin users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=mail-client/thunderbird-bin-60.6.1" + </code> + + <p>All Firefox users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-60.6.1" + </code> + + <p>All Firefox bin users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-60.6.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-5824">CVE-2016-5824</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18335">CVE-2018-18335</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18356">CVE-2018-18356</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18500">CVE-2018-18500</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18501">CVE-2018-18501</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18505">CVE-2018-18505</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18506">CVE-2018-18506</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18509">CVE-2018-18509</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18512">CVE-2018-18512</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18513">CVE-2018-18513</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5785">CVE-2019-5785</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9788">CVE-2019-9788</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9790">CVE-2019-9790</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9791">CVE-2019-9791</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9792">CVE-2019-9792</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9793">CVE-2019-9793</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9795">CVE-2019-9795</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9796">CVE-2019-9796</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9810">CVE-2019-9810</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9813">CVE-2019-9813</uri> + </references> + <metadata tag="requester" timestamp="2019-03-27T02:10:22Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-04-02T04:32:51Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201904-08.xml b/metadata/glsa/glsa-201904-08.xml new file mode 100644 index 000000000000..9a634deb75e5 --- /dev/null +++ b/metadata/glsa/glsa-201904-08.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201904-08"> + <title>Subversion: Denial of Service</title> + <synopsis>A vulnerability in Subversion could lead to a Denial of Service + condition. + </synopsis> + <product type="ebuild">subversion</product> + <announced>2019-04-02</announced> + <revised count="1">2019-04-02</revised> + <bug>676094</bug> + <access>remote</access> + <affected> + <package name="dev-vcs/subversion" auto="yes" arch="*"> + <unaffected range="ge">1.10.4</unaffected> + <vulnerable range="lt">1.10.4</vulnerable> + </package> + </affected> + <background> + <p>Subversion is a version control system intended to eventually replace + CVS. Like CVS, it has an optional client-server architecture (where the + server can be an Apache server running mod_svn, or an ssh program as in + CVS’s :ext: method). In addition to supporting the features found in + CVS, Subversion also provides support for moving and copying files and + directories. + </p> + </background> + <description> + <p>A vulnerability was discovered in Subversion’s mod_dav_svn, that could + lead to a Denial of Service Condition. + </p> + </description> + <impact type="normal"> + <p>An attacker could cause a possible enial of Service condition.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Subversion users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.10.4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11803">CVE-2018-11803</uri> + </references> + <metadata tag="requester" timestamp="2019-03-22T00:07:51Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-04-02T04:35:47Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201904-09.xml b/metadata/glsa/glsa-201904-09.xml new file mode 100644 index 000000000000..1f133aea4a5e --- /dev/null +++ b/metadata/glsa/glsa-201904-09.xml @@ -0,0 +1,70 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201904-09"> + <title>Xen: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Xen, the worst of which + could result in privilege escalation. + </synopsis> + <product type="ebuild">xen</product> + <announced>2019-04-04</announced> + <revised count="2">2019-04-04</revised> + <bug>679580</bug> + <access>remote</access> + <affected> + <package name="app-emulation/xen" auto="yes" arch="*"> + <unaffected range="ge">4.10.3-r1</unaffected> + <vulnerable range="lt">4.10.3-r1</vulnerable> + </package> + <package name="app-emulation/xen-pvgrub" auto="yes" arch="*"> + <unaffected range="ge">4.10.3</unaffected> + <vulnerable range="lt">4.10.3</vulnerable> + </package> + <package name="app-emulation/xen-tools" auto="yes" arch="*"> + <unaffected range="ge">4.10.3-r2</unaffected> + <vulnerable range="lt">4.10.3-r2</vulnerable> + </package> + </affected> + <background> + <p>Xen is a bare-metal hypervisor.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Xen. Please review the + referenced XSA security advisories. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced XSA security advisories for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Xen users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.10.3-r2" + </code> + + <p>All Xen pvgrub users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/xen-pvgrub-4.10.3-r2" + </code> + + <p>All Xen tools users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/xen-tools-4.10.3-r2" + </code> + </resolution> + <references> + <uri link="http://xenbits.xen.org/xsa/">XSA Security Advisory</uri> + </references> + <metadata tag="requester" timestamp="2019-03-28T03:48:31Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2019-04-04T18:34:06Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index e93b41aac52e..96a4d66147ab 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Tue, 19 Mar 2019 10:38:37 +0000 +Fri, 05 Apr 2019 19:38:44 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 98bcf26d91f9..8bf01aa3c270 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -0a72c299702ffceee8f32f22b9d7b2c33e5140a0 1552965642 2019-03-19T03:20:42+00:00 +7c09f6fddfb8f5996646e8bceb05ce66a9df690d 1554402888 2019-04-04T18:34:48+00:00 |