Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin556922 -> 557720 bytes
-rw-r--r--metadata/glsa/glsa-202312-10.xml42
-rw-r--r--metadata/glsa/glsa-202312-11.xml42
-rw-r--r--metadata/glsa/glsa-202312-12.xml52
-rw-r--r--metadata/glsa/glsa-202312-13.xml45
-rw-r--r--metadata/glsa/glsa-202312-14.xml60
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
9 files changed, 258 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 84e4a3860c11..799148902b5c 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 556922 BLAKE2B 4af97573db7aa951e408380dafaf4564604dab984a92046d73d1682616bf5972d8277f1ff5a139ca402707c848cbc37c64071d88cba8e2a217aa0fa1c81922f9 SHA512 ff2c1ae85d7fd96100abd1ac489ec14ce252228d4d7f01d4cc15ce1d273416a97c18a8c2879acb4b68cc91a2cec9f67808cb86557333ea7c653ae804465d62e0
-TIMESTAMP 2023-12-23T07:10:06Z
+MANIFEST Manifest.files.gz 557720 BLAKE2B 1bc79beb7b22c2ce6b80e7677302891c872d6ac116096c06d9dbba6d7683aec51bbbcefe97cf8126dd25818fe0c936a6b25df9e1c8c1be9da6a5c9580fff46e2 SHA512 273602eb349fcbbef4c2202ec5c33b66d702f53716aad3f0abfbf14db5c7ba667dd6fefa620e348109b82427555dd8d45ab0b261320d92f551c7162d8f78de5f
+TIMESTAMP 2023-12-23T13:10:02Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmWGh85fFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmWG3CpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klCN8g/+OyfRUJNtzl7mbM0UMuwHEWEqN8Y55+bG6Z+gvLI4buLIwG46AtQC5Dmw
-PiMXq1GTXXeRQLqueB/QYsroFcfP+RLYcFbpRSWuV7tYYsJSHONyFHPWczU9nujy
-PpVl6GIfZYYEMfwh88kQJmsxr3GGxNPvJriMx40R6Sa5GFguxgdsMSJtCa5WROIh
-UqcMJ+8g+Yir51JptSxcpOAnf/kh3H+5MNcw+2RK25UcNSJJWgXKSDXFBrCt9hcz
-hYYtwg1hJ1sGuGa1ygajG7Ib45SAS9iDmtd3P4BP2quOeDxoSzZ0rv8P24L8mYJV
-FzaEM/3dmatzQuaCEz2OEz6Xdt/QJ7XK25DxVGIkrPvEF6KCgRPfGucwYM1HuMwf
-oUBbpD4BL6oo8nfBVavjV+416qSWXmT0WpFN5Z/D3WaWsB1YrxvZd2kzYlS+k7CD
-phhw5rIMo7GTpaZ5yrSCTZze/hil5Sfmd/4+5v0KXguQ8sEA6gCx+aACQpek7kXT
-/60ufkGTvJDyBG3PP++1V5LwC2L30Petqv1yBGFKvDSXHGJAiU6o4urxwEgOVavh
-JicbrswpZ17krdmwb3ieTUd76KZcM9uXLEyM4AUnYus7AVXehqAit9rv8Z1hRR71
-xrqy7z5YLCsqL+Ve4Y032rRflx4CHZvHgYjsv14fnWDgb7m5HyI=
-=Msrs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+=INQ4
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index fbe6d36a44bb..0bbb2a52458b 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202312-10.xml b/metadata/glsa/glsa-202312-10.xml
new file mode 100644
index 000000000000..2f3185e353ba
--- /dev/null
+++ b/metadata/glsa/glsa-202312-10.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202312-10">
+ <title>Ceph: Root Privilege Escalation</title>
+ <synopsis>A vulnerability has been found in Ceph which can lead to root privilege escalation.</synopsis>
+ <product type="ebuild">ceph</product>
+ <announced>2023-12-23</announced>
+ <revised count="1">2023-12-23</revised>
+ <bug>878277</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-cluster/ceph" auto="yes" arch="*">
+ <unaffected range="ge">17.2.6</unaffected>
+ <vulnerable range="lt">17.2.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ceph is a distributed network file system designed to provide excellent performance, reliability, and scalability.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in Ceph. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>The ceph-crash.service runs the ceph-crash Python script as root. The script is operating in the directory /var/lib/ceph/crash which is controlled by the unprivileged ceph user (ceph:ceph mode 0750). The script periodically scans for new crash directories and forwards the content via `ceph crash post`.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Ceph users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-cluster/ceph-17.2.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3650">CVE-2022-3650</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-12-23T08:04:29.237847Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-12-23T08:04:29.240199Z">graaff</metadata>
+</glsa> \ No newline at end of file
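Review bot: The `<impact>` paragraph describes the ceph-crash setup (root service scanning a directory owned by the unprivileged ceph user) but never states the consequence, so the actual impact is only implied by the title and synopsis; a closing sentence such as `A local user able to control that directory may therefore be able to escalate privileges to root.` would make the section self-contained. As a side note that applies to all five new advisories (this one and glsa-202312-11 through -14), the `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` declaration points at an external DTD over plain http; that is the established GLSA convention, but any consumer parsing these files should resolve it from a local copy with external entity loading disabled rather than fetching it at parse time.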
diff --git a/metadata/glsa/glsa-202312-11.xml b/metadata/glsa/glsa-202312-11.xml
new file mode 100644
index 000000000000..8a76344d531c
--- /dev/null
+++ b/metadata/glsa/glsa-202312-11.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202312-11">
+ <title>SABnzbd: Remote Code Execution</title>
+ <synopsis>A vulnerability has been found in SABnzbd which allows for remote code execution.</synopsis>
+ <product type="ebuild">sabnzbd</product>
+ <announced>2023-12-23</announced>
+ <revised count="1">2023-12-23</revised>
+ <bug>908032</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-nntp/sabnzbd" auto="yes" arch="*">
+ <unaffected range="ge">4.0.2</unaffected>
+ <vulnerable range="lt">4.0.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Free and easy binary newsreader with web interface.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in SABnzbd. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution with the privileges of the SABnzbd process. Exploiting the vulnerabilities requires access to the web interface. Remote exploitation is possible if users exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from `localhost`, with no authentication required for the web interface.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SABnzbd users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-nntp/sabnzbd-4.0.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34237">CVE-2023-34237</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-12-23T08:21:16.397965Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-12-23T08:21:16.402529Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202312-12.xml b/metadata/glsa/glsa-202312-12.xml
new file mode 100644
index 000000000000..2cf088a78322
--- /dev/null
+++ b/metadata/glsa/glsa-202312-12.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202312-12">
+ <title>Flatpak: Multiple Vulnerabilities</title>
+ <synopsis>Several vulnerabilities have been found in Flatpack, the worst of which lead to privilege escalation and sandbox escape.</synopsis>
+ <product type="ebuild">flatpak</product>
+ <announced>2023-12-23</announced>
+ <revised count="1">2023-12-23</revised>
+ <bug>775365</bug>
+ <bug>816951</bug>
+ <bug>831087</bug>
+ <bug>901507</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/flatpak" auto="yes" arch="*">
+ <unaffected range="ge">1.14.4</unaffected>
+ <vulnerable range="lt">1.14.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Flatpak is a Linux application sandboxing and distribution framework.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Flatpak. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Flatpak users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.14.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21381">CVE-2021-21381</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41133">CVE-2021-41133</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-43860">CVE-2021-43860</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21682">CVE-2022-21682</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28100">CVE-2023-28100</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28101">CVE-2023-28101</uri>
+ <uri>GHSA-67h7-w3jq-vh4q</uri>
+ <uri>GHSA-xgh4-387p-hqpp</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-12-23T09:05:21.412904Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-12-23T09:05:21.415262Z">graaff</metadata>
+</glsa> \ No newline at end of file
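Review bot: The `<synopsis>` misspells the product as "Flatpack" while the title, `<product>` and package name all use "Flatpak"; the line should read `<synopsis>Several vulnerabilities have been found in Flatpak, the worst of which lead to privilege escalation and sandbox escape.</synopsis>`. The two GHSA entries in `<references>` are also the only `<uri>` elements without a `link` attribute, unlike the six CVE entries above them, so they render as bare identifiers; `<uri link="https://github.com/advisories/GHSA-67h7-w3jq-vh4q">GHSA-67h7-w3jq-vh4q</uri>` and the same for `GHSA-xgh4-387p-hqpp` would keep the reference list consistent and clickable.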
diff --git a/metadata/glsa/glsa-202312-13.xml b/metadata/glsa/glsa-202312-13.xml
new file mode 100644
index 000000000000..b7e051ae5fe3
--- /dev/null
+++ b/metadata/glsa/glsa-202312-13.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202312-13">
+ <title>Gitea: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Gitea, the worst of which could result in information leakage.</synopsis>
+ <product type="ebuild">gitea</product>
+ <announced>2023-12-23</announced>
+ <revised count="1">2023-12-23</revised>
+ <bug>887825</bug>
+ <bug>891983</bug>
+ <bug>905886</bug>
+ <bug>918674</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-apps/gitea" auto="yes" arch="*">
+ <unaffected range="ge">1.20.6</unaffected>
+ <vulnerable range="lt">1.20.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Gitea is a painless self-hosted Git service.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Gitea. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Gitea users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/gitea-1.20.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3515">CVE-2023-3515</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-12-23T09:39:06.392845Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-12-23T09:39:06.395056Z">graaff</metadata>
+</glsa> \ No newline at end of file
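Review bot: The advisory tracks four `<bug>` ids but `<references>` cites a single CVE, while the `<description>` and `<impact>` text tell the reader to "review the CVE identifiers" in the plural; it looks like either identifiers for the other three bugs are missing from the reference list or the boilerplate should be singular. If the other bugs genuinely have no public identifier, a short sentence in `<impact>` saying so (rather than deferring entirely to the reference list) would let a reader judge why the worst case is rated `type="low"` despite the synopsis mentioning information leakage.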
diff --git a/metadata/glsa/glsa-202312-14.xml b/metadata/glsa/glsa-202312-14.xml
new file mode 100644
index 000000000000..d3f9f79b9353
--- /dev/null
+++ b/metadata/glsa/glsa-202312-14.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202312-14">
+ <title>FFmpeg: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilitiies have been discovered in FFmpeg, the worst of which could lead to code execution</synopsis>
+ <product type="ebuild">ffmpeg</product>
+ <announced>2023-12-23</announced>
+ <revised count="1">2023-12-23</revised>
+ <bug>795696</bug>
+ <bug>842267</bug>
+ <bug>881523</bug>
+ <bug>903805</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="media-video/ffmpeg" auto="yes" arch="*">
+ <unaffected range="ge">6.0</unaffected>
+ <unaffected range="ge">4.4.3</unaffected>
+ <vulnerable range="lt">6.0</vulnerable>
+ <vulnerable range="lt">4.4.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FFmpeg is a complete solution to record, convert and stream audio and video.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in FFmpeg. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All FFmpeg 4 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-4.4.3"
+ </code>
+
+ <p>All FFmpeg 6 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-6.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33815">CVE-2021-33815</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38171">CVE-2021-38171</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38291">CVE-2021-38291</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1475">CVE-2022-1475</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3964">CVE-2022-3964</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3965">CVE-2022-3965</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-48434">CVE-2022-48434</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-12-23T11:07:01.789201Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-12-23T11:07:01.791705Z">graaff</metadata>
+</glsa> \ No newline at end of file
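Review bot: The four range clauses under `<package name="media-video/ffmpeg">` overlap: `<vulnerable range="lt">6.0</vulnerable>` also matches every 4.4.x version that `<unaffected range="ge">4.4.3</unaffected>` marks safe, and `<vulnerable range="lt">4.4.3</vulnerable>` is then redundant with it, so whether a patched 4.4.3 install is reported as affected depends on how a consumer resolves the conflict between the clauses. If the format's per-slot qualifier on these elements is what is intended here, each unaffected/vulnerable pair should be scoped to its slot so the 4.x and 6.x branches are evaluated independently; otherwise the ranges should be rewritten so no version satisfies both an unaffected and a vulnerable clause. Separately, the `<synopsis>` has a typo and no terminating period: `<synopsis>Multiple vulnerabilities have been discovered in FFmpeg, the worst of which could lead to code execution.</synopsis>`.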
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 633b4fc98ac2..a057d352b9a2 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 23 Dec 2023 07:10:02 +0000
+Sat, 23 Dec 2023 13:09:58 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 920ff58ffd43..f144ab9f3de3 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-9f9ee310bf6c4ebf26d43ff75e027e27f23beb80 1703247114 2023-12-22T12:11:54+00:00
+054115a94fa38350f4468052ec239cbacb5b8e26 1703329649 2023-12-23T11:07:29+00:00