summaryrefslogtreecommitdiff
path: root/metadata/glsa
diff options
context:
space:
mode:
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin485271 -> 486217 bytes
-rw-r--r--metadata/glsa/glsa-202009-13.xml74
-rw-r--r--metadata/glsa/glsa-202009-14.xml61
-rw-r--r--metadata/glsa/glsa-202009-15.xml50
-rw-r--r--metadata/glsa/glsa-202009-16.xml52
-rw-r--r--metadata/glsa/glsa-202009-17.xml48
-rw-r--r--metadata/glsa/glsa-202009-18.xml71
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
10 files changed, 373 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index eede2bc1bc2a..27b24e14f18c 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 485271 BLAKE2B 4eb8988705304f2e383081a3133de4ec8449e5f0f46de62a4f4c2c2af6353817ee8ec26fe0ae3fd4c8426b8050e7c0de9c3059ab313f7900ebd16aafc208995f SHA512 fa3aa9f4ae7a8c7e47f52390c6374a7742be939c44aa7705cde67726e11710429dacc0c2688d754eb68f752d311d29aaf6454c0cefcd866c171ec1f1a33d76df
-TIMESTAMP 2020-09-23T21:38:30Z
+MANIFEST Manifest.files.gz 486217 BLAKE2B a2e8388c21e11622400955df84cf5750d3dc1ed97260561adcf8593401f8ff3776aefdf5d04f851eb00ee9174b5b2687221348810862c270d26525ad93d576a6 SHA512 b61762e35911592950f03484850ed8e6736359d874b45a8dc2f8c3e462bef78fc8623da4842eeba0a994b89218e6ced81235ec4b0d1cee904aa59dd83fa038b1
+TIMESTAMP 2020-09-30T15:38:36Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl9rwFZfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl90pnxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klCkvg/9GqU7PqhiUj/jHu50sSnjG7fROWk9HPkbQYV/eNrv6GS/dAXuyNlem1Bm
-I8OzOjOW2cQgkyojFvjdDz/VEBVxaUoF+w9yxwyMoLBEym/QXmq9UrG35MIPo/j5
-RbXaQmUsf1QwdZ64AYpSsmCo7l1i7dqaiLpkIGpGdkZxN69OCiCthNk/WovGY3zy
-5vHo2JwljJ9RJzXyrRZSAyGOAdAHB+IOsIVkWiP/XlpFlulGZImN8STTO0irVwQ3
-MZ9WzpjdjsTypz+k6pvCLrgDDQl9hwo0+MI58TWvzHiQA+6dHrWDL6KrHp1fMLEM
-tn5ILsmHu5v93jGaCaID5BEi98slgup9XBdXzGTW9ZnXuNkRkvT/sI/yiyxCgGki
-ChvonvsrD/tXVCVFgWJ+drStZUAsxGiM7ELn72vdMgzBw7uZQA2b2oLcvUfuC6Qz
-haj0Uhb0cycrpa10Rn8n7/ACuK6qsTS2voIxwTfw20X/ZVIHinyO1jVlVHavw/Pf
-2ybnnlRoFVaPbuiiutkupUYUVPdDlUPf8XAySI55vMD0GCmga66mS7P2JQNwwvoQ
-pJm6tBpHnzIXEbxZNkfDvOiKJ3RKnH+inPgsM/i7Wv5OJ2Aje6iSd+/jPNc56Aiz
-6amqzGLhWgf3BjJsjXPmmqvCc1fC0bcvEfUo4cZxHU7DKUqSpFQ=
-=lcFW
+klB6yxAAmUaNNp1dEV1oQioyfUW4M7TTIAN67TaCYpBpi4b3zo83udZ72Ciuc8jN
+gCo9FLvu2L2i5dUZbm4v7+1lpyz63ZduGxqo4gnhxaLx8CXHnOm/aaTYfKVaBj5Z
+o3BCJEwYZQdIMR8teZLTscsUJsi3wuOQNmOnxnFAmthTj8O1TR4i3qfZnStGDQ6l
++2IKHY9kdpvbZLenSkoftv8nVI8SC/qAutL9BDsCD6aYhndSLgP/Dy3z7J/nxJDs
+varjiOBuwms7lnXKka6NAH7OkSbJ6+nyE231Ea92yK9z1hg2N2+C2MZVA/vIIJTA
+JEWz+RnoVvB8EnjeV78MuZvfhV8RDDZQz7uJ/N8emgMQLvQiA4vtxX0d6tGgKhQo
+dYqhXahoAwrnqTqDRxIrdtzLfQmuWiVEBSexWg485z/GjKD1cXdAEDwjmEC3QgeW
+yuaxF6hdpjpFpaduFz74vq1R12g/G8zu0XCklhNZ4R+6WZi25l2KI3WZFzDsBFV1
+KaKubf1j8ci4VUcplDKVSjQaqeyHzlVbOHourAcOpdsayCHIFOgcAqWX1tl8GztN
+ljBLQ8yBQxaYwffo4GvpDOTK4ugxBRR9LS+lCmFUhTPT3aS/HQUyJcI7eBpLH6QC
+s6e9tkhiMqfmdvNKUGmhun1wPf6jJwYjmDonwjDCod+3EBgTsP0=
+=O4C1
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 3bdc6fcc838a..57704eac4cbc 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202009-13.xml b/metadata/glsa/glsa-202009-13.xml
new file mode 100644
index 000000000000..163c6c7718e7
--- /dev/null
+++ b/metadata/glsa/glsa-202009-13.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202009-13">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromiun and Google
+ Chrome, the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">chromium,google-chrome</product>
+ <announced>2020-09-29</announced>
+ <revised count="1">2020-09-29</revised>
+ <bug>744007</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">85.0.4183.121</unaffected>
+ <vulnerable range="lt">85.0.4183.121</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">85.0.4183.121</unaffected>
+ <vulnerable range="lt">85.0.4183.121</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/chromium-85.0.4183.121"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/google-chrome-85.0.4183.121"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15960">CVE-2020-15960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15961">CVE-2020-15961</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15962">CVE-2020-15962</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15963">CVE-2020-15963</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15964">CVE-2020-15964</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15965">CVE-2020-15965</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15966">CVE-2020-15966</uri>
+ <uri link="https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop_21.html">
+ Upstream advisory
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-09-23T03:40:44Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-09-29T18:05:33Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202009-14.xml b/metadata/glsa/glsa-202009-14.xml
new file mode 100644
index 000000000000..e7f29aeae16a
--- /dev/null
+++ b/metadata/glsa/glsa-202009-14.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202009-14">
+ <title>Xen: Buffer overflow</title>
+ <synopsis>A buffer overflow in Xen might allow remote attacker(s) to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">xen</product>
+ <announced>2020-09-29</announced>
+ <revised count="1">2020-09-29</revised>
+ <bug>738040</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-emulation/xen" auto="yes" arch="*">
+ <unaffected range="ge">4.13.1-r3</unaffected>
+ <vulnerable range="lt">4.13.1-r3</vulnerable>
+ </package>
+ <package name="app-emulation/xen-tools" auto="yes" arch="*">
+ <unaffected range="ge">4.13.1-r3</unaffected>
+ <vulnerable range="lt">4.13.1-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Xen is a bare-metal hypervisor.</p>
+ </background>
+ <description>
+ <p>An out-of-bounds read/write access issue was found in the USB emulator
+ when using QEMU.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Xen users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.13.1-r3"
+ </code>
+
+ <p>All Xen tools users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=app-emulation/xen-tools-4.13.1-r3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14364">CVE-2020-14364</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-335.html">XSA-335</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-09-23T03:24:25Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-09-29T18:05:39Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202009-15.xml b/metadata/glsa/glsa-202009-15.xml
new file mode 100644
index 000000000000..8fb1616dfeff
--- /dev/null
+++ b/metadata/glsa/glsa-202009-15.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202009-15">
+ <title>libuv: Buffer overflow</title>
+ <synopsis>A buffer overflow in libuv might allow remote attacker(s) to
+ execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">libuv</product>
+ <announced>2020-09-29</announced>
+ <revised count="1">2020-09-29</revised>
+ <bug>742890</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/libuv" auto="yes" arch="*">
+ <unaffected range="ge">1.39.0</unaffected>
+ <vulnerable range="lt">1.39.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libuv is a multi-platform support library with a focus on asynchronous
+ I/O.
+ </p>
+ </background>
+ <description>
+ <p>libuv used an incorrect buffer size for paths, causing a buffer
+ overflow.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libuv users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-libs/libuv-1.39.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8252">CVE-2020-8252</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-09-23T13:49:20Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-09-29T18:05:50Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202009-16.xml b/metadata/glsa/glsa-202009-16.xml
new file mode 100644
index 000000000000..f58afe91c747
--- /dev/null
+++ b/metadata/glsa/glsa-202009-16.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202009-16">
+ <title>LinuxCIFS: Shell injection</title>
+ <synopsis>A vulnerability in LinuxCIFS may allow a remote code execution via
+ a command line option.
+ </synopsis>
+ <product type="ebuild">LinuxCIFS</product>
+ <announced>2020-09-29</announced>
+ <revised count="1">2020-09-29</revised>
+ <bug>743211</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-fs/cifs-utils" auto="yes" arch="*">
+ <unaffected range="ge">6.11</unaffected>
+ <vulnerable range="lt">6.11</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The LinuxCIFS utils are a collection of tools for managing Linux CIFS
+ Client Filesystems.
+ </p>
+ </background>
+ <description>
+ <p>The mount.cifs utility had a shell injection issue where one can embed
+ shell commands via the username mount option. Those commands will be run
+ via popen() in the context of the user calling mount.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to use a specially crafted
+ argument using mount.cifs, possibly resulting in execution of arbitrary
+ code with the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All LinuxCIFS users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-fs/cifs-utils-6.11"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14342">CVE-2020-14342</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-09-20T13:02:21Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-09-29T18:06:06Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202009-17.xml b/metadata/glsa/glsa-202009-17.xml
new file mode 100644
index 000000000000..408f401fbb95
--- /dev/null
+++ b/metadata/glsa/glsa-202009-17.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202009-17">
+ <title>gpsd: Arbitrary code execution</title>
+ <synopsis>A vulnerability in gpsd could allow remote code execution.</synopsis>
+ <product type="ebuild">gpsd</product>
+ <announced>2020-09-29</announced>
+ <revised count="1">2020-09-29</revised>
+ <bug>743766</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sci-geosciences/gpsd" auto="yes" arch="*">
+ <unaffected range="ge">3.18</unaffected>
+ <vulnerable range="lt">3.18</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>gpsd is a GPS daemon and library for USB/serial GPS devices and
+ GPS/mapping clients.
+ </p>
+ </background>
+ <description>
+ <p>A stack-based buffer overflow was discovered in gpsd on port 2947/TCP or
+ crafted JSON inputs.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All gpsd users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=sci-geosciences/gpsd-3.18"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17937">CVE-2018-17937</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-09-25T20:46:53Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-09-29T18:06:31Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202009-18.xml b/metadata/glsa/glsa-202009-18.xml
new file mode 100644
index 000000000000..024a1e62ea62
--- /dev/null
+++ b/metadata/glsa/glsa-202009-18.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202009-18">
+ <title>Bitcoin: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Bitcoin, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">bitcoin</product>
+ <announced>2020-09-30</announced>
+ <revised count="1">2020-09-30</revised>
+ <bug>711198</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-p2p/bitcoind" auto="yes" arch="*">
+ <unaffected range="ge">0.20.1</unaffected>
+ <vulnerable range="lt">0.20.1</vulnerable>
+ </package>
+ <package name="net-p2p/bitcoin-qt" auto="yes" arch="*">
+ <unaffected range="ge">0.20.1</unaffected>
+ <vulnerable range="lt">0.20.1</vulnerable>
+ </package>
+ <package name="net-p2p/bitcoin-cli" auto="yes" arch="*">
+ <unaffected range="ge">0.20.1</unaffected>
+ <vulnerable range="lt">0.20.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Bitcoin Core consists of both “full-node” software for fully
+ validating the blockchain as well as a bitcoin wallet.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Bitcoin. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All bitcoind users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-p2p/bitcoind-0.20.1"
+ </code>
+
+ <p>All bitcoin-qt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-p2p/bitcoin-qt-0.20.1"
+ </code>
+
+ <p>All bitcoin-cli users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-p2p/bitcoin-cli-0.20.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15947">CVE-2019-15947</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14198">CVE-2020-14198</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-09-18T00:17:00Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-09-30T00:20:42Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index b272585312a4..ef606278e760 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Wed, 23 Sep 2020 21:38:27 +0000
+Wed, 30 Sep 2020 15:38:33 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index fd63cfbeda80..25e643fc27d2 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-7204454a89cbf14c4905c5fdedcd66553a95e8aa 1600040174 2020-09-13T23:36:14+00:00
+785de3f76c77159a620986af784b88d221fb335c 1601425319 2020-09-30T00:21:59+00:00