From 5046e96fa41cb320765bdf30253b2a98c27fe94d Mon Sep 17 00:00:00 2001
From: V3n3RiX <venerix@koprulu.sector>
Date: Sat, 18 Jan 2025 06:41:56 +0000
Subject: gentoo auto-resync : 18:01:2025 - 06:41:55

---
 metadata/glsa/Manifest           |  30 +++++++++++-----------
 metadata/glsa/Manifest.files.gz  | Bin 595076 -> 595397 bytes
 metadata/glsa/glsa-202501-02.xml |  53 +++++++++++++++++++++++++++++++++++++++
 metadata/glsa/glsa-202501-03.xml |  42 +++++++++++++++++++++++++++++++
 metadata/glsa/timestamp.chk      |   2 +-
 metadata/glsa/timestamp.commit   |   2 +-
 6 files changed, 112 insertions(+), 17 deletions(-)
 create mode 100644 metadata/glsa/glsa-202501-02.xml
 create mode 100644 metadata/glsa/glsa-202501-03.xml

(limited to 'metadata/glsa')

diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index ffb304aaac9a..e622eeb258b8 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 595076 BLAKE2B 9227ab236a3bb3f23858c767e17a9513cd0c0e76b282940d5855c7bb217f59cead2a59f0dd39f3aa278e887b5c4b9114e0c02c9c8604f5d82c14acbaa0e8a1d3 SHA512 8c24f1410b4bf7d8713e266119872ede63eebb49f85a32d13c2875e242edc2ce1ee05716986a96b3b406799ef58315cfe9e38e1e20f8ddb291032d055f3b48ad
-TIMESTAMP 2025-01-17T06:11:00Z
+MANIFEST Manifest.files.gz 595397 BLAKE2B c091fb1cccb25d1bd231a5b0eae73c055792a740c1270838b58a4ba0d2f5ea35c5e6e54eb5c05b6bd9bea0b505f30adafe1776a56002d71f5b40e012ce981b7d SHA512 7c910ee81344c6b4ed38aa01233d456284eb0d8eb9c5d9ef374de1cb430a8d188606014cf42199af90370b97a64a7f75997b53ced4abfb5e81eaa654179b37f7
+TIMESTAMP 2025-01-18T06:10:31Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmeJ9HRfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmeLRddfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klA/lQ//XuhtD25y8G0k+uQYmZ4wtQjRPlIV0FtQzhtl5ZXjlH1GAQgE4psRLBUu
-exBTbRoRl6MhgY2+aoEksXu7im98vqZSWEuZ1MgW8bL3nzsFuCR3YPqMOHPF31CA
-fx0l/eR+3cKzOAo9NMqMbgIHiUxFqSw0VgR2Z2pEj9pkG9ovKUMCmJN3oTQc1r7t
-r9wViLWngFpEi8SVfMW+SX9snutwnllEfSVrtrqZDco0Pv6XpX3EsPfKqL60fnDV
-kR5KYgNKjwyrt9OsZm2oqr3YslMRR1Hy1dshF2IH6kW0g90kNMG4h5UxO5lpTSsE
-SnrlAqVmZd78DJAd/OrX/3iEctDXiC3E0CKzSn4bz8tEeMezC/cTp/BqN1gNG0cU
-MC0RLG1Al8zJSW1e0v58o98f7DgnDU0aaoelk63tCZQJtx71GRhOPLqI6WNCkrCF
-3s3243HcOe0Ef1a3JeUxlC9lZItATj5CNrwB+/FmwzYT0w9/3WDndjcE8U66C4f1
-0AETLX1ow46gXvkNPrXdb4UbFtb7TXoCQYAHVob70obWgbZTA1emqNpirHzr4sZJ
-6p5rGt/tYtAYC9vgA68MVRFd//79AXZsje5af8DbuvGDrOKcukwh9qP9GGBd5pBD
-1G/4Adauetpx3fTel/f0S2d2AqUefQIsGwnbq1cnRka+n4d8nhY=
-=gcI9
+klBzOA//eMvhJ+Ad+UuTOcVZ+FmyGJF1Zn8CZWGc62qJMSEgY0fxfpV6EGmJJ2yf
+7nOKmDre9XUHKbZavho05i75qTCP5YQ5W63DpqzS0dqNcTb2bk4DYOVrC9kWbWE1
+tCzuIh9MQ9jCd85BV1ngs8fNKLbOoThB09OH3O5/f1bn7oYjRPFkAtVz4HIPKukv
+2w9hklBYqVj/1U1mhtAhfEB7uRfcZvzTFnQ5bTN2EpdpNS9CyM5PAShsoithNVpu
+5z//O0XkGf+2JnXaeBcBpUz/MiIp6hC3aTNBJVW+rIiJMXEOD1q7P3Q9fnwEQp2K
+Tq63d1iSfDQsxUjEZmyCGKGLWF2Gf59SvAyg1F1rRcKAPzpL9lJuUokRJHGo5Fwz
+rz2vzA/E8BdO9nnBoi2XobmZnfhWJ6sAC+ZnHbVra+dsJ61yNZ0ulfVMKZHB244/
+VW/xsRzitFt47fcUlqtTO+G/4nHpX0mQOpHCKZpAmuR8DzOn0qNL5MaveNV1NfgW
+wszZo3izUI9E39xzy0/K7jt5di+PAwzdIN5o4kSxY3qPHSIydxv0MYGm5CgwUY2x
+N5loOCzMaSYSxawpWdDa3EFLjrhsDvffpbIXEUhKYKZ65QFMwNAXBg7H4VEby6Lu
+99Um87OsydbYhqhd3Vzc7MqWD3tv19KHNYrlPzJI/xEYoXt5hfE=
+=4G2D
 -----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 056a672a6712..b3d8e25fcb38 100644
Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ
diff --git a/metadata/glsa/glsa-202501-02.xml b/metadata/glsa/glsa-202501-02.xml
new file mode 100644
index 000000000000..92666be17e69
--- /dev/null
+++ b/metadata/glsa/glsa-202501-02.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-02">
+    <title>GIMP: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in GIMP, the worst of which can lead to arbitrary code execution.</synopsis>
+    <product type="ebuild">gimp</product>
+    <announced>2025-01-17</announced>
+    <revised count="1">2025-01-17</revised>
+    <bug>845402</bug>
+    <bug>856283</bug>
+    <bug>917406</bug>
+    <access>remote</access>
+    <affected>
+        <package name="media-gfx/gimp" auto="yes" arch="*">
+            <unaffected range="ge">2.10.36</unaffected>
+            <vulnerable range="lt">2.10.36</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>GIMP is the GNU Image Manipulation Program. XCF is the native image file format used by GIMP.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in GIMP. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All GIMP users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=media-gfx/gimp-2.10.36"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30067">CVE-2022-30067</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32990">CVE-2022-32990</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44441">CVE-2023-44441</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44442">CVE-2023-44442</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44443">CVE-2023-44443</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44444">CVE-2023-44444</uri>
+        <uri>ZDI-CAN-22093</uri>
+        <uri>ZDI-CAN-22094</uri>
+        <uri>ZDI-CAN-22096</uri>
+        <uri>ZDI-CAN-22097</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-01-17T07:05:31.622583Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-01-17T07:05:31.625362Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202501-03.xml b/metadata/glsa/glsa-202501-03.xml
new file mode 100644
index 000000000000..63c8aa14428d
--- /dev/null
+++ b/metadata/glsa/glsa-202501-03.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-03">
+    <title>pip: arbitrary configuration injection</title>
+    <synopsis>A vulnerability has been discovered in pip, which could lead to arbitrary configuration options being injected.</synopsis>
+    <product type="ebuild">pip</product>
+    <announced>2025-01-17</announced>
+    <revised count="1">2025-01-17</revised>
+    <bug>918427</bug>
+    <access>local</access>
+    <affected>
+        <package name="dev-python/pip" auto="yes" arch="*">
+            <unaffected range="ge">23.3</unaffected>
+            <vulnerable range="lt">23.3</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>pip is a tool for installing and managing Python packages.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in pip. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>When installing a package from a Mercurial VCS URL  (ie &#34;pip install hg+...&#34;), the specified Mercurial revision could be used to inject arbitrary configuration options to the &#34;hg clone&#34; call (ie &#34;--config&#34;). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren&#39;t installing from Mercurial.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All pip users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-python/pip-23.3"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5752">CVE-2023-5752</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-01-17T07:08:02.410954Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-01-17T07:08:02.413296Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 2b4cb7c88c35..12235ef16a68 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Fri, 17 Jan 2025 06:10:57 +0000
+Sat, 18 Jan 2025 06:10:27 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 405752cc0ae4..0ddec9db69c6 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-889122c49e5c31f1eef3898e4cc046b7dc7e71e3 1736961519 2025-01-15T17:18:39Z
+2bebd1f6ef19542db597ac157cb68c5918ce711d 1737097690 2025-01-17T07:08:10Z
-- 
cgit v1.2.3