From 519e4d5d99fc43d5c9a038098c029dc4ef9d6792 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Sun, 12 Nov 2017 16:49:02 +0000 Subject: gentoo resync : 12.11.2017 --- metadata/glsa/glsa-201711-01.xml | 82 ++++++++++++++++ metadata/glsa/glsa-201711-02.xml | 80 ++++++++++++++++ metadata/glsa/glsa-201711-03.xml | 97 +++++++++++++++++++ metadata/glsa/glsa-201711-04.xml | 64 +++++++++++++ metadata/glsa/glsa-201711-05.xml | 73 +++++++++++++++ metadata/glsa/glsa-201711-06.xml | 57 ++++++++++++ metadata/glsa/glsa-201711-07.xml | 195 +++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-201711-08.xml | 65 +++++++++++++ metadata/glsa/glsa-201711-09.xml | 50 ++++++++++ metadata/glsa/glsa-201711-10.xml | 58 ++++++++++++ metadata/glsa/timestamp.chk | 2 +- metadata/glsa/timestamp.commit | 2 +- 12 files changed, 823 insertions(+), 2 deletions(-) create mode 100644 metadata/glsa/glsa-201711-01.xml create mode 100644 metadata/glsa/glsa-201711-02.xml create mode 100644 metadata/glsa/glsa-201711-03.xml create mode 100644 metadata/glsa/glsa-201711-04.xml create mode 100644 metadata/glsa/glsa-201711-05.xml create mode 100644 metadata/glsa/glsa-201711-06.xml create mode 100644 metadata/glsa/glsa-201711-07.xml create mode 100644 metadata/glsa/glsa-201711-08.xml create mode 100644 metadata/glsa/glsa-201711-09.xml create mode 100644 metadata/glsa/glsa-201711-10.xml (limited to 'metadata/glsa') diff --git a/metadata/glsa/glsa-201711-01.xml b/metadata/glsa/glsa-201711-01.xml new file mode 100644 index 000000000000..7ca8635c8541 --- /dev/null +++ b/metadata/glsa/glsa-201711-01.xml @@ -0,0 +1,82 @@ + + + + libxml2: Multiple vulnerabilities + Multiple vulnerabilities have been found in libxml2, the worst of + which could result in the execution of arbitrary code. + + libxml2 + 2017-11-10 + 2017-11-10: 2 + 599192 + 605208 + 618604 + 622914 + 623206 + remote + + + 2.9.4-r3 + 2.9.4-r3 + + + +

libxml2 is the XML (eXtended Markup Language) C parser and toolkit + initially developed for the Gnome project. +

+ + +

Multiple vulnerabilities have been discovered in libxml2. Please review + the CVE identifiers referenced below for details. +

+ + +

A remote attacker, by enticing a user to process a specially crafted XML + document, could remotely execute arbitrary code, conduct XML External + Entity (XXE) attacks, or cause a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All libxml2 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.9.4-r3" + + +

Packages which depend on this library may need to be recompiled. Tools + such as revdep-rebuild may assist in identifying some of these packages. +

+ + + + CVE-2016-9318 + + + CVE-2017-0663 + + + CVE-2017-5969 + + + CVE-2017-7375 + + + CVE-2017-9047 + + + CVE-2017-9048 + + + CVE-2017-9049 + + + CVE-2017-9050 + + + chrisadr + b-man + diff --git a/metadata/glsa/glsa-201711-02.xml b/metadata/glsa/glsa-201711-02.xml new file mode 100644 index 000000000000..5b92f5baab49 --- /dev/null +++ b/metadata/glsa/glsa-201711-02.xml @@ -0,0 +1,80 @@ + + + + Chromium, Google Chrome: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which could result in the execution of arbitrary code. + + chromium,google-chrome + 2017-11-10 + 2017-11-10: 2 + 635556 + 636800 + remote + + + 62.0.3202.89 + 62.0.3202.89 + + + 62.0.3202.89 + 62.0.3202.89 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+ +

Google Chrome is one fast, simple, and secure browser for all your + devices +

+ + +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the referenced CVE identifier and Google Chrome + Releases for details. +

+ + +

A remote attack may be able to execute arbitrary code, cause a Denial of + Service condition, or have other unspecified impacts. +

+ + +

There is no known workaround at this time.

+ + +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-62.0.3202.89" + + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-62.0.3202.89" + + + + + CVE-2017-15396 + + + Google Chrome Releases + + + CVE-2017-15398 + + + CVE-2017-15399 + + + b-man + b-man + diff --git a/metadata/glsa/glsa-201711-03.xml b/metadata/glsa/glsa-201711-03.xml new file mode 100644 index 000000000000..f66a488b6950 --- /dev/null +++ b/metadata/glsa/glsa-201711-03.xml @@ -0,0 +1,97 @@ + + + + hostapd and wpa_supplicant: Key Reinstallation (KRACK) attacks + A flaw was discovered in the 4-way handshake in hostapd and + wpa_supplicant that allows attackers to conduct a Man in the Middle attack. + + hostapd,wpa_supplicant + 2017-11-10 + 2017-11-10: 1 + 634436 + 634438 + local, remote + + + 2.6-r1 + 2.6-r1 + + + 2.6-r3 + 2.6-r3 + + + +

wpa_supplicant is a WPA Supplicant with support for WPA and WPA2 (IEEE + 802.11i / RSN). hostapd is a user space daemon for access point and + authentication servers. +

+ + +

WiFi Protected Access (WPA and WPA2) and it’s associated technologies + are all vulnerable to the KRACK attacks. Please review the referenced CVE + identifiers for details. +

+ + +

An attacker can carry out the KRACK attacks on a wireless network in + order to gain access to network clients. Once achieved, the attacker can + potentially harvest confidential information (e.g. HTTP/HTTPS), inject + malware, or perform a myriad of other attacks. +

+ + +

There is no known workaround at this time.

+ + +

All hostapd users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/hostapd-2.6-r1" + + +

All wpa_supplicant users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=net-wireless/wpa_supplicant-2.6-r3" + + + + + CVE-2017-13077 + + + CVE-2017-13078 + + + CVE-2017-13079 + + + CVE-2017-13080 + + + CVE-2017-13081 + + + CVE-2017-13082 + + + CVE-2017-13084 + + + CVE-2017-13086 + + + CVE-2017-13087 + + + CVE-2017-13088 + + KRACK Attacks Website + + whissi + b-man + diff --git a/metadata/glsa/glsa-201711-04.xml b/metadata/glsa/glsa-201711-04.xml new file mode 100644 index 000000000000..146b32e40cb1 --- /dev/null +++ b/metadata/glsa/glsa-201711-04.xml @@ -0,0 +1,64 @@ + + + + MariaDB, MySQL: Root privilege escalation + A vulnerability was discovered in MariaDB and MySQL which may allow + local users to gain root privileges. + + mariadb,mysql + 2017-11-10 + 2017-11-10: 1 + 635704 + 635706 + remote + + + 10.0.30-r1 + 10.0.30-r1 + + + 5.6.36-r1 + 5.6.36-r1 + + + +

MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an + enhanced, drop-in replacement for MySQL. +

+ + +

The Gentoo installation scripts before 2017-09-29 have chown calls for + user-writable directory trees, which allows local users to gain + privileges by leveraging access to the mysql account for creation of a + link. +

+ + +

A local attacker could escalate privileges to root.

+ + +

There is no known workaround at this time.

+ + +

All MariaDB users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.0.30-r1" + + +

All MySQL users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.36-r1" + + + + + CVE-2017-15945 + + + whissi + b-man + diff --git a/metadata/glsa/glsa-201711-05.xml b/metadata/glsa/glsa-201711-05.xml new file mode 100644 index 000000000000..de0fba5f460c --- /dev/null +++ b/metadata/glsa/glsa-201711-05.xml @@ -0,0 +1,73 @@ + + + + X.Org Server: Multiple vulnerabilities + Multiple vulnerabilities have been found in X.Org Server, the worst + of which could allow an attacker to execute arbitrary code. + + xorg-server + 2017-11-10 + 2017-11-10: 1 + 635974 + remote + + + 1.19.5 + 1.19.5 + + + +

The X.Org project provides an open source implementation of the X Window + System. +

+ + +

Multiple vulnerabilities have been discovered in X.Org Server. Please + review the referenced CVE identifiers for details. +

+ + +

Attackers could execute arbitrary code or cause a Denial of Service + condition. +

+ + +

There is now know workaround at this time.

+ + +

All X.Org Server users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.19.5" + + + + + CVE-2017-12176 + + + CVE-2017-12177 + + + CVE-2017-12178 + + + CVE-2017-12179 + + + CVE-2017-12180 + + + CVE-2017-12181 + + + CVE-2017-12182 + + + CVE-2017-12183 + + + jmbailey + jmbailey + diff --git a/metadata/glsa/glsa-201711-06.xml b/metadata/glsa/glsa-201711-06.xml new file mode 100644 index 000000000000..d03d850a7c94 --- /dev/null +++ b/metadata/glsa/glsa-201711-06.xml @@ -0,0 +1,57 @@ + + + + GNU Wget: Multiple vulnerabilities + Multiple vulnerabilities have been found in Wget, the worst of + which could allow remote attackers to execute arbitrary code. + + wget + 2017-11-11 + 2017-11-11: 1 + 635496 + remote + + + 1.19.1-r2 + 1.19.1-r2 + + + +

GNU Wget is a free software package for retrieving files using HTTP, + HTTPS and FTP, the most widely-used Internet protocols. +

+ + + +

Multiple vulnerabilities have been discovered in Wget. Please review the + referenced CVE identifiers for details. +

+ + +

A remote attacker, by enticing a user to connect to a malicious server, + could remotely execute arbitrary code or cause a Denial of Service + condition. +

+ + +

There is no known workaround at this time.

+ + +

All Wget users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/wget-1.19.1-r2" + + + + + CVE-2017-13089 + + + CVE-2017-13090 + + + jmbailey + jmbailey + diff --git a/metadata/glsa/glsa-201711-07.xml b/metadata/glsa/glsa-201711-07.xml new file mode 100644 index 000000000000..dda1ff9a47fe --- /dev/null +++ b/metadata/glsa/glsa-201711-07.xml @@ -0,0 +1,195 @@ + + + + ImageMagick: Multiple vulnerabilities + Multiple vulnerabilities have been found in ImageMagick, the worst + of which may allow remote attackers to cause a Denial of Service condition. + + imagemagick + 2017-11-11 + 2017-11-11: 1 + 626454 + 626906 + 627036 + 628192 + 628490 + 628646 + 628650 + 628700 + 628702 + 629354 + 629482 + 629576 + 629932 + 630256 + 630458 + 630674 + 635200 + 635664 + 635666 + remote + + + 6.9.9.20 + 6.9.9.20 + + + +

A collection of tools and libraries for many image formats.

+ + +

Multiple vulnerabilities have been discovered in ImageMagick. Please + review the referenced CVE identifiers for details. +

+ + +

Remote attackers, by enticing a user to process a specially crafted + file, could obtain sensitive information, cause a Denial of Service + condition, or have other unspecified impacts. +

+ + +

There is no known workaround at this time.

+ + +

All ImageMagick users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.9.9.20" + + + + + CVE-2017-11640 + + + CVE-2017-11724 + + + CVE-2017-12140 + + + CVE-2017-12418 + + + CVE-2017-12427 + + + CVE-2017-12691 + + + CVE-2017-12692 + + + CVE-2017-12693 + + + CVE-2017-12876 + + + CVE-2017-12877 + + + CVE-2017-12983 + + + CVE-2017-13058 + + + CVE-2017-13059 + + + CVE-2017-13060 + + + CVE-2017-13061 + + + CVE-2017-13062 + + + CVE-2017-13131 + + + CVE-2017-13132 + + + CVE-2017-13133 + + + CVE-2017-13134 + + + CVE-2017-13139 + + + CVE-2017-13140 + + + CVE-2017-13141 + + + CVE-2017-13142 + + + CVE-2017-13143 + + + CVE-2017-13144 + + + CVE-2017-13145 + + + CVE-2017-13146 + + + CVE-2017-13758 + + + CVE-2017-13768 + + + CVE-2017-13769 + + + CVE-2017-14060 + + + CVE-2017-14137 + + + CVE-2017-14138 + + + CVE-2017-14139 + + + CVE-2017-14172 + + + CVE-2017-14173 + + + CVE-2017-14174 + + + CVE-2017-14175 + + + CVE-2017-14224 + + + CVE-2017-14248 + + + CVE-2017-14249 + + + CVE-2017-15281 + + + jmbailey + jmbailey + diff --git a/metadata/glsa/glsa-201711-08.xml b/metadata/glsa/glsa-201711-08.xml new file mode 100644 index 000000000000..b02d041603ad --- /dev/null +++ b/metadata/glsa/glsa-201711-08.xml @@ -0,0 +1,65 @@ + + + + LibXfont, LibXfont2: Multiple vulnerabilities + Multiple vulnerabilities have been found in LibXfont and Libxfont2, + the worst of which could allow attackers to cause a Denial of Service + condition. + + libxfont,libxfont2 + 2017-11-11 + 2017-11-11: 1 + 634044 + local + + + 2.0.2 + 2.0.2 + + + 1.5.3 + 1.5.3 + + + +

X.Org Xfont library

+ + +

Multiple vulnerabilities have been discovered in LibXfont and LibXfont2. + Please review the referenced CVE identifiers for details. +

+ + +

Local attackers could obtain sensitive information or possibly cause a + Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All LibXfont2 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libXfont2-2.0.2" + + +

All LibXfont users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.5.3" + + + + + CVE-2017-13720 + + + CVE-2017-13722 + + + jmbailey + jmbailey + diff --git a/metadata/glsa/glsa-201711-09.xml b/metadata/glsa/glsa-201711-09.xml new file mode 100644 index 000000000000..74aeece40ac9 --- /dev/null +++ b/metadata/glsa/glsa-201711-09.xml @@ -0,0 +1,50 @@ + + + + LXC: Remote security bypass + A vulnerability in LXC may lead to an unauthorized security bypass. + lxc + 2017-11-11 + 2017-11-11: 1 + 636386 + remote + + + 2.0.7 + 2.0.7 + + + +

LinuX Containers userspace utilities

+ + +

Previous versions of lxc-attach ran a shell or the specified command + without allocating a pseudo terminal making it vulnerable to input faking + via a TIOCSTI ioctl call. +

+ + +

Remote attackers can escape the container and perform unauthorized + modifications. +

+ + +

There is no know workaround at this time.

+ + +

All LXC users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/lxc-2.0.7" + + + + + + CVE-2016-10124 + + + jmbailey + jmbailey + diff --git a/metadata/glsa/glsa-201711-10.xml b/metadata/glsa/glsa-201711-10.xml new file mode 100644 index 000000000000..20a92dda7718 --- /dev/null +++ b/metadata/glsa/glsa-201711-10.xml @@ -0,0 +1,58 @@ + + + + Cacti: Multiple vulnerabilities + Multiple vulnerabilities have been found in Cacti, the worst of + which could lead to the remote execution of arbitrary code. + + cacti + 2017-11-11 + 2017-11-11: 1 + 607732 + 626828 + remote + + + 1.1.20 + 1.1.20 + + + +

Cacti is a complete frontend to rrdtool.

+ + +

Multiple vulnerabilities have been discovered in Cacti. Please review + the CVE identifiers referenced below for details. +

+ + +

Remote attackers could execute arbitrary code or bypass intended access + restrictions. +

+ + +

There is no known workaround at this time.

+ + +

All Cacti users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=net-analyzer/cacti-1.1.20:1.1.20" + + + + + CVE-2014-4000 + + + CVE-2016-2313 + + + CVE-2017-12065 + + + jmbailey + jmbailey + diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index bef73a1adb24..48e2af0c46b1 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Thu, 09 Nov 2017 23:40:24 +0000 +Sun, 12 Nov 2017 04:09:03 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 3a85cafb79b7..e0857bc083f2 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -a3bfb3d4e245b9bc89b32be1e708c2ef1dd05b93 1509318312 2017-10-29T23:05:12+00:00 +711052638906820458ee7059a25ac28c7e04ad40 1510430325 2017-11-11T19:58:45+00:00 -- cgit v1.2.3