From 623ee73d661e5ed8475cb264511f683407d87365 Mon Sep 17 00:00:00 2001 
From: V3n3RiX Date: Sun, 12 Apr 2020 03:41:30 +0100 Subject: gentoo Easter resync : 12.04.2020 --- metadata/glsa/Manifest | 30 ++++---- metadata/glsa/Manifest.files.gz | Bin 450288 -> 462212 bytes metadata/glsa/glsa-201807-03.xml | 2 +- metadata/glsa/glsa-201807-04.xml | 2 +- metadata/glsa/glsa-202003-01.xml | 48 ++++++++++++ metadata/glsa/glsa-202003-02.xml | 104 ++++++++++++++++++++++++++ metadata/glsa/glsa-202003-03.xml | 102 +++++++++++++++++++++++++ metadata/glsa/glsa-202003-04.xml | 65 ++++++++++++++++ metadata/glsa/glsa-202003-05.xml | 53 +++++++++++++ metadata/glsa/glsa-202003-06.xml | 65 ++++++++++++++++ metadata/glsa/glsa-202003-07.xml | 52 +++++++++++++ metadata/glsa/glsa-202003-08.xml | 156 +++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-202003-09.xml | 56 ++++++++++++++ metadata/glsa/glsa-202003-10.xml | 106 ++++++++++++++++++++++++++ metadata/glsa/glsa-202003-11.xml | 42 +++++++++++ metadata/glsa/glsa-202003-12.xml | 55 ++++++++++++++ metadata/glsa/glsa-202003-13.xml | 53 +++++++++++++ metadata/glsa/glsa-202003-14.xml | 53 +++++++++++++ metadata/glsa/glsa-202003-15.xml | 54 ++++++++++++++ metadata/glsa/glsa-202003-16.xml | 52 +++++++++++++ metadata/glsa/glsa-202003-17.xml | 55 ++++++++++++++ metadata/glsa/glsa-202003-18.xml | 52 +++++++++++++ metadata/glsa/glsa-202003-19.xml | 50 +++++++++++++ metadata/glsa/glsa-202003-20.xml | 48 ++++++++++++ metadata/glsa/glsa-202003-21.xml | 56 ++++++++++++++ metadata/glsa/glsa-202003-22.xml | 94 +++++++++++++++++++++++ metadata/glsa/glsa-202003-23.xml | 51 +++++++++++++ metadata/glsa/glsa-202003-24.xml | 50 +++++++++++++ metadata/glsa/glsa-202003-25.xml | 58 +++++++++++++++ metadata/glsa/glsa-202003-26.xml | 87 ++++++++++++++++++++++ metadata/glsa/glsa-202003-27.xml | 50 +++++++++++++ metadata/glsa/glsa-202003-28.xml | 55 ++++++++++++++ metadata/glsa/glsa-202003-29.xml | 53 +++++++++++++ metadata/glsa/glsa-202003-30.xml | 76 +++++++++++++++++++ metadata/glsa/glsa-202003-31.xml | 55 ++++++++++++++ 
metadata/glsa/glsa-202003-32.xml | 51 +++++++++++++ metadata/glsa/glsa-202003-33.xml | 54 ++++++++++++++ metadata/glsa/glsa-202003-34.xml | 61 +++++++++++++++ metadata/glsa/glsa-202003-35.xml | 55 ++++++++++++++ metadata/glsa/glsa-202003-36.xml | 55 ++++++++++++++ metadata/glsa/glsa-202003-37.xml | 63 ++++++++++++++++ metadata/glsa/glsa-202003-38.xml | 52 +++++++++++++ metadata/glsa/glsa-202003-39.xml | 50 +++++++++++++ metadata/glsa/glsa-202003-40.xml | 54 ++++++++++++++ metadata/glsa/glsa-202003-41.xml | 48 ++++++++++++ metadata/glsa/glsa-202003-42.xml | 53 +++++++++++++ metadata/glsa/glsa-202003-43.xml | 62 ++++++++++++++++ metadata/glsa/glsa-202003-44.xml | 52 +++++++++++++ metadata/glsa/glsa-202003-45.xml | 49 ++++++++++++ metadata/glsa/glsa-202003-46.xml | 51 +++++++++++++ metadata/glsa/glsa-202003-47.xml | 52 +++++++++++++ metadata/glsa/glsa-202003-48.xml | 78 ++++++++++++++++++++ metadata/glsa/glsa-202003-49.xml | 50 +++++++++++++ metadata/glsa/glsa-202003-50.xml | 58 +++++++++++++++ metadata/glsa/glsa-202003-51.xml | 54 ++++++++++++++ metadata/glsa/glsa-202003-52.xml | 88 ++++++++++++++++++++++ metadata/glsa/glsa-202003-53.xml | 78 ++++++++++++++++++++ metadata/glsa/glsa-202003-54.xml | 52 +++++++++++++ metadata/glsa/glsa-202003-55.xml | 49 ++++++++++++ metadata/glsa/glsa-202003-56.xml | 73 ++++++++++++++++++ metadata/glsa/glsa-202003-57.xml | 78 ++++++++++++++++++++ metadata/glsa/glsa-202003-58.xml | 56 ++++++++++++++ metadata/glsa/glsa-202003-59.xml | 63 ++++++++++++++++ metadata/glsa/glsa-202003-60.xml | 60 +++++++++++++++ metadata/glsa/glsa-202003-61.xml | 52 +++++++++++++ metadata/glsa/glsa-202003-62.xml | 52 +++++++++++++ metadata/glsa/glsa-202003-63.xml | 53 +++++++++++++ metadata/glsa/glsa-202003-64.xml | 59 +++++++++++++++ metadata/glsa/glsa-202003-65.xml | 63 ++++++++++++++++ metadata/glsa/glsa-202003-66.xml | 51 +++++++++++++ metadata/glsa/glsa-202004-01.xml | 66 +++++++++++++++++ metadata/glsa/glsa-202004-02.xml | 122 
++++++++++++++++++++++++++++++ metadata/glsa/glsa-202004-03.xml | 60 +++++++++++++++ metadata/glsa/glsa-202004-04.xml | 53 +++++++++++++ metadata/glsa/glsa-202004-05.xml | 55 ++++++++++++++ metadata/glsa/glsa-202004-06.xml | 49 ++++++++++++ metadata/glsa/glsa-202004-07.xml | 64 ++++++++++++++++ metadata/glsa/glsa-202004-08.xml | 53 +++++++++++++ metadata/glsa/glsa-202004-09.xml | 97 ++++++++++++++++++++++++ metadata/glsa/timestamp.chk | 2 +- metadata/glsa/timestamp.commit | 2 +- 81 files changed, 4673 insertions(+), 19 deletions(-) create mode 100644 metadata/glsa/glsa-202003-01.xml create mode 100644 metadata/glsa/glsa-202003-02.xml create mode 100644 metadata/glsa/glsa-202003-03.xml create mode 100644 metadata/glsa/glsa-202003-04.xml create mode 100644 metadata/glsa/glsa-202003-05.xml create mode 100644 metadata/glsa/glsa-202003-06.xml create mode 100644 metadata/glsa/glsa-202003-07.xml create mode 100644 metadata/glsa/glsa-202003-08.xml create mode 100644 metadata/glsa/glsa-202003-09.xml create mode 100644 metadata/glsa/glsa-202003-10.xml create mode 100644 metadata/glsa/glsa-202003-11.xml create mode 100644 metadata/glsa/glsa-202003-12.xml create mode 100644 metadata/glsa/glsa-202003-13.xml create mode 100644 metadata/glsa/glsa-202003-14.xml create mode 100644 metadata/glsa/glsa-202003-15.xml create mode 100644 metadata/glsa/glsa-202003-16.xml create mode 100644 metadata/glsa/glsa-202003-17.xml create mode 100644 metadata/glsa/glsa-202003-18.xml create mode 100644 metadata/glsa/glsa-202003-19.xml create mode 100644 metadata/glsa/glsa-202003-20.xml create mode 100644 metadata/glsa/glsa-202003-21.xml create mode 100644 metadata/glsa/glsa-202003-22.xml create mode 100644 metadata/glsa/glsa-202003-23.xml create mode 100644 metadata/glsa/glsa-202003-24.xml create mode 100644 metadata/glsa/glsa-202003-25.xml create mode 100644 metadata/glsa/glsa-202003-26.xml create mode 100644 metadata/glsa/glsa-202003-27.xml create mode 100644 metadata/glsa/glsa-202003-28.xml 
create mode 100644 metadata/glsa/glsa-202003-29.xml create mode 100644 metadata/glsa/glsa-202003-30.xml create mode 100644 metadata/glsa/glsa-202003-31.xml create mode 100644 metadata/glsa/glsa-202003-32.xml create mode 100644 metadata/glsa/glsa-202003-33.xml create mode 100644 metadata/glsa/glsa-202003-34.xml create mode 100644 metadata/glsa/glsa-202003-35.xml create mode 100644 metadata/glsa/glsa-202003-36.xml create mode 100644 metadata/glsa/glsa-202003-37.xml create mode 100644 metadata/glsa/glsa-202003-38.xml create mode 100644 metadata/glsa/glsa-202003-39.xml create mode 100644 metadata/glsa/glsa-202003-40.xml create mode 100644 metadata/glsa/glsa-202003-41.xml create mode 100644 metadata/glsa/glsa-202003-42.xml create mode 100644 metadata/glsa/glsa-202003-43.xml create mode 100644 metadata/glsa/glsa-202003-44.xml create mode 100644 metadata/glsa/glsa-202003-45.xml create mode 100644 metadata/glsa/glsa-202003-46.xml create mode 100644 metadata/glsa/glsa-202003-47.xml create mode 100644 metadata/glsa/glsa-202003-48.xml create mode 100644 metadata/glsa/glsa-202003-49.xml create mode 100644 metadata/glsa/glsa-202003-50.xml create mode 100644 metadata/glsa/glsa-202003-51.xml create mode 100644 metadata/glsa/glsa-202003-52.xml create mode 100644 metadata/glsa/glsa-202003-53.xml create mode 100644 metadata/glsa/glsa-202003-54.xml create mode 100644 metadata/glsa/glsa-202003-55.xml create mode 100644 metadata/glsa/glsa-202003-56.xml create mode 100644 metadata/glsa/glsa-202003-57.xml create mode 100644 metadata/glsa/glsa-202003-58.xml create mode 100644 metadata/glsa/glsa-202003-59.xml create mode 100644 metadata/glsa/glsa-202003-60.xml create mode 100644 metadata/glsa/glsa-202003-61.xml create mode 100644 metadata/glsa/glsa-202003-62.xml create mode 100644 metadata/glsa/glsa-202003-63.xml create mode 100644 metadata/glsa/glsa-202003-64.xml create mode 100644 metadata/glsa/glsa-202003-65.xml create mode 100644 metadata/glsa/glsa-202003-66.xml create mode 100644 
metadata/glsa/glsa-202004-01.xml create mode 100644 metadata/glsa/glsa-202004-02.xml create mode 100644 metadata/glsa/glsa-202004-03.xml create mode 100644 metadata/glsa/glsa-202004-04.xml create mode 100644 metadata/glsa/glsa-202004-05.xml create mode 100644 metadata/glsa/glsa-202004-06.xml create mode 100644 metadata/glsa/glsa-202004-07.xml create mode 100644 metadata/glsa/glsa-202004-08.xml create mode 100644 metadata/glsa/glsa-202004-09.xml (limited to 'metadata/glsa')
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index d37d8363faf0..49bc42a5cc48 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 450288 BLAKE2B 3798da941a15fcee18382da626450662d799e35257d8ad4a0b1552a6ddaae69d623b969c7ea2a3ff528f29e7ea6067f37208f6499dc6674753bd8f0bc73ac9b6 SHA512 c989a03018fd5d5d0ec3658457962a1285eb9736eaf370cd03c34b1c2e6807a141280958db2771efc54eda1120570c478512f7e244686722c0c6fc53bcfde64c -TIMESTAMP 2020-02-29T17:08:56Z +MANIFEST Manifest.files.gz 462212 BLAKE2B 5776c6001abb402454a2b47a7b9bf3bf9047598d1aece9f78d5b9c3c27b9e2beb04358067b23d0aab0fa3a39a6704dbc7989395dc50e173ff19712be407974d6 SHA512 b5ee2fe405b23fa0d01a4455e021e430490898b9d86f37bdd8cdf6f3e1e612bc5782cde9c380e6d19690d6c9d75154b7ece632c229e69202510fa1255c1cb2a6 +TIMESTAMP 2020-04-12T01:38:57Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl5amqhfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl6ScTFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klCHfxAAmv5fe0cimS/BvBWb68hWQT6uIavQxJAUFxKYrPePg9IuJZunH8wuUJ4+ -11QC13WcNsSOH57LXwJW+3D5UcDeZjCIGbbMeRv5ZSmA6/Yyn52l+bB5rzXpX7ac -Ic92e3yodi7wdbDXHD90WM/iLSUABuLMLR798uV4Vt3/vakM15MfIERifdMXFUSN -5pAs2jXmbk+5f8kIwKCnZ+mdD1WfTRJ5q1bmAljoqqq5sbr2GRilHBdntooO1BC4 -b51CcbXLwMPOQjehZRH70aDfNYzinbAF8kmi3ADXsrpghv02GBwA0NQnfyPRc+OM -9qOOl0XoXhMj7i+rKCBWBDzXgk9MmDwe03twMSeSqiZtYcK0MMJT2QKdjw+TfJ58 -6ZbR64V3tvOL0iW6UZsqU0+4hO7q/9LMhAO70s/YHdCi+ZtPK1bz7WJpHd/4MgtV -rp0paRLbwLlp+nwuP62vBvGmZupkmj9Np1YR7/+oTc6yNhNSKn0l/E9k1k6rsZIJ -sLXi20A4H8KslGzDlDzHlOWz1gH4IccRr0gCLqhovYvPtbi5qPis+dvtfBOhJYr8 -69VpqzYyDApC8COokXla1AEc9jkg79BYvLAFav+6i6e0OYf2j/9fdmH+LKsusmhx -WG9WQUoXUE0T1X2MzeGwZMqzZzwNwOA9e7XnJz8Hk27zmmGjhYw= -=Hcmt +klA2DRAAiTm99vhWjrVbLyTspLIxWs+f341vqhSR6EQ84k1H/pKRoeywOosu+v3R +BdECknFaydhSJg47U8hdOxn3DDywQy//55TuTN40jUS/kWyrEIMhpiRz3PvIl7Gl +coLa52mwdV6GLywJKcsZwn1T0S3ttMDnmlBWn/EYnkOvbXV1vrn32obvcUbaUMMP 
+C/ha+l2syTF73FJqr1EEjzq2aFxvcJNtojuHhNqeyfwJe+PEI0juLfMehrlucSsd +7+zAk+srYuBo6p0KrOwXno5Uj4griXaT7JJhe2t78ruqwHOMwQQzF0f8l/hRHs3O +p6dKK4cyAbU03tGCfAuw9BPyCYlGCDzJbD1GPmfM5FP4ywFZxWHG+enfgoUjFwvI +Q2YiBT/sRzajy0jjbS/XZZ4CabIQPI40+WRyEatcrEx3IoiwcpMbiwngwlqVg4wf +YLAAWIGcsQiCD42TbY1UOXApUT4eVLRQHPVK/gVJGQeF8ODRh+I5Ie2kC3oi5yGN +8APaSiS1jGARXWcNc5PhVlkNUW6TtE6AWciUwVlM7S2112Hy27/2TrW4UEzHyvWX +5HMwTGblMzdSpSlerwjF2HikolBD7KbmqmFJzvPD78LbibRib2F3P+7I40v67Uoc +MP/sUqUU3ZOMwAO/YUV5tj+MDxqhESs+O/HHbXWgc89AZjGjMmk= +=PlQ9 -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index 07b7a7ec9a25..e387e538aea7 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-201807-03.xml b/metadata/glsa/glsa-201807-03.xml index f6a41e2fa62d..60ab861e112d 100644 --- a/metadata/glsa/glsa-201807-03.xml +++ b/metadata/glsa/glsa-201807-03.xml @@ -1,7 +1,7 @@ - ZNC:Multiple Vulnerabilities + ZNC: Multiple Vulnerabilities Multiple vulnerabilities have been found in ZNC, the worst of which could result in privilege escalation. diff --git a/metadata/glsa/glsa-201807-04.xml b/metadata/glsa/glsa-201807-04.xml index 38cedbc06c3c..4c7b0637d0f1 100644 --- a/metadata/glsa/glsa-201807-04.xml +++ b/metadata/glsa/glsa-201807-04.xml @@ -1,7 +1,7 @@ - cURL:Heap-based Buffer Overflow + cURL: Heap-based buffer overflow A heap-based buffer overflow in cURL might allow remote attackers to execute arbitrary code. diff --git a/metadata/glsa/glsa-202003-01.xml b/metadata/glsa/glsa-202003-01.xml new file mode 100644 index 000000000000..6a4beffcf47b --- /dev/null +++ b/metadata/glsa/glsa-202003-01.xml @@ -0,0 +1,48 @@ + + + + Groovy: Arbitrary code execution + A vulnerability within serialization might allow remote attackers + to execute arbitrary code. + + groovy + 2020-03-07 + 2020-03-12 + 605690 + remote + + + 2.4.5 + + + +

A multi-faceted language for the Java platform

+
+ +

It was discovered that there was a vulnerability within the Java + serialization/deserialization process. +

+
+ +

An attacker, by crafting a special serialized object, could execute + arbitrary code. +

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for Groovy. We recommend that users + unmerge Groovy: +

+ + + # emerge --unmerge "dev-java/groovy" + +
+ + CVE-2016-6814 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-202003-02.xml b/metadata/glsa/glsa-202003-02.xml new file mode 100644 index 000000000000..38ac4d055367 --- /dev/null +++ b/metadata/glsa/glsa-202003-02.xml @@ -0,0 +1,104 @@ + + + + Mozilla Firefox: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mozilla Firefox, the + worst of which may allow execution of arbitrary code. + + firefox + 2020-03-12 + 2020-03-12 + 702638 + 705000 + 709346 + 712182 + remote + + + 68.6.0 + 68.6.0 + + + 68.6.0 + 68.6.0 + + + +

Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. +

+
+ +

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please + review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to view a specially crafted web + page, possibly resulting in the execution of arbitrary code with the + privileges of the process or a Denial of Service condition. Furthermore, + a remote attacker may be able to perform Man-in-the-Middle attacks, + obtain sensitive information, spoof the address bar, conduct clickjacking + attacks, bypass security restrictions and protection mechanisms, or have + other unspecified impact. +

+
+ +

There is no known workaround at this time.

+
+ +

All Mozilla Firefox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-68.6.0" + + +

All Mozilla Firefox binary users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-68.6.0" + + +
+ + CVE-2019-11745 + CVE-2019-17005 + CVE-2019-17008 + CVE-2019-17010 + CVE-2019-17011 + CVE-2019-17012 + CVE-2019-17016 + CVE-2019-17017 + CVE-2019-17022 + CVE-2019-17024 + CVE-2019-17026 + CVE-2019-20503 + CVE-2020-6796 + CVE-2020-6797 + CVE-2020-6798 + CVE-2020-6799 + CVE-2020-6800 + CVE-2020-6805 + CVE-2020-6806 + CVE-2020-6807 + CVE-2020-6811 + CVE-2020-6812 + CVE-2020-6814 + + MFSA-2019-37 + + + MFSA-2020-03 + + + MFSA-2020-06 + + + MFSA-2020-09 + + + BlueKnight + BlueKnight +
diff --git a/metadata/glsa/glsa-202003-03.xml b/metadata/glsa/glsa-202003-03.xml new file mode 100644 index 000000000000..65df80e511e4 --- /dev/null +++ b/metadata/glsa/glsa-202003-03.xml @@ -0,0 +1,102 @@ + + + + PostgreSQL: Multiple vulnerabilities + Multiple vulnerabilities have been found in PostgreSQL, the worst + of which could result in the execution of arbitrary code. + + postgresql + 2020-03-12 + 2020-03-12 + 685846 + 688420 + 709708 + local, remote + + + 9.4.26 + 9.5.21 + 9.6.17 + 10.12 + 11.7 + 12.2 + 9.4.26 + 9.5.21 + 9.6.17 + 10.12 + 11.7 + 12.2 + + + +

PostgreSQL is an open source object-relational database management + system. +

+
+ +

Multiple vulnerabilities have been discovered in PostgreSQL. Please + review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, bypass certain client-side connection security + features, read arbitrary server memory, alter certain data or cause a + Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All PostgreSQL 9.4.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.26:9.4" + + +

All PostgreSQL 9.5.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.21:9.5" + + +

All PostgreSQL 9.6.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.17:9.6" + + +

All PostgreSQL 10.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.12:10" + + +

All PostgreSQL 11.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.7:11" + + +

All PostgreSQL 12.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.2:12" + +
+ + CVE-2019-10129 + CVE-2019-10130 + CVE-2019-10164 + CVE-2020-1720 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-04.xml b/metadata/glsa/glsa-202003-04.xml new file mode 100644 index 000000000000..c822e21abf22 --- /dev/null +++ b/metadata/glsa/glsa-202003-04.xml @@ -0,0 +1,65 @@ + + + + Vim, gVim: Remote execution of arbitrary code + A vulnerability has been found in Vim and gVim concerning how + certain modeline options are treated. + + vim,gvim + 2020-03-12 + 2020-03-12 + 687394 + local, remote + + + 8.1.1486 + 8.1.1486 + + + 8.1.1486 + 8.1.1486 + + + +

Vim is an efficient, highly configurable improved version of the classic + ‘vi’ text editor. gVim is the GUI version of Vim. +

+
+ +

+ It was found that the :source! command was not restricted by + the sandbox mode. If modeline was explicitly enabled, opening a specially + crafted text file in vim could result in arbitrary command execution. +

+
+ +

A remote attacker could entice a user to open a specially crafted file + using Vim or gVim, possibly resulting in execution of arbitrary code with + the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Vim users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/vim-8.1.1486" + + +

All gVim users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-editors/gvim-8.1.1486" + + +
+ + CVE-2019-12735 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-05.xml b/metadata/glsa/glsa-202003-05.xml new file mode 100644 index 000000000000..ee3c3f3c4499 --- /dev/null +++ b/metadata/glsa/glsa-202003-05.xml @@ -0,0 +1,53 @@ + + + + e2fsprogs: Arbitrary code execution + A vulnerability in e2fsprogs might allow an attacker to execute + arbitrary code. + + e2fsprogs + 2020-03-13 + 2020-03-13 + 695522 + local, remote + + + 1.45.4 + 1.45.4 + + + +

e2fsprogs is a set of utilities for maintaining the ext2, ext3 and ext4 + file systems. +

+
+ +

It was discovered that e2fsprogs incorrectly handled certain ext4 + partitions. +

+
+ +

A remote attacker could entice a user to process a specially crafted + corrupted file system using e2fsck, possibly resulting in execution of + arbitrary code with the privileges of the process or a Denial of Service + condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All e2fsprogs users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/e2fsprogs-1.45.4" + + +
+ + CVE-2019-5094 + + ackle + whissi +
diff --git a/metadata/glsa/glsa-202003-06.xml b/metadata/glsa/glsa-202003-06.xml new file mode 100644 index 000000000000..8dd5cbb7ee92 --- /dev/null +++ b/metadata/glsa/glsa-202003-06.xml @@ -0,0 +1,65 @@ + + + + Ruby: Multiple vulnerabilities + Multiple vulnerabilities have been found in Ruby, the worst of + which could lead to the remote execution of arbitrary code. + + ruby + 2020-03-13 + 2020-03-13 + 696004 + remote + + + 2.4.9 + 2.5.7 + 2.4.9 + 2.5.7 + + + +

Ruby is an interpreted object-oriented programming language. The + elaborate standard library includes an HTTP server (“WEBRick”) and a + class for XML parsing (“REXML”). +

+
+ +

Multiple vulnerabilities have been discovered in Ruby. Please review the + CVE identifiers referenced below for details. +

+
+ +

A remote attacker could execute arbitrary code, have unauthorized access + by bypassing intended path matching or cause a Denial of Service + condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Ruby 2.4.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.4.9:2.4" + + +

All Ruby 2.5.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.5.7:2.5" + + +
+ + CVE-2019-15845 + CVE-2019-16201 + CVE-2019-16254 + CVE-2019-16255 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-07.xml b/metadata/glsa/glsa-202003-07.xml new file mode 100644 index 000000000000..ef7f30132b20 --- /dev/null +++ b/metadata/glsa/glsa-202003-07.xml @@ -0,0 +1,52 @@ + + + + RabbitMQ C client: Arbitrary code execution + A vulnerability in RabbitMQ C client might allow an attacker to + execute arbitrary code. + + rabbitmq-c + 2020-03-13 + 2020-03-13 + 701810 + remote + + + 0.10.0 + 0.10.0 + + + +

A C-language AMQP client library for use with v2.0+ of the RabbitMQ + broker. +

+
+ +

It was discovered that RabbitMQ C client incorrectly handled certain + inputs. +

+
+ +

A remote attacker, by sending a specially crafted request, could + possibly execute arbitrary code with the privileges of the process or + cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All RabbitMQ C client users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/rabbitmq-c-0.10.0" + + +
+ + CVE-2019-18609 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-08.xml b/metadata/glsa/glsa-202003-08.xml new file mode 100644 index 000000000000..2860dda152c1 --- /dev/null +++ b/metadata/glsa/glsa-202003-08.xml @@ -0,0 +1,156 @@ + + + + Chromium, Google Chrome: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which could allow remote attackers to execute + arbitrary code. + + chromium,google-chrome + 2020-03-13 + 2020-03-13 + 699676 + 700588 + 702498 + 703286 + 704960 + 705638 + 708322 + 710760 + 711570 + local, remote + + + 80.0.3987.132 + 80.0.3987.132 + + + 80.0.3987.132 + 80.0.3987.132 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+ +

Google Chrome is one fast, simple, and secure browser for all your + devices. +

+
+ +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the referenced CVE identifiers and Google Chrome + Releases for details. +

+
+ +

A remote attacker could execute arbitrary code, escalate privileges, + obtain sensitive information, spoof an URL or cause a Denial of Service + condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-80.0.3987.132" + + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-80.0.3987.132" + + +
+ + CVE-2019-13723 + CVE-2019-13724 + CVE-2019-13725 + CVE-2019-13726 + CVE-2019-13727 + CVE-2019-13728 + CVE-2019-13729 + CVE-2019-13730 + CVE-2019-13732 + CVE-2019-13734 + CVE-2019-13735 + CVE-2019-13736 + CVE-2019-13737 + CVE-2019-13738 + CVE-2019-13739 + CVE-2019-13740 + CVE-2019-13741 + CVE-2019-13742 + CVE-2019-13743 + CVE-2019-13744 + CVE-2019-13745 + CVE-2019-13746 + CVE-2019-13747 + CVE-2019-13748 + CVE-2019-13749 + CVE-2019-13750 + CVE-2019-13751 + CVE-2019-13752 + CVE-2019-13753 + CVE-2019-13754 + CVE-2019-13755 + CVE-2019-13756 + CVE-2019-13757 + CVE-2019-13758 + CVE-2019-13759 + CVE-2019-13761 + CVE-2019-13762 + CVE-2019-13763 + CVE-2019-13764 + CVE-2019-13767 + CVE-2020-6377 + CVE-2020-6378 + CVE-2020-6379 + CVE-2020-6380 + CVE-2020-6381 + CVE-2020-6382 + CVE-2020-6385 + CVE-2020-6387 + CVE-2020-6388 + CVE-2020-6389 + CVE-2020-6390 + CVE-2020-6391 + CVE-2020-6392 + CVE-2020-6393 + CVE-2020-6394 + CVE-2020-6395 + CVE-2020-6396 + CVE-2020-6397 + CVE-2020-6398 + CVE-2020-6399 + CVE-2020-6400 + CVE-2020-6401 + CVE-2020-6402 + CVE-2020-6403 + CVE-2020-6404 + CVE-2020-6406 + CVE-2020-6407 + CVE-2020-6408 + CVE-2020-6409 + CVE-2020-6410 + CVE-2020-6411 + CVE-2020-6412 + CVE-2020-6413 + CVE-2020-6414 + CVE-2020-6415 + CVE-2020-6416 + CVE-2020-6418 + CVE-2020-6420 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-09.xml b/metadata/glsa/glsa-202003-09.xml new file mode 100644 index 000000000000..60427a9d7ac9 --- /dev/null +++ b/metadata/glsa/glsa-202003-09.xml @@ -0,0 +1,56 @@ + + + + OpenID library for Ruby: Server-Side Request Forgery + A vulnerability in OpenID library for Ruby at worst might allow an + attacker to bypass authentication. + + ruby-openid + 2020-03-14 + 2020-03-14 + 698464 + remote + + + 2.9.2 + 2.9.2 + + + +

A Ruby library for verifying and serving OpenID identities.

+
+ +

It was discovered that OpenID library for Ruby performed discovery + first, and then verification. +

+
+ +

A remote attacker could possibly change the URL used for discovery and + trick the server into connecting to the URL. This server in turn could be + a private server not + publicly accessible. +

+ +

In addition, if the client that uses this library discloses connection + errors, this in turn could disclose information from the private server + to the attacker. +

+
+ +

There is no known workaround at this time.

+
+ +

All ruby-openid users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/ruby-openid-2.9.2" + + +
+ + CVE-2019-11027 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-10.xml b/metadata/glsa/glsa-202003-10.xml new file mode 100644 index 000000000000..f14245582c42 --- /dev/null +++ b/metadata/glsa/glsa-202003-10.xml @@ -0,0 +1,106 @@ + + + + Mozilla Thunderbird: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mozilla Thunderbird, + the worst of which could result in the arbitrary execution of code. + + thunderbird + 2020-03-14 + 2020-03-14 + 698516 + 702638 + 709350 + 712518 + remote + + + 68.6.0 + 68.6.0 + + + 68.6.0 + 68.6.0 + + + +

Mozilla Thunderbird is a popular open-source email client from the + Mozilla project. +

+
+ +

Multiple vulnerabilities have been discovered in Mozilla Thunderbird. + Please review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker may be able to execute arbitrary code, cause a Denial + of Service condition, obtain sensitive information, or conduct Cross-Site + Request Forgery (CSRF). +

+
+ +

There is no known workaround at this time.

+
+ +

All Mozilla Thunderbird users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-68.6.0" + + +

All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=mail-client/thunderbird-bin-68.6.0" + + +
+ + + MFSA-2019-35 + + + MFSA-2019-37 + + + MFSA-2020-07 + + + MFSA-2020-10 + + CVE-2019-11745 + CVE-2019-11757 + CVE-2019-11759 + CVE-2019-11760 + CVE-2019-11761 + CVE-2019-11762 + CVE-2019-11763 + CVE-2019-11764 + CVE-2019-17005 + CVE-2019-17008 + CVE-2019-17010 + CVE-2019-17011 + CVE-2019-17012 + CVE-2019-20503 + CVE-2020-6792 + CVE-2020-6793 + CVE-2020-6794 + CVE-2020-6795 + CVE-2020-6798 + CVE-2020-6800 + CVE-2020-6805 + CVE-2020-6806 + CVE-2020-6807 + CVE-2020-6811 + CVE-2020-6812 + CVE-2020-6814 + + BlueKnight + BlueKnight +
diff --git a/metadata/glsa/glsa-202003-11.xml b/metadata/glsa/glsa-202003-11.xml new file mode 100644 index 000000000000..d8f1f2bd9813 --- /dev/null +++ b/metadata/glsa/glsa-202003-11.xml @@ -0,0 +1,42 @@ + + + + SVG Salamander: Server-Side Request Forgery + A SSRF may allow remote attackers to forge illegitimate requests. + svgsalamander + 2020-03-14 + 2020-03-14 + 607720 + remote + + + 0.0-r2 + + + +

SVG Salamander is a light weight SVG renderer and animator for Java.

+
+ +

A Server-Side Request Forgery was discovered in SVG Salamander.

+
+ +

An attacker, by sending a specially crafted SVG file, can conduct SSRF.

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for SVG Salamander. We recommend that + users unmerge SVG Salamander: +

+ + + # emerge --unmerge "dev-java/svgsalamander" + +
+ + CVE-2017-5617 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-202003-12.xml b/metadata/glsa/glsa-202003-12.xml new file mode 100644 index 000000000000..4232a5655da1 --- /dev/null +++ b/metadata/glsa/glsa-202003-12.xml @@ -0,0 +1,55 @@ + + + + sudo: Multiple vulnerabilities + Multiple vulnerabilities have been found in sudo, the worst of + which could result in privilege escalation. + + sudo + 2020-03-14 + 2020-03-14 + 697462 + 707574 + local + + + 1.8.31 + 1.8.31 + + + +

sudo (su “do”) allows a system administrator to delegate authority + to give certain users (or groups of users) the ability to run some (or + all) commands as root or another user while providing an audit trail of + the commands and their arguments. +

+
+ +

Multiple vulnerabilities have been discovered in sudo. Please review the + CVE identifiers referenced below for details. +

+
+ +

A local attacker could expose or corrupt memory information, inject code + to be run as a root user or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All sudo users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.31" + + +
+ + CVE-2019-14287 + CVE-2019-18634 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-13.xml b/metadata/glsa/glsa-202003-13.xml new file mode 100644 index 000000000000..4eabdcd70b9b --- /dev/null +++ b/metadata/glsa/glsa-202003-13.xml @@ -0,0 +1,53 @@ + + + + musl: x87 floating-point stack adjustment imbalance + An x87 stack handling error in musl might allow an attacker to have + an application dependent impact. + + musl + 2020-03-14 + 2020-03-15 + 711276 + local, remote + + + 1.1.24 + 1.1.24 + + + +

musl is an implementation of the C standard library built on top of the + Linux system call API, including interfaces defined in the base language + standard, POSIX, and widely agreed-upon extensions. +

+
+ +

A flaw in musl libc’s arch-specific math assembly code for i386 was + found which can lead to x87 stack overflow in the execution of subsequent + math code. +

+
+ +

Impact depends on how the application built against musl libc handles + the ABI-violating x87 state. +

+
+ +

There is no known workaround at this time.

+
+ +

All musl users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/musl-1.1.24" + + +
+ + CVE-2019-14697 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-14.xml b/metadata/glsa/glsa-202003-14.xml new file mode 100644 index 000000000000..a209c716b4b9 --- /dev/null +++ b/metadata/glsa/glsa-202003-14.xml @@ -0,0 +1,53 @@ + + + + atftp: Multiple vulnerabilities + Multiple vulnerabilities have been found in atftp, the worst of + which could result in the execution of arbitrary code. + + atftp + 2020-03-14 + 2020-03-14 + 711630 + remote + + + 0.7.2 + 0.7.2 + + + +

atftp is a client/server implementation of the TFTP protocol that + implements RFCs 1350, 2090, 2347, 2348, and 2349. +

+
+ +

Multiple vulnerabilities have been discovered in atftp. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could send a specially crafted packet to an atftp + instance, possibly resulting in the execution of arbitrary code with the + privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All atftp users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/atftp-0.7.2" + + +
+ + CVE-2019-11365 + CVE-2019-11366 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-15.xml b/metadata/glsa/glsa-202003-15.xml new file mode 100644 index 000000000000..6ed03f0156b4 --- /dev/null +++ b/metadata/glsa/glsa-202003-15.xml @@ -0,0 +1,54 @@ + + + + ICU: Integer overflow + An integer overflow flaw in ICU could possibly allow for the + execution of arbitrary code. + + ICU + 2020-03-15 + 2020-03-15 + 710758 + local, remote + + + 65.1-r1 + 65.1-r1 + + + +

ICU is a mature, widely used set of C/C++ and Java libraries providing + Unicode and Globalization support for software applications. +

+
+ +

It was discovered that ICU’s UnicodeString::doAppend() function is + vulnerable to an integer overflow. Please review the CVE identifiers + referenced below for more details. +

+
+ +

A remote attacker could entice a user to process a specially crafted + string in an application linked against ICU, possibly resulting in + execution of arbitrary code with the privileges of the process or a + Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All ICU users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/icu-65.1-r1" + + +
+ + CVE-2020-10531 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-16.xml b/metadata/glsa/glsa-202003-16.xml new file mode 100644 index 000000000000..0e89f97242b7 --- /dev/null +++ b/metadata/glsa/glsa-202003-16.xml @@ -0,0 +1,52 @@ + + + + SQLite: Multiple vulnerabilities + Multiple vulnerabilities have been found in SQLite, the worst of + which could result in the arbitrary execution of code. + + sqlite + 2020-03-15 + 2020-03-15 + 697678 + 711526 + local, remote + + + 3.31.1 + 3.31.1 + + + +

SQLite is a C library that implements an SQL database engine.

+
+ +

Multiple vulnerabilities have been discovered in SQLite. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All SQLite users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.31.1" + + +
+ + CVE-2019-16168 + CVE-2019-5827 + CVE-2020-9327 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-17.xml b/metadata/glsa/glsa-202003-17.xml new file mode 100644 index 000000000000..42fa05e08494 --- /dev/null +++ b/metadata/glsa/glsa-202003-17.xml @@ -0,0 +1,55 @@ + + + + nfdump: Multiple vulnerabilities + Multiple vulnerabilities have been found in nfdump, the worst of + which could result in the execution of arbitrary code. + + nfsdump + 2020-03-15 + 2020-03-15 + 711316 + local, remote + + + 1.6.19 + 1.6.19 + + + +

nfdump is a toolset in order to collect and process netflow and sflow + data, sent from netflow/sflow compatible devices. +

+
+ +

Multiple vulnerabilities have been discovered in nfdump. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker, by sending specially crafted netflow/sflow data, + could possibly execute arbitrary code with the privileges of the process + or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All nfdump users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/nfdump-1.6.19" + + +
+ + + CVE-2019-1010057 + + CVE-2019-14459 + + whissi + whissi +
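Review bot: The product field of this advisory reads `nfsdump`, while the title, the description and the emerge atom `net-analyzer/nfdump` all name the package `nfdump`. Tooling or people searching advisories by product name would not find this entry under the real package name. The field should read `nfdump`, i.e. `<product type="ebuild">nfdump</product>` in GLSA markup (the tags themselves are not visible in this rendering). Because the file is imported from the upstream GLSA repository, the correction belongs upstream and would arrive with a later resync.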
diff --git a/metadata/glsa/glsa-202003-18.xml b/metadata/glsa/glsa-202003-18.xml new file mode 100644 index 000000000000..26f12a64feb7 --- /dev/null +++ b/metadata/glsa/glsa-202003-18.xml @@ -0,0 +1,52 @@ + + + + libvirt: Multiple vulnerabilities + Multiple vulnerabilities have been discovered in libvirt, the worst + of which may result in the execution of arbitrary commands. + + libvirt + 2020-03-15 + 2020-03-15 + 711306 + local + + + 5.4.1 + 5.4.1 + + + +

libvirt is a C toolkit for manipulating virtual machines.

+
+ +

Multiple vulnerabilities have been discovered in libvirt. Please review + the CVE identifiers referenced below for details. +

+
+ +

A local privileged attacker could execute arbitrary commands, escalate + privileges or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All libvirt users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/libvirt-5.4.1" + + +
+ + CVE-2019-10161 + CVE-2019-10166 + CVE-2019-10167 + CVE-2019-10168 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-19.xml b/metadata/glsa/glsa-202003-19.xml new file mode 100644 index 000000000000..30fa979f684d --- /dev/null +++ b/metadata/glsa/glsa-202003-19.xml @@ -0,0 +1,50 @@ + + + + PPP: Buffer overflow + A buffer overflow in PPP might allow a remote attacker to execute + arbitrary code. + + PPP + 2020-03-15 + 2020-03-15 + 710308 + remote + + + 2.4.8 + 2.4.8 + + + +

PPP is a Unix implementation of the Point-to-Point Protocol.

+
+ +

It was discovered that bounds check in PPP for the rhostname was + improperly constructed in the EAP request and response functions. +

+
+ +

A remote attacker, by sending specially crafted authentication data, + could possibly execute arbitrary code with the privileges of the process + or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All PPP users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dialup/ppp-2.4.8" + + +
+ + CVE-2020-8597 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-20.xml b/metadata/glsa/glsa-202003-20.xml new file mode 100644 index 000000000000..696a1298d328 --- /dev/null +++ b/metadata/glsa/glsa-202003-20.xml @@ -0,0 +1,48 @@ + + + + systemd: Heap use-after-free + A heap use-after-free flaw in systemd at worst might allow an + attacker to execute arbitrary code. + + systemd + 2020-03-15 + 2020-03-15 + 708806 + local + + + 244.3 + 244.3 + + + +

A system and service manager.

+
+ +

It was found that systemd incorrectly handled certain Polkit queries.

+
+ +

A local unprivileged user, by sending a specially crafted Polkit query, + could possibly execute arbitrary code with the privileges of the process, + escalate privileges or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All systemd users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/systemd-244.3" + + +
+ + CVE-2020-1712 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-21.xml b/metadata/glsa/glsa-202003-21.xml new file mode 100644 index 000000000000..5f5c03bbfac4 --- /dev/null +++ b/metadata/glsa/glsa-202003-21.xml @@ -0,0 +1,56 @@ + + + + runC: Multiple vulnerabilities + Multiple vulnerabilities have been discovered in runC, the worst of + which may lead to privilege escalation. + + runC + 2020-03-15 + 2020-03-15 + 677744 + 709456 + 711182 + local, remote + + + 1.0.0_rc10 + 1.0.0_rc10 + + + +

RunC is a CLI tool for spawning and running containers according to the + OCI specification. +

+
+ +

Multiple vulnerabilities have been discovered in runC. Please review the + CVE identifiers referenced below for details. +

+
+ +

An attacker, by running a malicious Docker image, could escape the + container, bypass security restrictions, escalate privileges or cause a + Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All runC users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/runc-1.0.0_rc10" + + +
+ + CVE-2019-16884 + CVE-2019-19921 + CVE-2019-5736 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-22.xml b/metadata/glsa/glsa-202003-22.xml new file mode 100644 index 000000000000..c69d16f0a64e --- /dev/null +++ b/metadata/glsa/glsa-202003-22.xml @@ -0,0 +1,94 @@ + + + + WebkitGTK+: Multiple vulnerabilities + Multiple vulnerabilities have been found in WebKitGTK+, the worst + of which may lead to arbitrary code execution. + + webkitgtk+ + 2020-03-15 + 2020-03-15 + 699156 + 706374 + 709612 + remote + + + 2.26.4 + 2.26.4 + + + +

WebKitGTK+ is a full-featured port of the WebKit rendering engine, + suitable for projects requiring any kind of web integration, from hybrid + HTML/CSS applications to full-fledged web browsers. +

+
+ +

Multiple vulnerabilities have been discovered in WebKitGTK+. Please + review the referenced CVE identifiers for details. +

+
+ +

A remote attacker could execute arbitrary code, cause a Denial of + Service condition, bypass intended memory-read restrictions, conduct a + timing side-channel attack to bypass the Same Origin Policy or obtain + sensitive information. +

+
+ +

There is no known workaround at this time.

+
+ +

All WebkitGTK+ users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.26.4" + + +
+ + CVE-2019-8625 + CVE-2019-8674 + CVE-2019-8707 + CVE-2019-8710 + CVE-2019-8719 + CVE-2019-8720 + CVE-2019-8726 + CVE-2019-8733 + CVE-2019-8735 + CVE-2019-8743 + CVE-2019-8763 + CVE-2019-8764 + CVE-2019-8765 + CVE-2019-8766 + CVE-2019-8768 + CVE-2019-8769 + CVE-2019-8771 + CVE-2019-8782 + CVE-2019-8783 + CVE-2019-8808 + CVE-2019-8811 + CVE-2019-8812 + CVE-2019-8813 + CVE-2019-8814 + CVE-2019-8815 + CVE-2019-8816 + CVE-2019-8819 + CVE-2019-8820 + CVE-2019-8821 + CVE-2019-8822 + CVE-2019-8823 + CVE-2019-8835 + CVE-2019-8844 + CVE-2019-8846 + CVE-2020-3862 + CVE-2020-3864 + CVE-2020-3865 + CVE-2020-3867 + CVE-2020-3868 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-23.xml b/metadata/glsa/glsa-202003-23.xml new file mode 100644 index 000000000000..0a16d80df9a3 --- /dev/null +++ b/metadata/glsa/glsa-202003-23.xml @@ -0,0 +1,51 @@ + + + + libjpeg-turbo: User-assisted execution of arbitrary code + Several integer overflows in libjpeg-turbo might allow an attacker + to execute arbitrary code. + + libjpeg-turbo + 2020-03-15 + 2020-03-15 + 699830 + local, remote + + + 2.0.3 + 2.0.3 + + + +

libjpeg-turbo is a MMX, SSE, and SSE2 SIMD accelerated JPEG library.

+
+ +

It was discovered that libjpeg-turbo incorrectly handled certain JPEG + images. +

+
+ +

A remote attacker could entice a user to open a specially crafted JPEG + file in an application linked against libjpeg-turbo, possibly resulting + in execution of arbitrary code with the privileges of the process or a + Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All libjpeg-turbo users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-2.0.3" + + +
+ + CVE-2019-2201 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-24.xml b/metadata/glsa/glsa-202003-24.xml new file mode 100644 index 000000000000..dbb042e1771b --- /dev/null +++ b/metadata/glsa/glsa-202003-24.xml @@ -0,0 +1,50 @@ + + + + file: Heap-based buffer overflow + A heap-based buffer overflow in file might allow remote attackers + to execute arbitrary code. + + file + 2020-03-15 + 2020-03-15 + 698610 + local, remote + + + 5.37-r1 + 5.37-r1 + + + +

file is a utility that guesses a file format by scanning binary data for + patterns. +

+
+ +

It was discovered that file incorrectly handled certain malformed files.

+
+ +

A remote attacker could entice a user to process a specially crafted + file via libmagic or file, possibly resulting in execution of arbitrary + code with the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All file users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/file-5.37-r1" + + +
+ + CVE-2019-18218 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-25.xml b/metadata/glsa/glsa-202003-25.xml new file mode 100644 index 000000000000..ed368e6fbbd2 --- /dev/null +++ b/metadata/glsa/glsa-202003-25.xml @@ -0,0 +1,58 @@ + + + + libTIFF: Multiple vulnerabilities + Multiple vulnerabilities have been found in LibTIFF, the worst of + which could result in a Denial of Service condition. + + tiff + 2020-03-15 + 2020-03-15 + 639700 + 690732 + 699868 + local, remote + + + 4.1.0 + 4.1.0 + + + +

The TIFF library contains encoding and decoding routines for the Tag + Image File Format. It is called by numerous programs, including GNOME and + KDE applications, to interpret TIFF images. +

+
+ +

Multiple vulnerabilities have been discovered in libTIFF. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker, by enticing the user to process a specially crafted + TIFF file, could possibly cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All libTIFF users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/tiff-4.1.0" + + +
+ + CVE-2017-17095 + CVE-2018-19210 + CVE-2019-17546 + CVE-2019-6128 + CVE-2019-7663 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-26.xml b/metadata/glsa/glsa-202003-26.xml new file mode 100644 index 000000000000..570a06748746 --- /dev/null +++ b/metadata/glsa/glsa-202003-26.xml @@ -0,0 +1,87 @@ + + + + Python: Multiple vulnerabilities + Multiple vulnerabilities have been found in Python, the worst of + which could result in a Denial of Service condition. + + python + 2020-03-15 + 2020-03-15 + 676700 + 680246 + 680298 + 684838 + 689822 + local, remote + + + 2.7.17 + 3.5.7 + 3.6.9 + 3.7.4 + 2.7.17 + 3.5.7 + 3.6.9 + 3.7.4 + + + +

Python is an interpreted, interactive, object-oriented programming + language. +

+
+ +

Multiple vulnerabilities have been discovered in Python. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly perform a CRLF injection attack, obtain + sensitive information, trick Python into sending cookies to the wrong + domain or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Python 2.7.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.17:2.7" + + +

All Python 3.5.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-3.5.7:3.5/3.5m" + + +

All Python 3.6.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-3.6.9:3.6/3.6m" + + +

All Python 3.7x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-3.7.4:3.7/3.7m" + +
+ + CVE-2018-20852 + CVE-2019-5010 + CVE-2019-9636 + CVE-2019-9740 + CVE-2019-9947 + CVE-2019-9948 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-27.xml b/metadata/glsa/glsa-202003-27.xml new file mode 100644 index 000000000000..d34f8ce9fe80 --- /dev/null +++ b/metadata/glsa/glsa-202003-27.xml @@ -0,0 +1,50 @@ + + + + libssh: Arbitrary command execution + A vulnerability in libssh could allow a remote attacker to execute + arbitrary commands. + + libssh + 2020-03-15 + 2020-03-15 + 701598 + remote + + + 0.9.3 + 0.9.3 + + + +

libssh is a multiplatform C library implementing the SSHv2 protocol on + client and server side. +

+
+ +

It was discovered that libssh incorrectly handled certain scp commands.

+
+ +

A remote attacker could trick a victim into using a specially crafted + scp command, possibly resulting in the execution of arbitrary commands on + the server. +

+
+ +

There is no known workaround at this time.

+
+ +

All libssh users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.9.3" + + +
+ + CVE-2019-14889 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-28.xml b/metadata/glsa/glsa-202003-28.xml new file mode 100644 index 000000000000..19bc271b64a7 --- /dev/null +++ b/metadata/glsa/glsa-202003-28.xml @@ -0,0 +1,55 @@ + + + + libarchive: Multiple vulnerabilities + Multiple vulnerabilities have been found in libarchive, the worst + of which may lead to arbitrary code execution. + + libarchive + 2020-03-15 + 2020-03-15 + 699222 + 710358 + local, remote + + + 3.4.2 + 3.4.2 + + + +

libarchive is a library for manipulating different streaming archive + formats, including certain tar variants, several cpio formats, and both + BSD and GNU ar variants. +

+
+ +

Multiple vulnerabilities have been discovered in libarchive. Please + review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to open a specially crafted + archive file possibly resulting in the execution of arbitrary code with + the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All libarchive users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.4.2" + + +
+ + CVE-2019-18408 + CVE-2020-9308 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-29.xml b/metadata/glsa/glsa-202003-29.xml new file mode 100644 index 000000000000..e075f5d26ae3 --- /dev/null +++ b/metadata/glsa/glsa-202003-29.xml @@ -0,0 +1,53 @@ + + + + cURL: Multiple vulnerabilities + Multiple vulnerabilities have been found in cURL, the worst of + which may lead to arbitrary code execution. + + curl + 2020-03-15 + 2020-03-15 + 686050 + 694020 + remote + + + 7.66.0 + 7.66.0 + + + +

A command line tool and library for transferring data with URLs.

+
+ +

Multiple vulnerabilities have been discovered in cURL. Please review the + CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All cURL users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.66.0" + + +
+ + CVE-2019-5435 + CVE-2019-5436 + CVE-2019-5481 + CVE-2019-5482 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-30.xml b/metadata/glsa/glsa-202003-30.xml new file mode 100644 index 000000000000..894d97beb939 --- /dev/null +++ b/metadata/glsa/glsa-202003-30.xml @@ -0,0 +1,76 @@ + + + + Git: Multiple vulnerabilities + Multiple vulnerabilities have been found in Git, the worst of which + could result in the arbitrary execution of code. + + git + 2020-03-15 + 2020-03-20 + 702296 + local, remote + + + 2.21.1 + 2.23.1-r1 + 2.24.1 + 2.24.1 + + + +

Git is a free and open source distributed version control system + designed to handle everything from small to very large projects with + speed and efficiency. +

+
+ +

Multiple vulnerabilities have been discovered in Git. Please review the + CVE identifiers referenced below for details. +

+
+ +

An attacker could possibly overwrite arbitrary paths, execute arbitrary + code, and overwrite files in the .git directory. +

+
+ +

There is no known workaround at this time.

+
+ +

All Git 2.21.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.21.1" + + +

All Git 2.23.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.23.1-r1" + + +

All Git 2.24.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.24.1" + + +
+ + CVE-2019-1348 + CVE-2019-1349 + CVE-2019-1350 + CVE-2019-1351 + CVE-2019-1352 + CVE-2019-1353 + CVE-2019-1354 + CVE-2019-1387 + CVE-2019-19604 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-31.xml b/metadata/glsa/glsa-202003-31.xml new file mode 100644 index 000000000000..4dae6769b5e6 --- /dev/null +++ b/metadata/glsa/glsa-202003-31.xml @@ -0,0 +1,55 @@ + + + + gdb: Buffer overflow + A buffer overflow in gdb might allow a remote attacker to cause a + Denial of Service condition. + + gdb + 2020-03-15 + 2020-03-15 + 690582 + local, remote + + + 9.1 + 9.1 + + + +

gdb is the GNU project’s debugger, facilitating the analysis and + debugging of applications. The BFD library provides a uniform method of + accessing a variety of object file formats. +

+
+ +

It was discovered that gdb didn’t properly validate the ELF section + sizes from input file. +

+
+ +

A remote attacker could entice a user to open a specially crafted ELF + binary using gdb, possibly resulting in information disclosure or a + Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All gdb users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/gdb-9.1" + + +
+ + + CVE-2019-1010180 + + + whissi + whissi +
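Review bot: The synopsis understates what the impact section describes: it mentions only a Denial of Service condition, while the impact paragraph lists "information disclosure or a Denial of Service condition". Readers who triage from the synopsis alone would miss the confidentiality impact. The synopsis could read `A buffer overflow in gdb might allow a remote attacker to disclose information or cause a Denial of Service condition.` The background paragraph also mentions the BFD library without saying that the flaw is in ELF section-size handling there, which is presumably why it is mentioned; one linking sentence would help.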
diff --git a/metadata/glsa/glsa-202003-32.xml b/metadata/glsa/glsa-202003-32.xml new file mode 100644 index 000000000000..a4070273bd01 --- /dev/null +++ b/metadata/glsa/glsa-202003-32.xml @@ -0,0 +1,51 @@ + + + + Libgcrypt: Side-channel attack + A vulnerability in Libgcrypt could allow a local attacker to + recover sensitive information. + + libgcrypt + 2020-03-15 + 2020-03-15 + 693108 + local + + + 1.8.5 + 1.8.5 + + + +

Libgcrypt is a general purpose cryptographic library derived out of + GnuPG. +

+
+ +

A timing attack was found in the way ECCDSA was implemented in + Libgcrypt. +

+
+ +

A local man-in-the-middle attacker, during signature generation, could + possibly recover the private key. +

+
+ +

There is no known workaround at this time.

+
+ +

All Libgcrypt users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.8.5" + + +
+ + CVE-2019-13627 + + whissi + whissi +
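Review bot: The description names the affected algorithm as "ECCDSA", which is not a standard name; it is presumably ECDSA, so the sentence should read `A timing attack was found in the way ECDSA was implemented in Libgcrypt.` The impact paragraph then speaks of a "local man-in-the-middle attacker", which mixes two attacker models while the access field says `local`. A timing side channel is observed rather than relayed, so wording such as `A local attacker able to measure the timing of signature generation could possibly recover the private key.` would probably describe the threat more accurately; confirm against the referenced CVE. As with the other advisories in this resync, the fix belongs in the upstream GLSA.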
diff --git a/metadata/glsa/glsa-202003-33.xml b/metadata/glsa/glsa-202003-33.xml new file mode 100644 index 000000000000..8d028e17b0d1 --- /dev/null +++ b/metadata/glsa/glsa-202003-33.xml @@ -0,0 +1,54 @@ + + + + GStreamer Base Plugins: Heap-based buffer overflow + A heap-based buffer overflow in GStreamer Base Plugins might allow + remote attackers to execute arbitrary code. + + gst-plugins-base + 2020-03-15 + 2020-03-15 + 701294 + remote + + + 1.14.5-r1 + 1.14.5-r1 + + + +

A well-groomed and well-maintained collection of GStreamer plug-ins and + elements, spanning the range of possible types of elements one would want + to write for GStreamer. +

+
+ +

It was discovered that GStreamer Base Plugins did not correctly handle + certain malformed RTSP streams. +

+
+ +

A remote attacker could entice a user to open a specially crafted RTSP + stream with a GStreamer application, possibly resulting in the execution + of arbitrary code or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All GStreamer Base Plugins users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=media-libs/gst-plugins-base-1.14.5-r1" + + +
+ + CVE-2019-9928 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-34.xml b/metadata/glsa/glsa-202003-34.xml new file mode 100644 index 000000000000..940fc5edd5db --- /dev/null +++ b/metadata/glsa/glsa-202003-34.xml @@ -0,0 +1,61 @@ + + + + Squid: Multiple vulnerabilities + Multiple vulnerabilities have been found in Squid, the worst of + which could lead to arbitrary code execution. + + squid + 2020-03-16 + 2020-03-16 + 699854 + 708296 + remote + + + 4.10 + 4.10 + + + +

Squid is a full-featured Web proxy cache designed to run on Unix + systems. It supports proxying and caching of HTTP, FTP, and other URLs, + as well as SSL support, cache hierarchies, transparent caching, access + control lists and many other features. +

+
+ +

Multiple vulnerabilities have been discovered in Squid. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker, by sending a specially crafted request, could + possibly execute arbitrary code with the privileges of the process, + obtain sensitive information or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Squid users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/squid-4.10" + + +
+ + CVE-2019-12526 + CVE-2019-12528 + CVE-2019-18678 + CVE-2019-18679 + CVE-2020-8449 + CVE-2020-8450 + CVE-2020-8517 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-35.xml b/metadata/glsa/glsa-202003-35.xml new file mode 100644 index 000000000000..fa72b90a87d1 --- /dev/null +++ b/metadata/glsa/glsa-202003-35.xml @@ -0,0 +1,55 @@ + + + + ProFTPd: Multiple vulnerabilities + Multiple vulnerabilities have been found in ProFTPd, the worst of + which may lead to arbitrary code execution. + + proftpd + 2020-03-16 + 2020-03-16 + 699520 + 701814 + 710730 + remote + + + 1.3.6c + 1.3.6c + + + +

ProFTPD is an advanced and very configurable FTP server.

+
+ +

Multiple vulnerabilities have been discovered in ProFTPd. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker, by interrupting the data transfer channel, could + possibly execute arbitrary code with the privileges of the process or + cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All ProFTPd users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.6c" + + +
+ + CVE-2019-18217 + CVE-2019-19269 + CVE-2020-9272 + CVE-2020-9273 + + BlueKnight + whissi +
diff --git a/metadata/glsa/glsa-202003-36.xml b/metadata/glsa/glsa-202003-36.xml new file mode 100644 index 000000000000..77b24063e94f --- /dev/null +++ b/metadata/glsa/glsa-202003-36.xml @@ -0,0 +1,55 @@ + + + + libvorbis: Multiple vulnerabilities + Multiple vulnerabilities have been found in libvorbis, the worst of + which could result in a Denial of Service condition. + + libvorbis + 2020-03-16 + 2020-03-16 + 631646 + 699862 + local, remote + + + 1.3.6-r1 + 1.3.6-r1 + + + +

libvorbis is the reference implementation of the Xiph.org Ogg Vorbis + audio file format. It is used by many applications for playback of Ogg + Vorbis files. +

+
+ +

Multiple vulnerabilities have been discovered in libvorbis. Please + review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker, by enticing the user to process a specially crafted + audio file, could possibly cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All libvorbis users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libvorbis-1.3.6-r1" + + +
+ + CVE-2017-14160 + CVE-2018-10392 + CVE-2018-10393 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-37.xml b/metadata/glsa/glsa-202003-37.xml new file mode 100644 index 000000000000..27963a656f92 --- /dev/null +++ b/metadata/glsa/glsa-202003-37.xml @@ -0,0 +1,63 @@ + + + + Mozilla Network Security Service: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mozilla Network + Security Service (NSS), the worst of which may lead to arbitrary code + execution. + + nss + 2020-03-16 + 2020-03-16 + 627534 + 676868 + 701840 + local, remote + + + 3.49 + 3.49 + + + +

The Mozilla Network Security Service (NSS) is a library implementing + security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS + #12, S/MIME and X.509 certificates. +

+
+ +

Multiple vulnerabilities have been discovered in Mozilla Network + Security Service (NSS). Please review the CVE identifiers referenced + below for details. +

+
+ +

An attacker could execute arbitrary code, cause a Denial of Service + condition or have other unspecified impact. +

+
+ +

There is no known workaround at this time.

+
+ +

All Mozilla Network Security Service (NSS) users should upgrade to the + latest version: +

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.49" + + +
+ + CVE-2017-11695 + CVE-2017-11696 + CVE-2017-11697 + CVE-2017-11698 + CVE-2018-18508 + CVE-2019-11745 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-38.xml b/metadata/glsa/glsa-202003-38.xml new file mode 100644 index 000000000000..0fe1b36c64ea --- /dev/null +++ b/metadata/glsa/glsa-202003-38.xml @@ -0,0 +1,52 @@ + + + + PECL Imagick: Arbitrary code execution + A vulnerability in Imagick PHP extension might allow an attacker to + execute arbitrary code. + + pecl-imagick + 2020-03-19 + 2020-03-19 + 687030 + remote + + + 3.4.4 + 3.4.4 + + + +

Imagick is a PHP extension to create and modify images using the + ImageMagick library. +

+
+ +

An out-of-bounds write vulnerability was discovered in the Imagick PHP + extension. +

+
+ +

A remote attacker, able to upload specially crafted images which will + get processed by Imagick, could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Imagick PHP extension users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/pecl-imagick-3.4.4" + + +
+ + CVE-2019-11037 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-39.xml b/metadata/glsa/glsa-202003-39.xml new file mode 100644 index 000000000000..3da65eb92d8d --- /dev/null +++ b/metadata/glsa/glsa-202003-39.xml @@ -0,0 +1,50 @@ + + + + phpMyAdmin: SQL injection + An SQL injection vulnerability in phpMyAdmin may allow attackers to + execute arbitrary SQL statements. + + phpmyadmin + 2020-03-19 + 2020-03-19 + 701830 + remote + + + 4.9.2 + 4.9.2 + + + +

phpMyAdmin is a web-based management tool for MySQL databases.

+
+ +

PhpMyAdmin was vulnerable to an SQL injection attack through the + designer feature. +

+
+ +

An authenticated remote attacker, by specifying a specially crafted + database/table name, could trigger an SQL injection attack. +

+
+ +

There is no known workaround at this time.

+
+ +

All phpMyAdmin users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-4.9.2" + + +
+ + CVE-2019-18622 + PMASA-2019-5 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-40.xml b/metadata/glsa/glsa-202003-40.xml new file mode 100644 index 000000000000..75c8ef9418fa --- /dev/null +++ b/metadata/glsa/glsa-202003-40.xml @@ -0,0 +1,54 @@ + + + + Cacti: Multiple vulnerabilities + Multiple vulnerabilities have been found in Cacti, the worst of + which could lead to the remote execution of arbitrary code. + + cacti + 2020-03-19 + 2020-03-19 + 702312 + 708938 + remote + + + 1.2.9 + 1.2.9 + + + +

Cacti is a complete frontend to rrdtool.

+
+ +

Multiple vulnerabilities have been discovered in Cacti. Please review + the CVE identifiers referenced below for details. +

+
+ +

Remote attackers could execute arbitrary code or bypass intended access + restrictions. +

+
+ +

There is no known workaround at this time.

+
+ +

All Cacti users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-1.2.9" + + +
+ + CVE-2019-16723 + CVE-2019-17357 + CVE-2019-17358 + CVE-2020-7106 + CVE-2020-7237 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-41.xml b/metadata/glsa/glsa-202003-41.xml new file mode 100644 index 000000000000..ac164d157735 --- /dev/null +++ b/metadata/glsa/glsa-202003-41.xml @@ -0,0 +1,48 @@ + + + + GNU FriBidi: Heap-based buffer overflow + A heap-based buffer overflow in GNU FriBidi might allow remote + attackers to execute arbitrary code. + + fribidi + 2020-03-19 + 2020-03-19 + 699338 + local, remote + + + 1.0.8 + 1.0.8 + + + +

The Free Implementation of the Unicode Bidirectional Algorithm.

+
+ +

A heap-based buffer overflow vulnerability was found in GNU FriBidi.

+
+ +

A remote attacker could possibly cause a memory corruption, execute + arbitrary code with the privileges of the process or cause a Denial of + Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All FriBidi users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/fribidi-1.0.8" + + +
+ + CVE-2019-18397 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-42.xml b/metadata/glsa/glsa-202003-42.xml new file mode 100644 index 000000000000..76a2944ee9c4 --- /dev/null +++ b/metadata/glsa/glsa-202003-42.xml @@ -0,0 +1,53 @@ + + + + libgit2: Multiple vulnerabilities + Multiple vulnerabilities have been found in libgit2, the worst of + which could result in the arbitrary execution of code. + + libgit2 + 2020-03-19 + 2020-03-19 + 702522 + local, remote + + + 0.28.4 + 0.28.4 + + + +

libgit2 is a portable, pure C implementation of the Git core methods + provided as a re-entrant linkable library with a solid API. +

+
+ +

Multiple vulnerabilities have been discovered in libgit2. Please review + the CVE identifiers referenced below for details. +

+
+ +

An attacker could possibly overwrite arbitrary paths, execute arbitrary + code, and overwrite files in the .git directory. +

+
+ +

There is no known workaround at this time.

+
+ +

All libgit2 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libgit2-0.28.4" + + +
+ + CVE-2019-1348 + CVE-2019-1350 + CVE-2019-1387 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-43.xml b/metadata/glsa/glsa-202003-43.xml new file mode 100644 index 000000000000..12f723cb9665 --- /dev/null +++ b/metadata/glsa/glsa-202003-43.xml @@ -0,0 +1,62 @@ + + + + Apache Tomcat: Multiple vulnerabilities + Multiple vulnerabilities have been found in Apache Tomcat, the + worst of which could lead to arbitrary code execution. + + tomcat + 2020-03-19 + 2020-03-20 + 692402 + 706208 + 710656 + remote + + + 8.5.51 + 7.0.100 + 8.5.51 + + + +

Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

+
+ +

Multiple vulnerabilities have been discovered in Apache Tomcat. Please + review the CVE identifiers referenced below for details. +

+
+ +

An attacker could possibly smuggle HTTP requests or execute arbitrary + code. +

+
+ +

There is no known workaround at this time.

+
+ +

All Apache Tomcat 7.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.100:7" + + +

All Apache Tomcat 8.5.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.51:8.5" + + +
+ + CVE-2019-0221 + CVE-2019-12418 + CVE-2019-17563 + CVE-2020-1938 + + whissi + whissi +
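Review bot: The workaround section says none is known, but the references include CVE-2020-1938, which concerns the AJP connector. Deployments that do not use AJP can disable that connector in `server.xml`, and the others can restrict it to trusted front-end hosts until the upgrade lands. I would replace the workaround text with `Disable the AJP connector if it is not needed, or restrict access to it to trusted hosts.` The resolution should also warn that the fixed releases tighten the AJP defaults (a shared secret is expected unless `secretRequired` is turned off), so an existing AJP reverse proxy may need reconfiguring after the upgrade. Separately, the background line `Servlet-3.0/JSP-2.2 Container` describes only the 7.x slot, although the advisory also covers 8.5.x.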
diff --git a/metadata/glsa/glsa-202003-44.xml b/metadata/glsa/glsa-202003-44.xml new file mode 100644 index 000000000000..91ebcf2f6aca --- /dev/null +++ b/metadata/glsa/glsa-202003-44.xml @@ -0,0 +1,52 @@ + + + + Binary diff: Heap-based buffer overflow + A heap-based buffer overflow in Binary diff might allow remote + attackers to execute arbitrary code. + + bsdiff + 2020-03-19 + 2020-03-19 + 701848 + local, remote + + + 4.3-r4 + 4.3-r4 + + + +

bsdiff and bspatch are tools for building and applying patches to binary + files. +

+
+ +

It was discovered that the implementation of bspatch did not check for a + negative value on numbers of bytes read from the diff and extra streams. +

+
+ +

A remote attacker could entice a user to apply a specially crafted patch + using bspatch, possibly resulting in execution of arbitrary code with the + privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Binary diff users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/bsdiff-4.3-r4" + + +
+ + CVE-2014-9862 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-45.xml b/metadata/glsa/glsa-202003-45.xml new file mode 100644 index 000000000000..e436236d6878 --- /dev/null +++ b/metadata/glsa/glsa-202003-45.xml @@ -0,0 +1,49 @@ + + + + PyYAML: Arbitrary code execution + A flaw in PyYAML might allow attackers to execute arbitrary code. + pyyaml + 2020-03-19 + 2020-03-19 + 659348 + local, remote + + + 5.1 + 5.1 + + + +

PyYAML is a YAML parser and emitter for Python.

+
+ +

It was found that using yaml.load() API on untrusted input could lead to + arbitrary code execution. +

+
+ +

A remote attacker could entice a user to process specially crafted input + in an application using yaml.load() from PyYAML, possibly resulting in + execution of arbitrary code with the privileges of the process or a + Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All PyYAML users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/pyyaml-5.1" + + +
+ + CVE-2017-18342 + + whissi + whissi +
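Review bot: The workaround section says there is no known workaround, yet the description names `yaml.load()` on untrusted input as the trigger, so applications can avoid the unsafe path by using `yaml.safe_load()`. I would replace the workaround text with `Use yaml.safe_load() instead of yaml.load() when parsing untrusted input.` The resolution reads as if upgrading to 5.1 closes the issue by itself. It should add that callers should still pass an explicit safe loader rather than rely on the library default.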
diff --git a/metadata/glsa/glsa-202003-46.xml b/metadata/glsa/glsa-202003-46.xml new file mode 100644 index 000000000000..ae2d48c32026 --- /dev/null +++ b/metadata/glsa/glsa-202003-46.xml @@ -0,0 +1,51 @@ + + + + ClamAV: Multiple vulnerabilities + Multiple vulnerabilities have been found in ClamAV, the worst of + which could result in a Denial of Service condition. + + clamav + 2020-03-19 + 2020-03-19 + 702010 + 708424 + local, remote + + + 0.102.2 + 0.102.2 + + + +

ClamAV is a GPL virus scanner.

+
+ +

Multiple vulnerabilities have been discovered in ClamAV. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could cause ClamAV to scan a specially crafted file, + possibly resulting in a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All ClamAV users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.102.2" + + +
+ + CVE-2019-15961 + CVE-2020-3123 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-47.xml b/metadata/glsa/glsa-202003-47.xml new file mode 100644 index 000000000000..e127121e070f --- /dev/null +++ b/metadata/glsa/glsa-202003-47.xml @@ -0,0 +1,52 @@ + + + + Exim: Heap-based buffer overflow + A vulnerability in Exim could allow a remote attacker to execute + arbitrary code. + + + 2020-03-20 + 2020-03-20 + 701282 + remote + + + 4.92.3 + 4.92.3 + + + +

Exim is a message transfer agent (MTA) designed to be a a highly + configurable, drop-in replacement for sendmail. +

+
+ +

It was discovered that Exim incorrectly handled certain string + operations. +

+
+ +

A remote attacker, able to connect to a vulnerable Exim instance, could + possibly execute arbitrary code with the privileges of the process or + cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Exim users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/exim-4.92.3" + + +
+ + CVE-2019-16928 + + whissi + whissi +
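Review bot: The product field in the header looks empty in this advisory: the slot before the `2020-03-20` dates carries no name, where the sibling advisories carry `cacti`, `clamav` and so on. The markup is not visible in this rendering, so this is inferred from the missing text; if confirmed, the field should read `exim` so that tooling keyed on the product name still matches. The background sentence also has a doubled article: `designed to be a a highly configurable` should be `designed to be a highly configurable`.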
diff --git a/metadata/glsa/glsa-202003-48.xml b/metadata/glsa/glsa-202003-48.xml new file mode 100644 index 000000000000..94ecb6b4e6ef --- /dev/null +++ b/metadata/glsa/glsa-202003-48.xml @@ -0,0 +1,78 @@ + + + + Node.js: Multiple vulnerabilities + Multiple vulnerabilities have been found in Node.js, worst of which + could allow remote attackers to write arbitrary files. + + nodejs + 2020-03-20 + 2020-03-20 + 658074 + 665656 + 672136 + 679132 + 702988 + 708458 + local, remote + + + 10.19.0 + 12.15.0 + 12.15.0 + + + +

Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript + engine. +

+
+ +

Multiple vulnerabilities have been discovered in Node.js. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly write arbitrary files, cause a Denial + of Service condition or can conduct HTTP request splitting attacks. +

+
+ +

There is no known workaround at this time.

+
+ +

All Node.js <12.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/nodejs-10.19.0" + + +

All Node.js 12.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/nodejs-12.15.0" + + +
+ + CVE-2018-12115 + CVE-2018-12116 + CVE-2018-12121 + CVE-2018-12122 + CVE-2018-12123 + CVE-2018-7161 + CVE-2018-7162 + CVE-2018-7164 + CVE-2018-7167 + CVE-2019-15604 + CVE-2019-15605 + CVE-2019-15606 + CVE-2019-16777 + CVE-2019-5737 + CVE-2019-5739 + + BlueKnight + whissi +
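Review bot: The impact sentence switches construction midway: `cause a Denial of Service condition or can conduct HTTP request splitting attacks` should read `cause a Denial of Service condition, or conduct HTTP request splitting attacks`. The synopsis also drops an article; `worst of which` should be `the worst of which`, as in the other advisories in this commit.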
diff --git a/metadata/glsa/glsa-202003-49.xml b/metadata/glsa/glsa-202003-49.xml new file mode 100644 index 000000000000..682453c993a0 --- /dev/null +++ b/metadata/glsa/glsa-202003-49.xml @@ -0,0 +1,50 @@ + + + + BlueZ: Security bypass + A vulnerability in BlueZ might allow remote attackers to bypass + security restrictions. + + bluez + 2020-03-25 + 2020-03-25 + 712292 + remote + + + 5.54 + 5.54 + + + +

Set of tools to manage Bluetooth devices for Linux.

+
+ +

It was discovered that the HID and HOGP profiles implementations in + BlueZ did not specifically require bonding between the device and the + host. +

+
+ +

A remote attacker with adjacent access could impersonate an existing HID + device, cause a Denial of Service condition or escalate privileges. +

+
+ +

There is no known workaround at this time.

+
+ +

All BlueZ users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/bluez-5.54" + + +
+ + CVE-2020-0556 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-50.xml b/metadata/glsa/glsa-202003-50.xml new file mode 100644 index 000000000000..36ab084c78c9 --- /dev/null +++ b/metadata/glsa/glsa-202003-50.xml @@ -0,0 +1,58 @@ + + + + Tor: Multiple vulnerabilities + Multiple vulnerabilities were found in Tor, the worst of which + could allow remote attackers to cause a Denial of Service condition. + + tor + 2020-03-25 + 2020-03-25 + 713238 + remote + + + 0.4.1.9 + 0.4.2.7 + 0.4.2.7 + + + +

Tor is an implementation of second generation Onion Routing, a + connection-oriented anonymizing communication service. +

+
+ +

Multiple vulnerabilities have been discovered in Tor, and tor. Please + review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly cause a Denial of Service condition.

+
+ +

There is no known workaround at this time.

+
+ +

All Tor 0.4.1.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-vpn/tor-0.4.1.9" + + +

All Tor 0.4.2.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-vpn/tor-0.4.2.7" + + +
+ + CVE-2020-10592 + CVE-2020-10593 + + whissi + whissi +
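Review bot: The description reads `Multiple vulnerabilities have been discovered in Tor, and tor.`, which looks like a template leftover that names the same package twice. `Multiple vulnerabilities have been discovered in Tor.` would match the wording of the sibling advisories.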
diff --git a/metadata/glsa/glsa-202003-51.xml b/metadata/glsa/glsa-202003-51.xml new file mode 100644 index 000000000000..f8176070b409 --- /dev/null +++ b/metadata/glsa/glsa-202003-51.xml @@ -0,0 +1,54 @@ + + + + WeeChat: Multiple vulnerabilities + Multiple vulnerabilities have been found in WeeChat, the worst of + which could allow remote attackers to cause a Denial of Service condition. + + weechat + 2020-03-25 + 2020-03-25 + 709452 + 714086 + remote + + + 2.7.1 + 2.7.1 + + + +

Wee Enhanced Environment for Chat (WeeChat) is a light and extensible + console IRC client. +

+
+ +

Multiple vulnerabilities have been discovered in WeeChat. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker, by sending a specially crafted IRC message, could + possibly cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All WeeChat users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-irc/weechat-2.7.1" + + +
+ + CVE-2020-8955 + CVE-2020-9759 + CVE-2020-9760 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-52.xml b/metadata/glsa/glsa-202003-52.xml new file mode 100644 index 000000000000..aafebaff00af --- /dev/null +++ b/metadata/glsa/glsa-202003-52.xml @@ -0,0 +1,88 @@ + + + + Samba: Multiple vulnerabilities + Multiple vulnerabilities have been found in Samba, the worst of + which could lead to remote code execution. + + samba + 2020-03-25 + 2020-03-25 + 664316 + 672140 + 686036 + 693558 + 702928 + 706144 + remote + + + 4.9.18 + 4.10.13 + 4.11.6 + 4.11.6 + + + +

Samba is a suite of SMB and CIFS client/server programs.

+
+ +

Multiple vulnerabilities have been discovered in Samba. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly execute arbitrary code, cause a Denial + of Service condition, conduct a man-in-the-middle attack, or obtain + sensitive information. +

+
+ +

There is no known workaround at this time.

+
+ +

All Samba 4.9.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-4.9.18" + + +

All Samba 4.10.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-4.10.13" + + +

All Samba 4.11.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-4.11.6" + + +
+ + CVE-2018-10858 + CVE-2018-10918 + CVE-2018-10919 + CVE-2018-1139 + CVE-2018-1140 + CVE-2018-14629 + CVE-2018-16841 + CVE-2018-16851 + CVE-2018-16852 + CVE-2018-16853 + CVE-2018-16857 + CVE-2018-16860 + CVE-2019-10197 + CVE-2019-14861 + CVE-2019-14870 + CVE-2019-14902 + CVE-2019-14907 + CVE-2019-19344 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-53.xml b/metadata/glsa/glsa-202003-53.xml new file mode 100644 index 000000000000..2f1a217d45c1 --- /dev/null +++ b/metadata/glsa/glsa-202003-53.xml @@ -0,0 +1,78 @@ + + + + Chromium, Google Chrome: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which could allow remote attackers to execute + arbitrary code. + + chromium,google-chrome + 2020-03-25 + 2020-03-25 + 713282 + remote + + + 80.0.3987.149 + 80.0.3987.149 + + + 80.0.3987.149 + 80.0.3987.149 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+ +

Google Chrome is one fast, simple, and secure browser for all your + devices. +

+
+ +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the referenced CVE identifiers for details. +

+
+ +

A remote attacker could entice a user to open a specially crafted HTML + or multimedia file using Chromium or Google Chrome, possibly resulting in + execution of arbitrary code with the privileges of the process or a + Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-80.0.3987.149" + + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-80.0.3987.149" + + +
+ + CVE-2020-6422 + CVE-2020-6424 + CVE-2020-6425 + CVE-2020-6426 + CVE-2020-6427 + CVE-2020-6428 + CVE-2020-6429 + CVE-2020-6449 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-54.xml b/metadata/glsa/glsa-202003-54.xml new file mode 100644 index 000000000000..0e12b029b92b --- /dev/null +++ b/metadata/glsa/glsa-202003-54.xml @@ -0,0 +1,52 @@ + + + + Pure-FTPd: Multiple vulnerabilities + Multiple vulnerabilities have been found in Pure-FTPd, the worst of + which could allow remote attackers to cause a Denial of Service condition. + + pure-ftpd + 2020-03-25 + 2020-03-25 + 711124 + remote + + + 1.0.49-r2 + 1.0.49-r2 + + + +

Pure-FTPd is a fast, production-quality and standards-compliant FTP + server. +

+
+ +

Multiple vulnerabilities have been discovered in Pure-FTPd. Please + review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly cause a Denial of Service condition or + cause an information disclosure. +

+
+ +

There is no known workaround at this time.

+
+ +

All Pure-FTPd users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/pure-ftpd-1.0.49-r2" + + +
+ + CVE-2020-9274 + CVE-2020-9365 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-55.xml b/metadata/glsa/glsa-202003-55.xml new file mode 100644 index 000000000000..681f03815876 --- /dev/null +++ b/metadata/glsa/glsa-202003-55.xml @@ -0,0 +1,49 @@ + + + + Zsh: Privilege escalation + A vulnerability in Zsh might allow an attacker to escalate + privileges. + + zsh + 2020-03-25 + 2020-03-25 + 711136 + local, remote + + + 5.8 + 5.8 + + + +

A shell designed for interactive use, although it is also a powerful + scripting language. +

+
+ +

It was discovered that Zsh was insecure dropping privileges when + unsetting PRIVILEGED option. +

+
+ +

An attacker could escalate privileges.

+
+ +

There is no known workaround at this time.

+
+ +

All Zsh users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.8" + + +
+ + CVE-2019-20044 + + whissi + whissi +
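Review bot: The description `Zsh was insecure dropping privileges when unsetting PRIVILEGED option` is hard to parse; `Zsh did not drop privileges securely when the PRIVILEGED option was unset` says the same thing clearly. The impact line `An attacker could escalate privileges.` gives no precondition. Since access is listed as `local, remote`, one sentence on what position the attacker needs would help readers triage.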
diff --git a/metadata/glsa/glsa-202003-56.xml b/metadata/glsa/glsa-202003-56.xml new file mode 100644 index 000000000000..8f25345155e7 --- /dev/null +++ b/metadata/glsa/glsa-202003-56.xml @@ -0,0 +1,73 @@ + + + + Xen: Multiple vulnerabilities + Multiple vulnerabilities have been found in Xen, the worst of which + could allow for privilege escalation. + + xen + 2020-03-25 + 2020-03-25 + 686024 + 699048 + 699996 + 702644 + local + + + 4.12.0-r1 + 4.12.0-r1 + + + 4.12.0-r1 + 4.12.0-r1 + + + +

Xen is a bare-metal hypervisor.

+
+ +

Multiple vulnerabilities have been discovered in Xen. Please review the + referenced CVE identifiers for details. +

+
+ +

A local attacker could potentially gain privileges on the host system or + cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Xen users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.12.0-r1" + + +
+ + CVE-2018-12126 + CVE-2018-12127 + CVE-2018-12130 + CVE-2018-12207 + CVE-2018-12207 + CVE-2019-11091 + CVE-2019-11135 + CVE-2019-18420 + CVE-2019-18421 + CVE-2019-18423 + CVE-2019-18424 + CVE-2019-18425 + CVE-2019-19577 + CVE-2019-19578 + CVE-2019-19580 + CVE-2019-19581 + CVE-2019-19582 + CVE-2019-19583 + + whissi + whissi +
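Review bot: `CVE-2018-12207` appears twice in a row in the reference list; the duplicate should be dropped, or replaced if a different identifier was intended. The affected section appears to list two packages at `4.12.0-r1`, while the resolution gives an upgrade command only for `app-emulation/xen`. The package names are not visible in this rendering, so this is inferred; if the second entry is a separate package, it needs its own `emerge` line.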
diff --git a/metadata/glsa/glsa-202003-57.xml b/metadata/glsa/glsa-202003-57.xml new file mode 100644 index 000000000000..507ece2ce63b --- /dev/null +++ b/metadata/glsa/glsa-202003-57.xml @@ -0,0 +1,78 @@ + + + + PHP: Multiple vulnerabilities + Multiple vulnerabilities have been found in PHP, the worst of which + could result in the execution of arbitrary shell commands. + + PHP + 2020-03-26 + 2020-03-26 + 671872 + 706168 + 710304 + 713484 + local, remote + + + 7.2.29 + 7.3.16 + 7.4.4 + 7.4.4 + + + +

PHP is an open source general-purpose scripting language that is + especially suited for web development. +

+
+ +

Multiple vulnerabilities have been discovered in PHP. Please review the + CVE identifiers referenced below for details. +

+
+ +

An attacker could possibly execute arbitrary shell commands, cause a + Denial of Service condition or obtain sensitive information. +

+
+ +

There is no known workaround at this time.

+
+ +

All PHP 7.2.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.2.29" + + +

All PHP 7.3.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.3.16" + + +

All PHP 7.4.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.4" + + +
+ + CVE-2018-19518 + CVE-2020-7059 + CVE-2020-7060 + CVE-2020-7061 + CVE-2020-7062 + CVE-2020-7063 + CVE-2020-7064 + CVE-2020-7065 + CVE-2020-7066 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-58.xml b/metadata/glsa/glsa-202003-58.xml new file mode 100644 index 000000000000..7c15220be493 --- /dev/null +++ b/metadata/glsa/glsa-202003-58.xml @@ -0,0 +1,56 @@ + + + + UnZip: User-assisted execution of arbitrary code + Multiple vulnerabilities have been found in UnZip, the worst of + which could result in the execution of arbitrary code. + + unzip + 2020-03-26 + 2020-03-26 + 647008 + 691566 + local, remote + + + 6.0_p25 + 6.0_p25 + + + +

Info-ZIP’s UnZip is a tool to list and extract files inside PKZIP + compressed files. +

+
+ +

Multiple vulnerabilities have been discovered in UnZip. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to open a specially crafted ZIP + archive using UnZip, possibly resulting in execution of arbitrary code + with the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All UnZip users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/unzip-6.0_p25" + + +
+ + + CVE-2018-1000035 + + CVE-2019-13232 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-59.xml b/metadata/glsa/glsa-202003-59.xml new file mode 100644 index 000000000000..b0f7f3f83180 --- /dev/null +++ b/metadata/glsa/glsa-202003-59.xml @@ -0,0 +1,63 @@ + + + + libvpx: User-assisted execution of arbitrary code + Multiple vulnerabilities have been found in libvpx, the worst of + which could result in the execution of arbitrary code. + + libvpx + 2020-03-26 + 2020-03-26 + 701834 + local, remote + + + 1.7.0-r1 + 1.8.1 + 1.8.1 + + + +

libvpx is the VP8 codec SDK used to encode and decode video streams, + typically within a WebM format media file. +

+
+ +

Multiple vulnerabilities have been discovered in libvpx. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to open a specially crafted media + file, possibly resulting in the execution of arbitrary code with the + privileges of the user running the application, or a Denial of Service. +

+
+ +

There is no known workaround at this time.

+
+ +

All libvpx 1.7.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libvpx-1.7.0-r1" + + +

All libvpx 1.8.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libvpx-1.8.1" + + +
+ + CVE-2019-9232 + CVE-2019-9325 + CVE-2019-9371 + CVE-2019-9433 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-60.xml b/metadata/glsa/glsa-202003-60.xml new file mode 100644 index 000000000000..28bde54884a3 --- /dev/null +++ b/metadata/glsa/glsa-202003-60.xml @@ -0,0 +1,60 @@ + + + + QtCore: Multiple vulnerabilities + Multiple vulnerabilities have been found in QtCore, the worst of + which could result in the execution of arbitrary code. + + qtcore + 2020-03-26 + 2020-03-26 + 699226 + 707354 + local, remote + + + 5.12.3-r2 + 5.13.2-r2 + 5.13.2-r2 + + + +

The Qt toolkit is a comprehensive C++ application development framework.

+
+ +

Multiple vulnerabilities have been discovered in QtCore. Please review + the CVE identifiers referenced below for details. +

+
+ +

An attacker could possibly execute arbitrary code with the privileges of + the process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All QtCore 5.12.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtcore-5.12.3-r2" + + +

All QtCore 5.13.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtcore-5.13.2-r2" + + +
+ + CVE-2019-18281 + CVE-2020-0569 + CVE-2020-0570 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-61.xml b/metadata/glsa/glsa-202003-61.xml new file mode 100644 index 000000000000..be2b54a87dcf --- /dev/null +++ b/metadata/glsa/glsa-202003-61.xml @@ -0,0 +1,52 @@ + + + + Adobe Flash Player: Remote execution of arbitrary code + A vulnerability in Adobe Flash Player might allow remote attackers + to execute arbitrary code. + + adobe-flash + 2020-03-26 + 2020-03-26 + 709728 + remote + + + 32.0.0.330 + 32.0.0.330 + + + +

The Adobe Flash Player is a renderer for the SWF file format, which is + commonly used to provide interactive websites. +

+
+ +

A critical type confusion vulnerability was discovered in Adobe Flash + Player. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Adobe Flash users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-plugins/adobe-flash-32.0.0.330" + + +
+ + CVE-2020-3757 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-62.xml b/metadata/glsa/glsa-202003-62.xml new file mode 100644 index 000000000000..659c68b6d685 --- /dev/null +++ b/metadata/glsa/glsa-202003-62.xml @@ -0,0 +1,52 @@ + + + + GNU Screen: Buffer overflow + A buffer overflow in GNU Screen might allow remote attackers to + corrupt memory. + + screen + 2020-03-30 + 2020-03-30 + 708460 + remote + + + 4.8.0 + 4.8.0 + + + +

GNU Screen is a full-screen window manager that multiplexes a physical + terminal between several processes, typically interactive shells. +

+
+ +

A buffer overflow was found in the way GNU Screen treated the special + escape OSC 49. +

+
+ +

A remote attacker, by writing a specially crafted string of characters + to a GNU Screen window, could possibly corrupt memory or have other + unspecified impact. +

+
+ +

There is no known workaround at this time.

+
+ +

All GNU Screen users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-misc/screen-4.8.0" + + +
+ + CVE-2020-9366 + + BlueKnight + whissi +
diff --git a/metadata/glsa/glsa-202003-63.xml b/metadata/glsa/glsa-202003-63.xml new file mode 100644 index 000000000000..475b97bc2874 --- /dev/null +++ b/metadata/glsa/glsa-202003-63.xml @@ -0,0 +1,53 @@ + + + + GNU IDN Library 2: Multiple vulnerabilities + Multiple vulnerabilities have been found in GNU IDN Library 2, the + worst of which could result in the remote execution of arbitrary code. + + libidn2 + 2020-03-30 + 2020-03-30 + 697752 + local, remote + + + 2.2.0 + 2.2.0 + + + +

GNU IDN Library 2 is an implementation of the IDNA2008 + TR46 + specifications (RFC 5890, RFC 5891, RFC 5892, RFC 5893, TR 46). +

+
+ +

Multiple vulnerabilities have been discovered in GNU IDN Library 2. + Please review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could send specially crafted input, possibly resulting + in execution of arbitrary code with the privileges of the process, + impersonation of domains or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All GNU IDN Library 2 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/libidn2-2.2.0" + + +
+ + CVE-2019-12290 + CVE-2019-18224 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202003-64.xml b/metadata/glsa/glsa-202003-64.xml new file mode 100644 index 000000000000..1b7c239fd3ba --- /dev/null +++ b/metadata/glsa/glsa-202003-64.xml @@ -0,0 +1,59 @@ + + + + libxls: Multiple vulnerabilities + Multiple vulnerabilities have been found in libxls, the worst of + which could result in the arbitrary execution of code. + + libxls + 2020-03-30 + 2020-03-30 + 638336 + 674006 + local, remote + + + 1.5.2 + 1.5.2 + + + +

libxls is a C library for reading Excel files in the nasty old binary + OLE format, plus a command-line tool for converting XLS to CSV. +

+
+ +

Multiple vulnerabilities have been discovered in libxls. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to process a specially crafted + Excel file using libxls, possibly resulting in execution of arbitrary + code with the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All libxls users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libxls-1.5.2" + + +
+ + CVE-2017-12110 + CVE-2017-12111 + CVE-2017-2896 + CVE-2017-2897 + CVE-2017-2919 + CVE-2018-20450 + CVE-2018-20452 + + BlueKnight + whissi +
diff --git a/metadata/glsa/glsa-202003-65.xml b/metadata/glsa/glsa-202003-65.xml new file mode 100644 index 000000000000..2ca8be185357 --- /dev/null +++ b/metadata/glsa/glsa-202003-65.xml @@ -0,0 +1,63 @@ + + + + FFmpeg: Multiple vulnerabilities + Multiple vulnerabilities have been found in FFmpeg, the worst of + which allows remote attackers to execute arbitrary code. + + ffmpeg + 2020-03-30 + 2020-03-30 + 660924 + 692418 + 711144 + local, remote + + + 4.2.0 + 4 + + + +

FFmpeg is a complete, cross-platform solution to record, convert and + stream audio and video. +

+
+ +

Multiple vulnerabilities have been discovered in FFmpeg. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user or automated system using FFmpeg + to process a specially crafted file, resulting in the execution of + arbitrary code or a Denial of Service. +

+
+ +

There is no known workaround at this time.

+
+ +

All FFmpeg 4.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-4.2.0" + + +
+ + CVE-2018-10001 + CVE-2018-6912 + CVE-2018-7557 + CVE-2018-7751 + CVE-2018-9841 + CVE-2019-12730 + CVE-2019-13312 + CVE-2019-13390 + CVE-2019-17539 + CVE-2019-17542 + + BlueKnight + whissi +
diff --git a/metadata/glsa/glsa-202003-66.xml b/metadata/glsa/glsa-202003-66.xml new file mode 100644 index 000000000000..d1f66e504218 --- /dev/null +++ b/metadata/glsa/glsa-202003-66.xml @@ -0,0 +1,51 @@ + + + + QEMU: Multiple vulnerabilities + Multiple vulnerabilities have been found in QEMU, the worst of + which could result in the arbitrary execution of code. + + qemu + 2020-03-30 + 2020-03-30 + 709490 + 711334 + local + + + 4.2.0-r2 + 4.2.0-r2 + + + +

QEMU is a generic and open source machine emulator and virtualizer.

+
+ +

Multiple vulnerabilities have been discovered in QEMU. Please review the + CVE identifiers referenced below for details. +

+
+ +

An attacker could possibly execute arbitrary code with the privileges of + the process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All QEMU users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/qemu-4.2.0-r2" + + +
+ + CVE-2019-13164 + CVE-2020-8608 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202004-01.xml b/metadata/glsa/glsa-202004-01.xml
new file mode 100644
index 000000000000..a88cde25a8a9
--- /dev/null
+++ b/metadata/glsa/glsa-202004-01.xml
@@ -0,0 +1,66 @@
+
+
+
+ HAProxy: Remote execution of arbitrary code
+ A vulnerability in HAProxy might lead to remote execution of
+ arbitrary code.
+
+ haproxy
+ 2020-04-01
+ 2020-04-01
+ 701842
+ remote
+
+
+ 1.8.23
+ 1.9.13
+ 2.0.10
+ 2.0.10
+
+
+
+

HAProxy is a TCP/HTTP reverse proxy for high availability environments.

+
+ +

It was discovered that HAProxy incorrectly handled certain HTTP/2 + headers. +

+
+ +

A remote attacker could send a specially crafted HTTP/2 header, possibly + resulting in execution of arbitrary code with the privileges of the + process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All HAProxy 1.8.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-1.8.23" + + +

All HAProxy 1.9.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-1.9.13" + + +

All HAProxy 2.0.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-2.0.10" + + +
+ + CVE-2019-19330 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202004-02.xml b/metadata/glsa/glsa-202004-02.xml
new file mode 100644
index 000000000000..33129dd64c29
--- /dev/null
+++ b/metadata/glsa/glsa-202004-02.xml
@@ -0,0 +1,122 @@
+
+
+
+ VirtualBox: Multiple vulnerabilities
+ Multiple vulnerabilities have been found in VirtualBox, the worst
+ of which could allow an attacker to take control of VirtualBox.
+
+ virtualbox
+ 2020-04-01
+ 2020-04-01
+ 714064
+ local, remote
+
+
+ 5.2.36
+ 6.0.16
+ 6.1.2
+ 6.1.2
+
+
+ 5.2.36
+ 6.0.16
+ 6.1.2
+ 6.1.2
+
+
+
+

VirtualBox is a powerful virtualization product from Oracle.

+
+ +

Multiple vulnerabilities have been discovered in VirtualBox. Please + review the CVE identifiers referenced below for details. +

+
+ +

An attacker could take control of VirtualBox resulting in the execution + of arbitrary code with the privileges of the process, a Denial of Service + condition, or other unspecified impacts. +

+
+ +

There is no known workaround at this time.

+
+ +

All VirtualBox 5.2.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-5.2.36" + + +

All VirtualBox 6.0.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.0.16" + + +

All VirtualBox 6.1.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.2" + + +

All VirtualBox binary 5.2.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/virtualbox-bin-5.2.36" + + +

All VirtualBox binary 6.0.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/virtualbox-bin-6.0.16" + + +

All VirtualBox binary 6.1.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/virtualbox-bin-6.1.2" + + +
+ + CVE-2019-2926 + CVE-2019-2944 + CVE-2019-2984 + CVE-2019-3002 + CVE-2019-3005 + CVE-2019-3017 + CVE-2019-3021 + CVE-2019-3026 + CVE-2019-3028 + CVE-2019-3031 + CVE-2020-2674 + CVE-2020-2678 + CVE-2020-2681 + CVE-2020-2682 + CVE-2020-2689 + CVE-2020-2690 + CVE-2020-2691 + CVE-2020-2692 + CVE-2020-2693 + CVE-2020-2698 + CVE-2020-2702 + CVE-2020-2703 + CVE-2020-2704 + CVE-2020-2705 + CVE-2020-2725 + CVE-2020-2726 + CVE-2020-2727 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202004-03.xml b/metadata/glsa/glsa-202004-03.xml
new file mode 100644
index 000000000000..66862b17b0e6
--- /dev/null
+++ b/metadata/glsa/glsa-202004-03.xml
@@ -0,0 +1,60 @@
+
+
+
+ GPL Ghostscript: Multiple vulnerabilities
+ Multiple vulnerabilities have been found in GPL Ghostscript, the
+ worst of which could result in the execution of arbitrary code.
+
+ ghostscript
+ 2020-04-01
+ 2020-04-01
+ 676264
+ 692106
+ 693002
+ local, remote
+
+
+ 9.28_rc4
+ 9.28_rc4
+
+
+
+

Ghostscript is an interpreter for the PostScript language and for PDF.

+
+ +

Multiple vulnerabilities have been discovered in GPL Ghostscript. Please + review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to process a specially crafted + file using GPL Ghostscript, possibly resulting in execution of arbitrary + code with the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All GPL Ghostscript users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-text/ghostscript-gpl-9.28_rc4" + + +
+ + CVE-2019-10216 + CVE-2019-14811 + CVE-2019-14812 + CVE-2019-14813 + CVE-2019-14817 + CVE-2019-3835 + CVE-2019-3838 + CVE-2019-6116 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202004-04.xml b/metadata/glsa/glsa-202004-04.xml
new file mode 100644
index 000000000000..aae687ae7b93
--- /dev/null
+++ b/metadata/glsa/glsa-202004-04.xml
@@ -0,0 +1,53 @@
+
+
+
+ Qt WebEngine: Arbitrary code execution
+ A heap use-after-free flaw in Qt WebEngine at worst might allow an
+ attacker to execute arbitrary code.
+
+ qtwebengine
+ 2020-04-01
+ 2020-04-01
+ 699328
+ local, remote
+
+
+ 5.14.1
+ 5.14.1
+
+
+
+

Library for rendering dynamic web content in Qt5 C++ and QML + applications. +

+
+ +

A use-after-free vulnerability has been found in the audio component of + Qt WebEngine. +

+
+ +

A remote attacker could entice a user to open a specially crafted media + file in an application linked against Qt WebEngine, possibly resulting in + execution of arbitrary code with the privileges of the process or a + Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Qt WebEngine users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.14.1" + + +
+ + CVE-2019-13720 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202004-05.xml b/metadata/glsa/glsa-202004-05.xml
new file mode 100644
index 000000000000..7b9d4af2f95b
--- /dev/null
+++ b/metadata/glsa/glsa-202004-05.xml
@@ -0,0 +1,55 @@
+
+
+
+ ledger: Multiple vulnerabilities
+ Multiple vulnerabilities have been found in ledger, the worst of
+ which could result in the arbitrary execution of code.
+
+ ledger
+ 2020-04-01
+ 2020-04-01
+ 627060
+ remote
+
+
+ 3.1.2
+ 3.1.2
+
+
+
+

Ledger is a powerful, double-entry accounting system that is accessed + from the UNIX command-line. +

+
+ +

Multiple vulnerabilities have been discovered in ledger. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to process a specially crafted + file using ledger, possibly resulting in execution of arbitrary code with + the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All ledger users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-office/ledger-3.1.2" + + +
+ + CVE-2017-12481 + CVE-2017-12482 + CVE-2017-2807 + CVE-2017-2808 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202004-06.xml b/metadata/glsa/glsa-202004-06.xml
new file mode 100644
index 000000000000..5e8ca1511cbf
--- /dev/null
+++ b/metadata/glsa/glsa-202004-06.xml
@@ -0,0 +1,49 @@
+
+
+
+ GnuTLS: DTLS protocol regression
+ A regression in GnuTLS breaks the security guarantees of the DTLS
+ protocol.
+
+ gnutls
+ 2020-04-02
+ 2020-04-02
+ 715602
+ local, remote
+
+
+ 3.6.13
+ 3.6.13
+
+
+
+

GnuTLS is an Open Source implementation of the TLS and SSL protocols.

+
+ +

It was discovered that DTLS client did not contribute any randomness to + the DTLS negotiation. +

+
+ +

Please review the referenced advisory for details.

+
+ +

There is no known workaround at this time.

+
+ +

All GnuTLS users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/gnutls-3.6.13" + + +
+ + + GNUTLS-SA-2020-03-31 + + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202004-07.xml b/metadata/glsa/glsa-202004-07.xml
new file mode 100644
index 000000000000..cf8709bebe4e
--- /dev/null
+++ b/metadata/glsa/glsa-202004-07.xml
@@ -0,0 +1,64 @@
+
+
+
+ Mozilla Firefox: Multiple vulnerabilities
+ Multiple vulnerabilities have been found in Mozilla Firefox, the
+ worst of which could result in the arbitrary execution of code.
+
+ firefox
+ 2020-04-04
+ 2020-04-04
+ 716098
+ remote
+
+
+ 68.6.1
+ 74.0.1
+ 74.0.1
+
+
+
+

Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. +

+
+ +

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please + review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to view a specially crafted web + page, possibly resulting in the execution of arbitrary code with the + privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Mozilla Firefox ESR users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-68.6.1" + + +

All Mozilla Firefox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-74.0.1" + + +
+ + CVE-2020-6819 + CVE-2020-6820 + + MFSA-2020-11 + + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202004-08.xml b/metadata/glsa/glsa-202004-08.xml
new file mode 100644
index 000000000000..2bccb96214e5
--- /dev/null
+++ b/metadata/glsa/glsa-202004-08.xml
@@ -0,0 +1,53 @@
+
+
+
+ libssh: Denial of Service
+ A vulnerability in libssh could allow a remote attacker to cause a
+ Denial of Service condition.
+
+ libssh
+ 2020-04-10
+ 2020-04-10
+ 716788
+ remote
+
+
+ 0.9.4
+ 0.9.4
+
+
+
+

libssh is a multiplatform C library implementing the SSHv2 protocol on + client and server side. +

+
+ +

It was discovered that libssh could crash when AES-CTR ciphers are used.

+
+ +

A remote attacker running a malicious client or server could possibly + crash the counterpart implemented with libssh and cause a Denial of + Service condition. +

+
+ +

Disable AES-CTR ciphers. If you implement a server using libssh it is + recommended to use a prefork model so each session runs in an own + process. +

+
+ +

All libssh users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.9.4" + + +
+ + CVE-2020-1730 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202004-09.xml b/metadata/glsa/glsa-202004-09.xml
new file mode 100644
index 000000000000..90297ed5e841
--- /dev/null
+++ b/metadata/glsa/glsa-202004-09.xml
@@ -0,0 +1,97 @@
+
+
+
+ Chromium, Google Chrome: Multiple vulnerabilities
+ Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could allow remote attackers to execute
+ arbitrary code.
+
+ chrome,chromium
+ 2020-04-10
+ 2020-04-10
+ 715720
+ 716612
+ remote
+
+
+ 81.0.4044.92
+ 81.0.4044.92
+
+
+ 81.0.4044.92
+ 81.0.4044.92
+
+
+
+

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+ +

Google Chrome is one fast, simple, and secure browser for all your + devices. +

+
+ +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the referenced CVE identifiers for details. +

+
+ +

A remote attacker could entice a user to open a specially crafted HTML + or multimedia file using Chromium or Google Chrome, possibly resulting in + execution of arbitrary code with the privileges of the process or a + Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-81.0.4044.92" + + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-81.0.4044.92" + + +
+ + CVE-2020-6423 + CVE-2020-6430 + CVE-2020-6431 + CVE-2020-6432 + CVE-2020-6433 + CVE-2020-6434 + CVE-2020-6435 + CVE-2020-6436 + CVE-2020-6437 + CVE-2020-6438 + CVE-2020-6439 + CVE-2020-6440 + CVE-2020-6441 + CVE-2020-6442 + CVE-2020-6443 + CVE-2020-6444 + CVE-2020-6445 + CVE-2020-6446 + CVE-2020-6447 + CVE-2020-6448 + CVE-2020-6450 + CVE-2020-6451 + CVE-2020-6452 + CVE-2020-6454 + CVE-2020-6455 + CVE-2020-6456 + + whissi + whissi +
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 166b262f78ad..5259482477da 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 29 Feb 2020 17:08:53 +0000
+Sun, 12 Apr 2020 01:38:54 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 14ac9c2950b4..e60cae01f3fc 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-751af6f91da06f53265195cff434eb66a145af73 1574641117 2019-11-25T00:18:37+00:00
+f2cb9b0eb0e16fd065838568dbe36727be807027 1586556154 2020-04-10T22:02:34+00:00
-- 
cgit v1.2.3