From 691395139ec5ea80983f870451c53bb6fff8298a Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 30 Oct 2023 15:46:36 +0000 Subject: gentoo auto-resync : 30:10:2023 - 15:46:36 --- metadata/glsa/Manifest | 30 +++++++++++++------------- metadata/glsa/Manifest.files.gz | Bin 551527 -> 552160 bytes metadata/glsa/glsa-202310-17.xml | 43 +++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-202310-18.xml | 45 +++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-202310-19.xml | 44 ++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-202310-20.xml | 45 +++++++++++++++++++++++++++++++++++++++ metadata/glsa/timestamp.chk | 2 +- metadata/glsa/timestamp.commit | 2 +- 8 files changed, 194 insertions(+), 17 deletions(-) create mode 100644 metadata/glsa/glsa-202310-17.xml create mode 100644 metadata/glsa/glsa-202310-18.xml create mode 100644 metadata/glsa/glsa-202310-19.xml create mode 100644 metadata/glsa/glsa-202310-20.xml (limited to 'metadata/glsa') diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 86fd3f12d516..4b7a38f792a4 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 551527 BLAKE2B db64d10d2fa1122803097d484fee003fef693bdaf1bbc3e95adeb74bc10a4f4d9fb91c2a44ce8126e382ca58789a31168c226892f8e9b697446331bb0348d0ef SHA512 2574a3347157ae0bb1a2009e7010804d3b1b384faccb3d7bd553d8691f02c4ce971671af6ae20b2989ae24ed00352b3210d3b61e28abbc9963d54bcf5e71eb27 -TIMESTAMP 2023-10-30T09:10:00Z +MANIFEST Manifest.files.gz 552160 BLAKE2B c4a5477dbfb55c3bbe641438b3e9adf48fa50c0d3441ac98776b2554a171a4e603b690216aa384b9c720945f640c9a42d5bdc15ee8cebb6472ed148f81a03524 SHA512 92d0fedf6186bf9ffacb9ed55ab2129e7804756cf5b4d56d9a6de290ec38c4f69a9495d06d0f581ffecce1fad1e401d08bb1de2e4df369a23c39ca978499e608 +TIMESTAMP 2023-10-30T15:09:57Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmU/cuhfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmU/x0VfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klDpAg//RfjD9/+os2dkzr8e5EF//F2+MCaAgEEWV+SMfe8sU+d4xXl6ioVOtlFb -JatT/BML1zSUrSJ6ojy/UirG1Sio8sbHUoj4ZRaS+p9jSdxG4jxChvsdlCidJcHc -6pAKAqwmteF67Vq5AAp9A2bJs8IQlohSdCnTZXoiNFtKj09X0F5l5cEcvG98INFR -XQvtYWrwKrOEZ7Gm/yimaY/TMsot+DoBGVKgus/ByLmwEYNPNlMmrmvgaw4le41V -L69R0ZnQmVE65F/cNnXvd1CMgR3VBVS2J0rUz4W4zHzypSp/o5ZbZdY5TuphhwOB -EiHTJXxVP9raBbhUAjuRfKWaaJ8mBdFeyU9jgkR1uQPlTKLSQW30IpLnvP9p0pOY -FNBf6FnLW872vjenEzSOiho0SNJAwU2633zqQ0JdVPYGzyZ3mhYrLlrPvVIMBiHh -vW40b8zP+9NBfK9hllvtLyxAOlx7ByUGn7NYWdummrexZYu6YlumfM5d+fz/atoA -FnH4vnymn47u2iZpLSLS9VWS6bBQOA02Joh6DKu+DCWu3h8UEXRDRQmTGfkaK/44 -hwk8eN1oEEB9bRkyQuxsTIkPJXXxlZt5uzj0etAeViHRM5vkT5P8TfeS2rzveQ9n -74pMWIUZHRaa7JLuFUhL8NXPMM9j5p4vmIbSPzs2iHEcBsG1GTs= -=RxoY +klBozA//beKZo6QTORRDrOZPjnhG9n8t/HrsmnuyAYxaJmou9Pim0/TwwtBtE9P7 +mywDMODhx1Z4q6ho/ALPdNtNb+L95LVZvKQ910m2JIb/KDj0Zlz2sU6GuKPDMNcp +2nB6WI1+L4xbvvP58I1CB07k+oHoBnzr7mDQUkXKImexlNFXsXnBRZ3UaPYiYu0G +NW8UwnvybPTl0eWY3HmXGwjmpV1vBRzqzB/iYHrksQHp38FY9OoCy2Ex7EOrNb+j +fD/WfgZqVVN8A1FixrnKRvRImrkOE+4FgP7oPegyHHcs4cHZS+R0itRUMUej8frk +8eUS/XI1QA38eOheL2gia5dyeJ99Hv3pNC7AN2+v1HxptFUrxAQ29Wj383D0R6qC +iiY6aO9hAzUi8INGZVLQyCwmqx/iQwXbNvjV7rMZeljT9yfe9E1shvE9aMb1wEEQ +03oDmj9YzLH8L3BjWIxG/1paayFIbAAZlXKpNrFAEqE910NLqQE/l/AaikzAMgvC +HlwwhSleBY/urYyJEqxvfEYGnTBYgEqmVR2wRxNMnA6KdneUUxJNB6ipbqFpOr+S +afyrFxgdO04jb7zNHMKfI/tnOKa9OzCJcZsaFS/Kb77h7QlCtOTQiDlft5EXQjL8 +WjLGZEnSXAmDCKdiPv9sMkggTyQ6fI5T6NdrGN33wruJ6ve70gs= +=mAty -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index 91ebb5d9dc28..184a203d91d6 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-202310-17.xml b/metadata/glsa/glsa-202310-17.xml new file mode 100644 index 000000000000..2bc9e20328f5 --- /dev/null +++ b/metadata/glsa/glsa-202310-17.xml @@ -0,0 +1,43 @@ + + + + UnZip: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in UnZip, the worst of which could lead to code execution. + unzip + 2023-10-30 + 2023-10-30 + 831190 + local + + + 6.0_p27 + 6.0_p27 + + + +

Info-ZIP’s UnZip is a tool to list and extract files inside PKZIP compressed files.

+ + +

Multiple vulnerabilities have been discovered in UnZip. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All UnZip users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/unzip-6.0_p27" + + + + CVE-2022-0529 + CVE-2022-0530 + + graaff + graaff + \ No newline at end of file diff --git a/metadata/glsa/glsa-202310-18.xml b/metadata/glsa/glsa-202310-18.xml new file mode 100644 index 000000000000..b66189f1dca0 --- /dev/null +++ b/metadata/glsa/glsa-202310-18.xml @@ -0,0 +1,45 @@ + + + + Rack: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging compontents. + rack + 2023-10-30 + 2023-10-30 + 884795 + remote + + + 2.2.3.1 + 2.2.3.1 + + + +

Rack is a modular Ruby web server interface.

+ + +

Multiple vulnerabilities have been discovered in Rack. Please review the CVE identifiers referenced below for details.

+ + +

A possible denial of service vulnerability was found in the multipart parsing component of Rack. + +A sequence injection vulnerability was found which could allow a possible shell escape in the Lint and CommonLogger components of Rack.

+ + +

There is no known workaround at this time.

+ + +

All Rack users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/rack-2.2.3.1" + + + + CVE-2022-30122 + CVE-2022-30123 + + graaff + graaff + \ No newline at end of file diff --git a/metadata/glsa/glsa-202310-19.xml b/metadata/glsa/glsa-202310-19.xml new file mode 100644 index 000000000000..c054d9841f8f --- /dev/null +++ b/metadata/glsa/glsa-202310-19.xml @@ -0,0 +1,44 @@ + + + + Dovecot: Privilege Escalation + A vulnerability has been discovered in Dovecot that can lead to a privilege escalation when master and non-master passdbs are used. + dovecot + 2023-10-30 + 2023-10-30 + 856733 + local and remote + + + 2.3.19.1-r1 + 2.3.19.1-r1 + + + +

Dovecot is an open source IMAP and POP3 email server.

+ + +

A vulnerability has been discovered in Dovecot. Please review the CVE identifier referenced below for details.

+ + +

When two passdb configuration entries exist in Dovecot configuration, which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving master user authentication. + +Dovecot documentation does not advise against the use of passdb definitions which have the same driver and args settings. One such configuration would be where an administrator wishes to use the same pam configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.

+ + +

There is no known workaround at this time.

+ + +

All Dovecot users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.3.19.1-r1" + + + + CVE-2022-30550 + + graaff + graaff + \ No newline at end of file diff --git a/metadata/glsa/glsa-202310-20.xml b/metadata/glsa/glsa-202310-20.xml new file mode 100644 index 000000000000..09fddfed57dc --- /dev/null +++ b/metadata/glsa/glsa-202310-20.xml @@ -0,0 +1,45 @@ + + + + rxvt-unicode: Arbitrary Code Execution + A vulnerability has been discovered in rxvt-unicode where data written to the terminal can lead to code execution. + rxvt-unicode + 2023-10-30 + 2023-10-30 + 884787 + local and remote + + + 9.30 + 9.30 + + + +

rxvt-unicode is a clone of the well known terminal emulator rxvt.

+ + +

A vulnerability has been discovered in rxvt-unicode. Please review the CVE identifiers referenced below for details.

+ + +

in the Perl background extension, when an attacker can +control the data written to the user's terminal and certain options are set. + +The "background" extension is automatically loaded if certain X resources are set such as 'transparent' (see the full list at the top of src/perl/background[1]). So it is possible to be using this extension without realising it.

+ + +

There is no known workaround at this time.

+ + +

All rxvt-unicode users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-9.30" + + + + CVE-2022-4170 + + graaff + graaff + \ No newline at end of file diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 00cffb1c3532..4fe089370ddb 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Mon, 30 Oct 2023 09:09:57 +0000 +Mon, 30 Oct 2023 15:09:54 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index e64bf8942b68..74d6c3070aed 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -9f1c7e1afafc090d1c9f5074a8f34ce83f4bf4af 1698295694 2023-10-26T04:48:14+00:00 +d12a82540d0c09c7cbfd5cec49458e7628226b4b 1698661209 2023-10-30T10:20:09+00:00 -- cgit v1.2.3