From 85261a4d217482e1c124937d57ec98a0aabaee59 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Sun, 25 Sep 2022 17:34:04 +0100
Subject: gentoo auto-resync : 25:09:2022 - 17:34:03
---
 metadata/glsa/Manifest | 30 +++++++++---------
 metadata/glsa/Manifest.files.gz | Bin 525759 -> 527347 bytes
 metadata/glsa/glsa-202209-06.xml | 49 ++++++++++++++++++++++++++++++
 metadata/glsa/glsa-202209-07.xml | 40 ++++++++++++++++++++++++
 metadata/glsa/glsa-202209-08.xml | 41 +++++++++++++++++++++++++
 metadata/glsa/glsa-202209-09.xml | 47 ++++++++++++++++++++++++++++
 metadata/glsa/glsa-202209-10.xml | 40 ++++++++++++++++++++++++
 metadata/glsa/glsa-202209-11.xml | 44 +++++++++++++++++++++++++++
 metadata/glsa/glsa-202209-12.xml | 53 ++++++++++++++++++++++++++++++++
 metadata/glsa/glsa-202209-13.xml | 42 +++++++++++++++++++++++++
 metadata/glsa/glsa-202209-14.xml | 44 +++++++++++++++++++++++++++
 metadata/glsa/glsa-202209-15.xml | 64 +++++++++++++++++++++++++++++++++++++++
 metadata/glsa/timestamp.chk | 2 +-
 metadata/glsa/timestamp.commit | 2 +-
 14 files changed, 481 insertions(+), 17 deletions(-)
 create mode 100644 metadata/glsa/glsa-202209-06.xml
 create mode 100644 metadata/glsa/glsa-202209-07.xml
 create mode 100644 metadata/glsa/glsa-202209-08.xml
 create mode 100644 metadata/glsa/glsa-202209-09.xml
 create mode 100644 metadata/glsa/glsa-202209-10.xml
 create mode 100644 metadata/glsa/glsa-202209-11.xml
 create mode 100644 metadata/glsa/glsa-202209-12.xml
 create mode 100644 metadata/glsa/glsa-202209-13.xml
 create mode 100644 metadata/glsa/glsa-202209-14.xml
 create mode 100644 metadata/glsa/glsa-202209-15.xml
(limited to 'metadata/glsa')
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 3d63a935101a..a29919ff1d8b 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 525759 BLAKE2B 487aaba91a7a713d59ac9586bbe0ffaeb7bf01fde9781422d78f1d1e009e745a8cea346fbefedc07f275060c3798240f56799ae9f182d10305c04a36eac8db25 SHA512 9ad37d1ae3ef248f0c465e37bce58b95e6f9da024c5d52c9ede183ff971546b15abed0e4dd4ca83a4f69fd2c722ad188eb583dd8d8337d8d99ae3e7c776b7da4 -TIMESTAMP 2022-09-25T09:40:00Z +MANIFEST Manifest.files.gz 527347 BLAKE2B 2a3ca4466b681cdb565e900ea1a740da53b44fbb53b587593768b40df60e0574c7bd692ef80c62c3eb717f2ded2eddd9f52d1600f669a4df4b5cd88371298781 SHA512 966d722a4e31cba37994e6aa7863ecd729a7c644c719a26094f88a8acb8e90825cffcd239a1f665ad159294f5377cc124a3c9da2f622fbf7561835a7bb02c3e7 +TIMESTAMP 2022-09-25T15:39:59Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmMwIfBfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmMwdk9fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klCUUxAAslFDlrd8yH0WOKxrv1r+O8J/5paEm3v5znX5Hf4BTe0h4wyZLzZ1JcXc -rd9CtFiDM6iZM4G/x53JfzIbgYy0pUWHffdDqlI0V9ZGCxfzgTu7vGnH0FrdjNE+ -JskW+NnyiY3K5bX/58GwVSzx70nANCTVSBCxIJ/Pq4wSLnzrPzpUTzhRX2dU6azO -cg4bmsNdahmU7s9g2lIB+aEVeU+80r3Wbw1kaP6Z2hOgVkkG1FrJAaQLjgsvbDua -HMJzl3inu4A331fVFHdPg7Z8gmYMufvekqSejro8zE4wFBSF5uctWFNfVqjSwRwX -2qp5T9dPjtMZWYupFNix64uehV7Btb9t/VSJWs4TZGAJI7FWhS7qokCQrx6jbfQd -xCgeBkYpi9X3PavL6RzP1VidxNPLLlXsXYkh0ne9SCdboLXg7eQBYY5ZNxMspNuY -zmaMj7i6NCImIN2ekzyLME2lSdk7/CUqJeFYmjrv4P/MduMxPrFkEEu3ZlKz3vMo -kSTNV3i9uuL5kPh+0KUMZIkuIv7QUf5w2is85nQqkBDAu57mbvx5wCD9UUZzvhYf -nQ8IJzMbfvfEXwESZGtQSBz8bb5t1iZNj8tg4bJBLSHDDZ4XfPg5xHMmoIgxTGc7 -4pNP51MKxdNmHkx2xyUGfKJqOdy4caHZ1fQOV4xZTc9BHx7p++o= -=Knom +klAjHQ/8CnfvUavmxxwHVLhJdivcEQYl3yvck89/E+3d1ovV67dQwiRMwka1obZO +CPRIi+w7m5VdOj4/UwBm9uuCGWEswYEHAWLphL6LktBbsYyU3bnp5o1fBUpqBGVX +n9guXnPQ03RxJYjQFcWGAn2d6VbJMoJ97d9vkSHjrYQg5UmnJ0aL10q4wDtOiKMY 
+tw3/pF9TM0WNlX0/z3hehD0urdPY4pjVkjW26GesjzZSam5mwlV6aLmrYcmIM2Rx +k4jF77TaOUJ43cy1ufhL05ygqOgwWM/4IO4XLICH50MDCLCDtEFLoPXydefE8rxQ +Kt9yTZo+NisAR5doQfWAUxJuNMkG1lArPAmZ0kaXWUECPN16T3or+e9WljXLhh76 +bCgn+samJLHKhVwEVVlXw3KEogmAbRU7mUgdM7LRc9vRMGpwaqCKn1TulQo1/u02 +OhHr6jHPX9r+dJYCP2Y4Dc389c2PuIvO5sWoopjgRgyK3icLEo2J//aQf8QgcZiZ +gLTjsyZm+hDFbRRaz3Cj4Mua4ARNEDWnt2avs2yuw0Y84MqtVJLYFPT/mKfzakyw +MfyGBpd/UuXSuMuCt8H0Oc1WfTPP474CgMPcKZhfLj6aywzqpe5Rg2GOLkJSEck9 +Swl3m+8Q/+TpsUI+NbOCTWGkpjfPXgF+9ySMfyjMnQSXCqhDU5I= +=AG4N -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index 7ecc60fdbad4..269086cc58ee 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-202209-06.xml b/metadata/glsa/glsa-202209-06.xml new file mode 100644 index 000000000000..717b6c92accc --- /dev/null +++ b/metadata/glsa/glsa-202209-06.xml @@ -0,0 +1,49 @@ + + + + Rizin: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Rizin, the worst of which could lead to arbitrary code execution. + rizin + 2022-09-25 + 2022-09-25 + 861524 + 868999 + local and remote + + + 0.4.1 + 0.4.1 + + + +

Rizin is a reverse engineering framework for binary analysis.

+
+ +

Multiple vulnerabilities have been discovered in Rizin. Please review the CVE identifiers referenced below for details.

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Rizin users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/rizin-0.4.1" + +
+ + CVE-2022-34612 + CVE-2022-36039 + CVE-2022-36040 + CVE-2022-36041 + CVE-2022-36042 + CVE-2022-36043 + CVE-2022-36044 + + ajak + ajak +
\ No newline at end of file diff --git a/metadata/glsa/glsa-202209-07.xml b/metadata/glsa/glsa-202209-07.xml new file mode 100644 index 000000000000..556fa69ed9a8 --- /dev/null +++ b/metadata/glsa/glsa-202209-07.xml @@ -0,0 +1,40 @@ + + + + Mrxvt: Arbitrary Code Execution + A vulnerability has been discovered in Mrxvt which could allow for arbitrary code execution + mrxvt + 2022-09-25 + 2022-09-25 + 791004 + local and remote + + + 0.5.4 + + + +

Mrxvt is a multi-tabbed rxvt clone with XFT, transparent background and CJK support.

+
+ +

Mrxvt mishandles certain escape sequences, some of which allow for shell command execution.

+
+ +

An attacker with sufficient access to write arbitrary text to the Mrxvt terminal could execute arbitrary code.

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for Mrxvt. We recommend that users remove it:

+ + + # emerge --ask --depclean "x11-terms/mrxvt" + +
+ + CVE-2021-33477 + + ajak + ajak +
\ No newline at end of file diff --git a/metadata/glsa/glsa-202209-08.xml b/metadata/glsa/glsa-202209-08.xml new file mode 100644 index 000000000000..9687477405a8 --- /dev/null +++ b/metadata/glsa/glsa-202209-08.xml @@ -0,0 +1,41 @@ + + + + Smokeping: Multiple vulnerabilities + Multiple vulnerabilities have been discovered in Smokeping, the worst of which could result in root privilege escalation. + smokeping + 2022-09-25 + 2022-09-25 + 631140 + 602652 + local + + + 2.7.3-r1 + + + +

Smokeping is a powerful latency measurement tool

+
+ +

Multiple vulnerabilities have been discovered in Smokeping. Please review the CVE identifiers referenced below for details.

+
+ +

A local attacker which gains access to the smokeping user could gain root privileges.

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for Smokeping. We recommend that users remove it:

+ + + # emerge --ask --depclean "net-analyzer/smokeping" + +
+ + CVE-2017-20147 + + ajak + ajak +
diff --git a/metadata/glsa/glsa-202209-09.xml b/metadata/glsa/glsa-202209-09.xml new file mode 100644 index 000000000000..83bd6e71ede3 --- /dev/null +++ b/metadata/glsa/glsa-202209-09.xml @@ -0,0 +1,47 @@ + + + + Smarty: Multiple vulnerabilities + Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution + smarty + 2022-09-25 + 2022-09-25 + 830980 + 845180 + 870100 + remote + + + 4.2.1 + 4.2.1 + + + +

Smarty is a template engine for PHP. The "template security" feature of Smarty is designed to help reduce the risk of a system compromise when you have untrusted parties editing templates.

+
+ +

Multiple vulnerabilities have been discovered in Smarty. Please review the CVE identifiers referenced below for details.

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Smarty users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/smarty-4.2.1" + +
+ + CVE-2018-25047 + CVE-2021-21408 + CVE-2021-29454 + CVE-2022-29221 + + ajak + ajak +
\ No newline at end of file diff --git a/metadata/glsa/glsa-202209-10.xml b/metadata/glsa/glsa-202209-10.xml new file mode 100644 index 000000000000..9e9ae3a3bb95 --- /dev/null +++ b/metadata/glsa/glsa-202209-10.xml @@ -0,0 +1,40 @@ + + + + Logcheck: Root privilege escalation + A vulnerability has been discovered in Logcheck's ebuilds which could allow for root privilege escalation. + logcheck + 2022-09-25 + 2022-09-25 + 630752 + remote + + + 1.3.23 + + + +

Logcheck mails anomalies in the system logfiles to the administrator.

+
+ +

The pkg_postinst phase of the Logcheck ebuilds recursively chown the /etc/logcheck and /var/lib/logcheck directories. If the logcheck adds hardlinks to other files in these directories, the chown call will follow the link and transfer ownership of any file to the logcheck user.

+
+ +

A local attacker with access to the logcheck user could escalate to root privileges.

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for Logcheck. We recommend that users remove it:

+ + + # emerge --ask --depclean "app-admin/logcheck" + +
+ + CVE-2017-20148 + + ajak + ajak +
\ No newline at end of file diff --git a/metadata/glsa/glsa-202209-11.xml b/metadata/glsa/glsa-202209-11.xml new file mode 100644 index 000000000000..d1599df5c764 --- /dev/null +++ b/metadata/glsa/glsa-202209-11.xml @@ -0,0 +1,44 @@ + + + + HarfBuzz: Multiple vulnerabilities + Multiple vulnerabilities have been discovered in HarfBuzz, the worst of which could result in arbitrary code execution. + harfbuzz + 2022-09-25 + 2022-09-25 + 830372 + 856049 + remote + + + 4.4.0 + 4.4.0 + + + +
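Review bot: The access field of glsa-202209-10 is `remote`, but the description (a recursive chown in pkg_postinst following hardlinks planted by the logcheck user) and the impact text ("A local attacker with access to the logcheck user could escalate to root privileges") describe a purely local attack; the metadata should read `<access>local</access>` so consumers that filter advisories by access class are not misled. The description also drops a word: "If the logcheck adds hardlinks" should be "If the logcheck user adds hardlinks". Since the flaw is a one-time ownership transfer at install time, removing the package does not undo any ownership that an earlier postinst may already have transferred; it seems worth adding a sentence to the resolution advising administrators to audit for files owned by the logcheck user outside /etc/logcheck and /var/lib/logcheck before or after the depclean.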

HarfBuzz is an OpenType text shaping engine.

+
+ +

Multiple vulnerabilities have been discovered in HarfBuzz. Please review the CVE identifiers referenced below for details.

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All HarfBuzz users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/harfbuzz-4.4.0" + +
+ + CVE-2021-45931 + CVE-2022-33068 + + ajak + ajak +
\ No newline at end of file diff --git a/metadata/glsa/glsa-202209-12.xml b/metadata/glsa/glsa-202209-12.xml new file mode 100644 index 000000000000..f7b8e7ebc453 --- /dev/null +++ b/metadata/glsa/glsa-202209-12.xml @@ -0,0 +1,53 @@ + + + + GRUB: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in GRUB, the worst of which may allow for secureboot bypass. + grub + 2022-09-25 + 2022-09-25 + 850535 + 835082 + local + + + 2.06 + 2.06 + + + +

GNU GRUB is a multiboot boot loader used by most Linux systems.

+
+ +

Multiple vulnerabilities have been discovered in GRUB. Please review the CVE identifiers referenced below for details.

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All GRUB users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-boot/grub-2.06-r3" + + +

After upgrading, make sure to run the grub-install command with options appropriate for your system. See the GRUB2 Gentoo Wiki page for directions. Your system will be vulnerable until this action is performed.

+
+ + CVE-2021-3695 + CVE-2021-3696 + CVE-2021-3697 + CVE-2021-3981 + CVE-2022-28733 + CVE-2022-28734 + CVE-2022-28735 + CVE-2022-28736 + CVE-2022-28737 + + ajak + ajak +
\ No newline at end of file diff --git a/metadata/glsa/glsa-202209-13.xml b/metadata/glsa/glsa-202209-13.xml new file mode 100644 index 000000000000..507d8dd2000e --- /dev/null +++ b/metadata/glsa/glsa-202209-13.xml @@ -0,0 +1,42 @@ + + + + libaacplus: Denial of Service + Multiple vulnerabilities have been discovered in libaacplus, the worst of which could result in denial of service. + libaacplus + 2022-09-25 + 2022-09-25 + 618000 + local and remote + + + 2.0.2-r3 + + + +
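Review bot: The affected/unaffected version boundary in glsa-202209-12 renders as `2.06` for both the unaffected and vulnerable ranges, while the resolution command requires `>=sys-boot/grub-2.06-r3`; if the XML really says `2.06`, tooling that evaluates the package ranges (e.g. glsa-check) would report a system on 2.06-r2 as clean even though the fix is only shipped in -r3. The ranges should match the resolution, i.e. `<unaffected range="ge">2.06-r3</unaffected>` and `<vulnerable range="lt">2.06-r3</vulnerable>`. The post-upgrade reminder to re-run grub-install is a good addition, since an updated package alone leaves the previously installed boot image in place.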

libaacplus is an HE-AAC+ v2 library, based on the reference implementation.

+
+ +

Multiple vulnerabilities have been discovered in libaacplus. Please review the CVE identifiers referenced below for details.

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued suport for libaacplus. We recommend that users remove it:

+ + + # emerge --ask --depclean "media-libs/libaacplus" + +
+ + CVE-2017-7603 + CVE-2017-7604 + CVE-2017-7605 + + ajak + ajak +
\ No newline at end of file diff --git a/metadata/glsa/glsa-202209-14.xml b/metadata/glsa/glsa-202209-14.xml new file mode 100644 index 000000000000..eebe11b4cc67 --- /dev/null +++ b/metadata/glsa/glsa-202209-14.xml @@ -0,0 +1,44 @@ + + + + Fetchmail: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Fetchmail, the worst of which could result in email disclosure to third parties. + fetchmail + 2022-09-25 + 2022-09-25 + 810676 + 804921 + remote + + + 6.4.22 + 6.4.22 + + + +
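Review bot: Typo in the resolution text of glsa-202209-13: "Gentoo has discontinued suport for libaacplus" should read "Gentoo has discontinued support for libaacplus", matching the wording used in the other discontinuation advisories in this batch. The title says "Denial of Service" while the synopsis and description speak of multiple vulnerabilities; that is consistent (the worst outcome is DoS), so only the typo needs fixing.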

Fetchmail is a remote mail retrieval and forwarding utility.

+
+ +

Multiple vulnerabilities have been discovered in Fetchmail. Please review the CVE identifiers referenced below for details.

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Fetchmail users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.4.22" + +
+ + CVE-2021-36386 + CVE-2021-39272 + + ajak + ajak +
\ No newline at end of file diff --git a/metadata/glsa/glsa-202209-15.xml b/metadata/glsa/glsa-202209-15.xml new file mode 100644 index 000000000000..17ecb3f121ef --- /dev/null +++ b/metadata/glsa/glsa-202209-15.xml @@ -0,0 +1,64 @@ + + + + Oracle JDK/JRE: Multiple vulnerabilities + Multiple vulnerabilities have been found in Oracle JDK and JRE, the worst of which could result in the arbitrary execution of code. + oracle-jdk-bin,oracle-jre-bin + 2022-09-25 + 2022-09-25 + 732630 + 717638 + remote + + + 11.0.2 + + + 1.8.0.202 + + + +

Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in today's demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that today's applications require.

+
+ +

Multiple vulnerabilities have been discovered in Oracle's JDK and JRE software suites. Please review the CVE identifiers referenced below for details.

+
+ +

Certain uses of untrusted data by Oracle JDK and JRE could result in arbitrary code execution.

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for the Oracle JDK and JRE. We recommend that users remove it, and use dev-java/openjdk, dev-java/openjdk-bin, or dev-java/openjdk-jre-bin instead:

+ + + # emerge --ask --depclean "dev-java/oracle-jre-bin" + # emerge --ask --depclean "dev-java/oracle-jdk-bin" + +
+ + CVE-2020-2585 + CVE-2020-2755 + CVE-2020-2756 + CVE-2020-2757 + CVE-2020-2773 + CVE-2020-2781 + CVE-2020-2800 + CVE-2020-2803 + CVE-2020-2805 + CVE-2020-14556 + CVE-2020-14562 + CVE-2020-14573 + CVE-2020-14577 + CVE-2020-14578 + CVE-2020-14579 + CVE-2020-14581 + CVE-2020-14583 + CVE-2020-14593 + CVE-2020-14621 + CVE-2020-14664 + + ajak + ajak +
\ No newline at end of file diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 56e5fa0002e2..c168cb574c68 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Sun, 25 Sep 2022 09:39:58 +0000 +Sun, 25 Sep 2022 15:39:56 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 86aa630a77f5..e8679a795959 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -7771cafe7bc8660946ac9740c02f8106d63660c7 1662520070 2022-09-07T03:07:50+00:00 +2570332a2b988e5bec8319e9b7bcfceb39048f5d 1664114157 2022-09-25T13:55:57+00:00 -- cgit v1.2.3