From 957235cf19a691360c720f7913672adda4258ed0 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Sun, 7 Oct 2018 11:03:14 +0100 Subject: gentoo resync : 07.10.2018 --- metadata/glsa/Manifest | 30 +++++----- metadata/glsa/Manifest.files.gz | Bin 428048 -> 428688 bytes metadata/glsa/glsa-201810-01.xml | 115 +++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-201810-02.xml | 59 ++++++++++++++++++++ metadata/glsa/glsa-201810-03.xml | 49 +++++++++++++++++ metadata/glsa/glsa-201810-04.xml | 76 ++++++++++++++++++++++++++ metadata/glsa/timestamp.chk | 2 +- metadata/glsa/timestamp.commit | 2 +- 8 files changed, 316 insertions(+), 17 deletions(-) create mode 100644 metadata/glsa/glsa-201810-01.xml create mode 100644 metadata/glsa/glsa-201810-02.xml create mode 100644 metadata/glsa/glsa-201810-03.xml create mode 100644 metadata/glsa/glsa-201810-04.xml (limited to 'metadata/glsa') diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 6f5bd9aa2648..8c5348102f55 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest 
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 428048 BLAKE2B 5834bbfc1927ee7e2cae3faeae917bb164749c31d96c4c2668b07723f350b9742d5ef21ebbf7f78fbff1cc985eb00ece32e39d04e065bfb0d6824a4107935d0a SHA512 038811f6891b17d7f2be8dde22716fa2af520867cd5808ca4a095d817a75e7d94ee52dc46317f62740ddbc4cd55248f9f02d26404d1805e220ae95187a8b3764 -TIMESTAMP 2018-09-30T09:38:32Z +MANIFEST Manifest.files.gz 428688 BLAKE2B ad7b0e93dc8d25ffce2b6b151e2b2f9d3f4644e2e0bd01b04b2cf32db642d1d55604ebfba538d50e5bffd72012f36cafeebb5fa8b059c51e9495a17ed7d24e61 SHA512 38eef2b8a964d52745f651dc5c44cb508b253654c94f1704d61e63093636d75a72c2f7e2db78f40261fe9fecdede9dacd2401b62f42b01813651f01c9fe87245 +TIMESTAMP 2018-10-07T09:08:39Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAluwmZhfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlu5zRdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klDJARAAh0z1anjPsytfUjKeRgnvIu+i02utg9a9WYiG612J3d5UTXaygQRqozJ2 -bPBi2/1jAvtrRERcxHncKO439qZQqwTTYToeXeN87afmAtk2ZNb0XOhdRwl3pZVk -Gn8SxtqQVUyPWTXvI+lO2fys4JUEC+goWbIhAp+UNCxlVNXwwJ0HsfjDEEx4L6kA -nCyrR4P5Dj73BWxIX9N4hPBFo4kv6YNABFbOXqzBiGEr+rtdgl3rUgkWipywHTRQ -JapTC4j49JJG5aXR+jXhEdGTilo5fSepOcAunIvQtXSaVL0NBLJgPbMcCwhU/zlB -lJSqjjn4NwPTxQ3IAknB8homdfXCfsqK9gPUeOwXGKk1v4UM4o8zBOHU9DvDgNKh -UNCv2EQulcpLqkauc+XbAMa8p7ILNODXw2DMNE38FhflmvVdkHXejoJ05ThvAedX -TVUtfw5HJaV9SHgcwhb6kZjAk2tkZgnF0aDFW+qNNmlQRuivOTQ2XzmswQslbx2R -3tSSXHKAEvZUugBITvmMYr20fPAoKVLapblSTSBb/UqUIWhbJLd684/zCXC3zhq6 -Ko7ns7/7HrSu3WBUBzs0aYt3f//0kTudChygow2ZZVRA4NfbW/w7nKKsS61KT0ux -fFjoYaP9G6D4KaL666KAWM8FPbTSt1qTjoi7DHnoDT3qAQwbmaE= -=MhTS +klAvZhAArNAbUYnMpMArimd1S2hFpCTziOUiqu1V9fc4XSwsfgo0Ho05PKzJaA+i +AA6FZwaN8QJPxuXZDCci2Yf2nXTtYHUDr+PPL2ETb/P9iDdsnWIpgy3/zW5vdEJK +Ad2C8a6Hdcad0hhE5h1xkHx2FwTcOyjyl97/p726W464sTeLCrMs2SIRjFbPzTrs 
+mT5MEaUm3ChYYcGWhPqWfqKA+OPpJ9U85+xg4HVGDDEzI5s5jjSfMex4lMiPdtBq +q7St1k276FTc5GYKeQA+f+fvtzKcTajD/heVR9ZEBS6mRzA154d7U+tMAGth6CvU +boNW7Bl21PQejpYlpCpz3W1n3xZxAG/atSfODLxeP55JuSLFuizgxQJQy4BHkWrA +P6IEI0lVTXWg378PFrcOmq6cWoi9YfKPjJ/lkNbBg8XBFjQlcwhK6IGcnL9+XEeZ +TAf2+Adi+Nj/aM7B+37LNVmVrsTe/Ncl3NqFlrjjT/mC1rfHW19T+ijrJQwqwFhH +9t+M0OKr7EXAzaOtLtgyiwOvr39GAIl/c3OD4KlVwY7Grr8gMUTlzpPcS+1aycJw +DUMMsKZ2FFmRpEO0TMsbrR8bOmc2xoIwGVrgkuxIecodppGFjkGW4VNtN7h5tHtb +8CeyFCiZQHF/XqfGSBdII9QSg7JkNe1zvmY+4zUlvSp3Ar6pxu0= +=edFR -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index efd7310b81fc..aab66931c134 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-201810-01.xml b/metadata/glsa/glsa-201810-01.xml new file mode 100644 index 000000000000..ebe9c30ed5f3 --- /dev/null +++ b/metadata/glsa/glsa-201810-01.xml @@ -0,0 +1,115 @@ + + + + Mozilla Firefox: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mozilla Firefox, the + worst of which may allow execution of arbitrary code. + + firefox + 2018-10-02 + 2018-10-02 + 650422 + 657976 + 659432 + 665496 + 666760 + 667612 + remote + + + 60.2.2 + 60.2.2 + + + 60.2.2 + 60.2.2 + + + +

Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. +

+
+ +

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please + review the referenced CVE identifiers for details. +

+
+ +

A remote attacker could entice a user to view a specially crafted web + page, possibly resulting in the execution of arbitrary code with the + privileges of the process or a Denial of Service condition. Furthermore, + a remote attacker may be able to perform Man-in-the-Middle attacks, + obtain sensitive information, spoof the address bar, conduct clickjacking + attacks, bypass security restrictions and protection mechanisms, or have + other unspecified impact. +

+
+ +

There is no known workaround at this time.

+
+ +

All Mozilla Firefox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-60.2.2" + + +

All Mozilla Firefox binary users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-60.2.2" + + +
+ + CVE-2017-16541 + CVE-2018-12358 + CVE-2018-12359 + CVE-2018-12360 + CVE-2018-12361 + CVE-2018-12362 + CVE-2018-12363 + CVE-2018-12364 + CVE-2018-12365 + CVE-2018-12366 + CVE-2018-12367 + CVE-2018-12368 + CVE-2018-12369 + CVE-2018-12370 + CVE-2018-12371 + CVE-2018-12376 + CVE-2018-12377 + CVE-2018-12378 + CVE-2018-12379 + CVE-2018-12381 + CVE-2018-12383 + CVE-2018-12385 + CVE-2018-12386 + CVE-2018-12387 + CVE-2018-5125 + CVE-2018-5127 + CVE-2018-5129 + CVE-2018-5130 + CVE-2018-5131 + CVE-2018-5144 + CVE-2018-5150 + CVE-2018-5154 + CVE-2018-5155 + CVE-2018-5156 + CVE-2018-5157 + CVE-2018-5158 + CVE-2018-5159 + CVE-2018-5168 + CVE-2018-5178 + CVE-2018-5183 + CVE-2018-5186 + CVE-2018-5187 + CVE-2018-5188 + CVE-2018-6126 + + whissi + irishluck83 +
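Review bot: the description and synopsis of this hunk name only "Mozilla Firefox", while the affected-package block and the resolution cover two packages, `www-client/firefox` and `www-client/firefox-bin`, both bounded at 60.2.2. A user of the binary package who reads only the description may conclude the advisory does not apply to them; suggest the description say that both packages are affected, e.g. "Multiple vulnerabilities have been discovered in Mozilla Firefox (www-client/firefox and www-client/firefox-bin)." The two resolution blocks are consistent with the affected versions as written: `# emerge --ask --oneshot --verbose ">=www-client/firefox-60.2.2"` and `# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-60.2.2"`.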
diff --git a/metadata/glsa/glsa-201810-02.xml b/metadata/glsa/glsa-201810-02.xml new file mode 100644 index 000000000000..20bc31cf4a1d --- /dev/null +++ b/metadata/glsa/glsa-201810-02.xml @@ -0,0 +1,59 @@ + + + + SoX: Multiple vulnerabilities + Multiple vulnerabilities have been found in SoX, the worst of which + may lead to a Denial of Service condition. + + sox + 2018-10-06 + 2018-10-06 + 626702 + 627570 + 634450 + 634814 + remote + + + 14.4.2-r1 + 14.4.2-r1 + + + +

SoX is a command line utility that can convert various formats of + computer audio files in to other formats. +

+
+ +

Multiple vulnerabilities have been discovered in SoX. Please review the + referenced CVE identifiers for details. +

+
+ +

A remote attacker, by enticing a user to process a crafted WAV, HCOM, + SND, or AIFF file, could cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All SoX users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/sox-14.4.2-r1" + +
+ + CVE-2017-11332 + CVE-2017-11358 + CVE-2017-11359 + CVE-2017-15370 + CVE-2017-15371 + CVE-2017-15372 + CVE-2017-15642 + + BlueKnight + irishluck83 +
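Review bot: style point in the background paragraph of this hunk: "convert various formats of computer audio files in to other formats" should read "into other formats". The impact statement ("A remote attacker, by enticing a user to process a crafted WAV, HCOM, SND, or AIFF file, could cause a Denial of Service condition") agrees with the synopsis, and the resolution atom `">=media-sound/sox-14.4.2-r1"` matches the 14.4.2-r1 boundary in the affected block. One documentation suggestion: the fix is a Gentoo revision bump (-r1) of the same upstream version 14.4.2, so a sentence saying the fixes are carried in the Gentoo revision rather than in a new upstream release would tell readers why 14.4.2 without the revision stays vulnerable.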
diff --git a/metadata/glsa/glsa-201810-03.xml b/metadata/glsa/glsa-201810-03.xml new file mode 100644 index 000000000000..9165083ac1cb --- /dev/null +++ b/metadata/glsa/glsa-201810-03.xml @@ -0,0 +1,49 @@ + + + + OpenSSH: User enumeration vulnerability + A vulnerability in OpenSSH might allow remote attackers to + determine valid usernames. + + openssh + 2018-10-06 + 2018-10-06 + 664264 + remote + + + 7.7_p1-r8 + 7.7_p1-r8 + + + +

OpenSSH is a complete SSH protocol implementation that includes SFTP + client and server support. +

+
+ +

It was discovered that OpenSSH was prone to a user enumeration + vulnerability. +

+
+ +

A remote attacker could conduct user enumeration.

+
+ +

There is no known workaround at this time.

+
+ +

All OpenSSH users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openssh-7.7_p1-r8" + + +
+ + CVE-2018-15473 + + whissi + whissi +
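Review bot: the impact section of this hunk ("A remote attacker could conduct user enumeration.") only restates the description and says less than the synopsis, which already states that the flaw lets remote attackers "determine valid usernames". Suggest the impact sentence name what is exposed: an unauthenticated remote client can learn which usernames exist on the host, a pre-authentication information disclosure. Also, the resolution `# emerge --ask --oneshot --verbose ">=net-misc/openssh-7.7_p1-r8"` is a Gentoo revision bump of 7.7_p1, so a note that the fix is carried in the -r8 revision would clarify why earlier 7.7_p1 revisions remain affected.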
diff --git a/metadata/glsa/glsa-201810-04.xml b/metadata/glsa/glsa-201810-04.xml new file mode 100644 index 000000000000..8b1b96e811df --- /dev/null +++ b/metadata/glsa/glsa-201810-04.xml @@ -0,0 +1,76 @@ + + + + ImageMagick: Security hardening + Due to multiple vulnerabilities in various coders used by + ImageMagick, Gentoo Linux now installs a policy.xml file which will + restrict coder usage by default. + + imagemagick + 2018-10-06 + 2018-10-06 + 664236 + local, remote + + + 6.9.10.10-r1 + 7.0.8.10-r1 + 6.9.10.10-r1 + 7.0.8.10-r1 + + + +

ImageMagick is a collection of tools and libraries for many image + formats. +

+
+ +

If you process an image with ImageMagick and don’t validate the file + before (e.g. check magic byte), ImageMagick will call any coders found in + the given file. So if ImageMagick will find Ghostscript for example, it + will call Ghostscript. +

+ +

Due to multiple -dSAFER sandbox bypass vulnerabilities in Ghostscript, + this can lead to arbitrary code execution. +

+ +

To mitigate this problem we install a policy.xml file by default which + will disable PS, EPS, PDF, and XPS coders. +

+
+ +

A remote attacker, by enticing a user to process a specially crafted + image file, could execute arbitrary code with the privileges of the + process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All ImageMagick 6 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=media-gfx/imagemagick-6.9.10.10-r1" + + +

All ImageMagick 7 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=media-gfx/imagemagick-7.0.8.10-r1" + + +
+ + Ghostscript contains + multiple -dSAFER sandbox bypass vulnerabilities (VU#332928) + + + whissi + whissi +
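Review bot: the workaround section of this hunk ("There is no known workaround at this time.") contradicts the description, which itself describes the mitigation: a policy.xml that disables the PS, EPS, PDF and XPS coders. A user who cannot upgrade yet can apply that same restriction to an existing installation, so the workaround section should say so rather than claim none exists, e.g. "Users who cannot upgrade can restrict the PS, EPS, PDF and XPS coders in ImageMagick's policy.xml." Two smaller points: the root cause named in the references is Ghostscript's -dSAFER sandbox bypasses (VU#332928), while the resolution only upgrades ImageMagick, so the text should state that the policy reduces exposure but does not fix Ghostscript itself; and in both resolution blocks the package atom is wrapped onto its own line after `# emerge --ask --oneshot --verbose`, which reads as two separate commands when copied, so keep the atom on the same line as the other GLSAs in this commit do.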
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index bc54edd0cd8e..4b5c84dd0035 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Sun, 30 Sep 2018 09:38:28 +0000 +Sun, 07 Oct 2018 09:08:36 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 48b67b89a28e..6add75c1308d 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -369717e703607f113d1aa3954217fedba2e18a69 1534973538 2018-08-22T21:32:18+00:00 +b914ac7ce64b6f61d701c5cf4173dd03fafdca0e 1538845801 2018-10-06T17:10:01+00:00 -- cgit v1.2.3
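Review bot: the Manifest hunk replaces the signed entry for Manifest.files.gz (size 428048 to 428688, new BLAKE2B and SHA512) and the TIMESTAMP (2018-09-30T09:38:32Z to 2018-10-07T09:08:39Z) together with a fresh PGP signature, but Manifest.files.gz itself appears only as "Binary files ... differ", so the per-file hashes of the four new glsa-201810-0[1-4].xml files cannot be checked from this diff. Suggest the review (or a CI step) verify the clearsigned Manifest with `gpg --verify metadata/glsa/Manifest` against the expected Gentoo signing key and recompute the BLAKE2B and SHA512 of Manifest.files.gz before merging a resync commit, since the commit message "gentoo resync : 07.10.2018" gives no other provenance for the new advisories.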