From 9ee6d97c2883d42f204a533a8bc1f4562df778fb Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Wed, 16 Sep 2020 09:32:48 +0100 Subject: gentoo resync : 16.09.2020 --- metadata/glsa/Manifest | 30 ++++++++--------- metadata/glsa/Manifest.files.gz | Bin 483364 -> 485271 bytes metadata/glsa/glsa-202009-01.xml | 49 ++++++++++++++++++++++++++++ metadata/glsa/glsa-202009-02.xml | 52 ++++++++++++++++++++++++++++++ metadata/glsa/glsa-202009-03.xml | 68 +++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-202009-04.xml | 44 +++++++++++++++++++++++++ metadata/glsa/glsa-202009-05.xml | 50 ++++++++++++++++++++++++++++ metadata/glsa/glsa-202009-06.xml | 44 +++++++++++++++++++++++++ metadata/glsa/glsa-202009-07.xml | 47 +++++++++++++++++++++++++++ metadata/glsa/glsa-202009-08.xml | 49 ++++++++++++++++++++++++++++ metadata/glsa/glsa-202009-09.xml | 53 ++++++++++++++++++++++++++++++ metadata/glsa/glsa-202009-10.xml | 67 ++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-202009-11.xml | 48 +++++++++++++++++++++++++++ metadata/glsa/glsa-202009-12.xml | 51 +++++++++++++++++++++++++++++ metadata/glsa/timestamp.chk | 2 +- metadata/glsa/timestamp.commit | 2 +- 16 files changed, 639 insertions(+), 17 deletions(-) create mode 100644 metadata/glsa/glsa-202009-01.xml create mode 100644 metadata/glsa/glsa-202009-02.xml create mode 100644 metadata/glsa/glsa-202009-03.xml create mode 100644 metadata/glsa/glsa-202009-04.xml create mode 100644 metadata/glsa/glsa-202009-05.xml create mode 100644 metadata/glsa/glsa-202009-06.xml create mode 100644 metadata/glsa/glsa-202009-07.xml create mode 100644 metadata/glsa/glsa-202009-08.xml create mode 100644 metadata/glsa/glsa-202009-09.xml create mode 100644 metadata/glsa/glsa-202009-10.xml create mode 100644 metadata/glsa/glsa-202009-11.xml create mode 100644 metadata/glsa/glsa-202009-12.xml (limited to 'metadata/glsa') diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 954a48c6a013..f2ecd5c95463 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 483364 BLAKE2B 60cb97b03631cf8e2ae2dc903bd9513cac6afc60670d0423e1cab2611545e32583d3cb6ec2628b442c618e39c0dfdf0a41a4e059ac3f323c3c8841b043b7d7cf SHA512 fb8ac7dcc2d9321108b64db583eaeee4a860f2b22afca3fbbd447088e69446c3286299604418071d8c2b233df8f2a4fc97ca2f2a7cc68829b3f5c007c7214a87 -TIMESTAMP 2020-09-02T12:38:34Z +MANIFEST Manifest.files.gz 485271 BLAKE2B 4eb8988705304f2e383081a3133de4ec8449e5f0f46de62a4f4c2c2af6353817ee8ec26fe0ae3fd4c8426b8050e7c0de9c3059ab313f7900ebd16aafc208995f SHA512 fa3aa9f4ae7a8c7e47f52390c6374a7742be939c44aa7705cde67726e11710429dacc0c2688d754eb68f752d311d29aaf6454c0cefcd866c171ec1f1a33d76df +TIMESTAMP 2020-09-16T01:38:38Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl9PkkpfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl9hbJ5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klDPzQ//T3T681/eHoAPg4b/QKVB+/3J5EERVYoJcK+9jO9o9FF13k8nJ052Wysa -d2RHZ7FnVCwLv45hhzqz1bnKcCJkvNB9m4L3mIWTKLoNZLoNN4MOU0Ynrio92CMT -3TAOViLTtglSOUWrEL2speNZoc1hwxMjGeLUZ6TIWKKKfY+oP5miM8Z/DMsMCY61 -9z4xaBP9DjCmOvhdvcuQCk+OOu1bBlQc/uEKhGXUC8DffwYL4JJooNskHEmzO771 -UImbjGurYXPgqBTdF8MRPjrJVM3u1cP1a3sVBwvjQ4mDSDFcNuEwu5hsk2yVqQVS -+hSTHoHdDybAb/EF68UPqRsVl2En4H5hMKiR4Civr7dMO1mR5ft0U0wN9k1y+Bmg -VZhAOhWPdPZ1X5/P3Jioz11HfFt9o3Y8Pw7pHMDL6hWqwndmVoYZjosPvya9NYEn -sRxBaxiiYnxG153ZP5tVM5vcNciKQ6/aMs9bDWOWSlibObzaZTR/WFRIO2oBub3z -8E0k/KDKeqwjJu7PLg4/ah1UzColwE4L+mDC4Xm/5/aZbXSeLPN4+kiIQ2mNWZmc -NITiZcDUaKmJO7eaofcEcvQw5cpJ0211vswgOZYxqJnuAzG2EurtPYDfgmrTg2Lb -Wb8D69VJDmh5Xe5/7+oVlyFGeWHr7NAyV3r+c6GaHPHm5c6iE5s= -=ysAp +klC8bxAArYD/yxcxrDjQv3QpmRz771WKUVFXwKO6YAeRXAc2KKbQrriw1zeCt0HE +Q92apAATteZyaMujwavguLbsWnM7SLBgwbX7OSNneAUEFlmdl7UaNFGD912nC4dd +LmMYGmUMDOktt6PP0PeO8n6tLM+kFNBi/0oyqT0GNjLGlTwBeCJId0ULvz8QAFi1 +8c2MY7rCEYqfs1hm+EbA/W2oOtu4evAtOapPsroIPSDa2HoABOtG3Vpha8WzMxjA +ADspaTmSl+wQUltmsB+dkRStUqF4mZTuC/Lt8jsSh7cTBI5sRj6tCB7mtQFdV76F +oKT7uOBIF116d2UnY+lOytXwOt+gNUyepbt5UGPH7DENK1TF4Ljjy7ptbDSnZGJ6 +oVM0qjmHu3TrzxvghHnG3ZIMTODamUq8XRbi6IovBCosLuizMOQKlGYVRLjV5K6k +gDsRgwgzYlGDPulnzadGNM6HsugQGBUeom1bzhyVFiBPByjBrUP4/i6fu648Pm0y +B/i+zNJTI2xpU1ZrxNoWSrp7sd78U/5RgiHrBsD7ZL/pV7e0MkaNHqJ3V5p9UnRb +UdPIWC0Of2aKUZ1ntaXqNmOqnA48Gm87mmOodJnx2v8jBkF5WqZ+UZwMZIGJrCIn +kOmPozoA5lqAjD1Qe41oTxIYFxikPU9CuQ1E4Z9yE/C+JMiKM+c= +=+FyX -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index 900daea608e2..3bdc6fcc838a 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-202009-01.xml b/metadata/glsa/glsa-202009-01.xml new file mode 100644 index 000000000000..0bb5e7ea2a7c --- /dev/null +++ b/metadata/glsa/glsa-202009-01.xml @@ -0,0 +1,49 @@ + + + + GnuTLS: Denial of service + A flaw was found in GnuTLS, possibly allowing a Denial of Service + condition. + + gnutls + 2020-09-06 + 2020-09-06 + 740390 + local, remote + + + 3.6.15 + 3.6.15 + + + +

GnuTLS is an Open Source implementation of the TLS and SSL protocols.

+ + +

It was found that GnuTLS didn’t handle “no_renegotiation” alert + properly. +

+ + +

A remote attacker could entice a user to connect to a malicious TLS + endpoint using an application linked against GnuTLS, possibly resulting + in a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All GnuTLS users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/gnutls-3.6.15" + + + + CVE-2020-24659 + + sam_c + sam_c + diff --git a/metadata/glsa/glsa-202009-02.xml b/metadata/glsa/glsa-202009-02.xml new file mode 100644 index 000000000000..72f3601248a3 --- /dev/null +++ b/metadata/glsa/glsa-202009-02.xml @@ -0,0 +1,52 @@ + + + + Dovecot: Multiple vulnerabilities + Multiple vulnerabilities have been found in Dovecot, the worst of + which could allow remote attackers to cause a Denial of Service condition. + + dovecot + 2020-09-06 + 2020-09-06 + 736617 + remote + + + 2.3.11.3 + 2.3.11.3 + + + +

Dovecot is an open source IMAP and POP3 email server.

+ + +

It was discovered that Dovecot incorrectly handled deeply nested MIME + parts, incorrectly handled memory when using NTLM, and incorrectly + handled zero-length messages. +

+ + +

A remote attacker could send a specially crafted mail or send specially + crafted authentication requests possibly resulting in a Denial of Service + condition. +

+ + +

There is no known workaround at this time.

+ + +

All Dovecot users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.3.11.3" + + + + CVE-2020-12100 + CVE-2020-12673 + CVE-2020-12674 + + whissi + whissi + diff --git a/metadata/glsa/glsa-202009-03.xml b/metadata/glsa/glsa-202009-03.xml new file mode 100644 index 000000000000..fe967a8a1eb8 --- /dev/null +++ b/metadata/glsa/glsa-202009-03.xml @@ -0,0 +1,68 @@ + + + + Chromium, Google Chrome: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which could result in the arbitrary execution of code. + + chromium,google-chrome + 2020-09-10 + 2020-09-10 + 741312 + local, remote + + + 85.0.4183.102 + 85.0.4183.102 + + + 85.0.4183.102 + 85.0.4183.102 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+ +

Google Chrome is one fast, simple, and secure browser for all your + devices. +

+ + +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the CVE identifiers referenced below for details. +

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-85.0.4183.102" + + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-85.0.4183.102" + + + + CVE-2020-15959 + CVE-2020-6573 + CVE-2020-6575 + CVE-2020-6576 + + sam_c + sam_c + diff --git a/metadata/glsa/glsa-202009-04.xml b/metadata/glsa/glsa-202009-04.xml new file mode 100644 index 000000000000..c3a3e40d2dba --- /dev/null +++ b/metadata/glsa/glsa-202009-04.xml @@ -0,0 +1,44 @@ + + + + Qt GUI: Buffer overflow + Qt GUI has a buffer overflow with unspecified impact. + qtgui + 2020-09-13 + 2020-09-13 + 736924 + local, remote + + + 5.14.2-r1 + 5.14.2-r1 + + + +

The GUI module and platform plugins for the Qt5 framework.

+ + +

It was discovered that Qt GUI’s XBM parser did not properly handle X + BitMap files. +

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Qt GUI users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtgui-5.14.2-r1" + + + + CVE-2020-17507 + + whissi + whissi + diff --git a/metadata/glsa/glsa-202009-05.xml b/metadata/glsa/glsa-202009-05.xml new file mode 100644 index 000000000000..6ae334f3e7dd --- /dev/null +++ b/metadata/glsa/glsa-202009-05.xml @@ -0,0 +1,50 @@ + + + + GStreamer RTSP Server: Denial of service + A vulnerability in GStreamer RTSP Server could lead to a Denial of + Service condition. + + gst-rtsp-server + 2020-09-13 + 2020-09-13 + 715100 + local, remote + + + 1.16.2 + 1.16.2 + + + +

RTSP server library based on GStreamer.

+ + +

It was discovered that GStreamer RTSP Server did not properly handle + authentication. +

+ + +

A remote attacker, by sending specially crafted authentication requests, + could possibly cause a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All GStreamer RTSP Server users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=media-libs/gst-rtsp-server-1.16.2" + + + + + CVE-2020-6095 + + whissi + whissi + diff --git a/metadata/glsa/glsa-202009-06.xml b/metadata/glsa/glsa-202009-06.xml new file mode 100644 index 000000000000..4b5a2bdb6342 --- /dev/null +++ b/metadata/glsa/glsa-202009-06.xml @@ -0,0 +1,44 @@ + + + + GNOME File Roller: Directory traversal + A vulnerability in GNOME File Roller could lead to a directory + traversal attack. + + file-roller + 2020-09-13 + 2020-09-13 + 717362 + local, remote + + + 3.36.3 + 3.36.3 + + + +

File Roller is an archive manager for the GNOME desktop environment.

+ + +

It was discovered that GNOME File Roller incorrectly handled symlinks.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All GNOME File Roller users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/file-roller-3.36.3" + + + + CVE-2020-11736 + + whissi + whissi + diff --git a/metadata/glsa/glsa-202009-07.xml b/metadata/glsa/glsa-202009-07.xml new file mode 100644 index 000000000000..7722f7890932 --- /dev/null +++ b/metadata/glsa/glsa-202009-07.xml @@ -0,0 +1,47 @@ + + + + Perl DBI: Multiple vulnerabilities + Multiple vulnerabilities have been found in the Perl module DBI, + the worst of which could result in a Denial of Service condition. + + dbi + 2020-09-13 + 2020-09-13 + 732636 + local + + + 1.643.0 + 1.643.0 + + + +

A database access module for the Perl programming language.

+ + +

Multiple vulnerabilities have been discovered in the Perl module DBI. + Please review the CVE identifiers referenced below for details. +

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Perl DBI module users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-perl/DBI-1.643.0" + + + + CVE-2020-14392 + CVE-2020-14393 + + whissi + whissi + diff --git a/metadata/glsa/glsa-202009-08.xml b/metadata/glsa/glsa-202009-08.xml new file mode 100644 index 000000000000..f95557751113 --- /dev/null +++ b/metadata/glsa/glsa-202009-08.xml @@ -0,0 +1,49 @@ + + + + GNOME Shell: Information disclosure + An information disclosure vulnerability in GNOME Shell might allow + local attackers to obtain sensitive information. + + gnome-shell + 2020-09-13 + 2020-09-13 + 736802 + local + + + 3.34.5-r1 + 3.34.5-r1 + + + +

GNOME Shell provides core user interface functions for the GNOME 3 + desktop, like switching to windows and launching applications. +

+ + +

It was discovered that GNOME Shell incorrectly handled the login screen + password dialog. +

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All GNOME Shell users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=gnome-base/gnome-shell-3.34.5-r1" + + + + CVE-2020-17489 + + whissi + whissi + diff --git a/metadata/glsa/glsa-202009-09.xml b/metadata/glsa/glsa-202009-09.xml new file mode 100644 index 000000000000..4716f54af843 --- /dev/null +++ b/metadata/glsa/glsa-202009-09.xml @@ -0,0 +1,53 @@ + + + + Nextcloud Desktop Sync client: Multiple vulnerabilities + Multiple vulnerabilities have been found in Nextcloud Desktop Sync + client, the worst of which may allow execution of arbitrary code. + + nextcloud-client + 2020-09-13 + 2020-09-13 + 736649 + remote + + + 2.6.5 + 2.6.5 + + + +

Nextcloud Desktop Sync client can synchronize one or more directories to + Nextcloud server. +

+ + +

Multiple vulnerabilities have been discovered in Nextcloud Desktop Sync + client. Please review the CVE identifiers referenced below for details. +

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Nextcloud Desktop Sync client users should upgrade to the latest + version: +

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/nextcloud-client-2.6.5" + + + + + CVE-2020-8189 + CVE-2020-8224 + CVE-2020-8227 + + whissi + whissi + diff --git a/metadata/glsa/glsa-202009-10.xml b/metadata/glsa/glsa-202009-10.xml new file mode 100644 index 000000000000..3ff0e04b3374 --- /dev/null +++ b/metadata/glsa/glsa-202009-10.xml @@ -0,0 +1,67 @@ + + + + PHP: Denial of service + A vulnerabilities in PHP could lead to a Denial of Service + condition. + + PHP + 2020-09-13 + 2020-09-13 + 736158 + local, remote + + + 7.2.33 + 7.3.21 + 7.4.9 + 7.2.33 + 7.3.21 + 7.4.9 + + + +

PHP is an open source general-purpose scripting language that is + especially suited for web development. +

+ + +

It was discovered that PHP did not properly handle PHAR files.

+ + +

A remote attacker could entice a user to open a specially crafted PHAR + file using PHP, possibly allowing attacker to obtain sensitive + information or cause a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All PHP 7.2 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.2.33" + + +

All PHP 7.3 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.3.21" + + +

All PHP 7.4 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.9" + + + + CVE-2020-7068 + + whissi + whissi + diff --git a/metadata/glsa/glsa-202009-11.xml b/metadata/glsa/glsa-202009-11.xml new file mode 100644 index 000000000000..0db2968196ad --- /dev/null +++ b/metadata/glsa/glsa-202009-11.xml @@ -0,0 +1,48 @@ + + + + ProFTPD: Denial of service + A vulnerability in ProFTPD could lead to a Denial of Service + condition. + + proftpd + 2020-09-13 + 2020-09-13 + 733376 + local, remote + + + 1.3.7a + 1.3.7a + + + +

ProFTPD is an advanced and very configurable FTP server.

+ + +

It was found that ProFTPD did not properly handle invalid SCP commands.

+ + +

An authenticated remote attacker could issue invalid SCP commands, + possibly resulting in a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All ProFTPD users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.7a" + + + + Invalid SCP + command leads to null pointer dereference + + + whissi + whissi + diff --git a/metadata/glsa/glsa-202009-12.xml b/metadata/glsa/glsa-202009-12.xml new file mode 100644 index 000000000000..a29860260437 --- /dev/null +++ b/metadata/glsa/glsa-202009-12.xml @@ -0,0 +1,51 @@ + + + + ZeroMQ: Denial of service + A vulnerability in ZeroMQ could lead to a Denial of Service + condition. + + zeromq + 2020-09-13 + 2020-09-13 + 740574 + local, remote + + + 4.3.3 + 4.3.3 + + + +

Looks like an embeddable networking library but acts like a concurrency + framework. +

+ + +

It was discovered that ZeroMQ does not properly handle connecting peers + before a handshake is completed. +

+ + +

An unauthenticated remote attacker able to connect to a ZeroMQ endpoint, + even with CURVE encryption/authentication enabled, can cause a Denial of + Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All ZeroMQ users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/zeromq-4.3.3" + + + + CVE-2020-15166 + + whissi + whissi + diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 0d602e3dd4cf..c2e62f15eacb 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Wed, 02 Sep 2020 12:38:30 +0000 +Wed, 16 Sep 2020 01:38:35 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 1a7e9cc72562..fd63cfbeda80 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -ea9671c73a3b7457c7e4487c1c538557855dfa44 1598822050 2020-08-30T21:14:10+00:00 +7204454a89cbf14c4905c5fdedcd66553a95e8aa 1600040174 2020-09-13T23:36:14+00:00 -- cgit v1.2.3