From abaa75b10f899ada8dd05b23cc03205064394bc6 Mon Sep 17 00:00:00 2001 
From: V3n3RiX Date: Fri, 22 Jan 2021 20:28:19 +0000 Subject: gentoo resync : 22.01.2021 --- metadata/glsa/Manifest | 30 ++++---- metadata/glsa/Manifest.files.gz | Bin 494188 -> 496888 bytes metadata/glsa/glsa-202101-01.xml | 54 ++++++++++++++ metadata/glsa/glsa-202101-02.xml | 50 +++++++++++++ metadata/glsa/glsa-202101-03.xml | 49 +++++++++++++ metadata/glsa/glsa-202101-04.xml | 83 ++++++++++++++++++++++ metadata/glsa/glsa-202101-05.xml | 77 ++++++++++++++++++++ metadata/glsa/glsa-202101-06.xml | 49 +++++++++++++ metadata/glsa/glsa-202101-07.xml | 69 ++++++++++++++++++ metadata/glsa/glsa-202101-08.xml | 48 +++++++++++++ metadata/glsa/glsa-202101-09.xml | 147 +++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-202101-10.xml | 58 +++++++++++++++ metadata/glsa/glsa-202101-11.xml | 63 +++++++++++++++++ metadata/glsa/glsa-202101-12.xml | 51 ++++++++++++++ metadata/glsa/glsa-202101-13.xml | 91 ++++++++++++++++++++++++ metadata/glsa/glsa-202101-14.xml | 67 ++++++++++++++++++ metadata/glsa/glsa-202101-15.xml | 70 +++++++++++++++++++ metadata/glsa/glsa-202101-16.xml | 48 +++++++++++++ metadata/glsa/glsa-202101-17.xml | 58 +++++++++++++++ metadata/glsa/timestamp.chk | 2 +- metadata/glsa/timestamp.commit | 2 +- 21 files changed, 1149 insertions(+), 17 deletions(-) create mode 100644 metadata/glsa/glsa-202101-01.xml create mode 100644 metadata/glsa/glsa-202101-02.xml create mode 100644 metadata/glsa/glsa-202101-03.xml create mode 100644 metadata/glsa/glsa-202101-04.xml create mode 100644 metadata/glsa/glsa-202101-05.xml create mode 100644 metadata/glsa/glsa-202101-06.xml create mode 100644 metadata/glsa/glsa-202101-07.xml create mode 100644 metadata/glsa/glsa-202101-08.xml create mode 100644 metadata/glsa/glsa-202101-09.xml create mode 100644 metadata/glsa/glsa-202101-10.xml create mode 100644 metadata/glsa/glsa-202101-11.xml create mode 100644 metadata/glsa/glsa-202101-12.xml create mode 100644 metadata/glsa/glsa-202101-13.xml create mode 100644 
metadata/glsa/glsa-202101-14.xml create mode 100644 metadata/glsa/glsa-202101-15.xml create mode 100644 metadata/glsa/glsa-202101-16.xml create mode 100644 metadata/glsa/glsa-202101-17.xml (limited to 'metadata/glsa') diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 9bd09d923bc5..807eb9d9b2ba 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest 
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 494188 BLAKE2B 06bbe4de83e86ba40cd9d32af0f5c629f7193a7b2d45313f5bbf32584c1872d72e37301ba735e9b855e0277581de211e930f66477a0bb84e9dd623fe6440fecc SHA512 f1a00ed1160522175a46c088034a8eb2afd13d41fa33354a8d74917618abeaa144f3c942f458ca2dc736b92823fe045919c4edbd9749f72b8ea031e46de95411 -TIMESTAMP 2021-01-08T11:08:39Z +MANIFEST Manifest.files.gz 496888 BLAKE2B 9a8e48e705b83d0db366e4888a292cde78b191857d846a370c8c9908479c42c700f1d323d98e4aa4d9b6c2e0d3a80723d6cf76b125a273f90c8452ccb8f52fcf SHA512 d3e9efddd34ec46cab11f602c4a7b71480efc08ed49372d92ba27d45fdaf8129db8b52a169483e512d968a24c9a22f50140b178eb538444bb6200ee4eec5ef81 +TIMESTAMP 2021-01-22T20:08:39Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl/4PTdfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmALMMdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klB45w/6A6Z7aOSRFL3fcr0UkgxjbJh6uM3zckeQsi13pI+/7xQWnhE/pFDA/Xos -kE3kKKc50xFtlIskjPs01Nb1Tz+KwDPyBY0GRzuoX8kyNYH7xTkSkOpqwn6Pa0eI -rGSySsu8TJH/cEKYcwX7whp42j4idUnrcZgGghENXm1yuill7LYzeVXuMhmCaHdX -FGOyvkj6jF6ZJufQRT+ScvMkc2B6x20h7w1a216/QHwUSCyzxiCIqQh6DvF65BbG -vclgDzas/ViUpEPn0TWNcGMKBNZvNrmEHWELB3BnPY/TLJVAeFNAgyoQoS7kFKJw -3TazOFDxXQzj9qKU64yil6IyHBWNSpPqFI2t345b+MM1ejY8TX8iengiLqDPgHVk -Q66n73nt2Ae3P5ATNE0UTN7od95o0lmjmlNUoxXpXjoro6hTLCae+CI5YsAz5kBL -mncdvP2ykC8lVXa6IYXj8kYgJ6xxLK9Z205N53ZgR2P6hE5H3Hx2tnZfn9ihY/ws -H1CU3G4JNSucHrAA15AVLRLP2qzgO3DoxL0Q6RGL7Q56+vrqodJ7XeeVo9OVUubB -FKZ92Ap9ur7mJ1qcyGi6m4hHYanbLR302//MdBh6wM7TyLvzl4F33U9E55GGvHT1 -PrlTYhiOtL9WLIi3kMu9PSlWqspmdl4YucrJeaUC3J9wLvLqKio= -=8UXH +klC88Q//X2h0rP3NYa0rA8lySWj21hExpd6/llu7LS18xkxy3t7T9SG17c7CxY8z +TTWPoQm0Ck9li0rKVfo5/GJL5gtL4jqEKWBUcfGECIzymm7ouwxn9XF8HfziX5YB +TbuZYFjemEbmPBHclDtOxS10sxuN4GL9g/yef9kBwST1bGPZBfksNIBllaqz19VW 
+P5bdRYoglf2LoH9Hp7VbppJAmyJPCEbJfsN5xvL0giqlR5V44JjRnfsh0RE1ni5I +Om+WilXAuyDH55a3jTZzX2IrGic5q1N7JIrTI/3/wjf8GY/ecIgtJQMpijNrcHEb +sW4OsfnbgTICm5QBLjx8IR0cFE3DQ1PkcfEJyHuStoNq2q10dIpvRdIV2dv5JeJ6 +Jy85jnXeGfXkD6PG2VoHdgqGhYmtzUoCNmyRvtIKJFXUfUoZ1Qer8kogO5xctzo5 +ro6JOuM8/vUhyyOSs7Nn08uwZ7pLTifo5omDX/pVElTxT6NQ+51Rig9ty/OQrkdt +5n+gIRdj81ntikW4pGOPOjfqt95epN2znjxapGLiw+01wWvp4YBr3OLTDCoObTxT +l0heXWC3+RVZ6Cm1CCoDdEYopn5fAuVPWG7FZ48KdZ00n5zwnHNIBbvSYb8+ahp3 +9ZlXb0dbyw0uSEtPBb7CWgEKKnH33BMoleap1KUvQfeJPzp3lLA= +=2FTv -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index 20ab6831b3d6..ab29e0fa0273 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-202101-01.xml b/metadata/glsa/glsa-202101-01.xml new file mode 100644 index 000000000000..c5890e4772fa --- /dev/null +++ b/metadata/glsa/glsa-202101-01.xml @@ -0,0 +1,54 @@ + + + + Dovecot: Multiple vulnerabilities + Multiple vulnerabilities have been found in Dovecot, the worst of + which could allow remote attackers to cause a Denial of Service condition. + + dovecot + 2021-01-10 + 2021-01-10 + 763525 + local, remote + + + 2.3.13 + 2.3.13 + + + +

Dovecot is an open source IMAP and POP3 email server.

+
+ +

Multiple vulnerabilities have been discovered in Dovecot. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could send a specially crafted mail or send a + specially crafted IMAP command possibly resulting in a Denial of Service + condition or an authenticated remote attacker might be able to discover + the file system directory structure and access other users’ emails. +

+
+ +

The information disclosure vulnerability can be mitigated by disabling + IMAP hibernation feature which isn’t enabled by default. +

+
+ +

All Dovecot users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.3.13" + + +
+ + CVE-2020-24386 + CVE-2020-25275 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-202101-02.xml b/metadata/glsa/glsa-202101-02.xml new file mode 100644 index 000000000000..3f021e488b95 --- /dev/null +++ b/metadata/glsa/glsa-202101-02.xml @@ -0,0 +1,50 @@ + + + + Firejail: Multiple vulnerabilities + Multiple vulnerabilities have been found in Firejail, the worst of + which could result in the arbitrary execution of code. + + firejail + 2021-01-10 + 2021-01-10 + 736816 + remote + + + 0.9.64 + 0.9.64 + + + +

A SUID program that reduces the risk of security breaches by restricting + the running environment of untrusted applications using Linux namespaces + and seccomp-bpf. +

+
+ +

Multiple vulnerabilities have been discovered in Firejail. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Firejail users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/firejail-0.9.64" + +
+ + CVE-2020-17367 + CVE-2020-17368 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202101-03.xml b/metadata/glsa/glsa-202101-03.xml new file mode 100644 index 000000000000..1202c1ba25c3 --- /dev/null +++ b/metadata/glsa/glsa-202101-03.xml @@ -0,0 +1,49 @@ + + + + ipmitool: Multiple vulnerabilities + A buffer overflow in ipmitool might allow remote attacker(s) to + execute arbitrary code. + + ipmitool + 2021-01-10 + 2021-01-10 + 708436 + remote + + + 1.8.18_p20201004-r1 + 1.8.18_p20201004-r1 + + + +

Utility for controlling IPMI enabled devices.

+
+ +

Multiple vulnerabilities have been discovered in ipmiool. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All ipmitool users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=sys-apps/ipmitool-1.8.18_p20201004-r1" + +
+ + CVE-2020-5208 + + sam_c + sam_c +
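Review bot: The description paragraph at L64 misspells the package name as `ipmiool`; the title, synopsis and resolution all use `ipmitool`, so the sentence should read `Multiple vulnerabilities have been discovered in ipmitool. Please review` followed by the existing second line. The XML element tags were lost in the extraction of this hunk, so the exact element holding the sentence cannot be confirmed from here, but the text itself is unambiguous.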
diff --git a/metadata/glsa/glsa-202101-04.xml b/metadata/glsa/glsa-202101-04.xml new file mode 100644 index 000000000000..c2d23f52d15c --- /dev/null +++ b/metadata/glsa/glsa-202101-04.xml @@ -0,0 +1,83 @@ + + + + Mozilla Firefox: Remote code execution + A use-after-free in Mozilla Firefox's SCTP handling may allow + remote code execution. + + firefox,thunderbird + 2021-01-10 + 2021-01-10 + 764161 + remote + + + 78.6.1 + 84.0.2 + 84.0.2 + + + 78.6.1 + 84.0.2 + 84.0.2 + + + +

Mozilla Firefox is a popular open-source web browser from the Mozilla + project. +

+
+ +

A use-after-free bug was discovered in Mozilla Firefox’s handling of + SCTP. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Firefox ESR users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/firefox-78.6.1:0/esr78" + + +

All Firefox ESR binary users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/firefox-bin-78.6.1:0/esr78" + + +

All Firefox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-84.0.2" + + +

All Firefox binary users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-84.0.2" + + +
+ + CVE-2020-16044 + + MFSA-2021-01 + + + sam_c + sam_c +
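Review bot: The product field on the header line of this hunk reads `firefox,thunderbird`, yet the affected-package entries and the four resolution blocks at L104–L119 cover only `www-client/firefox` and `www-client/firefox-bin`; Thunderbird is handled separately by glsa-202101-14 in the same commit. If the product attribute is meant to list only packages this advisory resolves, it should be narrowed to `firefox`; if it intentionally cross-references Thunderbird, the description would benefit from a sentence pointing readers to the Thunderbird advisory. The element structure is inferred, since the tags were stripped from the hunk text.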
diff --git a/metadata/glsa/glsa-202101-05.xml b/metadata/glsa/glsa-202101-05.xml new file mode 100644 index 000000000000..ced5846cab6d --- /dev/null +++ b/metadata/glsa/glsa-202101-05.xml @@ -0,0 +1,77 @@ + + + + Chromium, Google Chrome: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which could result in the arbitrary execution of code. + + google-chrome,chromium + 2021-01-10 + 2021-01-10 + 764251 + remote + + + 87.0.4280.141 + 87.0.4280.141 + + + 87.0.4280.141 + 87.0.4280.141 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+ +

Google Chrome is one fast, simple, and secure browser for all your + devices. +

+
+ +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-87.0.4280.141" + + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-87.0.4280.141" + +
+ + CVE-2020-15995 + CVE-2020-16043 + CVE-2021-21106 + CVE-2021-21107 + CVE-2021-21108 + CVE-2021-21109 + CVE-2021-21110 + CVE-2021-21111 + CVE-2021-21112 + CVE-2021-21113 + CVE-2021-21114 + CVE-2021-21115 + CVE-2021-21116 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202101-06.xml b/metadata/glsa/glsa-202101-06.xml new file mode 100644 index 000000000000..efa0c4ddc2f8 --- /dev/null +++ b/metadata/glsa/glsa-202101-06.xml @@ -0,0 +1,49 @@ + + + + Ark: Symlink vulnerability + Ark was found to allow arbitrary file overwrite, possibly allowing + arbitrary code execution. + + ark + 2021-01-11 + 2021-01-11 + 743959 + remote + + + 20.04.3-r2 + 20.04.3-r2 + + + +

Ark is a graphical file compression/decompression utility with support + for multiple formats. +

+
+ +

KDE Ark did not fully verify symlinks contained within tar archives.

+
+ +

A remote attacker could entice a user to open a specially crafted tar + archive using KDE Ark, possibly resulting in execution of arbitrary code + with the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All KDE Ark users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-apps/ark-20.04.3-r2" + +
+ + CVE-2020-24654 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202101-07.xml b/metadata/glsa/glsa-202101-07.xml new file mode 100644 index 000000000000..14b6b1ae8c7b --- /dev/null +++ b/metadata/glsa/glsa-202101-07.xml @@ -0,0 +1,69 @@ + + + + NodeJS: Multiple vulnerabilities + Multiple vulnerabilities have been found in NodeJS, the worst of + which could result in the arbitrary execution of code. + + nodejs + 2021-01-11 + 2021-01-11 + 726836 + 731654 + 742893 + 754942 + 763588 + remote + + + 15.5.1 + 14.15.1 + 12.20.1 + 15.5.1 + + + +

Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript + engine. +

+
+ +

Multiple vulnerabilities have been discovered in NodeJS. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All NodeJS 15 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/nodejs-15.5.1" + + +

All NodeJS 14 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/nodejs-14.15.1" + + +
+ + CVE-2020-15095 + CVE-2020-8172 + CVE-2020-8174 + CVE-2020-8201 + CVE-2020-8251 + CVE-2020-8265 + CVE-2020-8277 + CVE-2020-8287 + + sam_c + sam_c +
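Review bot: The resolution section at L202–L209 gives upgrade instructions only for NodeJS 15 and 14, while the affected-package list on the header line of this hunk also names `12.20.1`, which presumably is the fixed version for the 12.x slot. Users on that slot get no actionable step from this advisory. Add a matching block, `All NodeJS 12 users should upgrade to the latest version:` followed by `# emerge --ask --oneshot --verbose ">=net-libs/nodejs-12.20.1"`, mirroring the two existing blocks. If 12.x is not a supported slot in the tree, the version should instead be dropped from the affected list so the two sections agree.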
diff --git a/metadata/glsa/glsa-202101-08.xml b/metadata/glsa/glsa-202101-08.xml new file mode 100644 index 000000000000..64adcec9d255 --- /dev/null +++ b/metadata/glsa/glsa-202101-08.xml @@ -0,0 +1,48 @@ + + + + Pillow: Multiple vulnerabilities + Multiple vulnerabilities have been found in Pillow, the worst of + which could result in a Denial of Service condition. + + pillow + 2021-01-11 + 2021-01-11 + 763210 + remote + + + 8.1.0 + 8.1.0 + + + +

Python Imaging Library (fork)

+
+ +

Multiple vulnerabilities have been discovered in Pillow. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Pillow users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/pillow-8.1.0" + +
+ + CVE-2020-35653 + CVE-2020-35654 + CVE-2020-35655 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202101-09.xml b/metadata/glsa/glsa-202101-09.xml new file mode 100644 index 000000000000..a5a9f5605e0e --- /dev/null +++ b/metadata/glsa/glsa-202101-09.xml @@ -0,0 +1,147 @@ + + + + VirtualBox: Multiple vulnerabilities + Multiple vulnerabilities have been found in VirtualBox, the worst + of which could allow an attacker to take control of VirtualBox. + + virtualbox + 2021-01-12 + 2021-01-12 + 714064 + 717626 + 717782 + 733924 + remote + + + 6.1.12 + 6.0.24 + 6.1.12 + + + +

VirtualBox is a powerful virtualization product from Oracle.

+
+ +

Multiple vulnerabilities have been discovered in VirtualBox. Please + review the CVE identifiers referenced below for details. +

+
+ +

An attacker could take control of VirtualBox resulting in the execution + of arbitrary code with the privileges of the process, a Denial of Service + condition, or other unspecified impacts. +

+
+ +

There is no known workaround at this time.

+
+ +

All Virtualbox 6.0.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/virtualbox-6.0.24:0/6.0" + + +

All Virtualbox 6.1.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/virtualbox-6.1.12:0/6.1" + +
+ + CVE-2019-2848 + CVE-2019-2850 + CVE-2019-2859 + CVE-2019-2863 + CVE-2019-2864 + CVE-2019-2865 + CVE-2019-2866 + CVE-2019-2867 + CVE-2019-2873 + CVE-2019-2874 + CVE-2019-2875 + CVE-2019-2876 + CVE-2019-2877 + CVE-2019-2926 + CVE-2019-2944 + CVE-2019-2984 + CVE-2019-3002 + CVE-2019-3005 + CVE-2019-3017 + CVE-2019-3021 + CVE-2019-3026 + CVE-2019-3028 + CVE-2019-3031 + CVE-2020-14628 + CVE-2020-14629 + CVE-2020-14646 + CVE-2020-14647 + CVE-2020-14648 + CVE-2020-14649 + CVE-2020-14650 + CVE-2020-14673 + CVE-2020-14674 + CVE-2020-14675 + CVE-2020-14676 + CVE-2020-14677 + CVE-2020-14694 + CVE-2020-14695 + CVE-2020-14698 + CVE-2020-14699 + CVE-2020-14700 + CVE-2020-14703 + CVE-2020-14704 + CVE-2020-14707 + CVE-2020-14711 + CVE-2020-14712 + CVE-2020-14713 + CVE-2020-14714 + CVE-2020-14715 + CVE-2020-2575 + CVE-2020-2674 + CVE-2020-2678 + CVE-2020-2681 + CVE-2020-2682 + CVE-2020-2689 + CVE-2020-2690 + CVE-2020-2691 + CVE-2020-2692 + CVE-2020-2693 + CVE-2020-2698 + CVE-2020-2701 + CVE-2020-2702 + CVE-2020-2703 + CVE-2020-2704 + CVE-2020-2705 + CVE-2020-2725 + CVE-2020-2726 + CVE-2020-2727 + CVE-2020-2741 + CVE-2020-2742 + CVE-2020-2743 + CVE-2020-2748 + CVE-2020-2758 + CVE-2020-2894 + CVE-2020-2902 + CVE-2020-2905 + CVE-2020-2907 + CVE-2020-2908 + CVE-2020-2909 + CVE-2020-2910 + CVE-2020-2911 + CVE-2020-2913 + CVE-2020-2914 + CVE-2020-2929 + CVE-2020-2951 + CVE-2020-2958 + CVE-2020-2959 + + BlueKnight + sam_c +
diff --git a/metadata/glsa/glsa-202101-10.xml b/metadata/glsa/glsa-202101-10.xml new file mode 100644 index 000000000000..8abb71de9859 --- /dev/null +++ b/metadata/glsa/glsa-202101-10.xml @@ -0,0 +1,58 @@ + + + + Asterisk: Multiple vulnerabilities + Multiple vulnerabilities have been found in Asterisk, the worst of + which could result in a Denial of Service condition. + + asterisk + 2021-01-12 + 2021-01-12 + 753269 + 761313 + remote + + + 13.38.1 + 13.38.1 + + + +

A Modular Open Source PBX System.

+
+ +

Multiple vulnerabilities have been discovered in Asterisk. Please review + the security advisories referenced below for details. +

+
+ +

An attacker could cause a possible Denial of Service condition.

+
+ +

There is no known workaround at this time.

+
+ +

All Asterisk users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/asterisk-13.38.1" + +
+ + + AST-2020-001 + + + AST-2020-002 + + + AST-2020-003 + + + AST-2020-004 + + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202101-11.xml b/metadata/glsa/glsa-202101-11.xml new file mode 100644 index 000000000000..317df24d34d7 --- /dev/null +++ b/metadata/glsa/glsa-202101-11.xml @@ -0,0 +1,63 @@ + + + + Zabbix: Root privilege escalation + Multiple vulnerabilities were discovered in Gentoo's ebuild for + Zabbix which could lead to root privilege escalation. + + zabbix + 2021-01-21 + 2021-01-21 + 629882 + 629884 + local + + + 3.0.30 + 4.0.18 + 4.4.6 + + + +

Zabbix is software for monitoring applications, networks, and servers.

+
+ +

It was discovered that Gentoo’s Zabbix ebuild did not properly set + permissions or placed the pid file in an unsafe directory. +

+
+ +

A local attacker could escalate privileges.

+
+ +

There is no known workaround at this time.

+
+ +

All Zabbix 3.0.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=net-analyzer/zabbix-3.0.30:0/3.0" + + +

All Zabbix 4.0.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=net-analyzer/zabbix-4.0.18:0/4.0" + + +

All other Zabbix users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/zabbix-4.4.6" + +
+ + + BlueKnight + b-man +
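Review bot: The references section at the end of this hunk (L326) is empty, so a reader is told to "review the references below" nowhere and has nothing beyond the bug numbers 629882 and 629884 in the header to consult; every other advisory in this commit lists at least one identifier. Because the issue is specific to Gentoo's ebuild there may be no CVE to cite, in which case the description at L300 should say so explicitly, e.g. `No CVE has been assigned; see the referenced Gentoo bugs for details.`, and the empty references element should be confirmed valid against the GLSA schema. The element boundaries are inferred, as the tags were stripped in extraction.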
diff --git a/metadata/glsa/glsa-202101-12.xml b/metadata/glsa/glsa-202101-12.xml new file mode 100644 index 000000000000..10de65bdd4a6 --- /dev/null +++ b/metadata/glsa/glsa-202101-12.xml @@ -0,0 +1,51 @@ + + + + Wireshark: Multiple vulnerabilities + Multiple vulnerabilities have been found in Wireshark, the worst of + which could result in a Denial of Service condition. + + wireshark + 2021-01-22 + 2021-01-22 + 759541 + 760800 + remote + + + 3.4.2 + 3.4.2 + + + +

Wireshark is a network protocol analyzer formerly known as ethereal.

+
+ +

Multiple vulnerabilities have been discovered in Wireshark. Please + review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Wireshark users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-3.4.2" + +
+ + CVE-2020-26418 + CVE-2020-26419 + CVE-2020-26420 + CVE-2020-26421 + CVE-2020-26422 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202101-13.xml b/metadata/glsa/glsa-202101-13.xml new file mode 100644 index 000000000000..e5c9507b0d3a --- /dev/null +++ b/metadata/glsa/glsa-202101-13.xml @@ -0,0 +1,91 @@ + + + + Chromium, Google Chrome: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which could result in the arbitrary execution of code. + + google-chrome,chromium + 2021-01-22 + 2021-01-22 + 766207 + remote + + + 88.0.4324.96 + 88.0.4324.96 + + + 88.0.4324.96 + 88.0.4324.96 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+ +

Google Chrome is one fast, simple, and secure browser for all your + devices. +

+
+ +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-88.0.4324.96" + + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-88.0.4324.96" + + +
+ + CVE-2020-16044 + CVE-2021-21117 + CVE-2021-21118 + CVE-2021-21119 + CVE-2021-21120 + CVE-2021-21121 + CVE-2021-21122 + CVE-2021-21123 + CVE-2021-21124 + CVE-2021-21125 + CVE-2021-21126 + CVE-2021-21127 + CVE-2021-21128 + CVE-2021-21129 + CVE-2021-21130 + CVE-2021-21131 + CVE-2021-21132 + CVE-2021-21133 + CVE-2021-21134 + CVE-2021-21135 + CVE-2021-21136 + CVE-2021-21137 + CVE-2021-21138 + CVE-2021-21139 + CVE-2021-21140 + CVE-2021-21141 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202101-14.xml b/metadata/glsa/glsa-202101-14.xml new file mode 100644 index 000000000000..f8ce93e509b1 --- /dev/null +++ b/metadata/glsa/glsa-202101-14.xml @@ -0,0 +1,67 @@ + + + + Mozilla Thunderbird: Remote code execution + Multiple vulnerabilities have been found in Mozilla Thunderbird, + the worst of which could result in the arbitrary execution of code. + + thunderbird + 2021-01-22 + 2021-01-22 + 765088 + remote + + + 78.6.1 + 78.6.1 + + + 78.6.1 + 78.6.1 + + + +

Mozilla Thunderbird is a popular open-source email client from the + Mozilla project. +

+
+ +

A use-after-free bug was discovered in Mozilla Thunderbird handling of + SCTP. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Mozilla Thunderbird users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-78.6.1" + + +

All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=mail-client/thunderbird-bin-78.6.1" + +
+ + CVE-2020-16044 + + MFSA-2021-02 + + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202101-15.xml b/metadata/glsa/glsa-202101-15.xml new file mode 100644 index 000000000000..3762d3444f79 --- /dev/null +++ b/metadata/glsa/glsa-202101-15.xml @@ -0,0 +1,70 @@ + + + + VirtualBox: Multiple vulnerabilities + Multiple vulnerabilities have been found in VirtualBox, the worst + of which could result in privilege escalation. + + virtualbox + 2021-01-22 + 2021-01-22 + 750782 + 766348 + remote + + + 6.1.18 + 6.1.18 + + + +

VirtualBox is a powerful virtualization product from Oracle.

+
+ +

Multiple vulnerabilities have been discovered in VirtualBox. Please + review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All VirtualBox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.18" + +
+ + CVE-2020-14872 + CVE-2020-14881 + CVE-2020-14884 + CVE-2020-14885 + CVE-2020-14886 + CVE-2020-14889 + CVE-2020-14892 + CVE-2021-2073 + CVE-2021-2074 + CVE-2021-2086 + CVE-2021-2111 + CVE-2021-2112 + CVE-2021-2119 + CVE-2021-2120 + CVE-2021-2121 + CVE-2021-2123 + CVE-2021-2124 + CVE-2021-2125 + CVE-2021-2126 + CVE-2021-2127 + CVE-2021-2128 + CVE-2021-2129 + CVE-2021-2130 + CVE-2021-2131 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202101-16.xml b/metadata/glsa/glsa-202101-16.xml new file mode 100644 index 000000000000..2f7ed9ee6712 --- /dev/null +++ b/metadata/glsa/glsa-202101-16.xml @@ -0,0 +1,48 @@ + + + + KDE Connect: Denial of service + A vulnerability in KDE Connect could lead to a Denial of Service + condition. + + kde-connect + 2021-01-22 + 2021-01-22 + 746401 + remote + + + 20.04.3-r1 + 20.04.3-r1 + + + +

KDE Connect is a project that enables all your devices to communicate + with each other. +

+
+ +

Multiple issues causing excessive resource consumption were found in KDE + Connect. +

+
+ +

An attacker could cause a possible Denial of Service condition.

+
+ +

There is no known workaround at this time.

+
+ +

All KDE Connect users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-misc/kdeconnect-20.04.3-r1" + +
+ + CVE-2020-26164 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202101-17.xml b/metadata/glsa/glsa-202101-17.xml new file mode 100644 index 000000000000..9fd515383c4c --- /dev/null +++ b/metadata/glsa/glsa-202101-17.xml @@ -0,0 +1,58 @@ + + + + Dnsmasq: Multiple vulnerabilities + Multiple vulnerabilities have been found in Dnsmasq, the worst of + which may allow remote attackers to execute arbitrary code. + + dnsmasq + 2021-01-22 + 2021-01-22 + 766126 + local, remote + + + 2.83 + 2.83 + + + +

Dnsmasq is a lightweight and easily-configurable DNS forwarder and DHCP + server. +

+
+ +

Multiple vulnerabilities have been discovered in Dnsmasq. Please review + the references below for details. +

+
+ +

An attacker, by sending specially crafted DNS replies, could possibly + execute arbitrary code with the privileges of the process, perform a + cache poisoning attack or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Dnsmasq users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.83" + + +
+ + CVE-2020-25681 + CVE-2020-25682 + CVE-2020-25683 + CVE-2020-25684 + CVE-2020-25685 + CVE-2020-25686 + CVE-2020-25687 + + whissi + whissi +
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 81201ed971ce..a5dbbef5e51f 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Fri, 08 Jan 2021 11:08:36 +0000 +Fri, 22 Jan 2021 20:08:35 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 53f93d093df4..55000c1dfc6e 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -ea35db4303f80b8dc5f6dffe7a6c3111e9e37b5a 1608819368 2020-12-24T14:16:08+00:00 +fc457c57148901f04674f1d427ad8bb280eb3c72 1611338159 2021-01-22T17:55:59+00:00 -- cgit v1.2.3