From fab95e98818bada1626a7723a1348f4e920d25e0 Mon Sep 17 00:00:00 2001
From: V3n3RiX <venerix@koprulu.sector>
Date: Mon, 26 Feb 2024 17:40:44 +0000
Subject: gentoo auto-resync : 26:02:2024 - 17:40:44

---
 metadata/glsa/Manifest           |  30 ++++++++++++++--------------
 metadata/glsa/Manifest.files.gz  | Bin 568221 -> 568857 bytes
 metadata/glsa/glsa-202402-30.xml |  41 ++++++++++++++++++++++++++++++++++++++
 metadata/glsa/glsa-202402-31.xml |  42 +++++++++++++++++++++++++++++++++++++++
 metadata/glsa/glsa-202402-32.xml |  42 +++++++++++++++++++++++++++++++++++++++
 metadata/glsa/glsa-202402-33.xml |  42 +++++++++++++++++++++++++++++++++++++++
 metadata/glsa/timestamp.chk      |   2 +-
 metadata/glsa/timestamp.commit   |   2 +-
 8 files changed, 184 insertions(+), 17 deletions(-)
 create mode 100644 metadata/glsa/glsa-202402-30.xml
 create mode 100644 metadata/glsa/glsa-202402-31.xml
 create mode 100644 metadata/glsa/glsa-202402-32.xml
 create mode 100644 metadata/glsa/glsa-202402-33.xml

(limited to 'metadata/glsa')

diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 88f2ee1e85a2..35dd72151f71 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 568221 BLAKE2B 8f70bf43815708ae4e34084aeeb908cbb07c74f33084a5345ae24a2a1d88665ee206e530983bb7b10b059cf4f0cc00d0b4aa10090458fe84f565d50f5c1d6fe8 SHA512 08ebbb1997fa25a896326e1231819e34a12f02b0554afb445aa41a5a47fb79fa02b9ff381be55d26790e6b3e665e1a44794ecd7f40c313404336dc49092f2784
-TIMESTAMP 2024-02-26T11:10:29Z
+MANIFEST Manifest.files.gz 568857 BLAKE2B 3245112eec6eb35ca0b855048eea8002cf65ccd53a28c4af4110fbef17d60dd028aee42fe6b60bbf7af5eb73808427ccba2380fef9fd878a9610d3a4ac6fa768 SHA512 55c8331108f9309c5f35ec5a5b557ed996109510020ffe87fc35423b14ac96cb6fd4a34939962d28e76ac865a08a653e85827a101b97b37685b376e404c242d3
+TIMESTAMP 2024-02-26T17:10:26Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmXccaVfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmXcxgJfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klDSDA//QcAHEKJaqbeh7/y0rXgjm8u+rFp8emLAvx5CmqKVfzP4vpjgpDgQ2XsB
-mQJbK58CIxTPV6muFVSDXpnmVhX5eLXqWevDQRLw3EYwrTRtKpAPleX9C5C0bHsy
-X/DrfE4RhO+e8W/6QtmJSntUcSk7fIf0bQr65Zyu6M4KMP2VKL8vbOZb5jTCmuRV
-UMjGxKm8E4+7E0wDzFWpahL8+GO1mUxwH0vPDQeZhwEJanHcmXvG9Inu7/nZSp/7
-M7AP/sfODkV/ptW7A6r2z2QL/uUmYsIM4Bx+tvOLmkVBQ865o6LRAKRpi6fiRiG5
-w4S2r9OXlBNj4jZqZ+hNL1P8louEbjrzlrp2iZao220TfCf8oTcl1YOd7EiwoYEe
-U+l3dxXkcWou2nD3haJikp9fhflZ7cdup54rp8aTVDL5UhtSLTnLvUWIyzwqavRh
-3iNmrmDSlHM7GcqbFzZKs9eu8zAEtqRhBO8j05NwJVacRK1AS9v5Nvuy9ZrNzUaA
-/a2XBkCUGNpSnRY2e4vT9rLNKUv7MCNlD9VhxU0T1PPkH/pipn2nJlA/PCyZMEYw
-93PYF97NvJSGh+PIJAFncLgrfi/TFyyqoyap+H1YGIQIK37+p+R2c300F73Klmgg
-4nXw1ZcjN5T7kARNg4nSLDkNkWF7yb4GDjYCMMw8HsXZeDfeEOI=
-=7r6C
+klCdSRAApjcYHInFFFd9elwB0s8rwR0VuWJsqYw/1A7LbxjWFWezF4x02Kmoidfj
+Fo2fynhhA6fChRa+r4YggvY4C2RriOo0bZRGxpaCX9j6lsCvoeKXS4iBQ0gjEXEC
+cax7gpvHo1xLuBgr4sqLPrSRw5RKal1eNKjbal/ODWSKiKGHJEBbddgKLTyOkWEA
+GgADenrC+cp5l/YwCBP8c/ATqrQSV5sv9dMkHLNnF7cCaMrQ2wA2QH8RJtOEP3b6
+LEgxtZOe1MeguIPdTo6ov1Y296VhoMtC3r9I7eZsJIiDsSWR33iWBSgk8naK2QOn
+5bAFU2QPekSPwnw43yMjUGqqyXPt7TDvAaGPtJA+bt6ghsTmtSIQaORFnWM0PBlu
+QPjGDGI4Xbr2dTcDwahOVCAkHEtSC9npblXrF28cul+v0VG2mVEORRmZg6iTp6yp
+nhEG1hNsp5/Pa0pPMWdA2TGsbnvDOHdtjNfsSAQSyP/6onbJsB4QFNaL83Ww+6Yg
+BIBpkSKDpJeqkjBJqfbmeupHKvPwFghWJZU+lsj2RdjmXatsCa4z8isDkbLDrSFn
+KsBohmOdlV5tkEY1V0k1UYgCagSCoAlPi7pam6ggJlMM5ZoPDYLD2IKar5BvyAYF
+BsImZ8uo7BT2NqZ9hHrXHNsjJPGTfctamdPDlpyB7ZeUBP/Eexc=
+=6vcu
 -----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index c19e1c398af6..c7a067f9f4f8 100644
Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ
diff --git a/metadata/glsa/glsa-202402-30.xml b/metadata/glsa/glsa-202402-30.xml
new file mode 100644
index 000000000000..74d9fc5d705b
--- /dev/null
+++ b/metadata/glsa/glsa-202402-30.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-30">
+    <title>Glances: Arbitrary Code Execution</title>
+    <synopsis>A vulnerability has been found in Glances which may lead to arbitrary code execution.</synopsis>
+    <product type="ebuild">glances</product>
+    <announced>2024-02-26</announced>
+    <revised count="1">2024-02-26</revised>
+    <bug>791565</bug>
+    <access>remote</access>
+    <affected>
+        <package name="sys-process/glances" auto="yes" arch="*">
+            <unaffected range="ge">3.1.7</unaffected>
+            <vulnerable range="lt">3.1.7</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Glances is an open-source system cross-platform monitoring tool. It allows real-time monitoring of various aspects of your system such as CPU, memory, disk, network usage etc.</p>
+    </background>
+    <description>
+        <p>A vulnerability in XML parsing may lead to a variety of XML attacks.</p>
+    </description>
+    <impact type="normal">
+        <p>A vulnerability in XML parsing may lead to a variety of XML attacks.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Glances users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=sys-process/glances-3.1.7"
+        </code>
+    </resolution>
+    <references>
+    </references>
+    <metadata tag="requester" timestamp="2024-02-26T12:07:09.643689Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-02-26T12:07:09.650874Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202402-31.xml b/metadata/glsa/glsa-202402-31.xml
new file mode 100644
index 000000000000..b428da9ddfd4
--- /dev/null
+++ b/metadata/glsa/glsa-202402-31.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-31">
+    <title>GNU Aspell: Heap Buffer Overflow</title>
+    <synopsis>A vulnerability has been discovered in GNU Aspell which leads to a heap buffer overflow.</synopsis>
+    <product type="ebuild">aspell</product>
+    <announced>2024-02-26</announced>
+    <revised count="1">2024-02-26</revised>
+    <bug>803113</bug>
+    <access>remote</access>
+    <affected>
+        <package name="app-text/aspell" auto="yes" arch="*">
+            <unaffected range="ge">0.60.8-r3</unaffected>
+            <vulnerable range="lt">0.60.8-r3</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>GNU Aspell is a popular spell-checker. Dictionaries are available for many languages.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in GNU Aspell. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>GNU Aspell has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list)</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All aspell users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=app-text/aspell-0.60.8-r3"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-25051">CVE-2019-25051</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-02-26T12:30:16.027845Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-02-26T12:30:16.031079Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202402-32.xml b/metadata/glsa/glsa-202402-32.xml
new file mode 100644
index 000000000000..e5b64a52ae6a
--- /dev/null
+++ b/metadata/glsa/glsa-202402-32.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-32">
+    <title>btrbk: Remote Code Execution</title>
+    <synopsis>A vulnerability has been discovered in btrbk which can lead to remote code execution.</synopsis>
+    <product type="ebuild">btrbk</product>
+    <announced>2024-02-26</announced>
+    <revised count="1">2024-02-26</revised>
+    <bug>806962</bug>
+    <access>remote</access>
+    <affected>
+        <package name="app-backup/btrbk" auto="yes" arch="*">
+            <unaffected range="ge">0.31.2</unaffected>
+            <vulnerable range="lt">0.31.2</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>btrbk is a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations.</p>
+    </background>
+    <description>
+        <p>A vulnerability has been discovered in btrbk. Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>Specialy crafted commands may be executed without being propely checked. Applies to remote hosts filtering ssh commands using ssh_filter_btrbk.sh in authorized_keys.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All btrbk users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=app-backup/btrbk-0.31.2"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38173">CVE-2021-38173</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-02-26T12:53:03.371210Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-02-26T12:53:03.375893Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202402-33.xml b/metadata/glsa/glsa-202402-33.xml
new file mode 100644
index 000000000000..237f071fc360
--- /dev/null
+++ b/metadata/glsa/glsa-202402-33.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-33">
+    <title>PyYAML: Arbitrary Code Execution</title>
+    <synopsis>A vulnerability has been found in PyYAML which can lead to arbitrary code execution.</synopsis>
+    <product type="ebuild">pyyaml</product>
+    <announced>2024-02-26</announced>
+    <revised count="1">2024-02-26</revised>
+    <bug>766228</bug>
+    <access>remote</access>
+    <affected>
+        <package name="dev-python/pyyaml" auto="yes" arch="*">
+            <unaffected range="ge">5.4</unaffected>
+            <vulnerable range="lt">5.4</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>PyYAML is a YAML parser and emitter for Python.</p>
+    </background>
+    <description>
+        <p>A vulnerability has been discovered in PyYAML. Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All PyYAML users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-python/pyyaml-5.4"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14343">CVE-2020-14343</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-02-26T15:44:41.690132Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-02-26T15:44:41.694949Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 23ad9c62246b..ef8d78c183d1 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Mon, 26 Feb 2024 11:10:26 +0000
+Mon, 26 Feb 2024 17:10:22 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index aba5d7f04e40..639d43ccf0d3 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-298891ab7459c571f1ff699a7004c22ee0cb3595 1708533988 2024-02-21T16:46:28+00:00
+e549b151411e283e5129e0b82b21b1fc7c93bcd7 1708962306 2024-02-26T15:45:06+00:00
-- 
cgit v1.2.3