authorV3n3RiX <venerix@koprulu.sector>2024-09-22 14:47:12 +0100
committerV3n3RiX <venerix@koprulu.sector>2024-09-22 14:47:12 +0100
commit1802160f23e91c618b3c7379fd99127682cfce19 (patch)
tree094c5349b2f0bd88633709f2f1ad322398475815 /metadata/glsa
parent439c34b3917f0757b9c83eb64a687cac0d477140 (diff)
gentoo auto-resync : 22:09:2024 - 14:47:12
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin585357 -> 588370 bytes
-rw-r--r--metadata/glsa/glsa-202409-01.xml42
-rw-r--r--metadata/glsa/glsa-202409-02.xml54
-rw-r--r--metadata/glsa/glsa-202409-03.xml46
-rw-r--r--metadata/glsa/glsa-202409-04.xml47
-rw-r--r--metadata/glsa/glsa-202409-05.xml42
-rw-r--r--metadata/glsa/glsa-202409-06.xml42
-rw-r--r--metadata/glsa/glsa-202409-07.xml55
-rw-r--r--metadata/glsa/glsa-202409-08.xml45
-rw-r--r--metadata/glsa/glsa-202409-09.xml42
-rw-r--r--metadata/glsa/glsa-202409-10.xml83
-rw-r--r--metadata/glsa/glsa-202409-11.xml44
-rw-r--r--metadata/glsa/glsa-202409-12.xml65
-rw-r--r--metadata/glsa/glsa-202409-13.xml48
-rw-r--r--metadata/glsa/glsa-202409-14.xml48
-rw-r--r--metadata/glsa/glsa-202409-15.xml54
-rw-r--r--metadata/glsa/glsa-202409-16.xml47
-rw-r--r--metadata/glsa/glsa-202409-17.xml44
-rw-r--r--metadata/glsa/glsa-202409-18.xml44
-rw-r--r--metadata/glsa/glsa-202409-19.xml72
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
23 files changed, 981 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 739eb97753d0..a550fd9e9d40 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 585357 BLAKE2B 90b484a7cfadba26e75b941b109643027b5530ea0e0da6565b28a1492ef9b8c6cfc7254e54f18ef93a17f476c8c87b2c8309fbac1afa85d144cc4d664931e811 SHA512 f5bbc1b0b0163958f91ecc02b4f0422622112ac5c642a105fef46e39550fd8622a03abd647b830a766a072ad993d41863d2d1d5ca05368f5af8d868f03aaeae4
-TIMESTAMP 2024-09-21T12:45:04Z
+MANIFEST Manifest.files.gz 588370 BLAKE2B f495c00819858399f9c4e7652d637570436f076630fa2fc4800ddf34885210fb91bd7c12f91ce7ade4940796d66018d85520a5d35b7b1ff8f652e76f28f1d4ba SHA512 38849dbaf4ed005f716f199bf64f2a61c41194f77e951006c230efe4b69c16d6588767174dbd0d98bbc887c6a3d43322070c6d8dc4011f90da0a8dbec61db515
+TIMESTAMP 2024-09-22T13:10:10Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmbuv9JfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmbwFzJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klAxQg/7BWIIw42JEWbqkuhIyYKSt22zURSYAnZwDZjBzxN/vvAEE+Io2HbAMGdz
-4R1vm6qC6ZxXjhhSY8gECL4Nc+oliuhvVI4UAOWxUdd9QxXrgD2nAaHfiQQ/n/z6
-trJzuxhNIHv/PqWItZJAsH8hz05hkSKxtUYRz0Qq2gs3rBm7mKh30fwpbLaZ+jv5
-HJJ01f7uMVV1J8oH8qr4GUAVsr/p7KE9IWw4IJlZLhrctrP+VREs03DIjWSUKp4L
-tn4Frg716Va/kqxoJ+DlHWdXM1qEooGZyFZoAKAj1Y7MV8WAnRLirBBpakkp29HK
-PokXsaJMiEQfd94rNNyPOyclzDOFp81b/1JDF9UIPL8ug3sL5k8dZSjmjNEpZ5a8
-3a+E0mqbDwyoBYSIUxgzH7giIzgULfyXXzU8zSV+KT9hOQr7mvCUzDwDQ2fIZ8rZ
-DjvsEqG+jxmJ0RKjooqfrrkQymNpmD1h6DJAdllWu+lo4bcVUe+9sqKwOKtelMhp
-SmTbin6vo3zvS91TtrbZsKXal1FTbogRA3IB8TlnzSeqZEbJhS7n9dfDsAcMG1Fp
-KID6DSBkeGSXpocoKa1sFw0bxBjBze4pKV26pdy834ZZm/Q2IcJXdiumB4g5lqs9
-AqS7k5nj6TDl9wq5TMdJUVFC7jMKp3yb2gJKXNfGbbdVm3yuPYE=
-=blAc
+klA20xAAm4+QfioTVgk6zRcE+E+rlx5N9s3F1rFf/Ad0k9oqcBCWIQ8g8C6jWEoY
+nrz6o0RYXeUEqXHFMRE/rVKXa6ngYhbWlLuJHxFWXd5Y7VDvGoi9fPpYTl8bBEDe
+Xdyea8LlzYjTIzfXtyUzwxf5ouKdi87GQuUiKuVJiOaKz1nHeKLkclZ1DhuKBPu9
+46fOYe9bhSco4C1zpG+smM25IUQfdDxX10K6PHgexbiejpDDvtagIqucxuzq2Ack
+cSKQhYJ3l5yxxSARnSpjW+i5FoXqa7xffLgdtbOHjRJeOPEuunnbT12VhAiQauVn
+Wv5vBjIYSI64OJVglRAWG92YiwkKtlwWLJuc4cfhs3ZYGaY6CtJtTEsN+Q9pO4Y0
+BQW3ZQuviqkVlUO2dC9E7+HXwCvED9w05GC0bfOrYhlb5ZzXLbzpA28FO0Bztadh
+UdIoR3d27f5BTstFMcum8dcdcxC7oSTQuHtPLcU23WCEIkdUCW9FeJNI0qCef3yc
+3BWb6Pt6HkKyVZIRRu7VLQYJGH4AdpLC3H5gL32MesivxLpI2gzQKfW/U0cRsWvr
+9/vOhOaeM30xbF64PqOIF0XIfkAKWsds+ktyFpyTmLKwvowyb+5pmDolb3wYS2p5
+ajLsZ28mqtWupQFSncmqM+u5GO9GNwsQ/4JzPDSYX3vPtjMjXRU=
+=SrJU
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 0e491fc1977a..1c5c3851b1f5 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202409-01.xml b/metadata/glsa/glsa-202409-01.xml
new file mode 100644
index 000000000000..34f747f52bce
--- /dev/null
+++ b/metadata/glsa/glsa-202409-01.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-01">
+ <title>Portage: Unverified PGP Signatures</title>
+ <synopsis>A vulnerability has been discovered in Portage, where PGP signatures would not be verified.</synopsis>
+ <product type="ebuild">portage</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>905356</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-apps/portage" auto="yes" arch="*">
+ <unaffected range="ge">3.0.47</unaffected>
+ <vulnerable range="lt">3.0.47</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Portage is the default Gentoo package management system.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Portage. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>When using the webrsync mechanism to sync the tree the PGP signatures that protect the integrity of the data in the tree would not be verified. This would allow a man-in-the-middle attack to inject arbitrary content into the tree.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Portage users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/portage-3.0.47"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-20021">CVE-2016-20021</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T05:36:27.160412Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T05:36:27.162654Z">graaff</metadata>
+</glsa>
\ No newline at end of file
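Review bot: `<access>local</access>` does not match the `<impact>` paragraph, which describes a man-in-the-middle injecting content while the tree is synced with webrsync, i.e. an attacker positioned on the network; `<access>remote</access>` would let tooling that filters on this field triage the advisory correctly. The `<description>` also says "Multiple vulnerabilities … CVE identifiers" while the title, the synopsis and the single reference (CVE-2016-20021) are singular; the same template leftover is in glsa-202409-06.xml and glsa-202409-09.xml. Suggested wording: `<p>A vulnerability has been discovered in Portage. Please review the CVE identifier referenced below for details.</p>`. Because the flaw sits in the sync path itself, the resolution could presumably add that a tree fetched with webrsync before the upgrade was not verified and should be synced again afterwards.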
diff --git a/metadata/glsa/glsa-202409-02.xml b/metadata/glsa/glsa-202409-02.xml
new file mode 100644
index 000000000000..03de057fcfd8
--- /dev/null
+++ b/metadata/glsa/glsa-202409-02.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-02">
+ <title>PostgreSQL: Privilege Escalation</title>
+ <synopsis>A vulnerability has been discovered in PostgreSQL, which can lead to privilege escalation.</synopsis>
+ <product type="ebuild">postgresql</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>937573</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="dev-db/postgresql" auto="yes" arch="*">
+ <unaffected range="ge" slot="12">12.20</unaffected>
+ <unaffected range="ge" slot="13">13.16</unaffected>
+ <unaffected range="ge" slot="14">14.13</unaffected>
+ <unaffected range="ge" slot="15">15.8</unaffected>
+ <unaffected range="ge" slot="16">16.4</unaffected>
+ <vulnerable range="lt" slot="12">12.20</vulnerable>
+ <vulnerable range="lt" slot="13">13.16</vulnerable>
+ <vulnerable range="lt" slot="14">14.13</vulnerable>
+ <vulnerable range="lt" slot="15">15.8</vulnerable>
+ <vulnerable range="lt" slot="16">16.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PostgreSQL is an open source object-relational database management system.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in PostgreSQL. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PostgreSQL users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.20:12"
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.16:13"
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.13:14"
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-15.8:15"
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.4:16"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7348">CVE-2024-7348</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T05:47:12.326843Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T05:47:12.329535Z">graaff</metadata>
+</glsa>
\ No newline at end of file
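Review bot: The `<impact>` paragraph slips into upstream commit-message voice at "To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind … and teach pg_dump to set it", which reads as an instruction to the reader rather than a description of the fix. Rewording it as `The fix adds a server parameter, restrict_nonsystem_relation_kind, that can disable expansion of non-builtin views and access to foreign tables; pg_dump sets it when available.` and moving it to `<description>` would keep `<impact>` about consequences. The closing caveat, that protection needs both pg_dump and the server it dumps from to carry the fix, deserves a line in `<resolution>` as well, since the emerge commands only update the local host and a dump involving an older remote server or client stays exposed.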
diff --git a/metadata/glsa/glsa-202409-03.xml b/metadata/glsa/glsa-202409-03.xml
new file mode 100644
index 000000000000..b7b8bb6e36e8
--- /dev/null
+++ b/metadata/glsa/glsa-202409-03.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-03">
+ <title>GPL Ghostscript: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in GPL Ghostscript, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">ghostscript-gpl</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>932125</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-text/ghostscript-gpl" auto="yes" arch="*">
+ <unaffected range="ge">10.03.1</unaffected>
+ <vulnerable range="lt">10.03.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GPL Ghostscript users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-10.03.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-52722">CVE-2023-52722</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-29510">CVE-2024-29510</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-33869">CVE-2024-33869</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-33870">CVE-2024-33870</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-33871">CVE-2024-33871</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T05:52:02.744888Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T05:52:02.747684Z">graaff</metadata>
+</glsa>
\ No newline at end of file
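Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line references an external DTD over plain HTTP, and every glsa-202409-*.xml file added in this commit opens the same way. A consumer whose XML parser loads external subsets would fetch that DTD over an unauthenticated channel on each parse, outside the protection of the signed Manifest. If the format allows it, an `https://` system identifier is the smaller change. Independently of that, parsers reading these files should have external DTD loading and external entity resolution disabled, or resolve the identifier from a local catalog.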
diff --git a/metadata/glsa/glsa-202409-04.xml b/metadata/glsa/glsa-202409-04.xml
new file mode 100644
index 000000000000..8751d3df6459
--- /dev/null
+++ b/metadata/glsa/glsa-202409-04.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-04">
+ <title>calibre: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in calibre, the worst of which could lead to remote code execution.</synopsis>
+ <product type="ebuild">calibre</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>918429</bug>
+ <bug>936961</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="app-text/calibre" auto="yes" arch="*">
+ <unaffected range="ge">7.16.0</unaffected>
+ <vulnerable range="lt">7.16.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>calibre is a powerful and easy to use e-book manager.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in calibre. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All calibre users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/calibre-7.16.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46303">CVE-2023-46303</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6781">CVE-2024-6781</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6782">CVE-2024-6782</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7008">CVE-2024-7008</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7009">CVE-2024-7009</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T05:54:09.323646Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T05:54:09.325619Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202409-05.xml b/metadata/glsa/glsa-202409-05.xml
new file mode 100644
index 000000000000..866c0e2164c8
--- /dev/null
+++ b/metadata/glsa/glsa-202409-05.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-05">
+ <title>PJSIP: Heap Buffer Overflow</title>
+ <synopsis>A vulnerability has been discovered in PJSIP, which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">pjproject</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>917463</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="net-libs/pjproject" auto="yes" arch="*">
+ <unaffected range="ge">2.13.1</unaffected>
+ <vulnerable range="lt">2.13.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.</p>
+ </background>
+ <description>
+ <p>Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the CVE identifier referenced below for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PJSIP users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/pjproject-2.13.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27585">CVE-2023-27585</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T06:00:28.996175Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T06:00:28.999302Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202409-06.xml b/metadata/glsa/glsa-202409-06.xml
new file mode 100644
index 000000000000..2657dc655f94
--- /dev/null
+++ b/metadata/glsa/glsa-202409-06.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-06">
+ <title>file: Stack Buffer Overread</title>
+ <synopsis>A vulnerability has been discovered in file, which could lead to a denial of service.</synopsis>
+ <product type="ebuild">file</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>918554</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/file" auto="yes" arch="*">
+ <unaffected range="ge">5.42</unaffected>
+ <vulnerable range="lt">5.42</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The file utility attempts to identify a file’s format by scanning binary data for patterns.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in file. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>File has an stack-based buffer over-read in file_copystr in funcs.c.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All file users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/file-5.42"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-48554">CVE-2022-48554</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T06:04:59.257322Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T06:04:59.260356Z">graaff</metadata>
+</glsa>
\ No newline at end of file
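Review bot: The `<impact>` sentence "File has an stack-based buffer over-read in file_copystr in funcs.c." names the flaw rather than its consequence, and it carries a grammar slip ("an stack-based"). The synopsis already states the consequence as a denial of service, so the two elements currently disagree about what a reader should expect. Suggested: `<p>A stack-based buffer over-read in file_copystr in funcs.c could lead to a denial of service.</p>`, with the function-level detail optionally moved to `<description>`.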
diff --git a/metadata/glsa/glsa-202409-07.xml b/metadata/glsa/glsa-202409-07.xml
new file mode 100644
index 000000000000..da0b0bd2f782
--- /dev/null
+++ b/metadata/glsa/glsa-202409-07.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-07">
+ <title>Rust: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Rust, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">rust,rust-bin</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>890371</bug>
+ <bug>911685</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/rust" auto="yes" arch="*">
+ <unaffected range="ge">1.71.1</unaffected>
+ <vulnerable range="lt">1.71.1</vulnerable>
+ </package>
+ <package name="dev-lang/rust-bin" auto="yes" arch="*">
+ <unaffected range="ge">1.71.1</unaffected>
+ <vulnerable range="lt">1.71.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Rust. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Rust binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/rust-bin-1.71.1"
+ </code>
+
+ <p>All Rust users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/rust-1.71.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46176">CVE-2022-46176</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38497">CVE-2023-38497</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T06:09:00.541000Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T06:09:00.543705Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202409-08.xml b/metadata/glsa/glsa-202409-08.xml
new file mode 100644
index 000000000000..9057b54f01e8
--- /dev/null
+++ b/metadata/glsa/glsa-202409-08.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-08">
+ <title>OpenVPN: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in OpenVPN, the worst of which could lead to information disclosure.</synopsis>
+ <product type="ebuild">openvpn</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>835514</bug>
+ <bug>917272</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-vpn/openvpn" auto="yes" arch="*">
+ <unaffected range="ge">2.6.7</unaffected>
+ <vulnerable range="lt">2.6.7</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenVPN is a multi-platform, full-featured SSL VPN solution.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in OpenVPN. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenVPN users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-vpn/openvpn-2.6.7"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0547">CVE-2022-0547</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46849">CVE-2023-46849</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46850">CVE-2023-46850</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T06:34:37.212666Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T06:34:37.215160Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202409-09.xml b/metadata/glsa/glsa-202409-09.xml
new file mode 100644
index 000000000000..3fbc0d2ad492
--- /dev/null
+++ b/metadata/glsa/glsa-202409-09.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-09">
+ <title>Exo: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Exo, which can lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">exo</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>851201</bug>
+ <access>remote</access>
+ <affected>
+ <package name="xfce-base/exo" auto="yes" arch="*">
+ <unaffected range="ge">4.17.2</unaffected>
+ <vulnerable range="lt">4.17.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Exo is an Xfce library targeted at application development, originally developed by os-cillation. It contains various custom widgets and APIs extending the functionality of GLib and GTK. It also has some helper applications that are used throughout the entire Xfce desktop to manage preferred applications and edit .desktop files.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in Exo. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Exo executes remote desktop files which may lead to unexpected arbitrary code execution.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Exo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=xfce-base/exo-4.17.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32278">CVE-2022-32278</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T06:39:07.184860Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T06:39:07.187259Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202409-10.xml b/metadata/glsa/glsa-202409-10.xml
new file mode 100644
index 000000000000..0ed4d14222b3
--- /dev/null
+++ b/metadata/glsa/glsa-202409-10.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-10">
+ <title>Xen: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Xen, the worst of which could lead to privilege escalation.</synopsis>
+ <product type="ebuild">xen</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>918669</bug>
+ <bug>921355</bug>
+ <bug>923741</bug>
+ <bug>928620</bug>
+ <bug>929038</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-emulation/xen" auto="yes" arch="*">
+ <unaffected range="ge">4.17.4</unaffected>
+ <vulnerable range="lt">4.17.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Xen is a bare-metal hypervisor.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Xen users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.17.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4949">CVE-2022-4949</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42336">CVE-2022-42336</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28746">CVE-2023-28746</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34319">CVE-2023-34319</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34320">CVE-2023-34320</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34321">CVE-2023-34321</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34322">CVE-2023-34322</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34323">CVE-2023-34323</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34324">CVE-2023-34324</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34325">CVE-2023-34325</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34327">CVE-2023-34327</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34328">CVE-2023-34328</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46835">CVE-2023-46835</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46836">CVE-2023-46836</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46837">CVE-2023-46837</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46839">CVE-2023-46839</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46840">CVE-2023-46840</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46841">CVE-2023-46841</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46842">CVE-2023-46842</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2193">CVE-2024-2193</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-31142">CVE-2024-31142</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-431.html">XSA-431</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-432.html">XSA-432</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-436.html">XSA-436</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-437.html">XSA-437</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-438.html">XSA-438</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-439.html">XSA-439</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-440.html">XSA-440</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-441.html">XSA-441</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-442.html">XSA-442</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-447.html">XSA-447</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-449.html">XSA-449</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-450.html">XSA-450</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-451.html">XSA-451</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-452.html">XSA-452</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-453.html">XSA-453</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-454.html">XSA-454</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-455.html">XSA-455</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T06:41:59.700785Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T06:41:59.703837Z">graaff</metadata>
+</glsa>
\ No newline at end of file
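Review bot: The first entry in `<references>`, CVE-2022-4949, should be double-checked before this advisory is relied on; it does not look like a Xen identifier to me, and I could not relate it to any of the XSA advisories linked further down the list. Scanners and trackers that key on the CVE ids in `<uri>` would inherit a wrong id as written. If it turns out to be a typo, the `link` attribute and the element text need correcting together, since both carry the number.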
diff --git a/metadata/glsa/glsa-202409-11.xml b/metadata/glsa/glsa-202409-11.xml
new file mode 100644
index 000000000000..af31b005f8d1
--- /dev/null
+++ b/metadata/glsa/glsa-202409-11.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-11">
+ <title>Oracle VirtualBox: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Oracle VirtualBox, the worst of which could lead to privilege escalation.</synopsis>
+ <product type="ebuild">virtualbox</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>918524</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-emulation/virtualbox" auto="yes" arch="*">
+ <unaffected range="ge">7.0.12</unaffected>
+ <vulnerable range="lt">7.0.12</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>VirtualBox is a powerful virtualization product from Oracle.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Oracle VirtualBox. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Oracle VirtualBox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-7.0.12"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22098">CVE-2023-22098</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22099">CVE-2023-22099</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22100">CVE-2023-22100</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T06:56:15.978186Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T06:56:15.982430Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202409-12.xml b/metadata/glsa/glsa-202409-12.xml
new file mode 100644
index 000000000000..2eb42e1d8665
--- /dev/null
+++ b/metadata/glsa/glsa-202409-12.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-12">
+ <title>pypy, pypy3: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in pypy and pypy3, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">pypy,pypy-exe,pypy-exe-bin,pypy3</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>741496</bug>
+ <bug>741560</bug>
+ <bug>774114</bug>
+ <bug>782520</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-python/pypy" auto="yes" arch="*">
+ <unaffected range="ge">7.3.3_p37_p1-r1</unaffected>
+ <vulnerable range="lt">7.3.3_p37_p1-r1</vulnerable>
+ </package>
+ <package name="dev-python/pypy-exe" auto="yes" arch="*">
+ <unaffected range="ge">7.3.2</unaffected>
+ <vulnerable range="lt">7.3.2</vulnerable>
+ </package>
+ <package name="dev-python/pypy-exe-bin" auto="yes" arch="*">
+ <vulnerable range="lt">7.3.2</vulnerable>
+ </package>
+ <package name="dev-python/pypy3" auto="yes" arch="*">
+ <unaffected range="ge">7.3.3_p37_p1-r1</unaffected>
+ <vulnerable range="lt">7.3.3_p37_p1-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A fast, compliant alternative implementation of the Python language.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in pypy. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All pypy users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/pypy-7.3.3_p37_p1-r1"
+ # emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-7.3.2"
+ # emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-bin-7.3.2"
+ </code>
+
+ <p>All pypy3 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/pypy3-7.3.3_p37_p1-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27619">CVE-2020-27619</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T06:59:11.659897Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T06:59:11.662062Z">graaff</metadata>
+</glsa>
\ No newline at end of file
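Review bot: The `dev-python/pypy-exe-bin` package entry carries only `<vulnerable range="lt">7.3.2</vulnerable>` and no `<unaffected>` element, while the resolution tells users to install `>=dev-python/pypy-exe-bin-7.3.2`. The other three packages pair each vulnerable range with an unaffected one, so tooling that derives the fixed version from the `<unaffected>` range presumably has no upgrade target for this package. If 7.3.2 is the fixed version, add `<unaffected range="ge">7.3.2</unaffected>` to that package. If no fixed version is in the tree, drop the matching emerge line from the resolution.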
diff --git a/metadata/glsa/glsa-202409-13.xml b/metadata/glsa/glsa-202409-13.xml
new file mode 100644
index 000000000000..75d6b45d312f
--- /dev/null
+++ b/metadata/glsa/glsa-202409-13.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-13">
+ <title>gst-plugins-good: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in gst-plugins-good, the worst of which could lead to denial of service or arbitrary code execution.</synopsis>
+ <product type="ebuild">gst-plugins-good</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>859418</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="media-libs/gst-plugins-good" auto="yes" arch="*">
+ <unaffected range="ge">1.20.3</unaffected>
+ <vulnerable range="lt">1.20.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>gst-plugins-good contains a set of plugins for the GStreamer open source multimedia framework.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in gst-plugins-good. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All gst-plugins-good users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-good-1.20.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1920">CVE-2022-1920</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1921">CVE-2022-1921</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1922">CVE-2022-1922</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1923">CVE-2022-1923</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1924">CVE-2022-1924</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1925">CVE-2022-1925</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2122">CVE-2022-2122</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T07:13:16.567438Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T07:13:16.570171Z">graaff</metadata>
+</glsa>
\ No newline at end of file
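Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line names the DTD by a plain-HTTP system identifier, and the same line opens every advisory file in the visible hunks (202409-12 through 202409-19). A consumer that resolves external DTDs while parsing would fetch it over an unauthenticated channel, so the PGP-signed Manifest covers the advisory text but not the grammar it is validated against. Parsers reading these files should keep external DTD and entity loading disabled and validate against a local copy of glsa.dtd. If the identifier can be changed upstream, an `https://` URL would at least authenticate the fetch.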
diff --git a/metadata/glsa/glsa-202409-14.xml b/metadata/glsa/glsa-202409-14.xml
new file mode 100644
index 000000000000..3b6f53f12f0d
--- /dev/null
+++ b/metadata/glsa/glsa-202409-14.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-14">
+ <title>Mbed TLS: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could lead to information disclosure or denial of service.</synopsis>
+ <product type="ebuild">mbedtls</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>886001</bug>
+ <bug>923279</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="net-libs/mbedtls" auto="yes" arch="*">
+ <unaffected range="ge">2.28.7</unaffected>
+ <vulnerable range="lt">2.28.7</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mbed TLS (previously PolarSSL) is an “easy to understand, use, integrate and expand” implementation of the TLS and SSL protocols and the respective cryptographic algorithms and support code required.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mbed TLS. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mbed TLS users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/mbedtls-2.28.7"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46392">CVE-2022-46392</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46393">CVE-2022-46393</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43615">CVE-2023-43615</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45199">CVE-2023-45199</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23170">CVE-2024-23170</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23775">CVE-2024-23775</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T07:17:18.324977Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T07:17:18.327589Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202409-15.xml b/metadata/glsa/glsa-202409-15.xml
new file mode 100644
index 000000000000..343078a82ddc
--- /dev/null
+++ b/metadata/glsa/glsa-202409-15.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-15">
+ <title>stb: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in stb, the worst of which lead to a denial of service.</synopsis>
+ <product type="ebuild">stb</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>818556</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-libs/stb" auto="yes" arch="*">
+ <unaffected range="ge">20240201</unaffected>
+ <vulnerable range="lt">20240201</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A set of single-file public domain (or MIT licensed) libraries for C/C++</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in stb. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All stb users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/stb-20240201"
+ </code>
+
+ <p>Note that stb is included at compile time, so all packages that depend on it should also be reinstalled. If you have app-portage/gentoolkit installed you can use:</p>
+
+ <code>
+ # emerge --ask --verbose $( equery depends dev-libs/stb | sed 's/^/=/' )
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28021">CVE-2021-28021</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37789">CVE-2021-37789</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42715">CVE-2021-42715</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42716">CVE-2021-42716</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28041">CVE-2022-28041</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28042">CVE-2022-28042</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28048">CVE-2022-28048</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T07:19:29.592096Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T07:19:29.595210Z">graaff</metadata>
+</glsa>
\ No newline at end of file
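Review bot: The rebuild command in the resolution, `emerge --ask --verbose $( equery depends dev-libs/stb | sed 's/^/=/' )`, omits `--oneshot`, unlike the upgrade command above it, so every reverse dependency it rebuilds would be recorded in the world set. Proposed line: `# emerge --ask --oneshot --verbose $( equery depends dev-libs/stb | sed 's/^/=/' )`. The synopsis also reads "the worst of which lead to a denial of service", where the other advisories in this commit use "could lead to".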
diff --git a/metadata/glsa/glsa-202409-16.xml b/metadata/glsa/glsa-202409-16.xml
new file mode 100644
index 000000000000..45eee08d99bf
--- /dev/null
+++ b/metadata/glsa/glsa-202409-16.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-16">
+ <title>Slurm: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Slurm, the worst of which could result in privilege escalation or code execution.</synopsis>
+ <product type="ebuild">slurm</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>631552</bug>
+ <bug>920104</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-cluster/slurm" auto="yes" arch="*">
+ <vulnerable range="le">22.05.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Slurm is a highly scalable resource manager.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Slurm. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Slurm. We recommend that users unmerge it:</p>
+
+ <code>
+ # emerge --ask --depclean "sys-cluster/slurm"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36770">CVE-2020-36770</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49933">CVE-2023-49933</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49934">CVE-2023-49934</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49935">CVE-2023-49935</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49936">CVE-2023-49936</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49937">CVE-2023-49937</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49938">CVE-2023-49938</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T07:39:27.768375Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T07:39:27.772433Z">graaff</metadata>
+</glsa>
\ No newline at end of file
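Review bot: The only range for `sys-cluster/slurm` is `<vulnerable range="le">22.05.3</vulnerable>`, so an installed version above 22.05.3 is not matched, even though the resolution says the package is no longer supported and should be unmerged. Presumably 22.05.3 was the last version in the tree, but a newer build installed from elsewhere would then pass a GLSA check silently. If that is the intent, say so in the resolution, e.g. `<p>Versions newer than 22.05.3 are not tracked by this advisory.</p>`.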
diff --git a/metadata/glsa/glsa-202409-17.xml b/metadata/glsa/glsa-202409-17.xml
new file mode 100644
index 000000000000..a675f311b112
--- /dev/null
+++ b/metadata/glsa/glsa-202409-17.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-17">
+ <title>VLC: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in VLC, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">vlc</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>788226</bug>
+ <bug>883943</bug>
+ <bug>917274</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-video/vlc" auto="yes" arch="*">
+ <unaffected range="ge">3.0.20</unaffected>
+ <vulnerable range="lt">3.0.20</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>VLC is a cross-platform media player and streaming server.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in VLC. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All VLC users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/vlc-3.0.20"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41325">CVE-2022-41325</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T07:58:11.321369Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T07:58:11.324218Z">graaff</metadata>
+</glsa>
\ No newline at end of file
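Review bot: The description and impact both defer to the referenced CVE identifiers, but `<references>` holds a single entry, CVE-2022-41325, while the title says "Multiple Vulnerabilities" and three bugs (788226, 883943, 917274) are listed. A reader cannot tell from the advisory what the other issues are, or whether 3.0.20 is the fixed version for all of them. Either add the identifiers tracked in the other bugs to `<references>`, or replace the placeholder description with a one-sentence summary of each issue. The pypy advisory (202409-12) has the same shape: four bugs, one CVE.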
diff --git a/metadata/glsa/glsa-202409-18.xml b/metadata/glsa/glsa-202409-18.xml
new file mode 100644
index 000000000000..6345445d100e
--- /dev/null
+++ b/metadata/glsa/glsa-202409-18.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-18">
+ <title>liblouis: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in liblouis, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">liblouis</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>905298</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/liblouis" auto="yes" arch="*">
+ <unaffected range="ge">3.25.0</unaffected>
+ <vulnerable range="lt">3.25.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>liblouis is an open-source braille translator and back-translator.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in liblouis. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All liblouis users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/liblouis-3.25.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-26767">CVE-2023-26767</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-26768">CVE-2023-26768</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-26769">CVE-2023-26769</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T08:30:59.018458Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T08:30:59.022181Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202409-19.xml b/metadata/glsa/glsa-202409-19.xml
new file mode 100644
index 000000000000..9fb9874f912e
--- /dev/null
+++ b/metadata/glsa/glsa-202409-19.xml
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202409-19">
+ <title>Emacs, org-mode: Command Execution Vulnerability</title>
+ <synopsis>A vulnerability has been found in Emacs and org-mode which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">emacs,org-mode</product>
+ <announced>2024-09-22</announced>
+ <revised count="1">2024-09-22</revised>
+ <bug>934736</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-editors/emacs" auto="yes" arch="*">
+ <unaffected range="ge" slot="26">26.3-r19</unaffected>
+ <unaffected range="ge" slot="27">27.2-r17</unaffected>
+ <unaffected range="ge" slot="28">28.2-r13</unaffected>
+ <unaffected range="ge" slot="29">29.3-r3</unaffected>
+ <vulnerable range="lt" slot="26">26.3-r19</vulnerable>
+ <vulnerable range="lt" slot="27">27.2-r17</vulnerable>
+ <vulnerable range="lt" slot="28">28.2-r13</vulnerable>
+ <vulnerable range="lt" slot="29">29.3-r3</vulnerable>
+ </package>
+ <package name="app-emacs/org-mode" auto="yes" arch="*">
+ <unaffected range="ge">9.7.5</unaffected>
+ <vulnerable range="lt">9.7.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Emacs is the extensible, customizable, self-documenting real-time display editor. org-mode is an Emacs mode for notes and project planning.</p>
+ </background>
+ <description>
+ <p>%(...) link abbreviations could specify unsafe functions.</p>
+ </description>
+ <impact type="high">
+ <p>Opening a malicious org-mode file could result in arbitrary code execution.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Emacs users should upgrade to the latest version according to the installed slot, one of:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-editors/emacs-26.3-r19:26"
+ </code>
+
+ <p>Alternatively:</p>
+
+ <code>
+ # emerge --ask --oneshot --verbose ">=app-editors/emacs-27.2-r17:27"
+ </code>
+
+ <code>
+ # emerge --ask --oneshot --verbose ">=app-editors/emacs-28.2-r13:28"
+ </code>
+
+ <code>
+ # emerge --ask --oneshot --verbose ">=app-editors/emacs-29.3-r3:29"
+ </code>
+
+ <p>All org-mode users should upgrade to the latest package:</p>
+
+ <code>
+ # emerge --ask --oneshot --verbose ">=app-emacs/org-mode-9.7.5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-39331">CVE-2024-39331</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-09-22T09:04:08.173072Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2024-09-22T09:04:08.176708Z">graaff</metadata>
+</glsa>
\ No newline at end of file
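Review bot: In the resolution, `# emerge --sync` appears only in the first code block (slot 26), and the "Alternatively:" paragraph introduces three further blocks for slots 27, 28 and 29 without it, so a user who copies only the block for their slot skips the sync. Putting the sync in its own block ahead of the slot list, introduced by something like `<p>First sync the repository:</p>`, would make each slot block self-contained. Separately, `<access>local</access>` sits beside an impact triggered by opening a malicious org-mode file, which can arrive from a remote sender; it is worth confirming the field reflects that.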
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 2bdef974b683..134d4c8a885f 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 21 Sep 2024 12:39:56 +0000
+Sun, 22 Sep 2024 13:10:05 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 295e40287b6d..fb54db6a96f5 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-7bcc5ebd7295c3c12ac47de41519dc019b4ba538 1723530188 2024-08-13T06:23:08Z
+c5244efc38e02f2f0af5af93f3b49a15bf368da2 1726995862 2024-09-22T09:04:22Z