author | V3n3RiX <venerix@koprulu.sector> | 2023-05-03 17:26:08 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2023-05-03 17:26:08 +0100 |
commit | 3cf27339901a7ca15df33f6ea134daa93888d5d0 (patch) | |
tree | d0f451df94a8ce90e3e81be8816e5f3ed8e62138 /metadata/glsa | |
parent | f6a034d922bf54efeaa781fcb5388b325b90d945 (diff) |
gentoo auto-resync : 03:05:2023 - 17:26:08
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 541169 -> 543888 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202305-07.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-08.xml | 44 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-09.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-10.xml | 143 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-11.xml | 49 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-12.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-13.xml | 68 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-14.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-15.xml | 68 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-16.xml | 155 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-17.xml | 56 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-18.xml | 44 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-19.xml | 51 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-20.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-21.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-22.xml | 45 | ||||
-rw-r--r-- | metadata/glsa/glsa-202305-23.xml | 65 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
21 files changed, 1057 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index aef754899f8c..38723649af72 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 541169 BLAKE2B 04ddea7633f5279cfe3dc609178287731e78b26b0d04d296fb468f9943b71ce950dfa6d434af7c4eaed9b918e6c40b290caa51ffda6e4d3b91f1a49601405d8e SHA512 2a71312a2085359f0dbd859a945e0f1893e1d3b869018adaeab33289a72db7e82cc588308dfb1286ac4c794d6c6138ed4dedafa4afbabcaf7ef0514cde7b6820 -TIMESTAMP 2023-05-03T09:39:39Z +MANIFEST Manifest.files.gz 543888 BLAKE2B 086be039b2492a206323b75c8d1a8c08cdf31c2fe2e08f902e3700fc585c0319af276d12436ba1ba5c8a1ea22ced8cee550bb804838c202489f371cc48e18e03 SHA512 a642abd36a43fa7a71aaa3ad66ad69b85d000aa101f2ed17ffec19bfa6f96356463e72244f2ffd41ff948a43d39d9cfb1936eb14f9667d502dfcb6563e225a11 +TIMESTAMP 2023-05-03T15:39:42Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmRSK9tfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmRSgD5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klDt8A/+OvEa+RWrPtwlLfqN+n11+CmTL/l9qnP1MzWpH8AsNpj2tKenTczWeILR -rPGvdZrH/izJpm/AQOkKw1FQPjKwHQSmicwg452z48nzFIDm/TrEFr1h5U7h7Jdd -e9iSVXF9H55G9L67MKp7JgfuUuBvRTbuN+bfCT0nIm2UxiS/iG6B8J9HNR3bW2sZ -fOoc0sfRXS5zyxlnopEzvDyYEG27uZw61P53SdkH4IUPydcVP1SyF0mOWAxep9MY -27Wrp5uLP3mOam8hz6niiwYGJSiyR0ihjHLgbt3d0lBeVF5Tn/EGtQzg++J3lZnd -TGy+30YqKYZtagP3SPL6DB/v3As4M3iESBt7GpG6q1kyH5Q8I023EWnirkNNm5aS -C2EEi2/T66QuylK8+Ga73VcVi+JzK3yF05oi2bwZOFScO8q0bxW0my9YTgof5zkM -Y7XX8GT8N+sa/TdSiIPI8O9nu/aG35zYYzKAPzeiG+lXljAPrrIJAaOU9hH6AvOW -mEyDuMfDAm78Q0J3Wmf6CwhE6mhMEh6yt+KqCH21jtW6VXMpKluFzJmeBb/kCHNt -FfJXKFLJV7+nghbjApf8QUxDeDXNu1suJmJvOhsCJK9xmzwq26fk2A9jf/kY53mn -ua55TdDfvh3NMRgoum8U/Yj0w3Vg2Jw9KJqqtim9IDYvM0AUqXQ= -=2BJl +klBYthAAii4etgzaDjruUCNjwjU87jmH3IF87D+oNHuiKqqkgs+NSaQlD9dt7OqM +vloyPw78OPGk1K3mNFEN3VNlMJPzTUFFOYRgw/xPgG+uJXJH+jHqcpwzq6C9MGkx +F5j+K7zgIvwjQeWGv+YiUC/r00EPlmYMVYhnSphsZlED6pawW9/AkZ/ae17/oemT 
+zRin79ikwFizOXcqw2/GrNzvISVlZmzXJmgAff1TKJ18wRpiuc98to/pmhxLAI+V +ROXFjt/k15wwiJEK6cm5OWfWE4QEfHcWaBPOUrfg8XbUwZLzpQA3q5tTiV0jioPq +OwzSCQqrNIRFLPZAanzVRx1oqGH54vug1xExSIHWZcetZVNbzN7xfaCH86V5Y/Gi +VrMhbN6dsG9S9xN/d1y09qauWLiJqFnlwD64Br138K+y/3eB+7rA813/I59YoBLW +qgEMgV3gUI1jz/zO21hCqJHK3sWdcVjUFHV+3DgqisM+gCq6O9zSlo4KXF0boChz +ovuY2zc34oJo8mJs/emA6uwjVnkaPMoObSj8Nme5iEN78G7j/aoMPPQLGtQc422X +2vobefZNxUqP+zMLRA44teteJFwvCFTbmtLU6H1o0SxXAmCWeLsAQsLfygmguoNG +oe3MhQW0fjVMZv2Zgz6SQrVhyHYpcxZZt4YWsdtQTuKy7wqTOzk= +=Mm5T -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 1c03b8466681..df1dab65675f 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202305-07.xml b/metadata/glsa/glsa-202305-07.xml new file mode 100644 index 000000000000..ea0624a6d193 --- /dev/null +++ b/metadata/glsa/glsa-202305-07.xml 
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-07">
+ <title>slixmpp: Insufficient Certificate Validation</title>
+ <synopsis>A vulnerability has been discovered in slixmpp which can result in successful man-in-the-middle attacks.</synopsis>
+ <product type="ebuild">slixmpp</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>881181</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/slixmpp" auto="yes" arch="*">
+ <unaffected range="ge">1.8.3</unaffected>
+ <vulnerable range="lt">1.8.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>slixmpp is a Python 3 library for XMPP.</p>
+ </background>
+ <description>
+ <p>slixmpp does not validate hostnames in certificates used by connected servers.</p>
+ </description>
+ <impact type="low">
+ <p>An attacker could perform a man-in-the-middle attack on users' connections to servers with slixmpp.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All slixmpp users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --upgrade --verbose ">=dev-python/slixmpp-1.8.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45197">CVE-2022-45197</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T09:47:07.895475Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T09:47:07.900775Z">sam</metadata>
+</glsa>
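Review bot: The second line of the new glsa-202305-07.xml, `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, is a cleartext external DTD reference, and the same line opens every other glsa-202305-*.xml added in this commit. A consumer that parses these files with external DTD loading enabled will fetch that URL over plain http on every parse, which is both a silent network dependency and the usual external-entity resolution surface. The GLSA format presumably requires the DOCTYPE, so the practical fix is on the consuming side: resolve the DTD from a local catalog or parse with the external subset disabled (libxml2's XML_PARSE_NONET, or no DTD loading at all). A one-line note in the sync tooling or tree README saying "parse GLSA files with external DTD loading disabled" would make that expectation explicit.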
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-08.xml b/metadata/glsa/glsa-202305-08.xml
new file mode 100644
index 000000000000..4bc05bd57073
--- /dev/null
+++ b/metadata/glsa/glsa-202305-08.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-08">
+ <title>D-Bus: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in D-Bus, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">dbus</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>875518</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/dbus" auto="yes" arch="*">
+ <unaffected range="ge">1.14.4</unaffected>
+ <vulnerable range="lt">1.14.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>D-Bus is a daemon providing a framework for applications to communicate with one another.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in D-Bus. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All D-Bus users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.14.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42010">CVE-2022-42010</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42011">CVE-2022-42011</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42012">CVE-2022-42012</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T09:52:25.396421Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T09:52:25.399162Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-09.xml b/metadata/glsa/glsa-202305-09.xml
new file mode 100644
index 000000000000..9bf31f312e2f
--- /dev/null
+++ b/metadata/glsa/glsa-202305-09.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-09">
+ <title>syslog-ng: Denial of Service</title>
+ <synopsis>A denial of service vulnerability was discovered in rsyslog related to syslog input over the network.</synopsis>
+ <product type="ebuild">syslog-ng</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>891941</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-admin/syslog-ng" auto="yes" arch="*">
+ <unaffected range="ge">3.38.1</unaffected>
+ <vulnerable range="lt">3.38.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>syslog replacement with advanced filtering features.</p>
+ </background>
+ <description>
+ <p>An integer overflow in the RFC3164 parser allows remote attackers to cause a denial of service via crafted syslog input that is mishandled by the tcp or network function.</p>
+ </description>
+ <impact type="normal">
+ <p>Attackers with access to input syslogs over syslog-ng's network functionality can cause a denial of service.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All syslog-ng users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.38.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38725">CVE-2022-38725</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T09:52:45.897422Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T09:52:45.899984Z">sam</metadata>
+</glsa>
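Review bot: The `<synopsis>` of the new glsa-202305-09.xml names the wrong product: it says the vulnerability "was discovered in rsyslog", while the title, `<product>`, the `<affected>` package and the resolution all refer to app-admin/syslog-ng. Anyone triaging from the synopsis alone (feeds and mail digests typically show only that line) will look at the wrong daemon, so it should read `<synopsis>A denial of service vulnerability was discovered in syslog-ng related to syslog input over the network.</synopsis>`. The `<background>` paragraph is also a sentence fragment, "syslog replacement with advanced filtering features."; `<p>syslog-ng is a syslog replacement with advanced filtering features.</p>` matches the form used by the other advisories in this commit.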
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-10.xml b/metadata/glsa/glsa-202305-10.xml
new file mode 100644
index 000000000000..02f988fa3669
--- /dev/null
+++ b/metadata/glsa/glsa-202305-10.xml
@@ -0,0 +1,143 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-10">
+ <title>Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution.</synopsis>
+ <product type="ebuild">chromium,chromium-bin,google-chrome,microsoft-edge</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>876855</bug>
+ <bug>878825</bug>
+ <bug>883031</bug>
+ <bug>883697</bug>
+ <bug>885851</bug>
+ <bug>890726</bug>
+ <bug>886479</bug>
+ <bug>890728</bug>
+ <bug>891501</bug>
+ <bug>891503</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">109.0.5414.74-r1</unaffected>
+ <vulnerable range="lt">109.0.5414.74-r1</vulnerable>
+ </package>
+ <package name="www-client/chromium-bin" auto="yes" arch="*">
+ <unaffected range="ge">109.0.5414.74</unaffected>
+ <vulnerable range="lt">109.0.5414.74</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">109.0.5414.74</unaffected>
+ <vulnerable range="lt">109.0.5414.74</vulnerable>
+ </package>
+ <package name="www-client/microsoft-edge" auto="yes" arch="*">
+ <unaffected range="ge">109.0.1518.61</unaffected>
+ <vulnerable range="lt">109.0.1518.61</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
+
+Google Chrome is one fast, simple, and secure browser for all your devices.
+
+Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium, Google Chrome, Microsoft Edge. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/chromium-109.0.5414.74-r1"
+ </code>
+
+ <p>All Chromium binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/chromium-bin-109.0.5414.74"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/google-chrome-109.0.5414.74"
+ </code>
+
+ <p>All Microsoft Edge users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-109.0.1518.61"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3445">CVE-2022-3445</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3446">CVE-2022-3446</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3447">CVE-2022-3447</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3448">CVE-2022-3448</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3449">CVE-2022-3449</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3450">CVE-2022-3450</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3723">CVE-2022-3723</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4135">CVE-2022-4135</uri>
+ <uri 
link="https://nvd.nist.gov/vuln/detail/CVE-2022-4174">CVE-2022-4174</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4175">CVE-2022-4175</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4176">CVE-2022-4176</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4177">CVE-2022-4177</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4178">CVE-2022-4178</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4179">CVE-2022-4179</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4180">CVE-2022-4180</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4181">CVE-2022-4181</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4182">CVE-2022-4182</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4183">CVE-2022-4183</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4184">CVE-2022-4184</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4185">CVE-2022-4185</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4186">CVE-2022-4186</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4187">CVE-2022-4187</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4188">CVE-2022-4188</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4189">CVE-2022-4189</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4190">CVE-2022-4190</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4191">CVE-2022-4191</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4192">CVE-2022-4192</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4193">CVE-2022-4193</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4194">CVE-2022-4194</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4195">CVE-2022-4195</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4436">CVE-2022-4436</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4437">CVE-2022-4437</uri>
+ <uri 
link="https://nvd.nist.gov/vuln/detail/CVE-2022-4438">CVE-2022-4438</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4439">CVE-2022-4439</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4440">CVE-2022-4440</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41115">CVE-2022-41115</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44688">CVE-2022-44688</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44708">CVE-2022-44708</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0128">CVE-2023-0128</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0129">CVE-2023-0129</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0130">CVE-2023-0130</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0131">CVE-2023-0131</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0132">CVE-2023-0132</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0133">CVE-2023-0133</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0134">CVE-2023-0134</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0135">CVE-2023-0135</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0136">CVE-2023-0136</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0137">CVE-2023-0137</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0138">CVE-2023-0138</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0139">CVE-2023-0139</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0140">CVE-2023-0140</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0141">CVE-2023-0141</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21719">CVE-2023-21719</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21775">CVE-2023-21775</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21795">CVE-2023-21795</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21796">CVE-2023-21796</uri>
+ </references>
+ <metadata tag="requester" 
timestamp="2023-05-03T09:53:05.056143Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T09:53:05.059084Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-11.xml b/metadata/glsa/glsa-202305-11.xml
new file mode 100644
index 000000000000..5b7a54c72d9a
--- /dev/null
+++ b/metadata/glsa/glsa-202305-11.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-11">
+ <title>Tor: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Tor, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">tor</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>808681</bug>
+ <bug>852821</bug>
+ <bug>890618</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-vpn/tor" auto="yes" arch="*">
+ <unaffected range="ge">0.4.7.13</unaffected>
+ <vulnerable range="lt">0.4.7.13</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Tor. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Tor users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-vpn/tor-0.4.7.13"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38385">CVE-2021-38385</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-33903">CVE-2022-33903</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23589">CVE-2023-23589</uri>
+ <uri>TROVE-2021-007</uri>
+ <uri>TROVE-2022-001</uri>
+ <uri>TROVE-2022-002</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T09:53:19.845731Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T09:53:19.850253Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-12.xml b/metadata/glsa/glsa-202305-12.xml
new file mode 100644
index 000000000000..4522165ae54f
--- /dev/null
+++ b/metadata/glsa/glsa-202305-12.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-12">
+ <title>sudo: Root Privilege Escalation</title>
+ <synopsis>A vulnerability has been discovered in sudo which could result in root privilege escalation.</synopsis>
+ <product type="ebuild">sudo</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>891335</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-admin/sudo" auto="yes" arch="*">
+ <unaffected range="ge">1.9.12_p2</unaffected>
+ <vulnerable range="lt">1.9.12_p2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>sudo allows a system administrator to give users the ability to run commands as other users.</p>
+ </background>
+ <description>
+ <p>The sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process.</p>
+ </description>
+ <impact type="high">
+ <p>The improper processing of user's environment variables could lead to the editing of arbitrary files as root, potentially leading to root privilege escalation.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All sudo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12_p2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22809">CVE-2023-22809</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T09:53:34.200622Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T09:53:34.205155Z">sam</metadata>
+</glsa>
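Review bot: `<access>remote</access>` in the new glsa-202305-12.xml contradicts the advisory's own description, which says the sudoedit issue lets "a local attacker" append entries through SUDO_EDITOR, VISUAL and EDITOR; nothing in the text describes a network-reachable vector. If the GLSA access vocabulary permits it, this should be `<access>local</access>`. The same mismatch is in glsa-202305-14.xml (uptimed), whose description concerns the uptimed user acting at emerge-time on the local system yet is also tagged `remote`. Consumers that prioritise advisories by access vector will over-rank both.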
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-13.xml b/metadata/glsa/glsa-202305-13.xml
new file mode 100644
index 000000000000..31de2ec7a134
--- /dev/null
+++ b/metadata/glsa/glsa-202305-13.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-13">
+ <title>Mozilla Thunderbird: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">thunderbird,thunderbird-bin</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>885815</bug>
+ <bug>891217</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">102.7.0</unaffected>
+ <vulnerable range="lt">102.7.0</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">102.7.0</unaffected>
+ <vulnerable range="lt">102.7.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. 
Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.7.0"
+ </code>
+
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.7.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46871">CVE-2022-46871</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46872">CVE-2022-46872</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46874">CVE-2022-46874</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46875">CVE-2022-46875</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46877">CVE-2022-46877</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46878">CVE-2022-46878</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46880">CVE-2022-46880</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46881">CVE-2022-46881</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46882">CVE-2022-46882</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23598">CVE-2023-23598</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23599">CVE-2023-23599</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23601">CVE-2023-23601</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23602">CVE-2023-23602</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23603">CVE-2023-23603</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23605">CVE-2023-23605</uri>
+ </references>
+ <metadata tag="requester" 
timestamp="2023-05-03T10:03:08.414596Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:03:08.419037Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-14.xml b/metadata/glsa/glsa-202305-14.xml
new file mode 100644
index 000000000000..f42e1eb0ac47
--- /dev/null
+++ b/metadata/glsa/glsa-202305-14.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-14">
+ <title>uptimed: Root Privilege Escalation</title>
+ <synopsis>A vulnerability has been discovered in uptimed which could result in root privilege escalation.</synopsis>
+ <product type="ebuild">uptimed</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>630810</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-misc/uptimed" auto="yes" arch="*">
+ <unaffected range="ge">0.4.6-r1</unaffected>
+ <vulnerable range="lt">0.4.6-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>uptimed is a system uptime record daemon that keeps track of your highest uptimes.</p>
+ </background>
+ <description>
+ <p>Via unnecessary file ownership modifications in the pkg_postinst ebuild phase, the uptimed user could change arbitrary files to be owned by the uptimed user at emerge-time.</p>
+ </description>
+ <impact type="high">
+ <p>The uptimed user could achieve root privileges when the uptimed package is emerged.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All uptimed users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-misc/uptimed-0.4.6-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36657">CVE-2020-36657</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T10:03:26.877508Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:03:26.880820Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-15.xml b/metadata/glsa/glsa-202305-15.xml
new file mode 100644
index 000000000000..7fa92d4c0221
--- /dev/null
+++ b/metadata/glsa/glsa-202305-15.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-15">
+ <title>systemd: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in systemd, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">systemd,systemd-tmpfiles,systemd-utils,udev</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>880547</bug>
+ <bug>830967</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/systemd" auto="yes" arch="*">
+ <unaffected range="ge">251.3</unaffected>
+ <vulnerable range="lt">251.3</vulnerable>
+ </package>
+ <package name="sys-apps/systemd-tmpfiles" auto="yes" arch="*">
+ <vulnerable range="None">None</vulnerable>
+ </package>
+ <package name="sys-apps/systemd-utils" auto="yes" arch="*">
+ <unaffected range="ge">251.3</unaffected>
+ <vulnerable range="lt">251.3</vulnerable>
+ </package>
+ <package name="sys-fs/udev" auto="yes" arch="*">
+ <vulnerable range="None">None</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A system and service manager.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in systemd. 
Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All systemd users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/systemd-251.3"
+ </code>
+
+ <p>All systemd-utils users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/systemd-utils-251.3"
+ </code>
+
+ <p>Gentoo has discontinued support for sys-apps/systemd-tmpfiles, sys-boot/systemd-boot, and sys-fs/udev. See the 2022-04-19-systemd-utils news item. Users should unmerge it in favor of sys-apps/systemd-utils on non-systemd systems:</p>
+
+ <code>
+ # emerge --ask --depclean --verbose "sys-apps/systemd-tmpfiles" "sys-boot/systemd-boot" "sys-fs/udev"
+ # emerge --ask --verbose --oneshot ">=sys-apps/systemd-utils-251.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3997">CVE-2021-3997</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3821">CVE-2022-3821</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T10:03:45.135890Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:03:45.140859Z">sam</metadata>
+</glsa>
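Review bot: The resolution paragraph of the new glsa-202305-15.xml tells users to depclean `sys-boot/systemd-boot`, but that package is in neither `<product>` (systemd,systemd-tmpfiles,systemd-utils,udev) nor `<affected>`, so tooling that matches advisories against the affected list will never associate this GLSA with systems that still have systemd-boot installed; either add a `<package name="sys-boot/systemd-boot" auto="yes" arch="*">` entry alongside the udev one or drop it from the prose. Separately, `<vulnerable range="None">None</vulnerable>` for sys-apps/systemd-tmpfiles and sys-fs/udev uses a range operator unlike the ge/lt comparisons used in every other `<package>` on this page; I cannot confirm from here whether glsa.dtd accepts "None", so it is worth validating before version-comparing consumers encounter it. The "Users should unmerge it" sentence also refers to three packages and reads better as `Users should unmerge them in favor of sys-apps/systemd-utils on non-systemd systems:`.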
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-16.xml b/metadata/glsa/glsa-202305-16.xml
new file mode 100644
index 000000000000..4f71e42cd375
--- /dev/null
+++ b/metadata/glsa/glsa-202305-16.xml
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-16">
+ <title>Vim, gVim: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">gvim,vim,vim-core</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>851231</bug>
+ <bug>861092</bug>
+ <bug>869359</bug>
+ <bug>879257</bug>
+ <bug>883681</bug>
+ <bug>889730</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-editors/gvim" auto="yes" arch="*">
+ <unaffected range="ge">9.0.1157</unaffected>
+ <vulnerable range="lt">9.0.1157</vulnerable>
+ </package>
+ <package name="app-editors/vim" auto="yes" arch="*">
+ <unaffected range="ge">9.0.1157</unaffected>
+ <vulnerable range="lt">9.0.1157</vulnerable>
+ </package>
+ <package name="app-editors/vim-core" auto="yes" arch="*">
+ <unaffected range="ge">9.0.1157</unaffected>
+ <vulnerable range="lt">9.0.1157</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Vim is an efficient, highly configurable improved version of the classic ‘vi’ text editor. gVim is the GUI version of Vim.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Vim, gVim. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Vim users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-editors/vim-9.0.1157"
+ </code>
+
+ <p>All gVim users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-editors/gvim-9.0.1157"
+ </code>
+
+ <p>All vim-core users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-editors/vim-core-9.0.1157"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1154">CVE-2022-1154</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1160">CVE-2022-1160</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1381">CVE-2022-1381</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1420">CVE-2022-1420</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1616">CVE-2022-1616</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1619">CVE-2022-1619</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1620">CVE-2022-1620</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1621">CVE-2022-1621</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1629">CVE-2022-1629</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1674">CVE-2022-1674</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1720">CVE-2022-1720</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1725">CVE-2022-1725</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1733">CVE-2022-1733</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1735">CVE-2022-1735</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1769">CVE-2022-1769</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1771">CVE-2022-1771</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1785">CVE-2022-1785</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1796">CVE-2022-1796</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1851">CVE-2022-1851</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1886">CVE-2022-1886</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1897">CVE-2022-1897</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1898">CVE-2022-1898</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1927">CVE-2022-1927</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1942">CVE-2022-1942</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1968">CVE-2022-1968</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2000">CVE-2022-2000</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2042">CVE-2022-2042</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2124">CVE-2022-2124</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2125">CVE-2022-2125</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2126">CVE-2022-2126</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2129">CVE-2022-2129</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2175">CVE-2022-2175</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2182">CVE-2022-2182</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2183">CVE-2022-2183</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2206">CVE-2022-2206</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2207">CVE-2022-2207</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2208">CVE-2022-2208</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2210">CVE-2022-2210</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2231">CVE-2022-2231</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2257">CVE-2022-2257</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2264">CVE-2022-2264</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2284">CVE-2022-2284</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2285">CVE-2022-2285</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2286">CVE-2022-2286</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2287">CVE-2022-2287</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2288">CVE-2022-2288</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2289">CVE-2022-2289</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2304">CVE-2022-2304</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2343">CVE-2022-2343</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2344">CVE-2022-2344</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2345">CVE-2022-2345</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2522">CVE-2022-2522</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2816">CVE-2022-2816</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2817">CVE-2022-2817</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2819">CVE-2022-2819</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2845">CVE-2022-2845</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2849">CVE-2022-2849</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2862">CVE-2022-2862</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2874">CVE-2022-2874</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2889">CVE-2022-2889</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2923">CVE-2022-2923</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2946">CVE-2022-2946</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2980">CVE-2022-2980</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2982">CVE-2022-2982</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3016">CVE-2022-3016</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3099">CVE-2022-3099</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3134">CVE-2022-3134</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3153">CVE-2022-3153</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3234">CVE-2022-3234</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3235">CVE-2022-3235</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3256">CVE-2022-3256</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3278">CVE-2022-3278</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3296">CVE-2022-3296</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3297">CVE-2022-3297</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3324">CVE-2022-3324</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3352">CVE-2022-3352</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3491">CVE-2022-3491</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3520">CVE-2022-3520</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3591">CVE-2022-3591</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3705">CVE-2022-3705</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4141">CVE-2022-4141</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4292">CVE-2022-4292</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4293">CVE-2022-4293</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47024">CVE-2022-47024</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0049">CVE-2023-0049</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0051">CVE-2023-0051</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0054">CVE-2023-0054</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T10:03:57.350349Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:03:57.353137Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-17.xml b/metadata/glsa/glsa-202305-17.xml
new file mode 100644
index 000000000000..579fc43f15d6
--- /dev/null
+++ b/metadata/glsa/glsa-202305-17.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-17">
+ <title>libsdl: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libsdl, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">libsdl</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>692388</bug>
+ <bug>836665</bug>
+ <bug>861809</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libsdl" auto="yes" arch="*">
+ <unaffected range="ge">1.2.15_p20221201</unaffected>
+ <vulnerable range="lt">1.2.15_p20221201</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Simple DirectMedia Layer is a cross-platform development library designed to provide low level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in SDL. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libsdl users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libsdl-1.2.15_p20221201"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7572">CVE-2019-7572</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7573">CVE-2019-7573</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7574">CVE-2019-7574</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7575">CVE-2019-7575</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7576">CVE-2019-7576</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7577">CVE-2019-7577</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7578">CVE-2019-7578</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7635">CVE-2019-7635</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7636">CVE-2019-7636</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7638">CVE-2019-7638</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13616">CVE-2019-13616</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33657">CVE-2021-33657</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34568">CVE-2022-34568</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T10:04:10.572876Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:04:10.575693Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-18.xml b/metadata/glsa/glsa-202305-18.xml
new file mode 100644
index 000000000000..8a572e5fecde
--- /dev/null
+++ b/metadata/glsa/glsa-202305-18.xml
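Review bot: The description says "discovered in SDL" while the title, `<product>`, `<affected>` and resolution all say libsdl, and the sibling advisory 202305-18 uses its package name in the same sentence. `<p>Multiple vulnerabilities have been discovered in libsdl. Please review the CVE identifiers referenced below for details.</p>` keeps the two advisories parallel. This is wording only; the package ranges and references are consistent with each other.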
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-18">
+ <title>libsdl2: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libsdl2, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">libsdl2</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>836665</bug>
+ <bug>890614</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libsdl2" auto="yes" arch="*">
+ <unaffected range="ge">2.26.0</unaffected>
+ <vulnerable range="lt">2.26.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Simple DirectMedia Layer is a cross-platform development library designed to provide low level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libsdl2. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libsdl2 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libsdl2-2.26.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33657">CVE-2021-33657</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4743">CVE-2022-4743</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T10:04:24.467262Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:04:24.470744Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-19.xml b/metadata/glsa/glsa-202305-19.xml
new file mode 100644
index 000000000000..be46977da997
--- /dev/null
+++ b/metadata/glsa/glsa-202305-19.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-19">
+ <title>Firejail: Local Privilege Escalation</title>
+ <synopsis>A vulnerability has been discovered in Firejail which could result in local root privilege escalation.</synopsis>
+ <product type="ebuild">firejail,firejail-lts</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>850748</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/firejail" auto="yes" arch="*">
+ <unaffected range="ge">0.9.70</unaffected>
+ <vulnerable range="lt">0.9.70</vulnerable>
+ </package>
+ <package name="sys-apps/firejail-lts" auto="yes" arch="*">
+ <vulnerable range="None">None</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.</p>
+ </background>
+ <description>
+ <p>Firejail does not sufficiently validate the user's environment prior to using it as the root user when using the --join command line option.</p>
+ </description>
+ <impact type="normal">
+ <p>An unprivileged user can exploit this vulnerability to achieve local root privileges.</p>
+ </impact>
+ <workaround>
+ <p>System administrators can mitigate this vulnerability via adding either "force-nonewprivs yes" or "join no" to the Firejail configuration file in /etc/firejail/firejail.config.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for sys-apps/firejail-lts. Users should unmerge it in favor of sys-apps/firejail:</p>
+
+ <code>
+ # emerge --ask --depclean --verbose "sys-apps/firejail-lts"
+ # emerge --ask --verbose "sys-apps/firejail"
+ </code>
+
+ <p>All Firejail users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --ask --oneshot --verbose ">=sys-apps/firejail-0.9.70"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31214">CVE-2022-31214</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T10:04:36.994181Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:04:36.999752Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-20.xml b/metadata/glsa/glsa-202305-20.xml
new file mode 100644
index 000000000000..bd23dda9c1cb
--- /dev/null
+++ b/metadata/glsa/glsa-202305-20.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-20">
+ <title>libapreq2: Buffer Overflow</title>
+ <synopsis>A buffer overflow vulnerability has been discovered in libapreq2 which could result in denial of service.</synopsis>
+ <product type="ebuild">libapreq2</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>866536</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-apache/libapreq2" auto="yes" arch="*">
+ <unaffected range="ge">2.17</unaffected>
+ <vulnerable range="lt">2.17</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libapreq is a shared library with associated modules for manipulating client request data via the Apache API.</p>
+ </background>
+ <description>
+ <p>TODO</p>
+ </description>
+ <impact type="low">
+ <p>An attacker could submit a crafted multipart form to trigger the buffer overflow and cause a denial of service.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libapreq2 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apache/libapreq2-2.17"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22728">CVE-2022-22728</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T10:05:03.532537Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:05:03.535300Z">sam</metadata>
+</glsa>
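Review bot: `<access>remote</access>` in glsa-202305-19 contradicts the title "Local Privilege Escalation" and the impact text, which describes an unprivileged local user gaining root; the vector this advisory describes is local, so the element should read `<access>local</access>`. The second `<code>` block also omits the `# emerge --sync` line that every other advisory in this commit places before its upgrade command, which is worth keeping uniform so users who copy the block get a current tree. The unmerge-then-upgrade ordering is the reverse of glsa-202305-15, which upgrades first and unmerges afterwards; either order works, but the two advisories in one commit should agree.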
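Review bot: The `<description>` of glsa-202305-20 still holds the `<p>TODO</p>` placeholder, so the advisory ships with no description of the flaw it fixes. The `<impact>` paragraph already names the vector, so a sentence derived from it such as `<p>A buffer overflow has been discovered in libapreq2's handling of multipart form data. Please review the CVE identifier referenced below for details.</p>` would fill the gap without inventing detail. A placeholder like this is also easy to catch mechanically; a check that rejects `TODO` inside `<description>` before an advisory is committed would prevent a repeat.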
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-21.xml b/metadata/glsa/glsa-202305-21.xml
new file mode 100644
index 000000000000..2fff2cab64ad
--- /dev/null
+++ b/metadata/glsa/glsa-202305-21.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-21">
+ <title>Cairo: Buffer Overflow Vulnerability</title>
+ <synopsis>A buffer overflow vulnerability has been discovered in Cairo which could result in denial of service.</synopsis>
+ <product type="ebuild">cairo</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>777123</bug>
+ <access>remote</access>
+ <affected>
+ <package name="x11-libs/cairo" auto="yes" arch="*">
+ <unaffected range="ge">1.17.6</unaffected>
+ <vulnerable range="lt">1.17.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Cairo is a 2D vector graphics library with cross-device output support.</p>
+ </background>
+ <description>
+ <p>An attacker with the ability to provide input to Cairo's image-compositor can cause a buffer overwrite.</p>
+ </description>
+ <impact type="normal">
+ <p>Malicious input to Cairo's image-compositor can result in denial of service of the application using such Cairo functionality.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Cairo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.17.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35492">CVE-2020-35492</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T10:32:09.444977Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:32:09.447930Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-22.xml b/metadata/glsa/glsa-202305-22.xml
new file mode 100644
index 000000000000..7498701d25eb
--- /dev/null
+++ b/metadata/glsa/glsa-202305-22.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-22">
+ <title>ISC DHCP: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in ISC DHCP, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">dhcp</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>875521</bug>
+ <bug>792324</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/dhcp" auto="yes" arch="*">
+ <unaffected range="ge">4.4.3_p1</unaffected>
+ <vulnerable range="lt">4.4.3_p1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>ISC DHCP is ISC's reference implementation of all aspects of the Dynamic Host Configuration Protocol.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in ISC DHCP. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ISC DHCP users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/dhcp-4.4.3_p1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25217">CVE-2021-25217</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2928">CVE-2022-2928</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2929">CVE-2022-2929</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T10:32:25.223781Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:32:25.226672Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202305-23.xml b/metadata/glsa/glsa-202305-23.xml
new file mode 100644
index 000000000000..6d921e29970f
--- /dev/null
+++ b/metadata/glsa/glsa-202305-23.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202305-23">
+ <title>Lua: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Lua, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">lua</product>
+ <announced>2023-05-03</announced>
+ <revised count="1">2023-05-03</revised>
+ <bug>837521</bug>
+ <bug>831053</bug>
+ <bug>520480</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/lua" auto="yes" arch="*">
+ <unaffected range="ge" slot="5.4">5.4.4-r103</unaffected>
+ <unaffected range="ge" slot="5.2">5.2.3</unaffected>
+ <unaffected range="ge" slot="5.1">5.1.5-r200</unaffected>
+ <vulnerable range="lt" slot="5.4">5.4.4-r103</vulnerable>
+ <vulnerable range="lt" slot="5.2">5.2.3</vulnerable>
+ <vulnerable range="lt" slot="5.1">5.1.5-r200</vulnerable>
+ <vulnerable range="None">None</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Lua. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Lua 5.1 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/lua-5.1.5-r200"
+ </code>
+
+ <p>All Lua 5.3 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/lua-5.2.3"
+ </code>
+
+ <p>All Lua 5.4 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/lua-5.4.4-r103"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5461">CVE-2014-5461</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44647">CVE-2021-44647</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28805">CVE-2022-28805</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-05-03T10:32:55.745234Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-05-03T10:32:55.751034Z">sam</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index d82f0bf9f814..22ec29cab17e 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Wed, 03 May 2023 09:39:36 +0000
+Wed, 03 May 2023 15:39:39 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 27fdda67f379..22d6e004bfa9 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-5f136da08cc28aa97d67b66cdaeb4c59046fd70d 1683106306 2023-05-03T09:31:46+00:00
+9481b5e54d9a028a3f651d96ca46efd05ac1b3a6 1683110025 2023-05-03T10:33:45+00:00
|
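Review bot: The second resolution paragraph of glsa-202305-23 says "All Lua 5.3 users should upgrade", but the command it introduces is `>=dev-lang/lua-5.2.3` and the slots listed under `<affected>` are 5.4, 5.2 and 5.1, so the heading should read `<p>All Lua 5.2 users should upgrade to the latest version:</p>`. The first reference uses the legacy `https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5461` URL form while every other reference in this commit uses the `https://nvd.nist.gov/vuln/detail/` form; `https://nvd.nist.gov/vuln/detail/CVE-2014-5461` keeps the list uniform. The trailing unslotted `<vulnerable range="None">None</vulnerable>` presumably marks slots with no fixed version, but nothing in the advisory says which; a sentence in the resolution naming the slot it covers and what users of it should do would remove the ambiguity.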