author | V3n3RiX <venerix@koprulu.sector> | 2024-01-02 20:57:46 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2024-01-02 20:57:46 +0000 |
commit | 49955454c1c6f0c30ab17d37abd921ee4aba0383 (patch) | |
tree | 87e9a7f5e46d0c6a881c021bceaebaea5b36643e /metadata/glsa | |
parent | 4eaeaf683cb193978f14d55e52ea834d32e8a089 (diff) |
gentoo auto-resync : 02:01:2024 - 20:57:46
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 558197 -> 558359 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202401-01.xml | 47 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
5 files changed, 64 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 5c5656946097..6b16de838a07 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 558197 BLAKE2B dde0fd5bc1749affc0b48b285b7ab9bd0a7216628f650cd3cbf0e6b2a1788ebd2dc667afbfee3491b42c071ba583d8c7e204468384a8f639b22206d6cbf47903 SHA512 6a3cf3862910d3680e54853c513e07b7a7d791fa5a5732653e79584f351498dd0ac5f7c244cf38dd9920afd7da27fd2c1e7a51770500da41d964a2a5ddd6ec92 -TIMESTAMP 2024-01-02T14:09:54Z +MANIFEST Manifest.files.gz 558359 BLAKE2B 6ff1dd9354455ed7f338ae06c477ce7dac2990bd3eb84868668c9a4fbd7666355ff69ec8cc4598c2a46dd5fe56b3f952413e3b68af3b33b6da19c6f37d97ca70 SHA512 a6deeae40717b5176fe6030ff10537898379202450dfebbf026b789aa8ed1701f446b152e2bf3cf3f8b391bac2576b9612ea9a4cf4d35ad7cc3d262e8dfa0010 +TIMESTAMP 2024-01-02T20:10:00Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmWUGTJfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmWUbZhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klBH4BAAhVAlV/ou9s5O1/wbLMT6lxHxhmkXC1NA64nKu4fiZg20p2POZvOXS0NM -DpBMVHH0tTd0xvSSiNqFYZkx/k/LHtQSS6YwkdM+15DhhUrbB46TakVUkhFUUr2y -8JG47FlWXxcKKXcxqxdvdtNYexggyHhq2QmRPwlnxbMq98/bTSGIpzEh8pok6VeG -IrVtEVR9MZ0c+Ye4I/KuzlngCM4I61DpoHAjbPNkmGVpkBI0B+TD/7JNjewa7I8a -SshfzS26r3ZOs9TtbDM7/jsumg8Ty3Ic2eRFIqRKPiveWlx7utXlweRcHxhXsVHB -By0JQMUE2ACWCk135JQrKg4BYZe1aB0mkXoJt5outsXs+0HcWAmFiw6K61PJ9Nxj -Es7mbaeE1BYN90j7YzNOVCL6UVkiMN3QneNG7ieAIpwWAuKhUDn2bWpIgpom6k2w -ofSimSASw55lJtBPEZ5VNA0hOWbuzWQK9+x9A02iTZ1rSXrBnOXOpy2ZcJ6pCsgd -JwM7+Wfm36n4H8vyv1U93jXMtwJjq4WYUFXBkSl8Un4GFLUAZ697gdcOW+cqrTch -VSm0SM1J2OSDmffq0qK5Ou5kklkirkIJdqNXvqdxbExdzTGIYReGSaNWrsG/wiYC -WstYW1w614kisOTvq82zasBIH6dYlcNOeUHOL63s6pRCoV9AN+E= -=HJtc +klAHLRAAomZSIykxvnL3Gy2ChTZJ0GR7MwT6CghWpcnJK8IzEVfSJneesKvaM23z +7lAfp9kULbagVqDZHbu58cK30h6KJmc2qeapuiVhYoKgQts6Y3YLJjJRdPZhGzcw +oz4P3Fj6v1vb4M1UnZ75sj3CHa/yNuzrlh39E9QBsOBWUkUmkhVnCDgvxE/uRpxS 
+KQc4xAfXJy7ZuoU51VPyEKbnO8xMwFrUjRP2BLdPHnlpsIlSGt8DOTO0xsBO5Hta +7FkvOX+a+nFwr/psJA8VRyqtg1ZeiprbsxODAwV3MJYXWkft0p9SSwvvregg/E9h +SkofwmLtrrCh2jwX5hzKDMJjUDctqn3K26XZwDyvNBDFDGMTT5W87GpfwmVv1wup +Ivg71xkcVrsiHVbFzPz3A8NxwC88qwoznlRdYKVgneAxszHPlYGsm2FfyncvNqdT +ck6BaPiFyv/rjc0kFNWRZG6ciHi4mSK92Pm++nv74MscEKU2mJhQiVM2QgqmG5H/ +WrrYhNHTpfLw2bpPXRtUXrBeStkppZ81AD+1CcEAVDAnaUJ+2eBCACWPomxLooxW +eOai+euP0x7+WGUSGD2wH98qdISzlwkRS/yVdME4Hd8EIRukv4gBKzEOxMHZBKiM +Al/zS10i9DTmF2T8ZLjAmX/AAHRH429wMQJfjmGUFKIPl3CyJfs= +=kC8w -----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
Binary files differ
index c1be36f2d992..e9d3a995cb72 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
diff --git a/metadata/glsa/glsa-202401-01.xml b/metadata/glsa/glsa-202401-01.xml
new file mode 100644
index 000000000000..0909c59e0bbf
--- /dev/null
+++ b/metadata/glsa/glsa-202401-01.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202401-01">
+ <title>Joblib: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been found in Joblib which allows for arbitrary code execution.</synopsis>
+ <product type="ebuild">joblib</product>
+ <announced>2024-01-02</announced>
+ <revised count="1">2024-01-02</revised>
+ <bug>873151</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/joblib" auto="yes" arch="*">
+ <unaffected range="ge">1.2.0</unaffected>
+ <vulnerable range="lt">1.2.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Joblib is a set of tools to provide lightweight pipelining in Python. In particular:
+
+1. transparent disk-caching of functions and lazy re-evaluation (memoize pattern)
+2. easy simple parallel computing
+
+Joblib is optimized to be fast and robust on large data in particular and has specific optimizations for numpy arrays.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in Joblib. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Joblib is vulnerable to arbitrary code execution via the pre_dispatch flag in Parallel() class due to the eval() statement.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Joblib users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/joblib-1.2.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21797">CVE-2022-21797</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-01-02T14:38:14.200471Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-01-02T14:38:14.202528Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 6fa290cb022a..d000d28dfbe0 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Tue, 02 Jan 2024 14:09:50 +0000
+Tue, 02 Jan 2024 20:09:57 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 352527083875..4f7a75657ddb 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-3dfe782899716a3480c9481c69bca8c231c663a7 1703730129 2023-12-28T02:22:09+00:00
+086ee91647926ad5550f1443e004b5f5d1bda7fc 1704206331 2024-01-02T14:38:51+00:00 |
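Review bot: In glsa-202401-01.xml the `<description>` only defers to the CVE and `<workaround>` says none is known, although the `<impact>` sentence already names the cause: the `pre_dispatch` argument of `Parallel()` reaches an `eval()`. The description would serve someone triaging the advisory better if it stated the precondition directly, for example `<p>Parallel() passes its pre_dispatch argument to eval(), so code execution requires that untrusted input can reach that argument.</p>`. Read that way, `<access>remote</access>` applies only where an application exposes the argument to remote input, and keeping untrusted data out of `pre_dispatch` looks like an interim mitigation until 1.2.0 is installed. Both points are inferred from the impact text and should be confirmed against the referenced CVE entry before the wording is changed.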