author | V3n3RiX <venerix@redcorelinux.org> | 2021-07-17 19:04:28 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2021-07-17 19:04:28 +0100 |
commit | 514d1bbe260df2521fe60f1a3ec87cfcfde1a829 (patch) | |
tree | 555c194dbeb0fb2ac4ad3cde7c0f6a80fd330ce2 /metadata/glsa | |
parent | 4df3bf9762850b34cd1ead5c80374d1a0fc3362e (diff) |
gentoo resync : 17.07.2021
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 513815 -> 515403 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202107-18.xml | 2 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-31.xml | 49 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-32.xml | 52 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-33.xml | 62 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-34.xml | 52 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-35.xml | 47 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-36.xml | 50 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-37.xml | 53 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-38.xml | 54 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-39.xml | 59 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-40.xml | 56 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
15 files changed, 552 insertions, 18 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 29379dfcc71a..dae4120315e4 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 513815 BLAKE2B c9341c70c451176624067442c934e00b2746cd12e3817b856dc0f8fd8c41edcf12efea2ca7042e862fd64a6f5fc4c391e4bdeab74017bbb63dda51c5ff0fcf2a SHA512 6745132a386e572818d7fd992a7f2ef031ba828e3e48360c5a4f3b3160c32f4e65e615769109aebc74bb29d44c91864e25ff06783231a9b67785a728877e9e1d -TIMESTAMP 2021-07-12T07:09:00Z +MANIFEST Manifest.files.gz 515403 BLAKE2B 2c3efe7a5a7d2ab8e90e9b1bd7118eceae943d57d96054bc9b9f1f28ce3625d956a0ef4b37dc99a8f53983d4cb1c230b5d63cdaf2310372c379209c8703ec67f SHA512 3314ee13046d68813f7a4f6d648d5b31496fb976d5d8456229403081e0e0f9369fa83c271c4d6eb3dbe296b3a72758271782ca5d805b74a5deaa07e14742bafb +TIMESTAMP 2021-07-17T17:39:10Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmDr6oxfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmDzFb5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klBPRQ/9EcSbkFNNsrrJbsDGdKEnzgbOn+Wr9RNajghqM1MAYNkZ1LnBYt4UDc6S -KJOM9kbrtVXvyBu88jpIabBJG3NuPhvB/mpQnzPxkux6bO6q1da+h2DMf5hgNL+N -Er5r3FI1WWHIJ7ECLej2jowXcuyTHSQOpWoSXm9X8uMhBMHDYygf2EB7yinxfxa4 -ZoJwm9FJn7SX+YhQpS4aZSQ3cVSHEe1hF59HWGcj5Dz5g93/pJwxl+EolQvtsHPE -zX/CybqINK4RPouccjZJPyGVcuwCVuaWc2vTlQullbKq0RwkAJgn9oFRYCxxZgTN -IT9YbBsB5i2Bwfj9/l/NVJYQ3BMzkicpoJoSTTYsKXBX+PZJeUxo+ozfqOrbEZmq -aE0Ag3k/fTVaabjFqUm4sJD+F3FR06nT0SsSUMJCC5zotqgiuyYOGJJ9ew7ywQEr -gSmVsUbWS0PC+PaldHuLAAuPe8S4lfsssLQsOe9q35rmjuxGO3Y1di/AEt028eJt -HL321clXyXE95Px+5pd7cDRfKv+Z6pre907zAuzMzbmzg81iZuAectOmCNgC4yqT -80/VqQZSYpsURIFyBIFBUeGIyp9pk5YP3KOk8OPMMOk6mmhHW3pDW424VWPjVtfO -GMg46I5+78fC5BhkBNu5geidmyh8xuTz91VD7MB26WBMEtaVzcI= -=UXqP +klDTaRAAiEapxlJpnLp5i442vw3FGhXvzblQCEiX/58EfEx0FZ/OsnvkGWhC55p5 +7SUCZNE0doIskdzXItmenbaWy+BBmzWtqMTSkt3mMDddxt9ElaU1LWlr9XefH/BM +sjlwAJfeJndyw60i7JMTETTjX3scBM+Z9wP8n0uyuiLFQQ0kNM8DrwxyKOlEV5Fy 
+xQv9DieSnnPaMiQZ+yLuZQM4lpiwTEToGjs9MgC2d032AL9G1TiZFFjFYRcaJWKS +mhZeGUHUI81VYa93a7yeHCYC6fE19S0bsg+KPccyMYcxa4e3UwebT+zNPWQHA50c +89YLMVAGTIgR7qweUzfgDOM2M5Si1Rj1gtq442Hg78p+uoE9gdKicAxyW9qiMBBs +LkgD5HMM6+x/x2VwdNHszYPfbKKJX5Av52KSLqy2hX8fHZAvSIIogxQftr2SJqsU +/OIZKqzgksB/masJn6BdDGrE/EyeyoQxSeXTgfHrytOzWaZkTnnSZmoF2aLEQf5y +H6gB7PyCQgCw5rtPc/eyl0Zhu1FXwq9soK4a6BJW0WCQHL0AWdM/xR7P7ZTJKc2e +haCmlIBwxbWtk1656Zm/JcEgOvsgkYrH+g8RBtD3UtMgOWpXS+TSM1HEslM6rgkL +1hFP5bztPPwgcs0vHkwVy9bm0y9t4vgCDibxJ/1M94WlFvUHG14= +=jtEe -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 2302cd653bc1..0db27d5d926b 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202107-18.xml b/metadata/glsa/glsa-202107-18.xml index f05d598c50b4..2b65f114639a 100644 --- a/metadata/glsa/glsa-202107-18.xml +++ b/metadata/glsa/glsa-202107-18.xml @@ -32,7 +32,7 @@ </workaround> <resolution> <p>Gentoo has discontinued support for BladeEnc. We recommend that users - unmerge ssvnc: + unmerge it: </p> <code> diff --git a/metadata/glsa/glsa-202107-31.xml b/metadata/glsa/glsa-202107-31.xml new file mode 100644 index 000000000000..77846b9839bb --- /dev/null +++ b/metadata/glsa/glsa-202107-31.xml 
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-31">
+ <title>polkit: Privilege escalation</title>
+ <synopsis>A vulnerability in polkit could lead to local root privilege
+ escalation.
+ </synopsis>
+ <product type="ebuild">polkit</product>
+ <announced>2021-07-13</announced>
+ <revised count="1">2021-07-13</revised>
+ <bug>794052</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-auth/polkit" auto="yes" arch="*">
+ <unaffected range="ge">0.119</unaffected>
+ <vulnerable range="lt">0.119</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>polkit is a toolkit for managing policies related to unprivileged
+ processes communicating with privileged process.
+ </p>
+ </background>
+ <description>
+ <p>The function polkit_system_bus_name_get_creds_sync() was called without
+ checking for error, and as such temporarily treats the authentication
+ request as coming from root.
+ </p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All polkit users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-auth/polkit-0.119"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3560">CVE-2021-3560</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-13T00:16:39Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-13T02:29:59Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-32.xml b/metadata/glsa/glsa-202107-32.xml
new file mode 100644
index 000000000000..1471ab62487f
--- /dev/null
+++ b/metadata/glsa/glsa-202107-32.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-32">
+ <title>Apache Thrift: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Apache Thrift, the
+ worst of which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">thrift</product>
+ <announced>2021-07-14</announced>
+ <revised count="1">2021-07-14</revised>
+ <bug>761409</bug>
+ <bug>770145</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/thrift" auto="yes" arch="*">
+ <unaffected range="ge">0.14.1</unaffected>
+ <vulnerable range="lt">0.14.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Apache Thrift is a software framework that combines a software stack
+ with a code generation engine to build services that work efficiently and
+ seamlessly between many languages.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Apache Thrift. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Apache Thrift users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/thrift-0.14.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-0205">CVE-2019-0205</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-0210">CVE-2019-0210</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13949">CVE-2020-13949</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-08T01:05:35Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-14T03:10:06Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-33.xml b/metadata/glsa/glsa-202107-33.xml
new file mode 100644
index 000000000000..ab54702ebb12
--- /dev/null
+++ b/metadata/glsa/glsa-202107-33.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-33">
+ <title>Pillow: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Pillow, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">pillow</product>
+ <announced>2021-07-14</announced>
+ <revised count="1">2021-07-14</revised>
+ <bug>773559</bug>
+ <bug>774387</bug>
+ <bug>779760</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/pillow" auto="yes" arch="*">
+ <unaffected range="ge">8.2.0</unaffected>
+ <vulnerable range="lt">8.2.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Python Imaging Library (fork)</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Pillow. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Pillow users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/pillow-8.2.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25287">CVE-2021-25287</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25288">CVE-2021-25288</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25289">CVE-2021-25289</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25290">CVE-2021-25290</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25291">CVE-2021-25291</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25292">CVE-2021-25292</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25293">CVE-2021-25293</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-27921">CVE-2021-27921</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-27922">CVE-2021-27922</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-27923">CVE-2021-27923</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28675">CVE-2021-28675</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28676">CVE-2021-28676</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28677">CVE-2021-28677</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28678">CVE-2021-28678</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-13T01:09:21Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-14T03:15:19Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-34.xml b/metadata/glsa/glsa-202107-34.xml
new file mode 100644
index 000000000000..45507b800ec2
--- /dev/null
+++ b/metadata/glsa/glsa-202107-34.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-34">
+ <title>FluidSynth: Remote code execution</title>
+ <synopsis>A vulnerability was found in FluidSynth that could result in remote
+ code execution.
+ </synopsis>
+ <product type="ebuild">fluidsynth</product>
+ <announced>2021-07-15</announced>
+ <revised count="1">2021-07-15</revised>
+ <bug>782700</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-sound/fluidsynth" auto="yes" arch="*">
+ <unaffected range="ge">2.2.0</unaffected>
+ <vulnerable range="lt">2.2.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FluidSynth is a real-time synthesizer based on the Soundfont 2
+ specifications.
+ </p>
+ </background>
+ <description>
+ <p>FluidSynth contains a use-after-free in sfloader/fluid_sffile.c which
+ occurs when parsing Soundfile 2 files.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted
+ Soundfont 2 file using FluidSynth, possibly resulting in execution of
+ arbitrary code with the privileges of the process or a Denial of Service
+ condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All FluidSynth users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-sound/fluidsynth-2.2.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28421">CVE-2021-28421</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-14T23:27:29Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-15T05:12:31Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-35.xml b/metadata/glsa/glsa-202107-35.xml
new file mode 100644
index 000000000000..392ebaa6e18e
--- /dev/null
+++ b/metadata/glsa/glsa-202107-35.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-35">
+ <title>OpenSCAD: Buffer overflow</title>
+ <synopsis>A buffer overflow in OpenSCAD might allow remote attacker(s) to
+ execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">openscad</product>
+ <announced>2021-07-15</announced>
+ <revised count="1">2021-07-15</revised>
+ <bug>773217</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-gfx/openscad" auto="yes" arch="*">
+ <unaffected range="ge">2021.01</unaffected>
+ <vulnerable range="lt">2021.01</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenSCAD is the programmer’s solid 3D CAD modeller.</p>
+ </background>
+ <description>
+ <p>A buffer overflow exists in OpenSCAD when parsing STL files.</p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted STL
+ file using OpenSCAD, possibly resulting in execution of arbitrary code
+ with the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenSCAD users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-gfx/openscad-2021.01"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28599">CVE-2020-28599</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-14T23:34:45Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-15T05:18:07Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-36.xml b/metadata/glsa/glsa-202107-36.xml
new file mode 100644
index 000000000000..f5fc80d84489
--- /dev/null
+++ b/metadata/glsa/glsa-202107-36.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-36">
+ <title>urllib3: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in urllib3, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">urllib3</product>
+ <announced>2021-07-15</announced>
+ <revised count="1">2021-07-15</revised>
+ <bug>776421</bug>
+ <bug>799413</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/urllib3" auto="yes" arch="*">
+ <unaffected range="ge">1.26.5</unaffected>
+ <vulnerable range="lt">1.26.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The urllib3 library is an HTTP library with thread-safe connection
+ pooling, file post, and more.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in urllib3. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a possible Denial of Service condition.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All urllib3 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/urllib3-1.26.5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28363">CVE-2021-28363</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33503">CVE-2021-33503</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-13T14:50:16Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-15T05:20:38Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-37.xml b/metadata/glsa/glsa-202107-37.xml
new file mode 100644
index 000000000000..649bc79dcaa8
--- /dev/null
+++ b/metadata/glsa/glsa-202107-37.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-37">
+ <title>Apache Commons Collections: Remote code execution</title>
+ <synopsis>Apache Commons Collections unsafely deserializes untrusted input,
+ potentially resulting in arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">commons-collections</product>
+ <announced>2021-07-16</announced>
+ <revised count="1">2021-07-16</revised>
+ <bug>739348</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/commons-collections" auto="yes" arch="*">
+ <unaffected range="ge">3.2.2</unaffected>
+ <vulnerable range="lt">3.2.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Apache Commons Collections extends the JCF classes with new interfaces,
+ implementations and utilities.
+ </p>
+ </background>
+ <description>
+ <p>Some classes in the Apache Commons Collections functor package
+ deserialized potentially untrusted input by default.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Deserializing untrusted input using Apache Commons Collections could
+ result in remote code execution.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Apache Commons Collections users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=dev-java/commons-collections-3.2.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15708">CVE-2017-15708</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-14T23:32:40Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-16T04:11:42Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-38.xml b/metadata/glsa/glsa-202107-38.xml
new file mode 100644
index 000000000000..f727464eb5b8
--- /dev/null
+++ b/metadata/glsa/glsa-202107-38.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-38">
+ <title>Apache: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Apache, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">apache</product>
+ <announced>2021-07-17</announced>
+ <revised count="1">2021-07-17</revised>
+ <bug>795231</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-servers/apache" auto="yes" arch="*">
+ <unaffected range="ge">2.4.48</unaffected>
+ <vulnerable range="lt">2.4.48</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Apache HTTP server is one of the most popular web servers on the
+ Internet.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Apache. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Apache users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.48"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17567">CVE-2019-17567</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13950">CVE-2020-13950</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35452">CVE-2020-35452</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-26690">CVE-2021-26690</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-26691">CVE-2021-26691</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30641">CVE-2021-30641</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31618">CVE-2021-31618</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-17T03:52:42Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-17T04:57:02Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-39.xml b/metadata/glsa/glsa-202107-39.xml
new file mode 100644
index 000000000000..42a2dbf5f8e6
--- /dev/null
+++ b/metadata/glsa/glsa-202107-39.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-39">
+ <title>Apache Commons FileUpload: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Apache Commons
+ FileUpload, the worst of which could result in a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">commons-fileupload</product>
+ <announced>2021-07-17</announced>
+ <revised count="1">2021-07-17</revised>
+ <bug>739350</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/commons-fileupload" auto="yes" arch="*">
+ <vulnerable range="le">1.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Apache Commons FileUpload package makes it easy to add robust,
+ high-performance, file upload capability to your servlets and web
+ applications.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Apache Commons
+ FileUpload. Please review the CVE identifiers referenced below for
+ details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Apache Commons FileUpload. We
+ recommend that users unmerge it:
+ </p>
+
+ <code>
+ # emerge --ask --depclean "dev-java/commons-fileupload"
+ </code>
+
+ <p>NOTE: The Gentoo developer(s) maintaining Apache Commons FileUpload have
+ discontinued support at this time. It may be possible that a new Gentoo
+ developer will update Apache Commons FileUpload at a later date. We do
+ not have a suggestion for a replacement at this time.
+ </p>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2013-0248">CVE-2013-0248</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2014-0050">CVE-2014-0050</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-3092">CVE-2016-3092</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-17T04:04:02Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-17T05:07:31Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-40.xml b/metadata/glsa/glsa-202107-40.xml
new file mode 100644
index 000000000000..3ad90ee21f0a
--- /dev/null
+++ b/metadata/glsa/glsa-202107-40.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-40">
+ <title>MediaWiki: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in MediaWiki, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">mediawiki</product>
+ <announced>2021-07-17</announced>
+ <revised count="1">2021-07-17</revised>
+ <bug>780654</bug>
+ <bug>797661</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-apps/mediawiki" auto="yes" arch="*">
+ <unaffected range="ge">1.36.1</unaffected>
+ <vulnerable range="lt">1.36.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>MediaWiki is a collaborative editing software used by large projects
+ such as Wikipedia.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in MediaWiki. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All MediaWiki users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.36.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30152">CVE-2021-30152</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30154">CVE-2021-30154</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30155">CVE-2021-30155</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30157">CVE-2021-30157</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30158">CVE-2021-30158</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30159">CVE-2021-30159</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30458">CVE-2021-30458</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35197">CVE-2021-35197</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-17T03:41:24Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-17T05:10:27Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 80697622a60d..598a38ee3e84 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Mon, 12 Jul 2021 07:08:55 +0000
+Sat, 17 Jul 2021 17:39:07 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 33b059e9fdb6..4a0f4bdf44a0 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-cabcc55894eaeb6351c50c95fa8ce6eb111a368b 1626058189 2021-07-12T02:49:49+00:00
+8869d4a8d53cf7ba0e777627877b7a395ba645d6 1626498718 2021-07-17T05:11:58+00:00
|