authorV3n3RiX <venerix@koprulu.sector>2023-10-08 12:03:01 +0100
committerV3n3RiX <venerix@koprulu.sector>2023-10-08 12:03:01 +0100
commit522fa4e6f267ba688a264ceec8d6c79663b61219 (patch)
tree67895f3a8243148309fbd841dabba28c37f4ed4a /metadata/glsa
parent32c16465e56b0122cf6e5a4625e9c7b56b107b07 (diff)
gentoo auto-resync : 08:10:2023 - 12:03:01
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin549618 -> 550416 bytes
-rw-r--r--metadata/glsa/glsa-202310-05.xml42
-rw-r--r--metadata/glsa/glsa-202310-06.xml53
-rw-r--r--metadata/glsa/glsa-202310-07.xml58
-rw-r--r--metadata/glsa/glsa-202310-08.xml42
-rw-r--r--metadata/glsa/glsa-202310-09.xml45
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
9 files changed, 257 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index cb6b22cf7832..566ebfb63739 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 549618 BLAKE2B df3cca5309face77ad600cd7dd41da5c8d5969140f0f882439af0839721ca14a3e2ddda207c25ab4f6c4bb766db6e715560df951e539d7cc21ac6c04098c804d SHA512 fecd1787120b073b451d8a3eda16e7b1d80f65213749758b8dc28dd7adb7911c5d678553c3d79c9868d343fd46ecb5e858110be9deff13b5fe735cee99c77036
-TIMESTAMP 2023-10-08T04:41:03Z
+MANIFEST Manifest.files.gz 550416 BLAKE2B 8daa7d9fd115f3b8248d5fb12e0f3047ff161fdf5d6ff06f848034f145e6c2f0f1765efe15949bf8eff4a3b2178b4d8b9a1abe65c9694fc27bf198a8004c89a5 SHA512 e812335526c7fc4f64e02c36ba94af59187ddf08798353595dbad095830168de4147fac9000185628bdd4a237896ae327812a50a084262aef0296d0d1f2280d8
+TIMESTAMP 2023-10-08T10:40:20Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmUiMt9fFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmUihxRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klCWTxAAtqB0g5KCHCEBfVW+ivqrbkK0hDLUWD4RfHg3whtM2beEcRCFnJ0yBSGx
-vTTolXveH7dEph7imqPnIZjG9p/tNOumMB0Ps3QNz10HfsAQnXLEsCP+0kOhpWQl
-+KlOdThpgzN+F4Zzmg1DcjfWGRivfNVk3M7L7CetBzy+rEgMsvXnb2TZ+u3E63RF
-VrCw71u38WEkdfFaKvKTLlhLyG9San7KoIvSy2b4cjYOif4nWqtrCmQ7jtW3ePht
-KBiBQT3i2iwZK84ApHtBuEvISBuPQjkmtJ93M3a54RiRio46akreEHuMcDE2jTKw
-vCsLLsM/eooO8R5bKPitCWTmoyVMUFEiZHUgY2bXFVD0l22nR+qaLabtxeXnDbYn
-Q/a0Vu4vOF3srijkYxiH+bfUxUhpDM50LiubTv576A4O0HMLULTy7jeiNDrOn+t7
-TjGiduW2qhKCb4Fh+6p86vkhEW12Fe9YlixGS9ITt+z29vbVa+t+5n1tCB/CACci
-NXoB19fy6j1AcqsKM3x6uvEZ6G/UFxjrNahbMKHLeZr3GlgA1Vp7ezI8BzuV0pR0
-VfgUmgXOaXYU2R+0sb5fTefmipMdG3YJrxc5Bj9U15kz703whRKL/AWPikIRQTtr
-fvAreV8TqMTa1NdDq+la1rIMP3AaeJXmo1xWctgw30aH5sylxBA=
-=HbnN
+klDOzQ//RurU2NJc7qKD4y5nLkS6x1BqIxquxp2YDkww42FVQVUDNjjVQbvnO9lB
+EuU/u9MEyX8CH1LFcF/Z67WI7cYloYLSknQzjuk0QVS4ExHh3Ypwew3uYz6IJkjF
+3fwjN5kdMPVXLVSjrDhjvNa2SfJgmk7Cy5inKojxYbwMV6MQ08B/KEblvt4aTN7L
+S9Hp1NqDkKaCfIsgArXhJglaxLpqk3BUuIGlNuuvHI/KtVAY38Bk7SLFexfTZtUy
+fHcUd1FWFGKMKH1ZyFzer72pldlbIx/Gxd7prjIKDsa/zoEIVDC+MiBonSsCsejo
+liPY0EkJmIy80x0LwII7adCfJmmWJWTd8xbVkgOQOAS0bQdJbnWT+WyJ+AhHfz3K
+rFTmldTwisqPWyd6wcstkBjPC+gMnGytTDUNzC+vRRMCJKJyfTDG/f+yjXaVLwQS
+5VvuuHXR9xsDWcfRr9kiWzQhgSz2NUOtw6ds5rT2TFj9HWgC2YlbQmz7nQmzn3Pm
+vKid4OENf8lUJ9W+exTia25wpEghlwUzDGcbNCxX3TMy/P5VQnHf0gXalfaiOqKR
+X22Hlj0stKIpOyCn/g+OzVRtBl8TPB093Z2gy2ujpQjTi7at0Kw0ro6zNnWrIhI/
+qZX67sGkxdoxNvT30tCdyrqdvhgPFDYbw//sp58Z6ON2Ib2ZT0I=
+=vEMt
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index a7e06bb28b43..35a0f4a48909 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202310-05.xml b/metadata/glsa/glsa-202310-05.xml
new file mode 100644
index 000000000000..ece4c31499a2
--- /dev/null
+++ b/metadata/glsa/glsa-202310-05.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-05">
+ <title>dav1d: Denial of Service</title>
+ <synopsis>A vulnerability has been found in dav1d which could result in denial of service.</synopsis>
+ <product type="ebuild">dav1d</product>
+ <announced>2023-10-08</announced>
+ <revised count="1">2023-10-08</revised>
+ <bug>906107</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/dav1d" auto="yes" arch="*">
+ <unaffected range="ge">1.2.0</unaffected>
+ <vulnerable range="lt">1.2.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>dav1d is an AV1 decoder.</p>
+ </background>
+ <description>
+ <p>In some circumstances, dav1d might treat an invalid frame as valid, resulting in a crash.</p>
+ </description>
+ <impact type="low">
+ <p>Malformed frame data can result in a denial of service.</p>
+ </impact>
+ <workaround>
+ <p>Users should avoid parsing untrusted video with dav1d.</p>
+ </workaround>
+ <resolution>
+ <p>All dav1d users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/dav1d-1.2.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32570">CVE-2023-32570</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-08T05:41:28.434632Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-10-08T05:41:28.437198Z">sam</metadata>
+</glsa> \ No newline at end of file
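Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` declaration at the top of this new file names the DTD over plain HTTP, so a consumer that resolves the external subset would fetch it over an unauthenticated channel. The same declaration is repeated in glsa-202310-06 through glsa-202310-09 in this commit. If the advisory format and its tooling accept it, an `https://` system identifier would be preferable. Either way, tools that read these files should parse with external DTD loading disabled or map the identifier to a local copy.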
diff --git a/metadata/glsa/glsa-202310-06.xml b/metadata/glsa/glsa-202310-06.xml
new file mode 100644
index 000000000000..233f58d051c2
--- /dev/null
+++ b/metadata/glsa/glsa-202310-06.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-06">
+ <title>Heimdal: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Heimdal, the worst of which could lead to remote code execution on a KDC.</synopsis>
+ <product type="ebuild">heimdal</product>
+ <announced>2023-10-08</announced>
+ <revised count="1">2023-10-08</revised>
+ <bug>881429</bug>
+ <bug>893722</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-crypt/heimdal" auto="yes" arch="*">
+ <unaffected range="ge">7.8.0-r1</unaffected>
+ <vulnerable range="lt">7.8.0-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Heimdal is a free implementation of Kerberos 5.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Heimdal, the worst of which could lead to remote code execution on a Kerberos Domain Controller.
+
+Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Cross-realm trust vulnerability in Heimdal users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-7.8.0-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14870">CVE-2019-14870</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44758">CVE-2021-44758</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3437">CVE-2022-3437</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3671">CVE-2022-3671</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41916">CVE-2022-41916</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42898">CVE-2022-42898</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44640">CVE-2022-44640</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44758">CVE-2022-44758</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45142">CVE-2022-45142</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-08T06:51:59.537471Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-08T06:51:59.541301Z">graaff</metadata>
+</glsa> \ No newline at end of file
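Review bot: The resolution paragraph reads "All Cross-realm trust vulnerability in Heimdal users should upgrade…", which looks like a bug-title fragment left in the slot where the product name belongs. Suggested wording: `<p>All Heimdal users should upgrade to the latest version:</p>`. The reference list also carries both `CVE-2021-44758` and `CVE-2022-44758`, which differ only in the year; it is worth confirming that both are intended. The synopsis names remote code execution on a KDC, but `<impact type="high">` only points at the CVE list, so a one-sentence impact summary would help triage.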
diff --git a/metadata/glsa/glsa-202310-07.xml b/metadata/glsa/glsa-202310-07.xml
new file mode 100644
index 000000000000..8e2c7029ab67
--- /dev/null
+++ b/metadata/glsa/glsa-202310-07.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-07">
+ <title>Oracle VirtualBox: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in VirtualBox, leading to compomise of VirtualBox.</synopsis>
+ <product type="ebuild">virtualbox</product>
+ <announced>2023-10-08</announced>
+ <revised count="1">2023-10-08</revised>
+ <bug>891327</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-emulation/virtualbox" auto="yes" arch="*">
+ <unaffected range="ge">7.0.6</unaffected>
+ <unaffected range="ge">6.1.46</unaffected>
+ <vulnerable range="lt">7.0.6</vulnerable>
+ <vulnerable range="lt">6.1.46</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>VirtualBox is a powerful virtualization product from Oracle.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Oracle VirtualBox, the worst of which may lead to VirtualBox compromise by an attacker with network access.
+
+Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Oracle VirtualBox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-7.0.6"
+ </code>
+
+ <p>If you still need to use VirtualBox 6:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.46" "=app-emulation/virtualbox-6*"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21884">CVE-2023-21884</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21885">CVE-2023-21885</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21886">CVE-2023-21886</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21889">CVE-2023-21889</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21898">CVE-2023-21898</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21899">CVE-2023-21899</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-08T07:06:19.159874Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-08T07:06:19.162195Z">graaff</metadata>
+</glsa> \ No newline at end of file
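Review bot: The two `<unaffected range="ge">` entries overlap: any 7.0.x release below 7.0.6 also satisfies `ge 6.1.46`, so a checker that evaluates the ranges independently could report a vulnerable 7.0 install as unaffected. The entries should be confined to their own release series, for example with the `slot` attribute on the version elements if the package is slotted that way, or by bounding the 6.1 entry so it cannot match 7.x. The synopsis also has a typo, `compomise` for `compromise`.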
diff --git a/metadata/glsa/glsa-202310-08.xml b/metadata/glsa/glsa-202310-08.xml
new file mode 100644
index 000000000000..3b79a879099d
--- /dev/null
+++ b/metadata/glsa/glsa-202310-08.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-08">
+ <title>man-db: privilege escalation</title>
+ <synopsis>A root privilege escalation through setuid executable and cron job has been discovered in man-db.</synopsis>
+ <product type="ebuild">man-db</product>
+ <announced>2023-10-08</announced>
+ <revised count="1">2023-10-08</revised>
+ <bug>662438</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/man-db" auto="yes" arch="*">
+ <unaffected range="ge">2.8.5</unaffected>
+ <vulnerable range="lt">2.8.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>man-db is a man replacement that utilizes BerkeleyDB instead of flat files.</p>
+ </background>
+ <description>
+ <p>A root privilege escalation through setuid executable and cron job has been discovered in man-db. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>A local user with access to the man user or group can elevate privileges to root.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All man-db users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/man-db-2.8.5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-25078">CVE-2018-25078</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-08T07:25:53.857649Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-08T07:25:53.860912Z">graaff</metadata>
+</glsa> \ No newline at end of file
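Review bot: `<access>remote</access>` contradicts the impact text, which describes a local user with access to the man user or group elevating to root; nothing in the advisory describes a remote vector. Suggested: `<access>local</access>`, so that consumers filtering on access vector classify this correctly. The title is also lower-case (`privilege escalation`) where the other advisories in this commit use title case.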
diff --git a/metadata/glsa/glsa-202310-09.xml b/metadata/glsa/glsa-202310-09.xml
new file mode 100644
index 000000000000..a04fa2e6dd1f
--- /dev/null
+++ b/metadata/glsa/glsa-202310-09.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202310-09">
+ <title>c-ares: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in c-ares the worst of which could result in Denial of Service.</synopsis>
+ <product type="ebuild">c-ares</product>
+ <announced>2023-10-08</announced>
+ <revised count="1">2023-10-08</revised>
+ <bug>906964</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-dns/c-ares" auto="yes" arch="*">
+ <unaffected range="ge">1.19.1</unaffected>
+ <vulnerable range="lt">1.19.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>c-ares is a C library for asynchronous DNS requests (including name resolves).</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in c-ares. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All c-ares users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dns/c-ares-1.19.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31124">CVE-2023-31124</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31130">CVE-2023-31130</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31147">CVE-2023-31147</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32067">CVE-2023-32067</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-10-08T07:28:06.690774Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-10-08T07:28:06.694172Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 9e971dd1d06d..355d897295a6 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sun, 08 Oct 2023 04:40:59 +0000
+Sun, 08 Oct 2023 10:40:16 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index d43c424dd71e..8595f147afc5 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-78441d962cbe20f36c819692b8c5ea5befbaf0be 1696416594 2023-10-04T10:49:54+00:00
+e13b4705e37d564cf7d1830379f6550fae91f021 1696750201 2023-10-08T07:30:01+00:00