gentoo resync : 03.07.2021

author: V3n3RiX <venerix@redcorelinux.org> 2021-07-03 22:39:47 +0100
committer: V3n3RiX <venerix@redcorelinux.org> 2021-07-03 22:39:47 +0100
commit: 7f0ccc917c7abe6223784c703d86cd14755691fb (patch)
tree: 8c6793f68896b341e22f33d7e6cef88e481f4a8b /metadata/glsa
parent: 9aa80713372911cec499b3adb2cd746790920916 (diff)
8 files changed, 226 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 07d31a8ba2e9..7ed09b67e1cd 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 509049 BLAKE2B e2b5c0e25d30cb613bf6b26a404bdd5c9ecf1ebe0f765c98e65b5c6abb8c3367dc1f4e8d19e68c1568e7e055e9c4617562aea2e0f52899586498178621fa32fa SHA512 460ef918d52020ec8e54fc6c17e54e0f11f0e50117f6c87479422f3fc3f4face3581664544e8cbcb8fc1265b88f7145a0e90a36cd8e1acef5b7908d625bdb379
-TIMESTAMP 2021-06-29T08:38:59Z
+MANIFEST Manifest.files.gz 509689 BLAKE2B 008f2727db3daaad82d33cf5bd9a0f31dfe5f022adbb31b1f1fb412a0b82ff9436ee7889f7c470eb35b1631c3d998e632afcda789463ed2e8d9369bfa67f44de SHA512 7b3c6332ef44039841113d497a4cacf9d24a61b0ec7037af206ebc290571ee789c5cbc956bb71b0437250e5d305759a3f91ed4d82c58a810e1f909f68efb5647
+TIMESTAMP 2021-07-03T21:09:08Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmDa3CNfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmDg0fRfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klB7ZQ//WksVQnrmRv+qdJNZZgwKbzjQoXr6+orLfiiwWkIEyIczrozNJB9ewItd
-qnfHzBrOSVW9ecahX+pR14Ggt+5F4uOuhh+zzq9urH3cP1XPSIoz2nuhz/ObZP7T
-60gH+R5Eur6yLN9WNj9+9M8N/EsmnCCSoEXJrqAgwi55hcqpsWLAXLPD9xgL4dTp
-sKHs+1gncf4FUbsq+Lmwo8AWMORQ+PG8HCq2X+b7ujEmRQhd1nGFAZJMh53dHZ0S
-ad+FZGlrMA6JM+4YrKiwFxuj0RPMZqDHuCSehcXDYtHJ33gtwCfQ0vIoX4h7cUL2
-3f+qPMmwo2JvVomdqXmE0nlVvlqnQN9dn3tnURWcT5C1JjmsoYUxl1PJo1fmfDcP
-k7IyYpJRvZTxN0WGmbkTlPOl7xZFtQKFs/GpSqxzQIGIDHeLEmn+HQbZJcQJCNMh
-VghvMiTBhovaNPuzCQMInDysqIxapGVw2Np8enK2pGfgv2vrkDHyOD2mYc2DhZzF
-nTr6vC2KAT1r2wyCPereWrqpT5vQNQkkhlLK9ELucKuj9u1dEGqIO0UhKROa2pQP
-bvt69/wE8qt+0PFAGEb/CM9tx6KpbiejWX16FTTfS7YXXKxXG//4hSIxVSizBing
-tpi+X20NbsNk7cQdO9H/58xnRd+ZodYAzJ5HNx43J0cr8G0HoS0=
-=ocC6
+klC53xAAknouPnB60yx83ThXuzlN+9Vj4dgYO7RJTX4ZcNX2MTfUqUJOt+BlP14L
+eu3HSQe5QxbZY/yqoVfwnHYfiMmgqiO35FufpuboXQLpQyO9P3CY5zkHIiZk2Mlb
+L+zGB/wgFouq/nz4v/Q+FmMxdYrfM94sIDC3VeQkgp0ZBKd5tMKq2Op2ZSSP59z/
+Xi2sAJXQjhCkEgPn+bFqX4BqE25QyGUG4f/90FFP4gbidRp7sKtRi3Tpgn9soh/e
+UtcuUHgN3UMJlhU8p/LZZU0FUR16Ca42L6KliUbyUkt235ONc5qWWaXdZvjaiWko
+COpur7pmfTJs3kaLRM5wbdh3Sg8XbLmn6aYwQ0mLSu4ocE8kIDVrzrwo116g0NMk
+nXMNismb2whxAnTTwkWVapyzSgqKfhkC1fPrsIpQew6MSBN4FC1edV7xI1fl5n8U
+g109EzhTEIeqH9bjUHtyKAV6iQXRY5q5VY2iul0DyPTL7u0B7zYR+b/EdKYEtww+
+TT4Dg4hP5MgknuR6ERBtg0hEWxRkYAjRAyxLxUMElIB8zLHd2aUKcb95zzgZsJx1
+huJE68E1Pv5kJ2DXBDUR1qY/Y/zUZhGDo7AO00AWJtE1Qd+YhSLEuD6D4+/lvZmh
+Mc5oUwCq3bNlHE8gKDrb5ioeFmqG/j4ZuKokJ+FWF7lFZ4i0oAQ=
+=/mfk
 -----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index ae5404fb42ac..92b8d40924f6 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
diff --git a/metadata/glsa/glsa-202107-01.xml b/metadata/glsa/glsa-202107-01.xml
new file mode 100644
index 000000000000..032f9797ab47
--- /dev/null
+++ b/metadata/glsa/glsa-202107-01.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-01">
+  <title>corosync: Denial of service</title>
+  <synopsis>A vulnerability in corosync could lead to a Denial of Service
+    condition.
+  </synopsis>
+  <product type="ebuild">corosync</product>
+  <announced>2021-07-03</announced>
+  <revised count="1">2021-07-03</revised>
+  <bug>658354</bug>
+  <access>remote</access>
+  <affected>
+    <package name="sys-cluster/corosync" auto="yes" arch="*">
+      <unaffected range="ge">3.0.4</unaffected>
+      <vulnerable range="lt">3.0.4</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The Corosync Cluster Engine is a Group Communication System with
+      additional features for implementing high availability within
+      applications.
+    </p>
+  </background>
+  <description>
+    <p>It was discovered that corosync allowed an unauthenticated user to cause
+      a Denial of Service by application crash.
+    </p>
+  </description>
+  <impact type="low">
+    <p>A remote attacker could send a malicious crafted packet, possibly
+      resulting in a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All corosync users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-cluster/corosync-3.0.4"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1084">CVE-2018-1084</uri>
+  </references>
+  <metadata tag="requester" timestamp="2021-05-26T21:04:45Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2021-07-03T01:25:30Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-02.xml b/metadata/glsa/glsa-202107-02.xml
new file mode 100644
index 000000000000..befac3c0b718
--- /dev/null
+++ b/metadata/glsa/glsa-202107-02.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-02">
+  <title>FreeImage: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in FreeImage, the worst of
+    which could result in a Denial of Service condition.
+  </synopsis>
+  <product type="ebuild">freeimage</product>
+  <announced>2021-07-03</announced>
+  <revised count="1">2021-07-03</revised>
+  <bug>701850</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="media-libs/freeimage" auto="yes" arch="*">
+      <unaffected range="ge">3.18.0-r2</unaffected>
+      <vulnerable range="lt">3.18.0-r2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>FreeImage is an Open Source library project for developers who would
+      like to support popular graphics image formats like PNG, BMP, JPEG, TIFF
+      and others as needed by today’s multimedia applications.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in FreeImage. Please
+      review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="low">
+    <p>A remote attacker, by enticing a user to process a specially crafted
+      image file, could possibly cause a Denial of Service condition or other
+      unspecified impact.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All FreeImage users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-libs/freeimage-3.18.0-r2"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12211">CVE-2019-12211</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12213">CVE-2019-12213</uri>
+  </references>
+  <metadata tag="requester" timestamp="2021-05-26T21:35:01Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2021-07-03T02:48:33Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-03.xml b/metadata/glsa/glsa-202107-03.xml
new file mode 100644
index 000000000000..2de2f6eb5941
--- /dev/null
+++ b/metadata/glsa/glsa-202107-03.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-03">
+  <title>libqb: Insecure temporary file</title>
+  <synopsis>An insecure temporary file usage has been reported in libqb
+    possibly allowing local code execution.
+  </synopsis>
+  <product type="ebuild">libqb</product>
+  <announced>2021-07-03</announced>
+  <revised count="1">2021-07-03</revised>
+  <bug>699860</bug>
+  <access>local</access>
+  <affected>
+    <package name="sys-cluster/libqb" auto="yes" arch="*">
+      <unaffected range="ge">1.0.5</unaffected>
+      <vulnerable range="lt">1.0.5</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>libqb is a library with the primary purpose of providing
+      high-performance, reusable features for client-server architecture, such
+      as logging, tracing, inter-process communication (IPC), and polling.
+    </p>
+  </background>
+  <description>
+    <p>It was discovered that libqb used predictable filenames (under /dev/shm
+      and /tmp) without O_EXCL.
+    </p>
+  </description>
+  <impact type="high">
+    <p>A local attacker could perform symlink attacks to overwrite arbitrary
+      files with the privileges of the user running the application linked
+      against libqb.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All libqb users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-cluster/libqb-1.0.5"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12779">CVE-2019-12779</uri>
+  </references>
+  <metadata tag="requester" timestamp="2021-05-26T21:28:24Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2021-07-03T03:11:34Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-04.xml b/metadata/glsa/glsa-202107-04.xml
new file mode 100644
index 000000000000..45df46de44a8
--- /dev/null
+++ b/metadata/glsa/glsa-202107-04.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-04">
+  <title>Graphviz: Multiple vulnerabilities
+  </title>
+  <synopsis>Multiple vulnerabilities have been found in Graphviz, the worst of
+    which could result in the arbitrary execution of code.
+  </synopsis>
+  <product type="ebuild">Graphviz</product>
+  <announced>2021-07-03</announced>
+  <revised count="1">2021-07-03</revised>
+  <bug>684844</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="media-gfx/graphviz" auto="yes" arch="*">
+      <unaffected range="ge">2.47.1</unaffected>
+      <vulnerable range="lt">2.47.1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Graphviz is an open source graph visualization software.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Graphviz. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user to process a specially crafted
+      file using Graphviz, possibly resulting in execution of arbitrary code
+      with the privileges of the process or a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Graphviz users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-gfx/graphviz-2.47.1"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9904">CVE-2019-9904</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-18032">CVE-2020-18032</uri>
+  </references>
+  <metadata tag="requester" timestamp="2021-05-26T21:13:28Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2021-07-03T03:32:10Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 60425fcd4e03..1fe8be64523e 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Tue, 29 Jun 2021 08:38:55 +0000
+Sat, 03 Jul 2021 21:09:05 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 46585d116878..0fbb29b111c8 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-7711e73ed3ea72c507190aff24d27f011094dffd 1622062693 2021-05-26T20:58:13+00:00
+d293bbd455c078508ed7f2ca6e48c2cebbf19c5c 1625283274 2021-07-03T03:34:34+00:00
author	V3n3RiX <venerix@redcorelinux.org>	2021-07-03 22:39:47 +0100
committer	V3n3RiX <venerix@redcorelinux.org>	2021-07-03 22:39:47 +0100
commit	7f0ccc917c7abe6223784c703d86cd14755691fb (patch)
tree	8c6793f68896b341e22f33d7e6cef88e481f4a8b /metadata/glsa
parent	9aa80713372911cec499b3adb2cd746790920916 (diff)