authorV3n3RiX <venerix@koprulu.sector>2024-01-16 17:29:23 +0000
committerV3n3RiX <venerix@koprulu.sector>2024-01-16 17:29:23 +0000
commitc1fba876b88db3fefeead96efa966559036e656b (patch)
tree15ca12538bdba6298b7393592b713e3c5c896bef /metadata/glsa
parentaafe376c08b0a844bae25813092c119b165798da (diff)
gentoo auto-resync : 16:01:2024 - 17:29:23
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin561691 -> 562011 bytes
-rw-r--r--metadata/glsa/glsa-202401-23.xml42
-rw-r--r--metadata/glsa/glsa-202401-24.xml44
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
6 files changed, 103 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 2738866ad95f..9f54219c1342 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 561691 BLAKE2B 6e43060375613f4e3dd8c40a3bb2f48594d6afe024617aa4079d36973378d2580bcd71be7d9251c255ea01668b9f06899743502cd8d1d2d14c66ce680967fd04 SHA512 cd6174222e897e48ed9420c05367694fcf6b82da900082de9879767a18c01c6716855f9545e9f81a0d76b089ac711084901ca3fbade24ecd36536553074eb538
-TIMESTAMP 2024-01-16T10:40:09Z
+MANIFEST Manifest.files.gz 562011 BLAKE2B 4f303bfa2201afa25d92c6de3ee0b20c33a55df26101444f3a60a5c7551ad29bbf2b4a0ea12786f5c698395abed552f9c00010c60be13643dabbf13f4cc8bebe SHA512 5627c638c07440b1a865e6a00253907199dfeb4a109a0da198bbe5312fad4cc04c4fe2d7e89ba479739fbfe5cadee585c3f001e6dd0b8484b386e2646fb8d5ae
+TIMESTAMP 2024-01-16T16:40:15Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmWmXQlfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmWmsW9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klCVbQ/9GSqeRb0Kg+7aldYZuZjURP+lhQZ0XzfO2SWtp3gGS55I2kcEJgmDXnYM
-e1pbi+6GNvityog1OOo5mMuUoVpUaXyaIMGkNQtG98mbyLBQ93wEau7cTJgg2hBg
-/eFftr7d56+ZgfJy4FTYi3FhL8MOe9dHhPkDHqEZuRj6lLz7rfqMJO3pLx6p4ZMZ
-vEUNDOQrMcrvqS1/XDBRFcFDWCxaP6hiSUtX+lO+zudf3em4j65sgaEIhadvaJQF
-0GNBa4I/gC6E+sVFPVfAQEgdogmbuZvP0i5QN1FYXET1Y+ygZKEhMRFeq05k5xSh
-ftKzl4fd9YMaM8WSxWHBLW+Nyc9OJM8m6T8MIIkDCdaHH9vGLAztYPk6iGGoxMp7
-ldTy/HCfhMgd92/yZ0AyzTwOo2emPRh2mDzxMU2YysPSsFjiEMOwi0Xx6FgiJaRJ
-JCNXkBdh08QUL+1j6zOYnoJgCX1rAKiPVDtfW8Iy33iu+ecgETRNSQmT7knLVJSG
-0dptjf3P2DNMNNOjMeZYbSxiVxc44mZ1Rzf787QQCEgp2Gi7anPxZPfM+3OtbD4G
-f2oYT+HayBh8YRMwLlmEbBO0Rm2Ky5ePNtZi4YI4v/1yjvpnxzgsb4ReuT9psiqs
-Lh0paTZkmutXth6NZBiFcUmGeIrXzPdXExCA5rUI0BnUADIUFsQ=
-=S4aI
+klAJaw/+KRZ+yKfJwpZSMgIY8D33k+pTy5T1M2SPnfTvtIKiEElPZ9CiNuYq+X35
++b8kv9g+FbQlTAN/nXRlc526v/BoA6ZkoeVsE+gFjoYzcqfy0UNMWJTmXxV/h+OH
+3uNx+hLTU9dIA2nM+DtA539CXoq/q8jkXKmeoAmZZKbtv86l67z5DMjXEDQQ6NsM
+YyuGjeCj2xpIGMo39Puq8S7PYbQMdx2bTJpAWxvIW2ZwCaI0KLGnpnmwCJqzUhd9
+2w6BX46tnsJKefLy/RMtzdlUteTp7VNSewc/3NYcSwK09fgzcm1euyS63nE6XSTR
+g9VTdBRIyimhcnCPQBGy1kLgDd4Bc8iWLiT6jWSt8im66z+wxRx3KVwxc0h1zIL2
+u/GGnw4b3iuID4pEHr0XenOvHz01veahkqMaNt8UF1div0Vqd4c+HhJi4M8bg+9L
+2o71D+NHaax5t1z9j7slL+5qF4pxyC+8DFKQE6+YiiVtPunh34dMQ7orASFbDWyd
+znTy2ylgHKAFWHIhW5dix7GAUDZsZtFLrp51YLy03KWrsAEHYbsNt+R3DHhrlQzn
+DqZ+uqhstLooZnCoAiqd/n0nSTdgHd0a288mpHS2cZ4SRiXby+1j0PRu6fLmnprH
+fQZCXW9Iuu8W54mnAkk/iGN2FIS68eehYC7qj8VF0XfgD8KwUL0=
+=u47Z
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index bc0cc6ee29c9..09208ae46cb9 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202401-23.xml b/metadata/glsa/glsa-202401-23.xml
new file mode 100644
index 000000000000..240a1ffe3225
--- /dev/null
+++ b/metadata/glsa/glsa-202401-23.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202401-23">
+ <title>libuv: Buffer Overread</title>
+ <synopsis>A buffer overread vulnerability has been found in libuv.</synopsis>
+ <product type="ebuild">libuv</product>
+ <announced>2024-01-16</announced>
+ <revised count="1">2024-01-16</revised>
+ <bug>800986</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/libuv" auto="yes" arch="*">
+ <unaffected range="ge">1.41.1</unaffected>
+ <vulnerable range="lt">1.41.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libuv is a multi-platform support library with a focus on asynchronous I/O.</p>
+ </background>
+ <description>
+ <p>libuv fails to ensure that a pointer lies within the bounds of a defined buffer in the uv__idna_toascii() function before reading and manipulating the memory at that address.</p>
+ </description>
+ <impact type="low">
+ <p>The overread can result in information disclosure or application crash.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libuv users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.41.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22918">CVE-2021-22918</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-01-16T12:19:14.656272Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2024-01-16T12:19:14.662177Z">graaff</metadata>
+</glsa> \ No newline at end of file
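Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` declaration at the top of this new advisory names an external DTD over plain HTTP, so a consumer that resolves the external subset would load grammar from an unauthenticated network source. The signed Manifest in this commit presumably covers the advisory file but not that DTD. If the GLSA tooling does not match on the exact system identifier, I would write it as `<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa.dtd">`; otherwise the parsing side should validate against a locally shipped copy with external DTD and entity fetching disabled. The same declaration appears in glsa-202401-24.xml.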
diff --git a/metadata/glsa/glsa-202401-24.xml b/metadata/glsa/glsa-202401-24.xml
new file mode 100644
index 000000000000..24d0c28c7e3f
--- /dev/null
+++ b/metadata/glsa/glsa-202401-24.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202401-24">
+ <title>Nettle: Denial of Service</title>
+ <synopsis>Multiple denial of service vulnerabilities have been discovered in Nettle.</synopsis>
+ <product type="ebuild">nettle</product>
+ <announced>2024-01-16</announced>
+ <revised count="1">2024-01-16</revised>
+ <bug>806839</bug>
+ <bug>907673</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/nettle" auto="yes" arch="*">
+ <unaffected range="ge">3.9.1</unaffected>
+ <vulnerable range="lt">3.9.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Nettle. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>A flaw was found in the way nettle&#39;s RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Nettle users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/nettle-3.9.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3580">CVE-2021-3580</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36660">CVE-2023-36660</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-01-16T13:42:42.515739Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-01-16T13:42:42.518143Z">graaff</metadata>
+</glsa> \ No newline at end of file
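Review bot: The `<impact>` paragraph describes only the RSA decryption crash, while `<references>` lists two CVEs and `<description>` says there are multiple vulnerabilities, so CVE-2023-36660 is not characterised anywhere in the advisory. As far as I recall, that CVE concerns memory corruption in Nettle's OCB code rather than RSA, which would mean the "Denial of Service" title and the `normal` impact text understate it; this should be confirmed against the NVD entry. Once verified, I would add a second paragraph to `<impact>`, for example `<p>A separate flaw in the OCB implementation can lead to memory corruption (CVE-2023-36660).</p>`. As a minor style point, `nettle&#39;s` in the same paragraph can be a literal apostrophe, since only `<` and `&` need escaping in element text.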
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index d45606c98f66..0196528303a2 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Tue, 16 Jan 2024 10:40:06 +0000
+Tue, 16 Jan 2024 16:40:12 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 4420bdea32e0..7899102bc495 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-9cdf086497a5ec3652db4ca75fc899675aa0af77 1705334181 2024-01-15T15:56:21+00:00
+9948613604a215d86e6a6c8ec06c466da8195f4c 1705412593 2024-01-16T13:43:13+00:00