author | V3n3RiX <venerix@redcorelinux.org> | 2018-12-24 14:11:38 +0000 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2018-12-24 14:11:38 +0000 |
commit | de49812990871e1705b64051c35161d5e6400269 (patch) | |
tree | 5e1e8fcb0ff4579dbd22a1bfee28a6b97dc8aaeb /metadata/glsa | |
parent | 536c3711867ec947c1738f2c4b96f22e4863322d (diff) |
gentoo resync : 24.12.2018
Diffstat (limited to 'metadata/glsa')
29 files changed, 1578 insertions, 18 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 66be81562320..4ad4dd7fd115 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 431078 BLAKE2B a37fcfee71256f9d40f60594c0e23daa5c659172c73db4acde25cfdd707e9c953c72c601225f03add857a3a4cd00dd0e4d133ce2a5780bc2e304faaa458a4319 SHA512 34e61d1ae19c99e2490f0ce5a8c731b8cbbf25f056f7432c3433599c2ba70347a4dc032b240a0b1d37227f95691c4c78e3d496bae3d66dff4167de8de8693f5d -TIMESTAMP 2018-11-18T08:38:36Z +MANIFEST Manifest.files.gz 434883 BLAKE2B 437fd719358cb224888b8071f01d60b1548cd1a82f20093903aa74e9fe63671e56f03a20ed426aae11e7d6fdd7027beb57804429044781bc9dc3557ccbbcb5a8 SHA512 16828091dc592888ea79b76c0a3e0ec358317e4c345386d11d12983b85a84ed74ba2d650d8af4f0f90a313afdad1a7fd1808666df2dca69ee70f2802b663b733 +TIMESTAMP 2018-12-24T12:38:37Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlvxJQxfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlwg001fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klAQNA/+LYW4R8jPLBp08Reh78sEkHJSZMNLmPt6DYCqB6ao31iMkwo+5nZj/TxI -VJ+n56iXlY7hm2EvU/SOnta0rONG6QMxFPrOgDMsYsT9o1Qk/ybodPJifB+HW+M9 -pDmuMIyr+hJgYsc/udiEI0t6lT6V83f4DZIbVzt4kHk9VYPYXrj4VpcvQVI3uy1H -yy3Akdb3zSOeR7gOam0WvWDfFnGD2oeNmR1wp+qpYuHsSvfrSlx0hJtrFUS21teL -WFso2irh0whV8FqvpHFgA8E7/OX/qNmoEy/6gzWWMhz5McoO6/NX9+FS65lP+PFw -Ee/DGREMtG0rv0RdwuncsSpRscF/myzo//d394VWFQSVUCS+una6OrGyPOmkYAUh -Dk7cF/skISpOGqbts9aPlJrNwxH1fmEXpBZoeqvlm2VXjaKGYTkQNCcjYuGEuouz -RvPbIB5dSEdYM+EWDBHbamixdYscx/RtL8vi1Y2nLnR50M82lKy5zG65VEh21RSl -r00r7eHJBS7la9XcNqH4Wj6UAF2aUVI8knYRWfK5tg8yzJYbDSVXIYjmUYHfBkBo -JdZX2xTnkxm7FqgM7SjojFMWyfgwBp5lGWjzaR40+zXoLnN3fxFjAxE8rxaCdO7h -gsiteLC0/G3AtxTqEXh/3HtmWktyQDv3Uq6QGAeTRZ7Pjsqcm7s= -=KWRB +klD2fA/+Mt4p7KROekLVq9HOgIgdDD+/hFUAs5tYJr23IPJ+6LYiP4J3UyN4D13V +lzK9GLnnuyWJDAAPZNsFCPltdO0z90YBrMegKUP1WnZe+Px0oXyPQNIlK4ccesfv +Tr/6k31JZ18fULHCH21Zr+U1TS0Gx6J7V+P+WV6qr7OchkRAoENcnW2gJuAtbmmm 
+9RCHsICYRL2lFRaGGJq2KlVHlMosLetqF6ATeQIjHWHpZDQaxXpMdYo+9JDqp7dM +w9THEXHeiJFG6QKqaDMNvduac8zm/wTqk35Q+F4ueE7zndo4wx45tz6CJZt0eqEx +EJ4J5GTdzqQ0LOD0dJHjbBcg93eF+dCpQQHhAQ4nqiZre196ZirDMEBka1JDeX9W +rkeCzxKrVKfi3l3udbRxVEM88fi3DB9Mf3u4cwvR2q586KZkZRblGjSII/NMtJJW +dLPklyjA/O1b7w1mNO3de/yiDlTz5S27/ovB/WzbBPTsCyxAUKu6Xii5Y69iqLV4 +qyx4SvGNztlf2bOs3G6o6cGfkH5C3BeIqL0GVfahqF8eti/UvAgNIDlR/uzWBwVl +s6HmzaKioaz/Oh4vzR9WOKxtPDfnbfkNrAqA8x/AJXS3gLk5cbWmM1RKRnDq7JjU +XlZUdy627zUiqHQ5ROz0FuvGf0ddKJTO2DNRmy0Eu4tagv+XYAk= +=YM9t -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex f7610bd56006..5d40da810995 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-201805-14.xml b/metadata/glsa/glsa-201805-14.xml index 3199c6204d0b..31c73fc72867 100644 --- a/metadata/glsa/glsa-201805-14.xml +++ b/metadata/glsa/glsa-201805-14.xml @@ -44,7 +44,6 @@ </resolution> <references> <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1120">CVE-2018-1120</uri> - <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1121">CVE-2018-1121</uri> <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1122">CVE-2018-1122</uri> <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1123">CVE-2018-1123</uri> <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1124">CVE-2018-1124</uri> diff --git a/metadata/glsa/glsa-201811-10.xml b/metadata/glsa/glsa-201811-10.xml new file mode 100644 index 000000000000..6a170b56f670 --- /dev/null +++ b/metadata/glsa/glsa-201811-10.xml 
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-10">
+ <title>Chromium: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which allows remote attackers to execute arbitrary
+ code.
+ </synopsis>
+ <product type="ebuild">chromium</product>
+ <announced>2018-11-23</announced>
+ <revised count="1">2018-11-23</revised>
+ <bug>665340</bug>
+ <bug>666502</bug>
+ <bug>668986</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">70.0.3538.67</unaffected>
+ <vulnerable range="lt">70.0.3538.67</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the referenced CVE identifiers and Google Chrome
+ Releases for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could execute arbitrary code, escalate privileges,
+ cause a heap buffer overflow, obtain sensitive information, or spoof a
+ URL.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/chromium-70.0.3538.67"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16065">CVE-2018-16065</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16066">CVE-2018-16066</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16067">CVE-2018-16067</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16068">CVE-2018-16068</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16069">CVE-2018-16069</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16070">CVE-2018-16070</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16071">CVE-2018-16071</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16072">CVE-2018-16072</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16073">CVE-2018-16073</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16074">CVE-2018-16074</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16075">CVE-2018-16075</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16076">CVE-2018-16076</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16077">CVE-2018-16077</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16078">CVE-2018-16078</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16079">CVE-2018-16079</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16080">CVE-2018-16080</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16081">CVE-2018-16081</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16082">CVE-2018-16082</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16083">CVE-2018-16083</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16084">CVE-2018-16084</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16085">CVE-2018-16085</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16086">CVE-2018-16086</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16087">CVE-2018-16087</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16088">CVE-2018-16088</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17462">CVE-2018-17462</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17463">CVE-2018-17463</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17464">CVE-2018-17464</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17465">CVE-2018-17465</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17466">CVE-2018-17466</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17467">CVE-2018-17467</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17468">CVE-2018-17468</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17469">CVE-2018-17469</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17470">CVE-2018-17470</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17471">CVE-2018-17471</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17472">CVE-2018-17472</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17473">CVE-2018-17473</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17474">CVE-2018-17474</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17475">CVE-2018-17475</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17476">CVE-2018-17476</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17477">CVE-2018-17477</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5179">CVE-2018-5179</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-09T23:47:46Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2018-11-23T17:59:02Z">b-man</metadata>
+</glsa>
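Review bot: The `<affected>` block lists only `www-client/chromium`, while the synopsis and description both say the vulnerabilities were found in "Chromium and Google Chrome", so a tool that matches installed packages against the `<package>` entries will not flag a Google Chrome install from this advisory. If Google Chrome is meant to be covered, a second entry such as `<package name="www-client/google-chrome" auto="yes" arch="*">` with its own `<unaffected>`/`<vulnerable>` ranges is needed; otherwise the text should name Chromium alone so readers do not assume coverage. The file appears to arrive through the Gentoo resync and is presumably covered by the signed Manifest, so the correction belongs upstream rather than in a local edit.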
diff --git a/metadata/glsa/glsa-201811-11.xml b/metadata/glsa/glsa-201811-11.xml
new file mode 100644
index 000000000000..8412907a0271
--- /dev/null
+++ b/metadata/glsa/glsa-201811-11.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-11">
+ <title>Asterisk: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Asterisk, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">asterisk</product>
+ <announced>2018-11-24</announced>
+ <revised count="1">2018-11-24</revised>
+ <bug>636972</bug>
+ <bug>645710</bug>
+ <bug>668848</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/asterisk" auto="yes" arch="*">
+ <unaffected range="ge">13.23.1</unaffected>
+ <vulnerable range="lt">13.23.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A Modular Open Source PBX System.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Asterisk. Please review
+ the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could cause a Denial of Service condition or conduct
+ information gathering.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Asterisk users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/asterisk-13.23.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16671">CVE-2017-16671</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16672">CVE-2017-16672</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17850">CVE-2017-17850</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12227">CVE-2018-12227</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17281">CVE-2018-17281</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-13T01:09:36Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2018-11-24T19:44:57Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-12.xml b/metadata/glsa/glsa-201811-12.xml
new file mode 100644
index 000000000000..884021ffa325
--- /dev/null
+++ b/metadata/glsa/glsa-201811-12.xml
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-12">
+ <title>GPL Ghostscript: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in GPL Ghostscript, the
+ worst of which could result in the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">ghostscript</product>
+ <announced>2018-11-24</announced>
+ <revised count="1">2018-11-24</revised>
+ <bug>618820</bug>
+ <bug>626418</bug>
+ <bug>635426</bug>
+ <bug>655404</bug>
+ <bug>668846</bug>
+ <bug>671732</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-text/ghostscript-gpl" auto="yes" arch="*">
+ <unaffected range="ge">9.26</unaffected>
+ <vulnerable range="lt">9.26</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please
+ review the CVE identifiers referenced below for additional information.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A context-dependent attacker could entice a user to open a specially
+ crafted PostScript file or PDF document using GPL Ghostscript possibly
+ resulting in the execution of arbitrary code with the privileges of the
+ process, a Denial of Service condition, or other unspecified impacts,
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GPL Ghostscript users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-9.26"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11714">CVE-2017-11714</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-7948">CVE-2017-7948</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9610">CVE-2017-9610</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9611">CVE-2017-9611</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9612">CVE-2017-9612</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9618">CVE-2017-9618</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9619">CVE-2017-9619</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9620">CVE-2017-9620</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9726">CVE-2017-9726</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9727">CVE-2017-9727</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9739">CVE-2017-9739</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9740">CVE-2017-9740</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-9835">CVE-2017-9835</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10194">CVE-2018-10194</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-15908">CVE-2018-15908</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-15909">CVE-2018-15909</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-15910">CVE-2018-15910</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-15911">CVE-2018-15911</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16509">CVE-2018-16509</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16510">CVE-2018-16510</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16511">CVE-2018-16511</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16513">CVE-2018-16513</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16539">CVE-2018-16539</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16540">CVE-2018-16540</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16541">CVE-2018-16541</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16542">CVE-2018-16542</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16543">CVE-2018-16543</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16585">CVE-2018-16585</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16802">CVE-2018-16802</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18284">CVE-2018-18284</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19409">CVE-2018-19409</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-23T18:50:20Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-11-24T19:47:44Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-13.xml b/metadata/glsa/glsa-201811-13.xml
new file mode 100644
index 000000000000..8878b70ffa3d
--- /dev/null
+++ b/metadata/glsa/glsa-201811-13.xml
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-13">
+ <title>Mozilla Thunderbird: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird,
+ the worst of which could lead to the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">mozilla,thunderbird</product>
+ <announced>2018-11-24</announced>
+ <revised count="1">2018-11-24</revised>
+ <bug>651862</bug>
+ <bug>656092</bug>
+ <bug>660342</bug>
+ <bug>669960</bug>
+ <bug>670102</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">60.3.0</unaffected>
+ <vulnerable range="lt">60.3.0</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">60.3.0</unaffected>
+ <vulnerable range="lt">60.3.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the
+ Mozilla project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
+ Please review the referenced Mozilla Foundation Security Advisories and
+ CVE identifiers below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker may be able to execute arbitrary code, cause a Denial
+ of Service condition, obtain sensitive information, or conduct Cross-Site
+ Request Forgery (CSRF).
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-60.3.0"
+ </code>
+
+ <p>All Thunderbird binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=mail-client/thunderbird-bin-60.3.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16541">CVE-2017-16541</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12359">CVE-2018-12359</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12360">CVE-2018-12360</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12361">CVE-2018-12361</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12362">CVE-2018-12362</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12363">CVE-2018-12363</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12364">CVE-2018-12364</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12365">CVE-2018-12365</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12366">CVE-2018-12366</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12367">CVE-2018-12367</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12371">CVE-2018-12371</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12372">CVE-2018-12372</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12373">CVE-2018-12373</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12374">CVE-2018-12374</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12376">CVE-2018-12376</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12377">CVE-2018-12377</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12378">CVE-2018-12378</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12379">CVE-2018-12379</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12383">CVE-2018-12383</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12385">CVE-2018-12385</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12389">CVE-2018-12389</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12390">CVE-2018-12390</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12391">CVE-2018-12391</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12392">CVE-2018-12392</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12393">CVE-2018-12393</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5125">CVE-2018-5125</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5127">CVE-2018-5127</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5129">CVE-2018-5129</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5144">CVE-2018-5144</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5145">CVE-2018-5145</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5146">CVE-2018-5146</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5150">CVE-2018-5150</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5154">CVE-2018-5154</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5155">CVE-2018-5155</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5156">CVE-2018-5156</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5159">CVE-2018-5159</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5161">CVE-2018-5161</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5162">CVE-2018-5162</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5168">CVE-2018-5168</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5170">CVE-2018-5170</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5178">CVE-2018-5178</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5183">CVE-2018-5183</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5184">CVE-2018-5184</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5185">CVE-2018-5185</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5187">CVE-2018-5187</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5188">CVE-2018-5188</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-16T10:50:04Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2018-11-24T19:51:04Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-14.xml b/metadata/glsa/glsa-201811-14.xml
new file mode 100644
index 000000000000..ed1a2af2cfcf
--- /dev/null
+++ b/metadata/glsa/glsa-201811-14.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-14">
+ <title>Exiv2: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Exiv2, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">exiv2</product>
+ <announced>2018-11-24</announced>
+ <revised count="1">2018-11-24</revised>
+ <bug>647810</bug>
+ <bug>647812</bug>
+ <bug>647816</bug>
+ <bug>652822</bug>
+ <bug>655842</bug>
+ <bug>655958</bug>
+ <bug>658236</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-gfx/exiv2" auto="yes" arch="*">
+ <unaffected range="ge">0.26_p20180811-r3</unaffected>
+ <vulnerable range="lt">0.26_p20180811-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Exiv2 is a C++ library and a command line utility to manage image
+ metadata.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Exiv2. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could cause a Denial of Service condition or obtain
+ sensitive information via a specially crafted file.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Exiv2 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=media-gfx/exiv2-0.26_p20180811-r3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17723">CVE-2017-17723</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17724">CVE-2017-17724</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10780">CVE-2018-10780</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10958">CVE-2018-10958</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10998">CVE-2018-10998</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10999">CVE-2018-10999</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11037">CVE-2018-11037</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11531">CVE-2018-11531</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12264">CVE-2018-12264</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12265">CVE-2018-12265</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5772">CVE-2018-5772</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8976">CVE-2018-8976</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8977">CVE-2018-8977</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9144">CVE-2018-9144</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9145">CVE-2018-9145</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9146">CVE-2018-9146</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9303">CVE-2018-9303</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9304">CVE-2018-9304</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9305">CVE-2018-9305</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9306">CVE-2018-9306</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-13T06:49:12Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2018-11-24T21:44:28Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-15.xml b/metadata/glsa/glsa-201811-15.xml
new file mode 100644
index 000000000000..9bc3a33123f6
--- /dev/null
+++ b/metadata/glsa/glsa-201811-15.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-15">
+ <title>MuPDF: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in MuPDF, the worst of
+ which could allow the remote execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">mupdf</product>
+ <announced>2018-11-26</announced>
+ <revised count="1">2018-11-26</revised>
+ <bug>634678</bug>
+ <bug>646010</bug>
+ <bug>651828</bug>
+ <bug>658618</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-text/mupdf" auto="yes" arch="*">
+ <unaffected range="ge">1.13.0</unaffected>
+ <vulnerable range="lt">1.13.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A lightweight PDF, XPS, and E-book viewer.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in MuPDF. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to process a specially crafted
+ file, could possibly execute arbitrary code, cause a Denial of Service
+ condition, or have other unspecified impacts.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All MuPDF users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/mupdf-1.13.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15587">CVE-2017-15587</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17858">CVE-2017-17858</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000036">
+ CVE-2018-1000036
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000037">
+ CVE-2018-1000037
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000038">
+ CVE-2018-1000038
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000039">
+ CVE-2018-1000039
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000040">
+ CVE-2018-1000040
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000051">
+ CVE-2018-1000051
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5686">CVE-2018-5686</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6187">CVE-2018-6187</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6192">CVE-2018-6192</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6544">CVE-2018-6544</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-24T21:59:01Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-11-26T18:08:44Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-16.xml b/metadata/glsa/glsa-201811-16.xml
new file mode 100644
index 000000000000..84dd194857e5
--- /dev/null
+++ b/metadata/glsa/glsa-201811-16.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-16">
+ <title>strongSwan: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in strongSwan, the worst
+ of which could lead to a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">strongswan</product>
+ <announced>2018-11-26</announced>
+ <revised count="1">2018-11-26</revised>
+ <bug>648610</bug>
+ <bug>656338</bug>
+ <bug>658230</bug>
+ <bug>668862</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-vpn/strongswan" auto="yes" arch="*">
+ <unaffected range="ge">5.7.1</unaffected>
+ <vulnerable range="lt">5.7.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>strongSwan is an IPSec implementation for Linux.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in strongSwan. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could cause a Denial of Service condition or
+ impersonate a user.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All strongSwan users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-vpn/strongswan-5.7.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10811">CVE-2018-10811</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16151">CVE-2018-16151</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16152">CVE-2018-16152</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17540">CVE-2018-17540</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5388">CVE-2018-5388</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6459">CVE-2018-6459</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-15T12:36:55Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2018-11-26T18:35:58Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-17.xml b/metadata/glsa/glsa-201811-17.xml
new file mode 100644
index 000000000000..252a12c83dba
--- /dev/null
+++ b/metadata/glsa/glsa-201811-17.xml
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-17">
+ <title>Binutils: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Binutils, the worst of
+ which may allow remote attackers to cause a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">binutils</product>
+ <announced>2018-11-27</announced>
+ <revised count="1">2018-11-27</revised>
+ <bug>634196</bug>
+ <bug>637642</bug>
+ <bug>639692</bug>
+ <bug>639768</bug>
+ <bug>647798</bug>
+ <bug>649690</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-devel/binutils" auto="yes" arch="*">
+ <unaffected range="ge">2.30-r2</unaffected>
+ <vulnerable range="lt">2.30-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The GNU Binutils are a collection of tools to create, modify and analyse
+ binary files. Many of the files use BFD, the Binary File Descriptor
+ library, to do low-level manipulation.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Binutils. Please review
+ the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to compile/execute a specially
+ crafted ELF, object, PE, or binary file, could possibly cause a Denial of
+ Service condition or have other unspecified impacts.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Binutils users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.30-r2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14933">CVE-2017-14933</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16826">CVE-2017-16826</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16827">CVE-2017-16827</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16828">CVE-2017-16828</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16829">CVE-2017-16829</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16830">CVE-2017-16830</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16831">CVE-2017-16831</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16832">CVE-2017-16832</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17080">CVE-2017-17080</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17121">CVE-2017-17121</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17122">CVE-2017-17122</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17123">CVE-2017-17123</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17124">CVE-2017-17124</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17125">CVE-2017-17125</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17126">CVE-2017-17126</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6543">CVE-2018-6543</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6759">CVE-2018-6759</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6872">CVE-2018-6872</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7208">CVE-2018-7208</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7568">CVE-2018-7568</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7569">CVE-2018-7569</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7570">CVE-2018-7570</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7642">CVE-2018-7642</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7643">CVE-2018-7643</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8945">CVE-2018-8945</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-24T22:06:12Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-11-27T02:00:21Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-18.xml b/metadata/glsa/glsa-201811-18.xml
new file mode 100644
index 000000000000..b69d0f0ebc34
--- /dev/null
+++ b/metadata/glsa/glsa-201811-18.xml
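Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line, here and in every other advisory file this commit adds, points at an external DTD over plain HTTP. Whether any consumer of these files actually resolves it is not visible from the diff, but a parser left at permissive defaults would fetch the grammar over an unauthenticated channel, outside whatever integrity check covers the tree itself. Tools reading GLSAs should parse with external DTD and entity loading disabled and validate against a locally shipped copy of the DTD. If the identifier is kept, `<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa.dtd">` at least removes the cleartext fetch; that is an upstream change, since these files are mirrored.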
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-18">
+ <title>Tablib: Arbitrary command execution</title>
+ <synopsis>A vulnerability in Tablib might allow remote attackers to execute
+ arbitrary python commands.
+ </synopsis>
+ <product type="ebuild">tablib</product>
+ <announced>2018-11-27</announced>
+ <revised count="1">2018-11-27</revised>
+ <bug>621884</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/tablib" auto="yes" arch="*">
+ <unaffected range="ge">0.12.1</unaffected>
+ <vulnerable range="lt">0.12.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Tablib is an MIT Licensed format-agnostic tabular dataset library,
+ written in Python. It allows you to import, export, and manipulate
+ tabular data sets.
+ </p>
+ </background>
+ <description>
+ <p>A vulnerability was discovered in Tablib’s Databook loading
+ functionality, due to improper input validation.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing the user to process a specially crafted
+ Databook via YAML, could possibly execute arbitrary python commands with
+ the privilege of the process.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Tablib users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/tablib-0.12.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2810">CVE-2017-2810</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-24T22:46:04Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-11-27T02:02:33Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-19.xml b/metadata/glsa/glsa-201811-19.xml
new file mode 100644
index 000000000000..d4a6a1ca3efb
--- /dev/null
+++ b/metadata/glsa/glsa-201811-19.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-19">
+ <title>Libav: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Libav, the worst of
+ which may allow a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">libav</product>
+ <announced>2018-11-27</announced>
+ <revised count="1">2018-11-27</revised>
+ <bug>637458</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-video/libav" auto="yes" arch="*">
+ <unaffected range="ge">12.3</unaffected>
+ <vulnerable range="lt">12.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Libav is a complete solution to record, convert and stream audio and
+ video.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Libav. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, via a crafted Smacker stream, could cause a Denial of
+ Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Libav users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/libav-12.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16803">CVE-2017-16803</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-7862">CVE-2017-7862</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-24T23:08:51Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-11-27T02:04:05Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-20.xml b/metadata/glsa/glsa-201811-20.xml
new file mode 100644
index 000000000000..ac3e7b0d2894
--- /dev/null
+++ b/metadata/glsa/glsa-201811-20.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-20">
+ <title>spice-gtk: Remote code execution</title>
+ <synopsis>A vulnerability in spice-gtk could allow an attacker to remotely
+ execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">spice-gtk</product>
+ <announced>2018-11-27</announced>
+ <revised count="1">2018-11-27</revised>
+ <bug>650878</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="net-misc/spice-gtk" auto="yes" arch="*">
+ <unaffected range="ge">0.34</unaffected>
+ <vulnerable range="lt">0.34</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>spice-gtk is a set of GObject and Gtk objects for connecting to Spice
+ servers and a client GUI.
+ </p>
+ </background>
+ <description>
+ <p>A vulnerability was found in spice-gtk client due to the incorrect use
+ of integer types and missing overflow checks.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker, by enticing the user to join a malicious server, could
+ remotely execute arbitrary code or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All spice-gtk users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/spice-gtk-0.34"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12194">CVE-2017-12194</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-24T22:29:36Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-11-27T02:05:55Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-21.xml b/metadata/glsa/glsa-201811-21.xml
new file mode 100644
index 000000000000..043d61a724ff
--- /dev/null
+++ b/metadata/glsa/glsa-201811-21.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-21">
+ <title>OpenSSL: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in OpenSSL, the worst of
+ which may lead to a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">openssl</product>
+ <announced>2018-11-28</announced>
+ <revised count="1">2018-11-28</revised>
+ <bug>651730</bug>
+ <bug>653434</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/openssl" auto="yes" arch="*">
+ <unaffected range="ge">1.0.2o</unaffected>
+ <vulnerable range="lt">1.0.2o</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenSSL is a robust, commercial-grade, and full-featured toolkit for the
+ Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in OpenSSL. Please review
+ the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could cause a Denial of Service condition, obtain
+ private keying material, or gain access to sensitive information.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenSSL users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2o"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0733">CVE-2018-0733</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0737">CVE-2018-0737</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0739">CVE-2018-0739</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-25T03:10:27Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-11-28T22:43:29Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-22.xml b/metadata/glsa/glsa-201811-22.xml
new file mode 100644
index 000000000000..9095c67e0ca8
--- /dev/null
+++ b/metadata/glsa/glsa-201811-22.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-22">
+ <title>RPM: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in RPM, the worst of which
+ could allow a remote attacker to escalate privileges.
+ </synopsis>
+ <product type="ebuild">rpm</product>
+ <announced>2018-11-28</announced>
+ <revised count="1">2018-11-28</revised>
+ <bug>533740</bug>
+ <bug>638636</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-arch/rpm" auto="yes" arch="*">
+ <unaffected range="ge">4.14.1</unaffected>
+ <vulnerable range="lt">4.14.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Red Hat Package Manager (RPM) is a command line driven package
+ management system capable of installing, uninstalling, verifying,
+ querying, and updating computer software packages.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in RPM. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing the user to process a specially crafted
+ RPM file, could escalate privileges, execute arbitrary code, or cause a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All RPM users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/rpm-4.14.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2013-6435">CVE-2013-6435</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2014-8118">CVE-2014-8118</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-7501">CVE-2017-7501</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-25T01:24:35Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-11-28T22:52:35Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-23.xml b/metadata/glsa/glsa-201811-23.xml
new file mode 100644
index 000000000000..0d34b1b9a6c4
--- /dev/null
+++ b/metadata/glsa/glsa-201811-23.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-23">
+ <title>libsndfile: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libsndfile, the worst
+ of which might allow remote attackers to cause a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">libsndfile</product>
+ <announced>2018-11-30</announced>
+ <revised count="1">2018-11-30</revised>
+ <bug>618016</bug>
+ <bug>624814</bug>
+ <bug>627152</bug>
+ <bug>631634</bug>
+ <bug>660452</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libsndfile" auto="yes" arch="*">
+ <unaffected range="ge">1.0.28-r4</unaffected>
+ <vulnerable range="lt">1.0.28-r4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libsndfile is a C library for reading and writing files containing
+ sampled sound.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libsndfile. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to open a specially crafted file,
+ could cause a Denial of Service condition or have other unspecified
+ impacts.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libsndfile users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libsndfile-1.0.28-r4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12562">CVE-2017-12562</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14634">CVE-2017-14634</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-6892">CVE-2017-6892</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-8361">CVE-2017-8361</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-8362">CVE-2017-8362</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-8363">CVE-2017-8363</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-8365">CVE-2017-8365</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-13139">CVE-2018-13139</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-25T00:29:50Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-11-30T08:52:15Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-24.xml b/metadata/glsa/glsa-201811-24.xml
new file mode 100644
index 000000000000..212d0afcbe45
--- /dev/null
+++ b/metadata/glsa/glsa-201811-24.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-24">
+ <title>PostgreSQL: SQL injection</title>
+ <synopsis>A SQL injection in PostgreSQL may allow attackers to execute
+ arbitrary SQL statements.
+ </synopsis>
+ <product type="ebuild">postgresql</product>
+ <announced>2018-11-30</announced>
+ <revised count="2">2018-12-03</revised>
+ <bug>670724</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-db/postgresql" auto="yes" arch="*">
+ <unaffected range="ge" slot="9.3">9.3.25</unaffected>
+ <unaffected range="ge" slot="9.4">9.4.20</unaffected>
+ <unaffected range="ge" slot="9.5">9.5.15</unaffected>
+ <unaffected range="ge" slot="9.6">9.6.11</unaffected>
+ <unaffected range="ge" slot="10">10.6</unaffected>
+ <unaffected range="ge" slot="11">11.1</unaffected>
+ <vulnerable range="lt" slot="9.3">9.3.25</vulnerable>
+ <vulnerable range="lt" slot="9.4">9.4.20</vulnerable>
+ <vulnerable range="lt" slot="9.5">9.5.15</vulnerable>
+ <vulnerable range="lt" slot="9.6">9.6.11</vulnerable>
+ <vulnerable range="lt" slot="10">10.6</vulnerable>
+ <vulnerable range="lt" slot="11">11.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PostgreSQL is an open source object-relational database management
+ system.
+ </p>
+ </background>
+ <description>
+ <p>A vulnerability was discovered in PostgreSQL’s pg_upgrade and pg_dump.</p>
+ </description>
+ <impact type="normal">
+ <p>An attacker, by enticing a user to process a specially crafted trigger
+ definition, can execute arbitrary SQL statements with superuser
+ privileges.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PostgreSQL 9.3.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.25"
+ </code>
+
+ <p>All PostgreSQL 9.4.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.20"
+ </code>
+
+ <p>All PostgreSQL 9.5.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.15"
+ </code>
+
+ <p>All PostgreSQL 9.6.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.11"
+ </code>
+
+ <p>All PostgreSQL 10.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.6"
+ </code>
+
+ <p>All PostgreSQL 11.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16850">CVE-2018-16850</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-29T21:19:15Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-12-03T19:06:05Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201812-01.xml b/metadata/glsa/glsa-201812-01.xml
new file mode 100644
index 000000000000..7ad1abf85e77
--- /dev/null
+++ b/metadata/glsa/glsa-201812-01.xml
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201812-01">
+ <title>PHP: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in PHP, the worst of which
+ could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">php</product>
+ <announced>2018-12-02</announced>
+ <revised count="3">2018-12-03</revised>
+ <bug>658092</bug>
+ <bug>666256</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-lang/php" auto="yes" arch="*">
+ <unaffected range="ge" slot="5.6">5.6.38</unaffected>
+ <unaffected range="ge" slot="7.0">7.0.32</unaffected>
+ <unaffected range="ge" slot="7.1">7.1.22</unaffected>
+ <unaffected range="ge" slot="7.2">7.2.10</unaffected>
+ <vulnerable range="lt" slot="5.6">5.6.38</vulnerable>
+ <vulnerable range="lt" slot="7.0">7.0.32</vulnerable>
+ <vulnerable range="lt" slot="7.1">7.1.22</vulnerable>
+ <vulnerable range="lt" slot="7.2">7.2.10</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PHP is an open source general-purpose scripting language that is
+ especially suited for web development.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PHP. Please review the
+ referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a Denial of Service condition or obtain
+ sensitive information.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PHP 5.6.X users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.38"
+ </code>
+
+ <p>All PHP 7.0.X users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.0.32"
+ </code>
+
+ <p>All PHP 7.1.X users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.1.22"
+ </code>
+
+ <p>All PHP 7.2.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.2.10"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10545">CVE-2018-10545</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10546">CVE-2018-10546</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10548">CVE-2018-10548</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10549">CVE-2018-10549</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17082">CVE-2018-17082</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-25T02:00:06Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-12-03T19:04:03Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201812-02.xml b/metadata/glsa/glsa-201812-02.xml
new file mode 100644
index 000000000000..b4cd500b400d
--- /dev/null
+++ b/metadata/glsa/glsa-201812-02.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201812-02">
+ <title>ConnMan: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in ConnMan, the worst of
+ which could result in the remote execution of code.
+ </synopsis>
+ <product type="ebuild">connman</product>
+ <announced>2018-12-02</announced>
+ <revised count="1">2018-12-02</revised>
+ <bug>628566</bug>
+ <bug>630028</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/connman" auto="yes" arch="*">
+ <unaffected range="ge">1.35-r1</unaffected>
+ <vulnerable range="lt">1.35-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>ConnMan provides a daemon for managing Internet connections.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in ConnMan. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, via a crafted DNS packet, could remotely execute code
+ or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ConnMan users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/connman-1.35-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12865">CVE-2017-12865</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-5716">CVE-2017-5716</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-25T04:29:34Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-12-02T15:46:16Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201812-03.xml b/metadata/glsa/glsa-201812-03.xml
new file mode 100644
index 000000000000..859d27b0cf4a
--- /dev/null
+++ b/metadata/glsa/glsa-201812-03.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201812-03">
+ <title>Nagios: Privilege escalation</title>
+ <synopsis>A vulnerability in Nagios allows local users to escalate
+ privileges.
+ </synopsis>
+ <product type="ebuild">nagios</product>
+ <announced>2018-12-02</announced>
+ <revised count="1">2018-12-02</revised>
+ <bug>629380</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-analyzer/nagios-core" auto="yes" arch="*">
+ <unaffected range="ge">4.3.4</unaffected>
+ <vulnerable range="lt">4.3.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Nagios is an open source host, service and network monitoring program.</p>
+ </background>
+ <description>
+ <p>A vulnerability in Nagios was discovered due to the improper handling of
+ configuration files which can be owned by a non-root user.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker can escalate privileges to root by leveraging access to
+ a non-root owned configuration file.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Nagios users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-4.3.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14312">CVE-2017-14312</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-24T23:02:56Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-12-02T15:48:26Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201812-04.xml b/metadata/glsa/glsa-201812-04.xml
new file mode 100644
index 000000000000..11749f2722a8
--- /dev/null
+++ b/metadata/glsa/glsa-201812-04.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201812-04">
+ <title>WebkitGTK+: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in WebKitGTK+, the worst
+ of which may lead to arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">webkitgtk</product>
+ <announced>2018-12-02</announced>
+ <revised count="1">2018-12-02</revised>
+ <bug>667892</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/webkit-gtk" auto="yes" arch="*">
+ <unaffected range="ge">2.22.0</unaffected>
+ <vulnerable range="lt">2.22.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine,
+ suitable for projects requiring any kind of web integration, from hybrid
+ HTML/CSS applications to full-fledged web browsers.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please
+ review the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could execute arbitrary commands or cause a Denial of
+ Service condition via maliciously crafted web content.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All WebkitGTK+ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.22.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4191">CVE-2018-4191</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4197">CVE-2018-4197</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4207">CVE-2018-4207</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4208">CVE-2018-4208</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4209">CVE-2018-4209</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4210">CVE-2018-4210</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4212">CVE-2018-4212</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4213">CVE-2018-4213</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4299">CVE-2018-4299</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4306">CVE-2018-4306</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4309">CVE-2018-4309</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4311">CVE-2018-4311</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4312">CVE-2018-4312</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4314">CVE-2018-4314</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4315">CVE-2018-4315</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4316">CVE-2018-4316</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4317">CVE-2018-4317</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4318">CVE-2018-4318</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4319">CVE-2018-4319</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4323">CVE-2018-4323</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4328">CVE-2018-4328</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4358">CVE-2018-4358</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4359">CVE-2018-4359</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4361">CVE-2018-4361</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-24T23:17:09Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-12-02T15:50:31Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201812-05.xml b/metadata/glsa/glsa-201812-05.xml
new file mode 100644
index 000000000000..a40c55455c52
--- /dev/null
+++ b/metadata/glsa/glsa-201812-05.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201812-05">
+ <title>EDE: Privilege escalation</title>
+ <synopsis>A vulnerability in EDE could result in privilege escalation.</synopsis>
+ <product type="ebuild">ede, emacs</product>
+ <announced>2018-12-06</announced>
+ <revised count="1">2018-12-06</revised>
+ <bug>398241</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-xemacs/ede" auto="yes" arch="*">
+ <unaffected range="ge">1.07</unaffected>
+ <vulnerable range="lt">1.07</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A package that simplifies the task of creating, building, and debugging
+ large programs with Emacs. It provides some of the features of an IDE, or
+ Integrated Development Environment, in Emacs.
+ </p>
+ </background>
+ <description>
+ <p>An untrusted search path vulnerability was discovered in EDE.</p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker could escalate his privileges via a specially crafted
+ Lisp expression in a Project.ede file in the directory or a parent
+ directory of an opened file.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All EDE users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-xemacs/ede-1.07"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2012-0035">CVE-2012-0035</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-12-03T22:46:03Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-12-06T22:01:41Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201812-06.xml b/metadata/glsa/glsa-201812-06.xml
new file mode 100644
index 000000000000..6cae9b0ffc5e
--- /dev/null
+++ b/metadata/glsa/glsa-201812-06.xml
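Review bot: `<product type="ebuild">ede, emacs</product>` names two products, but `<affected>` lists only `app-xemacs/ede`, so anything that matches installed packages against `<affected>` will never flag an Emacs package for this advisory. Either the product field is broader than intended, in which case `<product type="ebuild">ede</product>` is the accurate value, or a `<package>` entry for the affected Emacs package is missing; the diff does not show which. The background text also describes the package as working with Emacs while the atom sits in the `app-xemacs` category, which is worth stating explicitly so readers know which editor installations to check.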
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201812-06">
+ <title>CouchDB: Multiple vulnerabilities </title>
+ <synopsis>Multiple vulnerabilities have been found in CouchDB, the worst of
+ which could lead to the remote execution of code.
+ </synopsis>
+ <product type="ebuild">couchdb</product>
+ <announced>2018-12-15</announced>
+ <revised count="1">2018-12-15</revised>
+ <bug>630796</bug>
+ <bug>660908</bug>
+ <bug>663164</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-db/couchdb" auto="yes" arch="*">
+ <vulnerable range="le">2.1.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Apache CouchDB is a distributed, fault-tolerant and schema-free
+ document-oriented database.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in CouchDB. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could execute arbitrary code or escalate privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for CouchDB and recommends that users
+ unmerge the package:
+ </p>
+
+ <code>
+ # emerge --unmerge "dev-db/couchdb"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11769">CVE-2018-11769</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8007">CVE-2018-8007</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-12-11T17:40:03Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-12-15T20:07:59Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201812-07.xml b/metadata/glsa/glsa-201812-07.xml
new file mode 100644
index 000000000000..85756596a16c
--- /dev/null
+++ b/metadata/glsa/glsa-201812-07.xml
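Review bot: Three `<bug>` entries (630796, 660908, 663164) are listed but `<references>` carries only two CVE identifiers, so the reference list may not cover every issue behind this advisory. That is an inference from the counts alone, since the bug contents are not on this page. Because the description defers entirely to the references, a missing identifier would leave readers with no detail for that bug. The title also has a trailing space before `</title>`; `<title>CouchDB: Multiple vulnerabilities</title>` is the clean form.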
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201812-07">
+ <title>SpamAssassin: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in SpamAssassin, the worst
+ of which may lead to remote code execution.
+ </synopsis>
+ <product type="ebuild">spamassassin</product>
+ <announced>2018-12-15</announced>
+ <revised count="1">2018-12-15</revised>
+ <bug>666348</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-filter/spamassassin" auto="yes" arch="*">
+ <unaffected range="ge">3.4.2-r2</unaffected>
+ <vulnerable range="lt">3.4.2-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>SpamAssassin is an extensible email filter used to identify junk email.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in SpamAssassin. Please
+ review the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could execute arbitrary code, escalate privileges, or
+ cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SpamAssassin users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=mail-filter/spamassassin-3.4.2-r2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-1238">CVE-2016-1238</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15705">CVE-2017-15705</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11780">CVE-2018-11780</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11781">CVE-2018-11781</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-12-12T22:44:21Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-12-15T20:09:55Z">b-man</metadata>
+</glsa>
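Review bot: The upgrade command inside `<code>` is wrapped onto two lines with no continuation, so pasted as shown it runs `emerge --ask --oneshot --verbose` without an atom and then treats the quoted atom as a separate command. An administrator following the advisory literally would therefore not get the fixed version installed. Keep it on one line, as the other advisories in this commit do: `# emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.4.2-r2"`.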
diff --git a/metadata/glsa/glsa-201812-08.xml b/metadata/glsa/glsa-201812-08.xml
new file mode 100644
index 000000000000..b7bbb1f774aa
--- /dev/null
+++ b/metadata/glsa/glsa-201812-08.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201812-08">
+ <title>Scala: Privilege escalation</title>
+ <synopsis>A vulnerability in Scala could result in privilege escalation.</synopsis>
+ <product type="ebuild">scala</product>
+ <announced>2018-12-15</announced>
+ <revised count="1">2018-12-15</revised>
+ <bug>637940</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-lang/scala" auto="yes" arch="*">
+ <unaffected range="ge">2.12.4</unaffected>
+ <vulnerable range="lt">2.12.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Scala combines object-oriented and functional programming in one
+ concise, high-level language.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that Scala’s compilation daemon does not properly
+ manage permissions for private files.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker could escalate privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Scala users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/scala-2.12.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15288">CVE-2017-15288</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-12-02T21:21:35Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2018-12-15T20:11:15Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201812-09.xml b/metadata/glsa/glsa-201812-09.xml
new file mode 100644
index 000000000000..e8bfec595a2f
--- /dev/null
+++ b/metadata/glsa/glsa-201812-09.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201812-09">
+ <title>Go: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Go, the worst which
+ could lead to the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">go</product>
+ <announced>2018-12-21</announced>
+ <revised count="1">2018-12-21</revised>
+ <bug>673234</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/go" auto="yes" arch="*">
+ <unaffected range="ge">1.10.7</unaffected>
+ <vulnerable range="lt">1.10.7</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Go is an open source programming language that makes it easy to build
+ simple, reliable, and efficient software.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Go. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could cause arbitrary code execution by passing
+ specially crafted Go packages the ‘go get -u’ command.
+ </p>
+
+ <p>The remote attacker could also craft pathological inputs causing a CPU
+ based Denial of Service condition via the crypto/x509 package.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Go users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/go-1.10.7"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16873">CVE-2018-16873</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16874">CVE-2018-16874</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16875">CVE-2018-16875</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-12-20T18:21:42Z">Zlogene</metadata>
+ <metadata tag="submitter" timestamp="2018-12-21T11:58:46Z">Zlogene</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 78275940bcba..c1d7f511533e 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sun, 18 Nov 2018 08:38:33 +0000
+Mon, 24 Dec 2018 12:38:34 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 222bb03a9e88..15938ec9fb67 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-d0ed5c4d9d5a03355ab534b5784906e0956ea022 1541809004 2018-11-10T00:16:44+00:00
+50b59faac05c76419ff9b3a69d1e89f8a5c99678 1545393597 2018-12-21T11:59:57+00:00 |
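Review bot: In glsa-201812-09.xml the single bound `<unaffected range="ge">1.10.7</unaffected>` also classifies every release on a newer branch as unaffected, including any that predate the fix on that branch. Whether such versions were ever in the tree is not visible here. If they were, the newer branch needs its own bounded range so that matching against installed packages stays accurate. Two wording slips in the same file hurt readability: the synopsis should read `the worst of which`, and the impact paragraph `Go packages to the 'go get -u' command`.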