diff options
| author | V3n3RiX <venerix@koprulu.sector> | 2023-01-11 11:44:03 +0000 |
|---|---|---|
| committer | V3n3RiX <venerix@koprulu.sector> | 2023-01-11 11:44:03 +0000 |
| commit | df26c7469c1f2af2e643d43e2e32a6c9142e4885 (patch) | |
| tree | 1beee9b11d06bfcc69d1d6c8ab00566f8633aec1 /metadata/glsa | |
| parent | ad391b961414c99124b93cb86695c04bd8d57937 (diff) | |
gentoo auto-resync : 11:01:2023 - 11:44:03
Diffstat (limited to 'metadata/glsa')
| -rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
| -rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 538785 -> 540216 bytes | |||
| -rw-r--r-- | metadata/glsa/glsa-202301-01.xml | 72 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202301-02.xml | 46 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202301-03.xml | 42 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202301-04.xml | 42 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202301-05.xml | 42 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202301-06.xml | 43 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202301-07.xml | 43 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202301-08.xml | 62 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202301-09.xml | 44 | ||||
| -rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
| -rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
13 files changed, 453 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index eef2cd89d97c..2bffa8002138 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 538785 BLAKE2B a42e589b6c2be5ab4486b79822a326a12b3725dbc28e32cbb116cd453b6899511ab2026524f136171407f678f9acafd852f1a2a245b8caed5bad581d2eb86337 SHA512 8ff81ddfe9cd2569ab4fe6eabe9daf23f1f66918aba5cae55ff8241b2bb330fac90cb5595df81455bfa98b51ed1c6e965c73508fe1b662e752525e3e27b52956 -TIMESTAMP 2023-01-11T04:39:44Z +MANIFEST Manifest.files.gz 540216 BLAKE2B d30aef090eaffb1f3ce91f96dfcc44f7a5d1a954885fba68126dee1aa21a3de740e45dd7106f5d3ba2b51e48eda29870b954e2a90cc8bfa9dc1ac93912daadef SHA512 f9ff42d8d58ea6e6bae5d32f95af7bcddc333ce0478d31cfefb14e85c8d99eaf4d3d9a0802c961e3f7e7d8f3696894cb1d1d0e81db3807d1796858a550f0351f +TIMESTAMP 2023-01-11T11:09:43Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmO+PZBfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmO+mPdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klCv2RAAirTJSdX4HztsJYVE8qHBhdZVtFra5fnhGK/xROj5vwk2Svk7C/NneO/v -PKYSbDrkUj1MGekX5BlfFXiANQ9EYj4R8+ZBIjHWFSnrD23s1exWS3lZcxpvOuuh -bJL5i1niQG0/sZ2jOv1kTPHmPsMT4LheCAfNobIm1sOOFYwMMALLmBea+qUDGor0 -704OU7mOKoe5yPpVp0ObaNGmDoZ+HKEpQa+uxDKXnjX+S76RuH90AiiiRowXpuT0 -xnbn48jlpXedwOAA1Lc46Mau9gbPpnUTay6Dr7wBmRShmDmNBEHQS4/pYQkqVZvH -o+JklFB5NGWlpGqFD5uG1vDaocZil1il7RKuvS2biSic9JO2grqiogPX/1shhoED -M6gQnW9MxvTn7bGdsEbJl2z3ixcO2gx3qdeAlu2TDYPHIt+mJ/iIUvoW2iKdUKoF -I/HRWhN6gA+EVmuIOK+z9Fc3EZ54yFD5sK0PWeL0iLfcgiOoOiDEPkRgrlH1i63g -YUfrq6NJW6xPGXvO+3SUq1O7Rh+LsTSJ5SapNJE71fHicsh6aK2JXVfo5GnC4JIl -097y68oqY/7LPHXuw6Hip18wU6ZUL8v0g7eJC8biF8huzWWkrQm4JKmBmZhKlwSv -bZlaFcoJkwpBAPc8NDbQ8AsHwg2fQYAZ3fylNMBoaDTPSVLs1E4= -=FtQm +klA0JBAAtEf+CAu6lyg5fpTSCZYpd6ovEY3iRVl7lpMlkf+5P94cFLnXel6JUc5G +PC55XP8sXiLjk9oPi6SjW5lWYLIPcJVhVYBgvY/QgnVyyDaecYw20aqhRyWLCqxF +fPiqFd+NS6KctBsgS/8nBDzZC68TVGgTTvb/PulknIsJjHSRNDD3jhEaNXaHyymd +sGdVymx/DvhTetPYCODvNB7HwddlB0FGBY8QQIse/msoaYsSA67ImTsLBgFfpjRT +iZUCDvk3RHTfPdM6UFKZne93lcK1Fhgidxcx7qcS2Wco3uqBembDpw2PtE/iNH1x +N4uNG0aKpaPQikNChuA70MC4jB8qNTqLSt6k6m2DM2rJy7Sh6Bfijvxy+KP7Zp/6 +oaISkReb3SB4mGmQAZOfwkB7lh/WwLZdfrH5mbjMOeyqsWy/MVvacDv+lKfVRCpY +iUoErTFr3F3WuAmL9n8lv9GT+5g1ZfpGFOogewxcDrsWshHOl3ey7K2RhjG6dGvX +ljuEmJ9Q6wCx/+qtKtIQm0URxa6NT/sjISFmwDo1LuMADUYVmVgNBc7AMn/KHB/+ +HbyQ5JVaowZAcfkxT+w2B5gsEDO1Cm7B1HrHddmLCcsnmaRi6mFyRuGdYwmYHEQ2 +/P1S1S9XQoYjVyA9vGPSVNZGWML2EEOu2PT+r7BHdhVMfm/pzcE= +=qHIS -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 5677e1e6d089..a630e1c41ed4 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202301-01.xml b/metadata/glsa/glsa-202301-01.xml new file mode 100644 index 000000000000..70ca0247214c --- /dev/null +++ b/metadata/glsa/glsa-202301-01.xml @@ -0,0 +1,72 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202301-01"> + <title>NTFS-3G: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in NTFS-3G, the worst of which could result in arbitrary code execution.</synopsis> + <product type="ebuild">ntfs3g</product> + <announced>2023-01-11</announced> + <revised count="1">2023-01-11</revised> + <bug>878885</bug> + <bug>847598</bug> + <bug>811156</bug> + <access>remote</access> + <affected> + <package name="sys-fs/ntfs3g" auto="yes" arch="*"> + <unaffected range="ge">2022.10.3</unaffected> + <vulnerable range="lt">2022.10.3</vulnerable> + </package> + </affected> + <background> + <p>NTFS-3G is a stable, full-featured, read-write NTFS driver for various operating systems.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in NTFS-3G. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All NTFS-3G users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/ntfs3g-2022.10.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33285">CVE-2021-33285</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33286">CVE-2021-33286</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33287">CVE-2021-33287</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33289">CVE-2021-33289</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35266">CVE-2021-35266</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35267">CVE-2021-35267</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35268">CVE-2021-35268</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35269">CVE-2021-35269</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39251">CVE-2021-39251</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39252">CVE-2021-39252</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39253">CVE-2021-39253</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39254">CVE-2021-39254</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39255">CVE-2021-39255</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39256">CVE-2021-39256</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39257">CVE-2021-39257</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39258">CVE-2021-39258</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39259">CVE-2021-39259</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39260">CVE-2021-39260</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39261">CVE-2021-39261</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39262">CVE-2021-39262</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39263">CVE-2021-39263</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30783">CVE-2022-30783</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30784">CVE-2022-30784</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30785">CVE-2022-30785</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30786">CVE-2022-30786</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30787">CVE-2022-30787</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30788">CVE-2022-30788</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30789">CVE-2022-30789</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40284">CVE-2022-40284</uri> + </references> + <metadata tag="requester" timestamp="2023-01-11T05:15:14.346677Z">ajak</metadata> + <metadata tag="submitter" timestamp="2023-01-11T05:15:14.351130Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202301-02.xml b/metadata/glsa/glsa-202301-02.xml new file mode 100644 index 000000000000..c0474688c143 --- /dev/null +++ b/metadata/glsa/glsa-202301-02.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202301-02"> + <title>Twisted: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Twisted, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">twisted</product> + <announced>2023-01-11</announced> + <revised count="1">2023-01-11</revised> + <bug>878499</bug> + <bug>834542</bug> + <bug>832875</bug> + <access>remote</access> + <affected> + <package name="dev-python/twisted" auto="yes" arch="*"> + <unaffected range="ge">22.10.0</unaffected> + <vulnerable range="lt">22.10.0</vulnerable> + </package> + </affected> + <background> + <p>Twisted is an asynchronous networking framework written in Python.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Twisted. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Twisted users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/twisted-22.10.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21712">CVE-2022-21712</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21716">CVE-2022-21716</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39348">CVE-2022-39348</uri> + </references> + <metadata tag="requester" timestamp="2023-01-11T05:16:16.479507Z">ajak</metadata> + <metadata tag="submitter" timestamp="2023-01-11T05:16:16.483411Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202301-03.xml b/metadata/glsa/glsa-202301-03.xml new file mode 100644 index 000000000000..638c1289373c --- /dev/null +++ b/metadata/glsa/glsa-202301-03.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202301-03"> + <title>scikit-learn: Denial of Service</title> + <synopsis>A vulnerability was found in scikit-learn which could result in denial of service.</synopsis> + <product type="ebuild">scikit-learn</product> + <announced>2023-01-11</announced> + <revised count="1">2023-01-11</revised> + <bug>758323</bug> + <access>remote</access> + <affected> + <package name="sci-libs/scikit-learn" auto="yes" arch="*"> + <unaffected range="ge">1.1.1</unaffected> + <vulnerable range="lt">1.1.1</vulnerable> + </package> + </affected> + <background> + <p>scikit-learn is a machine learning library for Python.</p> + </background> + <description> + <p>When supplied with a crafted model SVM, predict() can result in a null pointer dereference.</p> + </description> + <impact type="low"> + <p>An attcker capable of providing a crafted model to scikit-learn can result in denial of service.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All scikit-learn users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-libs/scikit-learn-1.1.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28975">CVE-2020-28975</uri> + </references> + <metadata tag="requester" timestamp="2023-01-11T05:16:33.475780Z">ajak</metadata> + <metadata tag="submitter" timestamp="2023-01-11T05:16:33.478230Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202301-04.xml b/metadata/glsa/glsa-202301-04.xml new file mode 100644 index 000000000000..fe8451696aa2 --- /dev/null +++ b/metadata/glsa/glsa-202301-04.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202301-04"> + <title>jupyter_core: Arbitrary Code Execution</title> + <synopsis>A vulnerability has been discovered in jupyter_core which could allow for the execution of code as another user.</synopsis> + <product type="ebuild">jupyter_core</product> + <announced>2023-01-11</announced> + <revised count="1">2023-01-11</revised> + <bug>878497</bug> + <access>remote</access> + <affected> + <package name="dev-python/jupyter_core" auto="yes" arch="*"> + <unaffected range="ge">4.11.2</unaffected> + <vulnerable range="lt">4.11.2</vulnerable> + </package> + </affected> + <background> + <p>jupyter_core contains core Jupyter functionality.</p> + </background> + <description> + <p>jupyter_core trusts files for execution in the current working directory without validating ownership of those files.</p> + </description> + <impact type="high"> + <p>By writing to a directory that is used a the current working directory for jupyter_core by another user, users can elevate privileges to those of another user.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All jupyter_core users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/jupyter_core-4.11.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39286">CVE-2022-39286</uri> + </references> + <metadata tag="requester" timestamp="2023-01-11T05:17:05.951365Z">ajak</metadata> + <metadata tag="submitter" timestamp="2023-01-11T05:17:05.954259Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202301-05.xml b/metadata/glsa/glsa-202301-05.xml new file mode 100644 index 000000000000..2aa72064076d --- /dev/null +++ b/metadata/glsa/glsa-202301-05.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202301-05"> + <title>Apache Commons Text: Arbitrary Code Execution</title> + <synopsis>A vulnerability has been discovered in Apache Commons Text which could result in arbitrary code execution.</synopsis> + <product type="ebuild">commons-text</product> + <announced>2023-01-11</announced> + <revised count="1">2023-01-11</revised> + <bug>877577</bug> + <access>remote</access> + <affected> + <package name="dev-java/commons-text" auto="yes" arch="*"> + <unaffected range="ge">1.10.0</unaffected> + <vulnerable range="lt">1.10.0</vulnerable> + </package> + </affected> + <background> + <p>Apache Commons Text is a library focused on algorithms working on strings.</p> + </background> + <description> + <p>Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. The set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.</p> + </description> + <impact type="high"> + <p>Crafted input to Apache Commons Text could trigger remote code execution.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Apache Commons Text users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/commons-text-1.10.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42889">CVE-2022-42889</uri> + </references> + <metadata tag="requester" timestamp="2023-01-11T05:18:10.785619Z">ajak</metadata> + <metadata tag="submitter" timestamp="2023-01-11T05:18:10.790088Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202301-06.xml b/metadata/glsa/glsa-202301-06.xml new file mode 100644 index 000000000000..3bc783307940 --- /dev/null +++ b/metadata/glsa/glsa-202301-06.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202301-06"> + <title>liblouis: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in liblouis, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">liblouis</product> + <announced>2023-01-11</announced> + <revised count="1">2023-01-11</revised> + <bug>835093</bug> + <access>remote</access> + <affected> + <package name="dev-libs/liblouis" auto="yes" arch="*"> + <unaffected range="ge">3.22.0</unaffected> + <vulnerable range="lt">3.22.0</vulnerable> + </package> + </affected> + <background> + <p>liblouis is an open-source braille translator and back-translator.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in liblouis. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All liblouis users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/liblouis-3.22.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26981">CVE-2022-26981</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31783">CVE-2022-31783</uri> + </references> + <metadata tag="requester" timestamp="2023-01-11T05:18:26.543131Z">ajak</metadata> + <metadata tag="submitter" timestamp="2023-01-11T05:18:26.546170Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202301-07.xml b/metadata/glsa/glsa-202301-07.xml new file mode 100644 index 000000000000..432c14e7f6ff --- /dev/null +++ b/metadata/glsa/glsa-202301-07.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202301-07"> + <title>Alpine: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Alpine, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">alpine</product> + <announced>2023-01-11</announced> + <revised count="1">2023-01-11</revised> + <bug>807613</bug> + <access>remote</access> + <affected> + <package name="mail-client/alpine" auto="yes" arch="*"> + <unaffected range="ge">2.25</unaffected> + <vulnerable range="lt">2.25</vulnerable> + </package> + </affected> + <background> + <p>Alpine is an easy to use text-based based mail and news client.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Alpine. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Alpine users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/alpine-2.25" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38370">CVE-2021-38370</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46853">CVE-2021-46853</uri> + </references> + <metadata tag="requester" timestamp="2023-01-11T05:18:50.361361Z">ajak</metadata> + <metadata tag="submitter" timestamp="2023-01-11T05:18:50.363738Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202301-08.xml b/metadata/glsa/glsa-202301-08.xml new file mode 100644 index 000000000000..0eeadca35f79 --- /dev/null +++ b/metadata/glsa/glsa-202301-08.xml @@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202301-08"> + <title>Mbed TLS: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution.</synopsis> + <product type="ebuild">mbedtls</product> + <announced>2023-01-11</announced> + <revised count="1">2023-01-11</revised> + <bug>857813</bug> + <bug>829660</bug> + <bug>801376</bug> + <bug>778254</bug> + <bug>764317</bug> + <bug>740108</bug> + <bug>730752</bug> + <access>remote</access> + <affected> + <package name="net-libs/mbedtls" auto="yes" arch="*"> + <unaffected range="ge">2.28.1</unaffected> + <vulnerable range="lt">2.28.1</vulnerable> + </package> + </affected> + <background> + <p>Mbed TLS (previously PolarSSL) is an “easy to understand, use, integrate and expand” implementation of the TLS and SSL protocols and the respective cryptographic algorithms and support code required.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mbed TLS. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mbed TLS users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/mbedtls-2.28.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16150">CVE-2020-16150</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36421">CVE-2020-36421</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36422">CVE-2020-36422</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36423">CVE-2020-36423</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36424">CVE-2020-36424</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36425">CVE-2020-36425</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36426">CVE-2020-36426</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36475">CVE-2020-36475</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36476">CVE-2020-36476</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36477">CVE-2020-36477</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36478">CVE-2020-36478</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-43666">CVE-2021-43666</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44732">CVE-2021-44732</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45450">CVE-2021-45450</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35409">CVE-2022-35409</uri> + </references> + <metadata tag="requester" timestamp="2023-01-11T05:19:06.415631Z">ajak</metadata> + <metadata tag="submitter" timestamp="2023-01-11T05:19:06.418706Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202301-09.xml b/metadata/glsa/glsa-202301-09.xml new file mode 100644 index 000000000000..eb192eec70b8 --- /dev/null +++ b/metadata/glsa/glsa-202301-09.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202301-09"> + <title>protobuf-java: Denial of Service</title> + <synopsis>A vulnerability has been discovered in protobuf-java which could result in denial of service.</synopsis> + <product type="ebuild">protobuf-java</product> + <announced>2023-01-11</announced> + <revised count="1">2023-01-11</revised> + <bug>876903</bug> + <access>remote</access> + <affected> + <package name="dev-java/protobuf-java" auto="yes" arch="*"> + <unaffected range="ge">3.20.3</unaffected> + <vulnerable range="lt">3.20.3</vulnerable> + </package> + </affected> + <background> + <p>protobuf-java contains the Java bindings for Google's Protocol Buffers.</p> + </background> + <description> + <p>Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.</p> + </description> + <impact type="low"> + <p>Crafted input can trigger a denial of service via long garbage collection pauses.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All protobuf-java users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/protobuf-java-3.20.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3171">CVE-2022-3171</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3509">CVE-2022-3509</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3510">CVE-2022-3510</uri> + </references> + <metadata tag="requester" timestamp="2023-01-11T05:19:53.039305Z">ajak</metadata> + <metadata tag="submitter" timestamp="2023-01-11T05:19:53.043563Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 7a5bafde29f1..91ee526ab49f 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Wed, 11 Jan 2023 04:39:39 +0000 +Wed, 11 Jan 2023 11:09:41 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 861b82ee26e2..e80ce1ae2cf5 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -b95962b57e3a2b7645af0491db5baf8f15b6b69d 1672253964 2022-12-28T18:59:24+00:00 +da9b5483883fcc611753d44d34c0ede9188ce21c 1673414531 2023-01-11T05:22:11+00:00 |