author | V3n3RiX <venerix@redcorelinux.org> | 2020-06-21 17:50:24 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2020-06-21 17:50:24 +0100 |
commit | feb0daf81d888e9160f9f94502de09b66f2a63fd (patch) | |
tree | b6e5c40ce2abef3da27ed50a023153f475e0ddef /metadata/glsa | |
parent | 9452a6e87b6c2c70513bc47a2470bf9f1168920e (diff) |
gentoo resync : 21.06.2020
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 467478 -> 469221 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202006-13.xml | 48 | ||||
-rw-r--r-- | metadata/glsa/glsa-202006-14.xml | 52 | ||||
-rw-r--r-- | metadata/glsa/glsa-202006-15.xml | 48 | ||||
-rw-r--r-- | metadata/glsa/glsa-202006-16.xml | 46 | ||||
-rw-r--r-- | metadata/glsa/glsa-202006-17.xml | 62 | ||||
-rw-r--r-- | metadata/glsa/glsa-202006-18.xml | 48 | ||||
-rw-r--r-- | metadata/glsa/glsa-202006-19.xml | 68 | ||||
-rw-r--r-- | metadata/glsa/glsa-202006-20.xml | 49 | ||||
-rw-r--r-- | metadata/glsa/glsa-202006-21.xml | 63 | ||||
-rw-r--r-- | metadata/glsa/glsa-202006-22.xml | 96 | ||||
-rw-r--r-- | metadata/glsa/glsa-202006-23.xml | 50 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
15 files changed, 647 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 576d87c190a3..0ed418e0af93 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 467478 BLAKE2B f84f56d6f84d28d53ec12df6c1c9b351ab47c5a1f49b61ce8622c5db679861e27d7ce25da735464bfef3bcee4dd60d3b2993b39f3e35242be74b9c6a4dd0b4bf SHA512 88d1586b65d21522de591f657953bb9f61f8b1cce30f3dadef48927eb3f8eb3a3d2f22090d280a08a48c5e888e6fdd1b407f88d87a09782817743b4b23e2c92e -TIMESTAMP 2020-06-13T09:08:29Z +MANIFEST Manifest.files.gz 469221 BLAKE2B ceeb5e3ff11ecad175899479757b8424d4d844fbe59abeeee4a4b37448f6dfffdc8ded3f1362c29de1347def4ee57e7dcf15cbd83f40a9103e7b370e3a3097d7 SHA512 06b8c8870a2821eeebd3c9cbc9c92177635bbaa84ef8cdb537ff7ec57048cf77711fd0d737d476fd8724d0474477b8411e09d5263aca5af221eea2a2cd8fc8a3 +TIMESTAMP 2020-06-21T11:38:29Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl7kl41fFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl7vRrVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klAmmg/+Jm295pzRFIchRjP2pTiXNnhc3h05wSjXK0IBL9I8cMNqrlHHpLEJpmSB -jcjbdsm8+xXPnRv/m1tTAeusHoGKWOfLQ0Z6F2M5/XoJfjigUlCbL2/wES7+FflM -/mKfFWtHWn4UiqouSpudqmnRqPb+2aOHPOge+NV6NY1jDIXb+v58f6OGvlcF+QUt -QyVu1IDWEBsPA1uRbsUujsRBf8L5X6HdN0glgTnTdlMNQ8eCAGqsr/NWbS0tNeTC -4CMuH++A673UiXX+M4Gh8IJ3uiO97XEFKXDQGBvuVQU9b6yBMdAmyMFzl3KWSiKe -dmqMxtohPkassGhnMf5qTQZ5jeK3lAbUYG6395h3zye/ZURNe2InbLfByr8sdhxV -kdcg5KM58/+uwXFsdNzzj4KIdTrPqe5bLYsvVeyznxc3hpvtoVKJTfeXO+wfLaP6 -dRbAdlsHd3sIDIfrkZXQHtjhtfLvrbA1hFTIirTsK++QTJyawNcf8/MiJhU4ROX3 -ax8/Mf8i/YeTBFfllkJ63uf4KgaziVJJzYKZIXfFwIVwNC5MqIspWdss/AH89G/m -PO0D8H34b2ii4Y1RY9vP1ZdpqqFKLwacILYhqKEA3Ra7MgH+9D7a5P01PVAXZ2o/ -xb67ERgTVQ/BSXgS5WhnDuMYSBQevaDfQFTCFlmCdlkiFFIHSYA= -=PMMM +klAh+hAAtNZ9jtU/9lytqA7E1WGywHwORbcCrRnFNij83LtAF/yPwAeOysFDwhuh +i2gF3spsNR6wb+tz6TTFuRUWsiWn+XekW9buaHr/20GkjoIYtES7BswHwwinMxxB +BxwpVY+x3EvmWX7ra8bqAsL1RulfERwAXosUbIMP0W7Med7EFpsYqmSAlxTiGMpa 
+R0GP5RxBfhnF4+PKT0zxoTbGhqRJPLIcqJdojry2TNVs0vocKumBfCQZG8E/hatN +dgRCz961+C4o/z/XAvQXK483tCPdlIk7URCwYwuaqd0HQMDTaBZQi2RVi8rcqPA1 +0aUUWMBXMb2/cFjuqzlpuxTLMPyICSKgcPZ5w/VHOxIpcafnbz5AUSqA6AysqFRH +17D3sa8n4x/eMaE72ZO/mLmUPc5icBe36Fwi4fErzrY5jOoU3YIP2ng2xuc67IGe +GxFKJIF8/7Jr8Y4a+2pFX3i4x38U3mo8USDQ9mHW+SbU5ex2sTOB0KIN3sB3OR1e +qqZNduNIisZXq+OVt5qNchLHflp0apYt+vuPSbynBH6sOtH+0gS2nMRpUQ4nHT3T +yM7EPqPAdEXwNIkbyDXC4B5+1/Mr4nY6Y9BzQK0O6CGTWuFaXSmiIQ6iy0NdRiEj +JZOdPujjB2ZPiaGqGQtq43LzOXKyPatTkMo8ITy8V51u6i0XEqE= +=DUAj -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 14677ebaa92f..9077094066b3 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202006-13.xml b/metadata/glsa/glsa-202006-13.xml new file mode 100644 index 000000000000..42eeba52e22f --- /dev/null +++ b/metadata/glsa/glsa-202006-13.xml 
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-13">
+ <title>json-c: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in json-c, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">json-c</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>722150</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/json-c" auto="yes" arch="*">
+ <unaffected range="ge">0.14-r3</unaffected>
+ <vulnerable range="lt">0.14-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>json-c is a JSON implementation in C.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in json-c. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote/local attacker could send a specially crafted file possibly
+ resulting in a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All json-c users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/json-c-0.14-r3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12762">CVE-2020-12762</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-20T15:54:46Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:44:00Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202006-14.xml b/metadata/glsa/glsa-202006-14.xml
new file mode 100644
index 000000000000..46fb4e114549
--- /dev/null
+++ b/metadata/glsa/glsa-202006-14.xml
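Review bot: Every new advisory file in this commit (this hunk and the glsa-202006-14 through glsa-202006-23 hunks) opens with `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, an external DTD reference fetched over plain http if a parser resolves it. The DOCTYPE is the upstream GLSA format and cannot be altered in a resync, but any script in this repository that reads metadata/glsa/*.xml should parse with DTD loading and external-entity resolution disabled, so that an advisory file is never a reason for the parser to reach the network or expand entities. Worth recording next to whichever consumer parses these files, e.g. `<!-- GLSA files carry a SYSTEM DOCTYPE; consumers must parse with DTD loading and external entities off -->`.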
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-14">
+ <title>PEAR Archive_Tar: Remote code execution vulnerability</title>
+ <synopsis>A buffer overflow in the PEAR module Archive_Tar might allow local
+ or remote attacker(s) to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">archive_tar</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>675576</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-php/PEAR-Archive_Tar" auto="yes" arch="*">
+ <unaffected range="ge">1.4.5</unaffected>
+ <vulnerable range="lt">1.4.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>This class provides handling of tar files in PHP.</p>
+ </background>
+ <description>
+ <p>An issue was discovered in the PEAR module Archive_Tar’s handling of
+ file paths within Tar achives.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local or remote attacker could possibly execute arbitrary code with
+ the privileges of the process.
+ </p>
+ </impact>
+ <workaround>
+ <p>Avoid handling untrusted Tar files with this package until you have
+ upgraded to a non-vulnerable version.
+ </p>
+ </workaround>
+ <resolution>
+ <p>All PEAR-Archive_Tar users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Archive_Tar-1.4.5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000888">
+ CVE-2018-1000888
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-22T00:11:26Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:46:02Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202006-15.xml b/metadata/glsa/glsa-202006-15.xml
new file mode 100644
index 000000000000..9fbb52de8eb4
--- /dev/null
+++ b/metadata/glsa/glsa-202006-15.xml
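Review bot: The description paragraph of glsa-202006-14 reads `file paths within Tar achives.`; it should read `file paths within Tar archives.`. These files are mirrored verbatim from the Gentoo GLSA feed, so the correction belongs upstream rather than in this resync, but it is worth reporting there so the next sync picks it up.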
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-15">
+ <title>OpenConnect: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in OpenConnect, the worst
+ of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">openconnect</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>719108</bug>
+ <bug>722740</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-vpn/openconnect" auto="yes" arch="*">
+ <unaffected range="ge">8.09-r1</unaffected>
+ <vulnerable range="lt">8.09-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenConnect is a free client for Cisco AnyConnect SSL VPN software.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in OpenConnect. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenConnect users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-vpn/openconnect-8.09-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12105">CVE-2020-12105</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12823">CVE-2020-12823</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-23T13:25:13Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:47:01Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202006-16.xml b/metadata/glsa/glsa-202006-16.xml
new file mode 100644
index 000000000000..a652c18c2802
--- /dev/null
+++ b/metadata/glsa/glsa-202006-16.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-16">
+ <title>PCRE2: Denial of service</title>
+ <synopsis>A vulnerability in PCRE2 could lead to a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">pcre2</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>717800</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="net-libs/pcre2" auto="yes" arch="*">
+ <unaffected range="ge">10.34</unaffected>
+ <vulnerable range="lt">10.34</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PCRE2 is a project based on PCRE (Perl Compatible Regular Expressions)
+ which has a new and revised API.
+ </p>
+ </background>
+ <description>
+ <p>PCRE2 has a flaw when handling JIT-compiled regex using the \X pattern.</p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a possible Denial of Service condition.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PCRE2 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/pcre2-10.34"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20454">CVE-2019-20454</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-12T14:41:37Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:48:59Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202006-17.xml b/metadata/glsa/glsa-202006-17.xml
new file mode 100644
index 000000000000..95c9c6dd1af0
--- /dev/null
+++ b/metadata/glsa/glsa-202006-17.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-17">
+ <title>FAAD2: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in FAAD2, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">faad2</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>695540</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="media-libs/faad2" auto="yes" arch="*">
+ <unaffected range="ge">2.9.0</unaffected>
+ <vulnerable range="lt">2.9.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FAAD2 is an open source MPEG-4 and MPEG-2 AAC decoder.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in FAAD2. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All FAAD2 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/faad2-2.9.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19502">CVE-2018-19502</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19503">CVE-2018-19503</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19504">CVE-2018-19504</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20194">CVE-2018-20194</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20195">CVE-2018-20195</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20196">CVE-2018-20196</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20197">CVE-2018-20197</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20198">CVE-2018-20198</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20199">CVE-2018-20199</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20357">CVE-2018-20357</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20358">CVE-2018-20358</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20359">CVE-2018-20359</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20360">CVE-2018-20360</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20361">CVE-2018-20361</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20362">CVE-2018-20362</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15296">CVE-2019-15296</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6956">CVE-2019-6956</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-22T01:42:00Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:50:03Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202006-18.xml b/metadata/glsa/glsa-202006-18.xml
new file mode 100644
index 000000000000..ad77d145a25c
--- /dev/null
+++ b/metadata/glsa/glsa-202006-18.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-18">
+ <title>Bubblewrap: Arbitrary code execution</title>
+ <synopsis>Bubblewrap misuses temporary directories allowing local code
+ execution.
+ </synopsis>
+ <product type="ebuild">bubblerwrap</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>686114</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-apps/bubblewrap" auto="yes" arch="*">
+ <unaffected range="ge">0.4.1</unaffected>
+ <vulnerable range="lt">0.4.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Bubblewrap is an unprivileged sandboxing tool namespaces-powered
+ chroot-like solution.
+ </p>
+ </background>
+ <description>
+ <p>Bubblewrap misuses temporary directories in /tmp as a mount point.</p>
+ </description>
+ <impact type="normal">
+ <p>This flaw may allow possible execution of code or prevention of running
+ Bubblewrap.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Bubblewrap users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/bubblewrap-0.4.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12439">CVE-2019-12439</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-25T21:13:31Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:51:19Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202006-19.xml b/metadata/glsa/glsa-202006-19.xml
new file mode 100644
index 000000000000..4f2140b8c1a2
--- /dev/null
+++ b/metadata/glsa/glsa-202006-19.xml
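Review bot: The product element in glsa-202006-18 is misspelled: `<product type="ebuild">bubblerwrap</product>` does not match the package name `sys-apps/bubblewrap` in the affected list or the title, so any tooling that indexes or searches advisories by product will not associate this advisory with bubblewrap. It should read `<product type="ebuild">bubblewrap</product>`. As with the other advisory files in this commit the content is mirrored from upstream, so the correction has to be reported there rather than patched locally.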
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-19">
+ <title>Mozilla Thunderbird: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird,
+ the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">thunderbird</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>727118</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">68.9.0</unaffected>
+ <vulnerable range="lt">68.9.0</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">68.9.0</unaffected>
+ <vulnerable range="lt">68.9.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the
+ Mozilla project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-68.9.0"
+ </code>
+
+ <p>All Mozilla Thunderbird binary users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=mail-client/thunderbird-bin-68.9.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12398">CVE-2020-12398</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12405">CVE-2020-12405</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12406">CVE-2020-12406</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12410">CVE-2020-12410</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/">
+ MFSA-2020-22
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-06-04T22:44:05Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:52:20Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202006-20.xml b/metadata/glsa/glsa-202006-20.xml
new file mode 100644
index 000000000000..690bfee258f4
--- /dev/null
+++ b/metadata/glsa/glsa-202006-20.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-20">
+ <title>Asterisk: Root privilege escalation</title>
+ <synopsis>A vulnerability was discovered in Asterisk which may allow local
+ attackers to gain root privileges.
+ </synopsis>
+ <product type="ebuild">asterisk</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>602722</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-misc/asterisk" auto="yes" arch="*">
+ <unaffected range="ge">13.32.0-r1</unaffected>
+ <vulnerable range="lt">13.32.0-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A Modular Open Source PBX System.</p>
+ </background>
+ <description>
+ <p>It was discovered that Gentoo’s Asterisk ebuild does not properly set
+ permissions on its data directories. This only affects OpenRC systems, as
+ the flaw was exploitable via the init script.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A local attacker could escalate privileges.</p>
+ </impact>
+ <workaround>
+ <p>Users should ensure the proper permissions are set as discussed in the
+ referenced bugs. Do not run /etc/init.d/asterisk checkperms.
+ </p>
+ </workaround>
+ <resolution>
+ <p>All Asterisk users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/asterisk-13.32.0-r1"
+ </code>
+
+ </resolution>
+ <references>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-15T11:13:35Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:53:36Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202006-21.xml b/metadata/glsa/glsa-202006-21.xml
new file mode 100644
index 000000000000..ac2c137808f1
--- /dev/null
+++ b/metadata/glsa/glsa-202006-21.xml
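Review bot: The `<references>` element of glsa-202006-20 is empty, while the workaround text directs users to permissions "as discussed in the referenced bugs"; the only pointer in the file is the single `<bug>602722</bug>` entry, so a reader following the workaround has nothing under references to consult. Since the flaw is in the Gentoo ebuild rather than upstream Asterisk there may be no CVE to cite, but a `<uri>` to the Gentoo bug, or rewording to "the referenced bug", would make the workaround actionable. This is a data-quality point to report upstream, not something to patch in the resync.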
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-21">
+ <title>Apache Tomcat: Remote code execution</title>
+ <synopsis>A vulnerability has been discovered in Apache Tomcat which could
+ result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">tomcat</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>724344</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-servers/tomcat" auto="yes" arch="*">
+ <unaffected range="ge" slot="7">7.0.104</unaffected>
+ <unaffected range="ge" slot="8.5">8.5.55</unaffected>
+ <vulnerable range="lt" slot="7">7.0.104</vulnerable>
+ <vulnerable range="lt" slot="8.5">8.5.55</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.</p>
+ </background>
+ <description>
+ <p>Apache Tomcat improperly handles deserialization of files under specific
+ circumstances.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Apache Tomcat 7.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.104"
+ </code>
+
+ <p>All Apache Tomcat 8.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.55"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9484">CVE-2020-9484</uri>
+ <uri link="https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104">
+ Upstream advisory (7)
+ </uri>
+ <uri link="https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55">
+ Upstream advisory (8.5)
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-25T12:42:10Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:55:34Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202006-22.xml b/metadata/glsa/glsa-202006-22.xml
new file mode 100644
index 000000000000..82046e4ece12
--- /dev/null
+++ b/metadata/glsa/glsa-202006-22.xml
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-22">
+ <title>OpenJDK, IcedTea: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in OpenJDK and IcedTea,
+ the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">icedtea</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>718720</bug>
+ <bug>720690</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/openjdk-bin" auto="yes" arch="*">
+ <unaffected range="ge">8.252_p09</unaffected>
+ <vulnerable range="lt">8.252_p09</vulnerable>
+ </package>
+ <package name="dev-java/openjdk-jre-bin" auto="yes" arch="*">
+ <unaffected range="ge">8.252_p09</unaffected>
+ <vulnerable range="lt">8.252_p09</vulnerable>
+ </package>
+ <package name="dev-java/icedtea-bin" auto="yes" arch="*">
+ <unaffected range="ge">3.16.0</unaffected>
+ <vulnerable range="lt">3.16.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenJDK is a free and open-source implementation of the Java Platform,
+ Standard Edition.
+ </p>
+
+ <p>IcedTea’s aim is to provide OpenJDK in a form suitable for easy
+ configuration, compilation and distribution with the primary goal of
+ allowing inclusion in GNU/Linux distributions.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in OpenJDK and IcedTea.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenJDK binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-8.252_p09"
+ </code>
+
+ <p>All OpenJDK JRE binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=dev-java/openjdk-jre-bin-8.252_p09"
+ </code>
+
+ <p>All IcedTea binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-3.16.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2585">CVE-2020-2585</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2585">CVE-2020-2585</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2755">CVE-2020-2755</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2755">CVE-2020-2755</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2756">CVE-2020-2756</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2756">CVE-2020-2756</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2757">CVE-2020-2757</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2757">CVE-2020-2757</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2773">CVE-2020-2773</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2773">CVE-2020-2773</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2781">CVE-2020-2781</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2781">CVE-2020-2781</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2800">CVE-2020-2800</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2800">CVE-2020-2800</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2803">CVE-2020-2803</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2803">CVE-2020-2803</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2805">CVE-2020-2805</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2805">CVE-2020-2805</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2830">CVE-2020-2830</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2830">CVE-2020-2830</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-14T21:46:41Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:56:40Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202006-23.xml b/metadata/glsa/glsa-202006-23.xml
new file mode 100644
index 000000000000..7fb7e375cbc8
--- /dev/null
+++ b/metadata/glsa/glsa-202006-23.xml
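Review bot: The `<references>` list of glsa-202006-22 contains every CVE twice: each of the ten identifiers (CVE-2020-2585 through CVE-2020-2830) appears as two consecutive identical `<uri>` entries, for example `<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2585">CVE-2020-2585</uri>` followed by the same line again. The duplicates inflate anything that counts references per advisory and make the list harder to read; dropping the second copy of each pair leaves ten entries. Presumably this came from merging the OpenJDK and IcedTea reference lists upstream, so it should be reported there for the next sync.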
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202006-23">
+ <title>Cyrus IMAP Server: Access restriction bypass</title>
+ <synopsis>An error in Cyrus IMAP Server allows mailboxes to be created with
+ administrative privileges.
+ </synopsis>
+ <product type="ebuild">cyrusimap</product>
+ <announced>2020-06-15</announced>
+ <revised count="1">2020-06-15</revised>
+ <bug>703630</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-mail/cyrus-imapd" auto="yes" arch="*">
+ <unaffected range="ge">3.0.13</unaffected>
+ <vulnerable range="lt">3.0.13</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail
+ server.
+ </p>
+ </background>
+ <description>
+ <p>An issue was discovered in Cyrus IMAP Server where sieve script
+ uploading is excessively trusted.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A user can use a sieve script to create any mailbox with administrator
+ privileges.
+ </p>
+ </impact>
+ <workaround>
+ <p>Disable sieve script uploading until the upgrade is complete.</p>
+ </workaround>
+ <resolution>
+ <p>All Cyrus IMAP Server users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-3.0.13"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19783">CVE-2019-19783</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-05-22T07:13:03Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-06-15T15:58:17Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 88cdcb72a7ae..03b6be48b1f2 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 13 Jun 2020 09:08:26 +0000
+Sun, 21 Jun 2020 11:38:26 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index ee8db8673cd1..4906fc32ac0a 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-d201bee5ad23e8472de3397c356e66a559081d7f 1592013107 2020-06-13T01:51:47+00:00
+f51c88fbf8e00dbbe6f151e02b823400a85889ba 1592236707 2020-06-15T15:58:27+00:00 |