diff options
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 529253 -> 530688 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202210-01.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202210-02.xml | 54 | ||||
-rw-r--r-- | metadata/glsa/glsa-202210-03.xml | 45 | ||||
-rw-r--r-- | metadata/glsa/glsa-202210-04.xml | 68 | ||||
-rw-r--r-- | metadata/glsa/glsa-202210-05.xml | 43 | ||||
-rw-r--r-- | metadata/glsa/glsa-202210-06.xml | 60 | ||||
-rw-r--r-- | metadata/glsa/glsa-202210-07.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202210-08.xml | 54 | ||||
-rw-r--r-- | metadata/glsa/glsa-202210-09.xml | 76 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
13 files changed, 501 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 3e1ed0d4c377..29507e64c1b8 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 529253 BLAKE2B 4870d0ebed8f73802444d2a3e204d4fe556355a8b2b4d4ffdd695d17206e94777c458bc34f39aee9fe92a996aea872cf895c73e601729b57032c40785dea2d65 SHA512 ca03ae189444f830ef68a97bf0be8dd0ed5045d9010eaead8695ce26c0591587965b16cbf215850d4c87fa27139a325c616d08f336a7213ad4483bb7e1f46baa -TIMESTAMP 2022-10-16T12:09:56Z +MANIFEST Manifest.files.gz 530688 BLAKE2B 1384754019a41108cd5a577394c6aafe7ddaa1600e86ddd30f667b8ffcd2a271d1d63c110dd32bcc5d2cdf57213dc2ed2ad65288c00d7dd764fc88a2a5ad121f SHA512 08bf73bc99a66d9fbe7dcf764826772bf00488ab216fa1e39298dffc1fef683f7a82d65031193ede26cf629f7bb21ac7a709099a37a9c6772e7b4eacbf503986 +TIMESTAMP 2022-10-16T18:10:01Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmNL9JRfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmNMSPlfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klD1mQ/+Iok03XkCw3XVb+Njx4cOHDlc25rZR50S96m4m4pwGTw5PwgEhN1rKkFe -hFHUeaW37tSB05m+eq1mFbEsEewGpmsN/L5iuSb+qAjVnUsZb8ma67CaJgN7qBP8 -MvblOlRjLvk5XH9dehDzNHHbHCBU/IrUipHJhg1J8mNCQca/W2x5k/2LKPdiwu0J -IY03jGJ1EntfkCGV9aYHGtzb8A1WXyOPYqeAQ2w903lBW5tkdjTdUqqrt3mS3Zmd -VZ9LsnXrnyzF+MOXe9z7WPRcFTwbewBaB3IpYVH/9YteeqXDuvdGDSQ/hTc0jfIX -uy0vNwRLn8cVM94Ioxb6jaQ3INW72Vu7ElKvpK+1ldYSz7mDkjN/QzdmfbNIUDKy -9YtTrORusAkCofRgZl193qmj8pKiWBX/xMkgMp+xP/LFPo2p5g7C3deiMTMdtr6F -ITCvZtpwmfmAm7X1Rz+kz6BIkmt/kvH8IhaBZGI1oKnUECzMv9b3new+cWbaFfuM -hk/mFkiPL8TwXHlZmNvkAEkSj+9614VG57Zr7opLfaB1fNxXBejJyKTTimUFqAKv -+G46tp8PHnEaddz50Dp3/c5Fj03WnqVinFRqdGKhtpSV/3R00q4qdf6+1Wv6vtXi -DPZHoAktOpRDpO1NPCGKzgIVXC2ftSt+qLfaisN1Ew1H+noxsq8= -=kXn7 +klAkmw/+LmSS+VRSjYTarqnXxlgpcCO9tClWogjb36GwNz5DeyuBs1rekdhVe6tK +j8+TasEcSi1B+NVaRfWA0PA+8TFaGTCXwEZkIYELVFdPymiksKvXgK941WzaY1Ax +Vwjeyjc5mszWIH1AfTmkyYHgY7hjSrnuksbXERBZWSatU0/s7utB9Kb245mxVerN +QI/jTQ9x90SOW1ABMwDKotOYEqV1cwnZGH6XKALUluydly30ma2gI6DZwFBfy2eP +nHz6mbQpUz7HRmNs5MywnBd3tUcQEqXokIX1KF1PFKjDEpC3jgUQVQITwBMHjSlG +Bo4pI4tlO7d4MPEv4s4tUiEazRijQJNR8Hu2fHlaER1FHQN687tWbAG2iSH1zGZM +gAffDtIBLxWP+sHp68hCH9degrnMW3Deku+mXuc9ciLXqxAu6ZkK7hPEZwpfebIX +Z+JtRk/YmAwz5bmK+HkvVDk3uNoPzYt/s5fqE3urGxUXo44ysOjR9yN2579VgJ/u +8qlvkNakJBNzSzC/QnJyrkn7F99QUaAGzEqtFnEmaXZZGUsW7QjhgcytYSE0lu/G +XsTiDYWfyRoZDAHfBlIDFP2oEo5XIXGVi28jQkzpXs+x1RDbpioZvA8zkP+BL7Hc +Ir6aSZM4mMYNJEjVW4dQKbR5EqW9eriV4+HCR7xL9aDNHi3y+f0= +=Q42P -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 9e732764b3d4..6b89b5ea51db 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202210-01.xml b/metadata/glsa/glsa-202210-01.xml new file mode 100644 index 000000000000..2fdb25ec8e09 --- /dev/null +++ b/metadata/glsa/glsa-202210-01.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-01"> + <title>Open Asset Import Library ("assimp"): Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Open Asset Import Library, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">assimp</product> + <announced>2022-10-16</announced> + <revised count="1">2022-10-16</revised> + <bug>830374</bug> + <access>remote</access> + <affected> + <package name="media-libs/assimp" auto="yes" arch="*"> + <unaffected range="ge">5.2.2</unaffected> + <vulnerable range="lt">5.2.2</vulnerable> + </package> + </affected> + <background> + <p>Open Asset Import Library is a library to import and export various 3d-model-formats including scene-post-processing to generate missing render data.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Fetchmail, the worst of which could result in email disclosure to third parties.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Open Asset Import Library users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/assimp-5.2.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45948">CVE-2021-45948</uri> + </references> + <metadata tag="requester" timestamp="2022-10-16T14:26:28.704832Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-16T14:26:28.710311Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-02.xml b/metadata/glsa/glsa-202210-02.xml new file mode 100644 index 000000000000..517756557064 --- /dev/null +++ b/metadata/glsa/glsa-202210-02.xml @@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-02"> + <title>OpenSSL: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in OpenSSL, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">openssl</product> + <announced>2022-10-16</announced> + <revised count="1">2022-10-16</revised> + <bug>741570</bug> + <bug>809980</bug> + <bug>832339</bug> + <bug>835343</bug> + <bug>842489</bug> + <bug>856592</bug> + <access>remote</access> + <affected> + <package name="dev-libs/openssl" auto="yes" arch="*"> + <unaffected range="ge">1.1.1q</unaffected> + <vulnerable range="lt">1.1.1q</vulnerable> + </package> + </affected> + <background> + <p>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All OpenSSL users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.1.1q" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1968">CVE-2020-1968</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3711">CVE-2021-3711</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3712">CVE-2021-3712</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4160">CVE-2021-4160</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0778">CVE-2022-0778</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1292">CVE-2022-1292</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1473">CVE-2022-1473</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2097">CVE-2022-2097</uri> + </references> + <metadata tag="requester" timestamp="2022-10-16T14:27:07.365886Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-16T14:27:07.370780Z">ajak</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202210-03.xml b/metadata/glsa/glsa-202210-03.xml new file mode 100644 index 000000000000..22e5f517c9fc --- /dev/null +++ b/metadata/glsa/glsa-202210-03.xml @@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-03"> + <title>libxml2: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in libxml2, the worst of which could result in arbitrary code execution.</synopsis> + <product type="ebuild">libxml2</product> + <announced>2022-10-16</announced> + <revised count="1">2022-10-16</revised> + <bug>833809</bug> + <bug>842261</bug> + <bug>865727</bug> + <access>remote</access> + <affected> + <package name="dev-libs/libxml2" auto="yes" arch="*"> + <unaffected range="ge">2.10.2</unaffected> + <vulnerable range="lt">2.10.2</vulnerable> + </package> + </affected> + <background> + <p>libxml2 is the XML C parser and toolkit developed for the GNOME project.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in libxml2. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libxml2 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.10.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23308">CVE-2022-23308</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29824">CVE-2022-29824</uri> + </references> + <metadata tag="requester" timestamp="2022-10-16T14:40:08.100268Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-16T14:40:08.111318Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-04.xml b/metadata/glsa/glsa-202210-04.xml new file mode 100644 index 000000000000..78e40dcfbbeb --- /dev/null +++ b/metadata/glsa/glsa-202210-04.xml @@ -0,0 +1,68 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-04"> + <title>Wireshark: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Wireshark, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">wireshark</product> + <announced>2022-10-16</announced> + <revised count="1">2022-10-16</revised> + <bug>802216</bug> + <bug>824474</bug> + <bug>830343</bug> + <bug>833294</bug> + <bug>869140</bug> + <access>remote</access> + <affected> + <package name="net-analyzer/wireshark" auto="yes" arch="*"> + <unaffected range="ge">3.6.8</unaffected> + <vulnerable range="lt">3.6.8</vulnerable> + </package> + </affected> + <background> + <p>Wireshark is a versatile network protocol analyzer.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Wireshark. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Wireshark users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-3.6.8" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4181">CVE-2021-4181</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4182">CVE-2021-4182</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4183">CVE-2021-4183</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4184">CVE-2021-4184</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4185">CVE-2021-4185</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4186">CVE-2021-4186</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4190">CVE-2021-4190</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22235">CVE-2021-22235</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39920">CVE-2021-39920</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39921">CVE-2021-39921</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39922">CVE-2021-39922</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39924">CVE-2021-39924</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39925">CVE-2021-39925</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39926">CVE-2021-39926</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39928">CVE-2021-39928</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39929">CVE-2021-39929</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0581">CVE-2022-0581</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0582">CVE-2022-0582</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0583">CVE-2022-0583</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0585">CVE-2022-0585</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0586">CVE-2022-0586</uri> + <uri>WNPA-SEC-2021-06</uri> + <uri>WNPA-SEC-2022-06</uri> + </references> + <metadata tag="requester" timestamp="2022-10-16T14:40:26.419748Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-16T14:40:26.423750Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-05.xml b/metadata/glsa/glsa-202210-05.xml new file mode 100644 index 000000000000..ef3f45395091 --- /dev/null +++ b/metadata/glsa/glsa-202210-05.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-05"> + <title>virglrenderer: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in virglrenderer, the worst of which could result in remote code execution.</synopsis> + <product type="ebuild">virglrenderer</product> + <announced>2022-10-16</announced> + <revised count="1">2022-10-16</revised> + <bug>866821</bug> + <access>remote</access> + <affected> + <package name="media-libs/virglrenderer" auto="yes" arch="*"> + <unaffected range="ge">0.10.1</unaffected> + <vulnerable range="lt">0.10.1</vulnerable> + </package> + </affected> + <background> + <p>A virtual 3D GPU library, that allows the guest operating system to use the host GPU to accelerate 3D rendering.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in virglrenderer. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All virglrenderer users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/virglrenderer-0.10.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0135">CVE-2022-0135</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0175">CVE-2022-0175</uri> + </references> + <metadata tag="requester" timestamp="2022-10-16T14:41:23.560398Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-16T14:41:23.564666Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-06.xml b/metadata/glsa/glsa-202210-06.xml new file mode 100644 index 000000000000..2133f4bfc472 --- /dev/null +++ b/metadata/glsa/glsa-202210-06.xml @@ -0,0 +1,60 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-06"> + <title>libvirt: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in libvirt, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">libvirt,libvirt-python</product> + <announced>2022-10-16</announced> + <revised count="1">2022-10-16</revised> + <bug>746119</bug> + <bug>799713</bug> + <bug>812317</bug> + <bug>836128</bug> + <access>remote</access> + <affected> + <package name="app-emulation/libvirt" auto="yes" arch="*"> + <unaffected range="ge">8.2.0</unaffected> + <vulnerable range="lt">8.2.0</vulnerable> + </package> + <package name="dev-python/libvirt-python" auto="yes" arch="*"> + <unaffected range="ge">8.2.0</unaffected> + <vulnerable range="lt">8.2.0</vulnerable> + </package> + </affected> + <background> + <p>libvirt is a C toolkit for manipulating virtual machines.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in libvirt. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libvirt users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/libvirt-8.2.0" + </code> + + <p>All libvirt-python users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/libvirt-python-8.2.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14339">CVE-2020-14339</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25637">CVE-2020-25637</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3631">CVE-2021-3631</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3667">CVE-2021-3667</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0897">CVE-2022-0897</uri> + </references> + <metadata tag="requester" timestamp="2022-10-16T14:42:10.219617Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-16T14:42:10.224150Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-07.xml b/metadata/glsa/glsa-202210-07.xml new file mode 100644 index 000000000000..23531d82ae8d --- /dev/null +++ b/metadata/glsa/glsa-202210-07.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-07"> + <title>Deluge: Cross-Site Scripting</title> + <synopsis>A vulnerability has been found in Deluge which could result in XSS.</synopsis> + <product type="ebuild">deluge</product> + <announced>2022-10-16</announced> + <revised count="1">2022-10-16</revised> + <bug>866842</bug> + <access>remote</access> + <affected> + <package name="net-p2p/deluge" auto="yes" arch="*"> + <unaffected range="ge">2.1.1</unaffected> + <vulnerable range="lt">2.1.1</vulnerable> + </package> + </affected> + <background> + <p>Deluge is a BitTorrent client.</p> + </background> + <description> + <p>Deluge does not sufficiently sanitize crafted torrent file data, leading to the application interpreting untrusted data as HTML.</p> + </description> + <impact type="low"> + <p>An attacker can achieve XSS via a crafted torrent file.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Deluge users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/deluge-2.1.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3427">CVE-2021-3427</uri> + </references> + <metadata tag="requester" timestamp="2022-10-16T14:42:29.766021Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-16T14:42:29.770310Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-08.xml b/metadata/glsa/glsa-202210-08.xml new file mode 100644 index 000000000000..258553a8b88c --- /dev/null +++ b/metadata/glsa/glsa-202210-08.xml @@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-08"> + <title>Tcpreplay: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Tcpreplay, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">tcpreplay</product> + <announced>2022-10-16</announced> + <revised count="1">2022-10-16</revised> + <bug>833139</bug> + <bug>836240</bug> + <access>remote</access> + <affected> + <package name="net-analyzer/tcpreplay" auto="yes" arch="*"> + <unaffected range="ge">4.4.2</unaffected> + <vulnerable range="lt">4.4.2</vulnerable> + </package> + </affected> + <background> + <p>Tcpreplay is a suite of utilities for UNIX systems for editing and replaying network traffic which was previously captured by tools like tcpdump and ethereal/wireshark.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Tcpreplay. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Tcpreplay users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/tcpreplay-4.4.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45386">CVE-2021-45386</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45387">CVE-2021-45387</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27416">CVE-2022-27416</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27418">CVE-2022-27418</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27939">CVE-2022-27939</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27940">CVE-2022-27940</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27941">CVE-2022-27941</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27942">CVE-2022-27942</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28487">CVE-2022-28487</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-37047">CVE-2022-37047</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-37048">CVE-2022-37048</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-37049">CVE-2022-37049</uri> + </references> + <metadata tag="requester" timestamp="2022-10-16T14:42:49.366484Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-16T14:42:49.370906Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-09.xml b/metadata/glsa/glsa-202210-09.xml new file mode 100644 index 000000000000..dbb426860d29 --- /dev/null +++ b/metadata/glsa/glsa-202210-09.xml @@ -0,0 +1,76 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-09"> + <title>Rust: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">rust,rust-bin</product> + <announced>2022-10-16</announced> + <revised count="1">2022-10-16</revised> + <bug>870166</bug> + <bug>831638</bug> + <bug>821157</bug> + <bug>807052</bug> + <bug>782367</bug> + <access>remote</access> + <affected> + <package name="dev-lang/rust" auto="yes" arch="*"> + <unaffected range="ge">1.63.0-r1</unaffected> + <vulnerable range="lt">1.63.0-r1</vulnerable> + </package> + <package name="dev-lang/rust-bin" auto="yes" arch="*"> + <unaffected range="ge">1.64.0</unaffected> + <vulnerable range="lt">1.64.0</vulnerable> + </package> + </affected> + <background> + <p>A systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Rust. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Rust users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/rust-1.63.0-r1" + </code> + + <p>All Rust binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/rust-bin-1.64.0" + </code> + + <p>In addition, users using Portage 3.0.38 or later should ensure that packages with Rust binaries have no vulnerable code statically linked into their binaries by rebuilding the @rust-rebuild set:</p> + + <code> + # emerge --ask --oneshot --verbose @rust-rebuild + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28875">CVE-2021-28875</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28876">CVE-2021-28876</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28877">CVE-2021-28877</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28878">CVE-2021-28878</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28879">CVE-2021-28879</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-29922">CVE-2021-29922</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31162">CVE-2021-31162</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36317">CVE-2021-36317</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36318">CVE-2021-36318</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42574">CVE-2021-42574</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42694">CVE-2021-42694</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21658">CVE-2022-21658</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36113">CVE-2022-36113</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36114">CVE-2022-36114</uri> + </references> + <metadata tag="requester" timestamp="2022-10-16T14:43:11.432733Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-16T14:43:11.437329Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 40d83921d3d5..98bfa60ae39d 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Sun, 16 Oct 2022 12:09:53 +0000 +Sun, 16 Oct 2022 18:09:56 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index b1a12b3d73c6..c32526fd918c 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -8e52f9f318ef7a9ff9934af98577da9ceadf5360 1665286750 2022-10-09T03:39:10+00:00 +cda5f646cd9bc370223b79be59deee389a0caeef 1665931525 2022-10-16T14:45:25+00:00 |