diff options
Diffstat (limited to 'metadata/glsa')
| -rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
| -rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 491803 -> 494188 bytes | |||
| -rw-r--r-- | metadata/glsa/glsa-202012-09.xml | 50 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-10.xml | 60 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-11.xml | 46 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-12.xml | 53 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-13.xml | 51 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-14.xml | 51 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-15.xml | 50 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-16.xml | 73 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-17.xml | 52 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-18.xml | 55 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-19.xml | 52 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-20.xml | 122 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-22.xml | 58 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-23.xml | 59 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202012-24.xml | 51 | ||||
| -rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
| -rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
19 files changed, 900 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 132d1ba25db9..9bf188744404 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 491803 BLAKE2B 78c7b315718b290681f17c40a54b26e436d02ce9c07c7af217a95b8ba814d80acc88d2663352de1ae84551e2ca2c3599522f47f220f7729a6058ea3424c7371f SHA512 ab40e1589be1f2a6217a23c90ec3460c0358c487f815e9eedbe4164a7eadf4bd9b00bc1444285fbffeeff87fdc732a5321cd9e70839cc4622c40fa254a9b51a2 -TIMESTAMP 2020-12-18T10:38:43Z +MANIFEST Manifest.files.gz 494188 BLAKE2B 06bbe4de83e86ba40cd9d32af0f5c629f7193a7b2d45313f5bbf32584c1872d72e37301ba735e9b855e0277581de211e930f66477a0bb84e9dd623fe6440fecc SHA512 f1a00ed1160522175a46c088034a8eb2afd13d41fa33354a8d74917618abeaa144f3c942f458ca2dc736b92823fe045919c4edbd9749f72b8ea031e46de95411 +TIMESTAMP 2020-12-25T22:38:29Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl/chrNfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl/maeVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klAw9A/7BNyBDsJ+AcdcQIxEX4Jq+yOVc8m9pfDOesex8y+qlOWm2820Uf220Fp+ -NscNT1kPmvScHDr8o8neadrsX5oxvizg6EmFDSClHdrZDl5k+TekbxjK6t36xS+/ -3ZcrVXmW7BzKmCv7OKwve/vpABOFloAbVuH0NnQMGJncOGF50bGwUu05gOFoFFHO -lmtYOGI4EDXQtTxIbqt79xlu5zw3dEhAuhN1S0UjDfUDl8jHRKmGXgboKlvwJ7oR -eADv/bizjvtcHWg7XkPmDN/OdXGnkw11RwhLLIH6jeurWtXCa0RjveEDqsAhwe4j -+x1edU4hdfCEw2j2pSrGhdoVL/I2sH120Qfm0GztGOgPiLw5i1EeF2qR+uVcG0d3 -prVDVhuocoP1G9dn5c1gmnBYOO+tL4Djd+CBF+SeEgX/Bby6klBskSzHfemjMOV+ -6Kdl6SFBDPQeoCYLZUAqr2C7NJ5PG5atOljE48RREGE2JZs09AjqRVr8RGDKkBGJ -WP1GwhofAcDrljNjQXE+NYbKxmmQp69Z9C9lp7TWkDqqHwUcapVWJOO4dGtWDvUd -h+I5qZTFcncU9PW1gdeh6Q8dx8cPx2jQ3tP/sEJLckfkqYfDlNQCIGD55SoSgEw8 -Trr5k860757ncsKs/9HnWQvt7qcSp6SkADIQ2qiO1GBbQt8uKTA= -=5oUm +klArLA/+JCCLRIMC3NN6LfUBrUnuFC7+VRXOZeIfFgWcCO0JYbtyAwRE/C/bwduJ +WQaShhh4xOQvlzSFCz2CxY1NHv2fL811hUA6BIoSRC5cGmYribPiwD4qA/ckbavw +RhHH25rE3YajaiZ5nUGFFxRUpJNBKtOk1eAgoS1lH+aTkiDpQSj+jRjTVx/Rs+/f +YyczZRRUA90PLOLAW/jGCrXyCjfUL+ca15z7lBmfkkx2fU3N4QsdXkFAGgVigzej +bCCXYu7bphKdCUXWZ0sALWC+uYZRhW6DqUSEz+dW88WiSCD1HQvh+Q4NUlYnGgRS +U6fnvW32oofgNBOgpUgzpteszJbQsxEAphlCPXkvz5ic3uVZE1nvMXlSeVPPtuzM +GKFazch/vM2EVaZ+c6DOfyzjZ8Ekui3HmahJJuvW21pM6deoGt0k2MvTOc8t/SiA +vV4zQL8P+SPKxlnV7WrR6wedGXkW3mtC8uAaOQKjYXV2LLkfN3kJnLJ66uavTads +VbJXqlLAaT3jY6q76BmBmZHbGNgufhqZhdUE4Z9VDXMeakACnl4KI+4bZ8pa197Z +tcxT5B+BHLAOahXISif4LEEm4qlsE29LW8jtg6XC/xFQ05pOOoN5jrJ1z9XMffvt +zXLWxaITW2yFNkVVhJjrr2I1lt4Ue7avIRX3bKatG6VzSDOZ2nA= +=4Mzp -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex c21bcf6ee949..20ab6831b3d6 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202012-09.xml b/metadata/glsa/glsa-202012-09.xml new file mode 100644 index 000000000000..98367ceec438 --- /dev/null +++ b/metadata/glsa/glsa-202012-09.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-09"> + <title>Cherokee: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Cherokee, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">cherokee</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>715204</bug> + <access>remote</access> + <affected> + <package name="www-servers/cherokee" auto="yes" arch="*"> + <vulnerable range="le">1.2.104-r2</vulnerable> + </package> + </affected> + <background> + <p>Cherokee is an extra-light web server.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Cherokee. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>Gentoo has discontinued support for Cherokee. We recommend that users + unmerge package: + </p> + + <code> + # emerge --unmerge "www-servers/cherokee" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2006-1681">CVE-2006-1681</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20798">CVE-2019-20798</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20799">CVE-2019-20799</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20800">CVE-2019-20800</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-12845">CVE-2020-12845</uri> + </references> + <metadata tag="requester" timestamp="2020-12-23T16:51:00Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:47:34Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-10.xml b/metadata/glsa/glsa-202012-10.xml new file mode 100644 index 000000000000..d3fcad05f767 --- /dev/null +++ b/metadata/glsa/glsa-202012-10.xml @@ -0,0 +1,60 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-10"> + <title>WebkitGTK+: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in WebKitGTK+, the worst + of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">webkit-gtk</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>755947</bug> + <access>remote</access> + <affected> + <package name="net-libs/webkit-gtk" auto="yes" arch="*"> + <unaffected range="ge">2.30.3</unaffected> + <vulnerable range="lt">2.30.3</vulnerable> + </package> + </affected> + <background> + <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine, + suitable for projects requiring any kind of web integration, from hybrid + HTML/CSS applications to full-fledged web browsers. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>An attacker, by enticing a user to visit maliciously crafted web + content, may be able to execute arbitrary code or cause memory + corruption. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All WebkitGTK+ users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.30.3" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13543">CVE-2020-13543</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13584">CVE-2020-13584</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9948">CVE-2020-9948</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9951">CVE-2020-9951</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9952">CVE-2020-9952</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9983">CVE-2020-9983</uri> + <uri link="https://webkitgtk.org/security/WSA-2020-0008.html">WSA-2020-0008</uri> + <uri link="https://webkitgtk.org/security/WSA-2020-0009.html">WSA-2020-0009</uri> + </references> + <metadata tag="requester" timestamp="2020-12-22T22:19:16Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:48:49Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-11.xml b/metadata/glsa/glsa-202012-11.xml new file mode 100644 index 000000000000..f3d69f2db485 --- /dev/null +++ b/metadata/glsa/glsa-202012-11.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-11"> + <title>c-ares: Denial of service</title> + <synopsis>A Denial of Service vulnerability was discovered in c-ares.</synopsis> + <product type="ebuild">c-ares</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>754939</bug> + <access>local, remote</access> + <affected> + <package name="net-dns/c-ares" auto="yes" arch="*"> + <unaffected range="ge">1.17.1</unaffected> + <vulnerable range="lt">1.17.1</vulnerable> + </package> + </affected> + <background> + <p>c-ares is an asynchronous resolver library.</p> + </background> + <description> + <p>It was discovered that c-ares incorrectly handled certain DNS requests.</p> + </description> + <impact type="low"> + <p>A remote attacker, able to trigger a DNS request for a host of their + choice by an application linked against c-ares, could possibly cause a + Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All c-ares users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/c-ares-1.17.1" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8277">CVE-2020-8277</uri> + </references> + <metadata tag="requester" timestamp="2020-12-22T22:25:15Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:49:06Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-12.xml b/metadata/glsa/glsa-202012-12.xml new file mode 100644 index 000000000000..ea229f22c983 --- /dev/null +++ b/metadata/glsa/glsa-202012-12.xml @@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-12"> + <title>libass: User-assisted execution of arbitrary code</title> + <synopsis>A vulnerability has been found in libass that could allow a remote + attacker to execute arbitrary code. + </synopsis> + <product type="ebuild">libass</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>746413</bug> + <access>local, remote</access> + <affected> + <package name="media-libs/libass" auto="yes" arch="*"> + <unaffected range="ge">0.15.0</unaffected> + <vulnerable range="lt">0.15.0</vulnerable> + </package> + </affected> + <background> + <p>libass is a portable subtitle renderer for the ASS/SSA (Advanced + Substation Alpha/Substation Alpha) subtitle format. + </p> + </background> + <description> + <p>It was discovered that libass did not properly handle Advanced + Substation Alpha/Substation Alpha subtitle format files. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to process an a specially crafted + subtitle format file using an application linked against libass, possibly + resulting in execution of arbitrary code with the privileges of the + process or a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libass users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libass-0.15.0" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26682">CVE-2020-26682</uri> + </references> + <metadata tag="requester" timestamp="2020-12-22T22:35:27Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:52:17Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-13.xml b/metadata/glsa/glsa-202012-13.xml new file mode 100644 index 000000000000..5bd290db05f7 --- /dev/null +++ b/metadata/glsa/glsa-202012-13.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-13"> + <title>OpenSSL: Denial of service</title> + <synopsis>A vulnerability in OpenSSL might allow remote attackers to cause a + Denial of Service condition. + </synopsis> + <product type="ebuild">openssl</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>759079</bug> + <access>local, remote</access> + <affected> + <package name="dev-libs/openssl" auto="yes" arch="*"> + <unaffected range="ge">1.1.1i</unaffected> + <vulnerable range="lt">1.1.1i</vulnerable> + </package> + </affected> + <background> + <p>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer + (SSL v2/v3) and Transport Layer Security (TLS v1/v1.1/v1.2/v1.3) as well + as a general purpose cryptography library. + </p> + </background> + <description> + <p>A null pointer dereference flaw was found in OpenSSL.</p> + </description> + <impact type="low"> + <p>A remote attacker, able to control the arguments of the GENERAL_NAME_cmp + function in an application linked against OpenSSL, could possibly cause a + Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All OpenSSL users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.1.1i" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1971">CVE-2020-1971</uri> + </references> + <metadata tag="requester" timestamp="2020-12-22T22:47:12Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:52:34Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-14.xml b/metadata/glsa/glsa-202012-14.xml new file mode 100644 index 000000000000..6d7c215154f7 --- /dev/null +++ b/metadata/glsa/glsa-202012-14.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-14"> + <title>cURL: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in cURL, the worst of + which could result in information disclosure or data loss. + </synopsis> + <product type="ebuild">curl</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>737990</bug> + <bug>759259</bug> + <access>remote</access> + <affected> + <package name="net-misc/curl" auto="yes" arch="*"> + <unaffected range="ge">7.74.0</unaffected> + <vulnerable range="lt">7.74.0</vulnerable> + </package> + </affected> + <background> + <p>A command line tool and library for transferring data with URLs.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in cURL. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All cURL users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.74.0" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8231">CVE-2020-8231</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8284">CVE-2020-8284</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8285">CVE-2020-8285</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8286">CVE-2020-8286</uri> + </references> + <metadata tag="requester" timestamp="2020-12-22T22:55:43Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:52:57Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-15.xml b/metadata/glsa/glsa-202012-15.xml new file mode 100644 index 000000000000..771f8956fd74 --- /dev/null +++ b/metadata/glsa/glsa-202012-15.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-15"> + <title>GDK-PixBuf: Denial of service</title> + <synopsis>A vulnerability in GDK-PixBuf library could lead to a Denial of + Service condition. + </synopsis> + <product type="ebuild">gdk-pixbuf</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>759094</bug> + <access>local, remote</access> + <affected> + <package name="x11-libs/gdk-pixbuf" auto="yes" arch="*"> + <unaffected range="ge">2.42.2</unaffected> + <vulnerable range="lt">2.42.2</vulnerable> + </package> + </affected> + <background> + <p>GDK-PixBuf is an image loading library for GTK+.</p> + </background> + <description> + <p>It was discovered that the GDK-PixBuf library did not properly handle + certain GIF images. + </p> + </description> + <impact type="low"> + <p>A remote attacker could entice a user to open a specially crafted GIF + image in an application linked against GDK-PixBuf library, possibly + resulting in a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GDK-PixBuf library users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/gdk-pixbuf-2.42.2" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-29385">CVE-2020-29385</uri> + </references> + <metadata tag="requester" timestamp="2020-12-22T23:01:46Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:53:21Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-16.xml b/metadata/glsa/glsa-202012-16.xml new file mode 100644 index 000000000000..30556bb56e1f --- /dev/null +++ b/metadata/glsa/glsa-202012-16.xml @@ -0,0 +1,73 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-16"> + <title>PHP: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in PHP, the worst of which + could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">php</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>711140</bug> + <bug>745993</bug> + <bug>756775</bug> + <access>local, remote</access> + <affected> + <package name="dev-lang/php" auto="yes" arch="*"> + <unaffected range="ge" slot="7.2">7.2.34-r1</unaffected> + <unaffected range="ge" slot="7.3">7.3.25</unaffected> + <unaffected range="ge" slot="7.4">7.4.13</unaffected> + <vulnerable range="lt">8.0.0</vulnerable> + </package> + </affected> + <background> + <p>PHP is an open source general-purpose scripting language that is + especially suited for web development. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in PHP. Please review the + CVE identifiers and change log referenced below for details. + </p> + </description> + <impact type="low"> + <p>An attacker could cause a Denial of Service condition or obtain + sensitive information. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PHP 7.2.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.2.34-r1:7.2" + </code> + + <p>All PHP 7.3.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.3.25:7.3" + </code> + + <p>All PHP 7.4.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.13:7.4" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7069">CVE-2020-7069</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7070">CVE-2020-7070</uri> + <uri link="https://www.php.net/ChangeLog-7.php#7.4.13">PHP 7.4.13 Change + Log + </uri> + </references> + <metadata tag="requester" timestamp="2020-12-22T23:21:19Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:53:43Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-17.xml b/metadata/glsa/glsa-202012-17.xml new file mode 100644 index 000000000000..80b1db8fc462 --- /dev/null +++ b/metadata/glsa/glsa-202012-17.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-17"> + <title>D-Bus: Denial of service</title> + <synopsis>A local Denial of Service vulnerability was discovered in D-Bus.</synopsis> + <product type="ebuild">dbus</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>755392</bug> + <access>local</access> + <affected> + <package name="sys-apps/dbus" auto="yes" arch="*"> + <unaffected range="ge">1.12.20</unaffected> + <vulnerable range="lt">1.12.20</vulnerable> + </package> + </affected> + <background> + <p>D-Bus is a message bus system which processes can use to talk to each + other. + </p> + </background> + <description> + <p>It was discovered that D-Bus did not properly handle the situation when + two usernames have the same numeric UID. + </p> + </description> + <impact type="low"> + <p>An attacker could possibly cause a Denial of Service condition or + trigger other undefined behavior, possibly including incorrect + authorization decisions. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All D-Bus users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.12.20" + </code> + + </resolution> + <references> + <uri link="https://lists.freedesktop.org/archives/ftp-release/2020-July/000758.html"> + dbus 1.12.20 security update announcement + </uri> + </references> + <metadata tag="requester" timestamp="2020-12-23T00:47:59Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:54:00Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-18.xml b/metadata/glsa/glsa-202012-18.xml new file mode 100644 index 000000000000..f7fbf13a6da1 --- /dev/null +++ b/metadata/glsa/glsa-202012-18.xml @@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-18"> + <title>PowerDNS: information disclosure</title> + <synopsis>An information disclosure vulnerability in PowerDNS allow remote + attackers to obtain sensitive information. + </synopsis> + <product type="ebuild">pdns</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>744160</bug> + <access>remote</access> + <affected> + <package name="net-dns/pdns" auto="yes" arch="*"> + <unaffected range="ge">4.3.1</unaffected> + <vulnerable range="lt">4.3.1</vulnerable> + </package> + </affected> + <background> + <p>The PowerDNS nameserver is an authoritative-only nameserver which uses a + flexible backend architecture. + </p> + </background> + <description> + <p>It was discovered that PowerDNS did not properly handle certain unknown + records. + </p> + </description> + <impact type="low"> + <p>An authorized attacker with the ability to insert crafted records into a + zone might be able to leak the content of uninitialized memory. Crafted + records cannot be inserted via AXFR. + </p> + </impact> + <workaround> + <p>Do not take zone data from untrusted users.</p> + </workaround> + <resolution> + <p>All PowerDNS users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/pdns-4.3.1" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-17482">CVE-2020-17482</uri> + <uri link="https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"> + PowerDNS Security Advisory 2020-05 + </uri> + </references> + <metadata tag="requester" timestamp="2020-12-23T16:32:50Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:54:22Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-19.xml b/metadata/glsa/glsa-202012-19.xml new file mode 100644 index 000000000000..939cc25c34e8 --- /dev/null +++ b/metadata/glsa/glsa-202012-19.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-19"> + <title>PowerDNS Recursor: Denial of service</title> + <synopsis>A vulnerability in PowerDNS Recursor could lead to a Denial of + Service condition. + </synopsis> + <product type="ebuild">pdns-recursor</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>746923</bug> + <access>remote</access> + <affected> + <package name="net-dns/pdns-recursor" auto="yes" arch="*"> + <unaffected range="ge">4.3.5</unaffected> + <vulnerable range="lt">4.3.5</vulnerable> + </package> + </affected> + <background> + <p>PowerDNS Recursor is a high-end, high-performance resolving name server.</p> + </background> + <description> + <p>It was discovered that it was possible to update the DNSSEC validation + state to a bogus state for a cached record via DNS ANY query. + </p> + </description> + <impact type="low"> + <p>A remote attacker could send specially crafted DNS queries to deny + DNSSEC validation. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PowerDNS Recursor users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/pdns-recursor-4.3.5" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25829">CVE-2020-25829</uri> + <uri link="https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"> + PowerDNS Security Advisory 2020-07 + </uri> + </references> + <metadata tag="requester" timestamp="2020-12-23T17:00:31Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:54:43Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-20.xml b/metadata/glsa/glsa-202012-20.xml new file mode 100644 index 000000000000..883bfb84112a --- /dev/null +++ b/metadata/glsa/glsa-202012-20.xml @@ -0,0 +1,122 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-20"> + <title>Mozilla Firefox, Mozilla Thunderbird: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox and + Mozilla Thunderbird, the worst of which could result in the arbitrary + execution of code. + </synopsis> + <product type="ebuild">firefox,thunderbird</product> + <announced>2020-12-23</announced> + <revised count="1">2020-12-23</revised> + <bug>759097</bug> + <access>local, remote</access> + <affected> + <package name="www-client/firefox" auto="yes" arch="*"> + <unaffected range="ge" slot="0/esr78">78.6.0</unaffected> + <unaffected range="ge">84.0</unaffected> + <vulnerable range="lt">84.0</vulnerable> + </package> + <package name="www-client/firefox-bin" auto="yes" arch="*"> + <unaffected range="ge" slot="0/esr78">78.6.0</unaffected> + <unaffected range="ge">84.0</unaffected> + <vulnerable range="lt">84.0</vulnerable> + </package> + <package name="mail-client/thunderbird" auto="yes" arch="*"> + <unaffected range="ge">78.6.0</unaffected> + <vulnerable range="lt">78.6.0</vulnerable> + </package> + <package name="mail-client/thunderbird-bin" auto="yes" arch="*"> + <unaffected range="ge">78.6.0</unaffected> + <vulnerable range="lt">78.6.0</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Firefox is a popular open-source web browser from the Mozilla + project. + </p> + + <p>Mozilla Thunderbird is a popular open-source email client from the + Mozilla project. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Firefox and + Mozilla Thunderbird. Please review the CVE identifiers referenced below + for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla Firefox users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-84.0" + </code> + + <p>All Mozilla Firefox (bin) users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-84.0" + </code> + + <p>All Mozilla Firefox ESR users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/firefox-78.6.0:0/esr78" + </code> + + <p>All Mozilla Firefox ESR (bin) users should upgrade to the latest + version: + </p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/firefox-bin-78.6.0:0/esr78" + </code> + + <p>All Mozilla Thunderbird users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-78.6.0" + </code> + + <p>All Mozilla Thunderbird (bin) users should upgrade to the latest + version: + </p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=mail-client/thunderbird-bin-78.6.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16042">CVE-2020-16042</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26971">CVE-2020-26971</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26973">CVE-2020-26973</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26974">CVE-2020-26974</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26978">CVE-2020-26978</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35111">CVE-2020-35111</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35113">CVE-2020-35113</uri> + <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-55/"> + MFSA-2020-55 + </uri> + <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/"> + MFSA-2020-56 + </uri> + </references> + <metadata tag="requester" timestamp="2020-12-22T22:07:43Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-23T19:56:47Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-22.xml b/metadata/glsa/glsa-202012-22.xml new file mode 100644 index 000000000000..083b6e2777cd --- /dev/null +++ b/metadata/glsa/glsa-202012-22.xml @@ -0,0 +1,58 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-22"> + <title>HAProxy: Arbitrary code execution</title> + <synopsis>A buffer overflow in HAProxy might allow an attacker to execute + arbitrary code. + </synopsis> + <product type="ebuild">haproxy</product> + <announced>2020-12-24</announced> + <revised count="1">2020-12-24</revised> + <bug>715944</bug> + <access>remote</access> + <affected> + <package name="net-proxy/haproxy" auto="yes" arch="*"> + <unaffected range="ge" slot="0/2.0">2.0.13</unaffected> + <unaffected range="ge">2.1.4</unaffected> + <vulnerable range="lt">2.1.4</vulnerable> + </package> + </affected> + <background> + <p>HAProxy is a TCP/HTTP reverse proxy for high availability environments.</p> + </background> + <description> + <p>It was discovered that HAProxy incorrectly handled certain HTTP/2 + headers. + </p> + </description> + <impact type="normal"> + <p>A remote attacker, by sending a specially crafted HTTP/2 request, could + possibly execute arbitrary code with the privileges of the process, or + cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>Disable HTTP/2 support.</p> + </workaround> + <resolution> + <p>All HAProxy 2.0.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-2.0.13:0/2.0" + </code> + + <p>All other HAProxy users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-2.1.4" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11100">CVE-2020-11100</uri> + </references> + <metadata tag="requester" timestamp="2020-05-20T16:01:15Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-12-24T14:09:42Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-23.xml b/metadata/glsa/glsa-202012-23.xml new file mode 100644 index 000000000000..15ee7d69256d --- /dev/null +++ b/metadata/glsa/glsa-202012-23.xml @@ -0,0 +1,59 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-23"> + <title>Apache Tomcat: Information disclosure</title> + <synopsis>A vulnerability has been discovered in Apache Tomcat that allows + for the disclosure of sensitive information. + </synopsis> + <product type="ebuild">tomcat</product> + <announced>2020-12-24</announced> + <revised count="1">2020-12-24</revised> + <bug>758338</bug> + <access>remote</access> + <affected> + <package name="www-servers/tomcat" auto="yes" arch="*"> + <unaffected range="ge" slot="8.5">8.5.60</unaffected> + <unaffected range="ge" slot="9">9.0.40</unaffected> + <vulnerable range="lt" slot="8.5">8.5.60</vulnerable> + <vulnerable range="lt" slot="9">9.0.40</vulnerable> + </package> + </affected> + <background> + <p>Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.</p> + </background> + <description> + <p>It was discovered that Apache Tomcat could re-use an HTTP request header + value from the previous stream received on an HTTP/2 connection for the + request associated with the subsequent stream. + </p> + </description> + <impact type="low"> + <p>A remote attacker, by sending well-timed HTTP/2 requests, could possibly + obtain sensitive information. + </p> + </impact> + <workaround> + <p>Disable HTTP/2 support.</p> + </workaround> + <resolution> + <p>All Apache Tomcat 8.5.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.60:8.5" + </code> + + <p>All Apache Tomcat 9.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/tomcat-9.0.40:9" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-17527">CVE-2020-17527</uri> + </references> + <metadata tag="requester" timestamp="2020-12-23T01:20:53Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-24T14:11:02Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202012-24.xml b/metadata/glsa/glsa-202012-24.xml new file mode 100644 index 000000000000..b0f388729a48 --- /dev/null +++ b/metadata/glsa/glsa-202012-24.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202012-24"> + <title>Samba: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Samba, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">samba</product> + <announced>2020-12-24</announced> + <revised count="1">2020-12-24</revised> + <bug>743433</bug> + <bug>751724</bug> + <access>remote</access> + <affected> + <package name="net-fs/samba" auto="yes" arch="*"> + <unaffected range="ge">4.12.9</unaffected> + <vulnerable range="lt">4.12.9</vulnerable> + </package> + </affected> + <background> + <p>Samba is a suite of SMB and CIFS client/server programs.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Samba. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Samba users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-4.12.9" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14318">CVE-2020-14318</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14323">CVE-2020-14323</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14383">CVE-2020-14383</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1472">CVE-2020-1472</uri> + </references> + <metadata tag="requester" timestamp="2020-12-23T17:13:10Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-12-24T14:11:44Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 3566219e0db0..698dafaf84e1 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Fri, 18 Dec 2020 10:38:40 +0000 +Fri, 25 Dec 2020 22:38:26 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index d6f3da74af96..53f93d093df4 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -2d6a7eded7a3cf117b214efd061a0ad33a26510d 1607301079 2020-12-07T00:31:19+00:00 +ea35db4303f80b8dc5f6dffe7a6c3111e9e37b5a 1608819368 2020-12-24T14:16:08+00:00 |