Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 429647 -> 431078 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-201811-01.xml | 54 | ||||
-rw-r--r-- | metadata/glsa/glsa-201811-02.xml | 53 | ||||
-rw-r--r-- | metadata/glsa/glsa-201811-03.xml | 52 | ||||
-rw-r--r-- | metadata/glsa/glsa-201811-04.xml | 73 | ||||
-rw-r--r-- | metadata/glsa/glsa-201811-05.xml | 52 | ||||
-rw-r--r-- | metadata/glsa/glsa-201811-06.xml | 53 | ||||
-rw-r--r-- | metadata/glsa/glsa-201811-07.xml | 49 | ||||
-rw-r--r-- | metadata/glsa/glsa-201811-08.xml | 50 | ||||
-rw-r--r-- | metadata/glsa/glsa-201811-09.xml | 52 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
13 files changed, 505 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 272b5617c473..66be81562320 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest 
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 429647 BLAKE2B a411cce710ab8dd39a655bd0e0cc190fbcae6f53119ffd89cae0be474bd52b18b9f669c37dc08ddc9e6dc2a29bf677b9015df98cc57c2d30284d663c0b745fe0 SHA512 727e13fbfd98dfc90a62c0a63c29d8331a6b94e4b42d913790e4a78f814e95d07a616b3b426612b6bfed54ee01f6b9889ca7c2f42345120b9b84f4679ebf482d -TIMESTAMP 2018-11-03T07:38:39Z +MANIFEST Manifest.files.gz 431078 BLAKE2B a37fcfee71256f9d40f60594c0e23daa5c659172c73db4acde25cfdd707e9c953c72c601225f03add857a3a4cd00dd0e4d133ce2a5780bc2e304faaa458a4319 SHA512 34e61d1ae19c99e2490f0ce5a8c731b8cbbf25f056f7432c3433599c2ba70347a4dc032b240a0b1d37227f95691c4c78e3d496bae3d66dff4167de8de8693f5d +TIMESTAMP 2018-11-18T08:38:36Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlvdUH9fFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlvxJQxfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klB9HhAAloTGT9BfjtX6lE1xv7+YdKOjU8YbkFR4rbjKI2zGnYqQAc8ZM1zss3+q -pRDBwW1Bgp3LavCqFdTDVAqVQ2CiGjzAvWAyjYqjQnWyi+2mlgbgB1WpJLufd32P -647NlKJcpIzGBW2CrL/fkQiqYkeYKx1fr9nr+BJoLYK7hPZbewKNITU2OsiV+TtM -wgJ7uFECAbluJbdDnJPrY+8mYNpAaHrxmvzPx61hHq3rbMP3V8IC0753QUPhgKbr -NzIKDX+HbQXN5eydTyUHvPIe2n/F/Xj6r3gYa+NwbynnI5ggjBChkaLrKLHzjpVE -oUUox9auS/AsN5gxHOaCGZUZ0sDnx/QKAhOKSF20b7MVU8pIPpBtM/C/JASprKSo -QN2YywpdSioqLf6wcTxxsn0bRu4QlNter8fpe38ai76V2n7GSxxZ0bJrVjzaw18b -uEkuA+ZWaRE6bkokhUSkTTfQImlOKcH18TXUtivPcjFqichlNacys+ErunG0Z97V -A5wpJW343ERkqNOwYvrmfNK3DYUQ/KcAuEq/pu5SxpSCbZdfh9gwSkXZv5zVKjpL -QbAAOyTOhx0vTmc+9fBtNRfUkiepJHYOlt1SiyljYOrhdp28WBzPgvrFoeOcGXeM -WSuPl143uqYvamOWXXIY5fOy4gUGoJLxlCnScLQ8i3JbqAud8z0= -=YiFX +klAQNA/+LYW4R8jPLBp08Reh78sEkHJSZMNLmPt6DYCqB6ao31iMkwo+5nZj/TxI +VJ+n56iXlY7hm2EvU/SOnta0rONG6QMxFPrOgDMsYsT9o1Qk/ybodPJifB+HW+M9 +pDmuMIyr+hJgYsc/udiEI0t6lT6V83f4DZIbVzt4kHk9VYPYXrj4VpcvQVI3uy1H 
+yy3Akdb3zSOeR7gOam0WvWDfFnGD2oeNmR1wp+qpYuHsSvfrSlx0hJtrFUS21teL +WFso2irh0whV8FqvpHFgA8E7/OX/qNmoEy/6gzWWMhz5McoO6/NX9+FS65lP+PFw +Ee/DGREMtG0rv0RdwuncsSpRscF/myzo//d394VWFQSVUCS+una6OrGyPOmkYAUh +Dk7cF/skISpOGqbts9aPlJrNwxH1fmEXpBZoeqvlm2VXjaKGYTkQNCcjYuGEuouz +RvPbIB5dSEdYM+EWDBHbamixdYscx/RtL8vi1Y2nLnR50M82lKy5zG65VEh21RSl +r00r7eHJBS7la9XcNqH4Wj6UAF2aUVI8knYRWfK5tg8yzJYbDSVXIYjmUYHfBkBo +JdZX2xTnkxm7FqgM7SjojFMWyfgwBp5lGWjzaR40+zXoLnN3fxFjAxE8rxaCdO7h +gsiteLC0/G3AtxTqEXh/3HtmWktyQDv3Uq6QGAeTRZ7Pjsqcm7s= +=KWRB -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex d0b2412ba016..f7610bd56006 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-201811-01.xml b/metadata/glsa/glsa-201811-01.xml new file mode 100644 index 000000000000..098096755489 --- /dev/null +++ b/metadata/glsa/glsa-201811-01.xml 
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-01">
+ <title>X.Org X11 library: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in X.Org X11 library, the
+ worst of which could allow for remote code execution.
+ </synopsis>
+ <product type="ebuild">libX11</product>
+ <announced>2018-11-09</announced>
+ <revised count="1">2018-11-09</revised>
+ <bug>664184</bug>
+ <access>remote</access>
+ <affected>
+ <package name="x11-libs/libX11" auto="yes" arch="*">
+ <unaffected range="ge">1.6.6</unaffected>
+ <vulnerable range="lt">1.6.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>X.Org is an implementation of the X Window System. The X.Org X11 library
+ provides the X11 protocol library files.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in X.Org X11 library.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to connect to a malicious server,
+ could cause the execution of arbitrary code with the privileges of the
+ process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All X.Org X11 library users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-libs/libX11-1.6.6"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14598">CVE-2018-14598</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14599">CVE-2018-14599</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14600">CVE-2018-14600</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-09-24T03:54:14Z">irishluck83</metadata>
+ <metadata tag="submitter" timestamp="2018-11-09T00:23:32Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-02.xml b/metadata/glsa/glsa-201811-02.xml
new file mode 100644
index 000000000000..6ba1bc458393
--- /dev/null
+++ b/metadata/glsa/glsa-201811-02.xml
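Review bot: The DOCTYPE on the second line of this new file names an external DTD over plain `http://`, so any consumer that resolves the system identifier fetches an unauthenticated document while parsing a security advisory. The same declaration opens glsa-201811-02 through glsa-201811-09 in this commit. If the DTD is served over TLS and no tooling matches on the exact identifier, `<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa.dtd">` would be the safer form. Either way, readers of these files should parse with external DTD loading and network access disabled, or validate against a locally shipped copy.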
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-02">
+ <title>Python: Buffer overflow</title>
+ <synopsis>A buffer overflow in Python might allow remote attackers to cause a
+ Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">Python</product>
+ <announced>2018-11-09</announced>
+ <revised count="1">2018-11-09</revised>
+ <bug>647862</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/python" auto="yes" arch="*">
+ <unaffected range="ge">2.7.15</unaffected>
+ <vulnerable range="lt">2.7.15</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Python is an interpreted, interactive, object-oriented programming
+ language.
+ </p>
+ </background>
+ <description>
+ <p>A buffer overflow vulnerability have been discovered in Python. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, in special situations such as function as a service,
+ could violate a trust boundary and cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Python users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.15"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000030">
+ CVE-2018-1000030
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-10-16T02:38:25Z">irishluck83</metadata>
+ <metadata tag="submitter" timestamp="2018-11-09T00:24:00Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-03.xml b/metadata/glsa/glsa-201811-03.xml
new file mode 100644
index 000000000000..cbf256a1d569
--- /dev/null
+++ b/metadata/glsa/glsa-201811-03.xml
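Review bot: The description paragraph has a subject-verb slip and a plural that does not match the single reference. `A buffer overflow vulnerability have been discovered` should read `has been discovered`, and `the CVE identifiers referenced below` should be `the CVE identifier`, since only CVE-2018-1000030 is listed. A similar slip is in the impact text of glsa-201811-07, `a specially crafted Emoji sequences`, which wants the singular `sequence`.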
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-03">
+ <title>OpenSSL: Denial of Service</title>
+ <synopsis>A vulnerability in OpenSSL might allow remote attackers to cause a
+ Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">openssl</product>
+ <announced>2018-11-09</announced>
+ <revised count="1">2018-11-09</revised>
+ <bug>663654</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/openssl" auto="yes" arch="*">
+ <unaffected range="ge">1.0.2o-r6</unaffected>
+ <vulnerable range="lt">1.0.2o-r6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
+ (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
+ purpose cryptography library.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that OpenSSL allow malicious servers to send very
+ large primes to a client during DH(E) based TLS handshakes.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by sending large prime to client during DH(E) TLS
+ handshake, could possibly cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenSSL users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2o-r6"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0732">CVE-2018-0732</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-08T02:56:32Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2018-11-09T00:24:28Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-04.xml b/metadata/glsa/glsa-201811-04.xml
new file mode 100644
index 000000000000..a32fa0121383
--- /dev/null
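Review bot: The `<affected>` block uses a single `ge`/`lt` pair at 1.0.2o-r6, which classifies every higher version as unaffected regardless of branch. If a newer OpenSSL branch or slot carried the same DH(E) handling before receiving its own fix, range matching would report an install on that branch as clean. That cannot be settled from the hunk and should be checked against the upstream advisory for CVE-2018-0732. If it applies, add a second `<unaffected>`/`<vulnerable>` pair for that branch with its fixed version (`<FIXED_VERSION>`, a placeholder here). The description also has `OpenSSL allow` where `OpenSSL allows` is meant.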
+++ b/metadata/glsa/glsa-201811-04.xml 
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-04">
+ <title>Mozilla Firefox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
+ worst of which may allow execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">firefox</product>
+ <announced>2018-11-09</announced>
+ <revised count="1">2018-11-09</revised>
+ <bug>669430</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge">60.3.0</unaffected>
+ <vulnerable range="lt">60.3.0</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge">60.3.0</unaffected>
+ <vulnerable range="lt">60.3.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla
+ Project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to view a specially crafted web
+ page, possibly resulting in the execution of arbitrary code with the
+ privileges of the process, cause a Denial of Service condition, bypass
+ access restriction, access otherwise protected information.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-60.3.0"
+ </code>
+
+ <p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-60.3.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12389">CVE-2018-12389</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12390">CVE-2018-12390</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12392">CVE-2018-12392</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12393">CVE-2018-12393</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12395">CVE-2018-12395</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12396">CVE-2018-12396</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12397">CVE-2018-12397</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/">
+ Mozilla Foundation Security Advisory 2018-27
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-10-31T21:42:48Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2018-11-09T00:25:06Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-05.xml b/metadata/glsa/glsa-201811-05.xml
new file mode 100644
index 000000000000..f37e9af492b9
--- /dev/null
+++ b/metadata/glsa/glsa-201811-05.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-05">
+ <title>PHProjekt: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in PHProjekt due to
+ embedded Zend Framework, the worst of which could allow attackers to
+ remotely execute arbitrary commands.
+ </synopsis>
+ <product type="ebuild">PHProjekt</product>
+ <announced>2018-11-10</announced>
+ <revised count="1">2018-11-10</revised>
+ <bug>650936</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-apps/phprojekt" auto="yes" arch="*">
+ <vulnerable range="le">6.1.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PHProjekt is an application suite that supports communication and
+ management of teams and companies.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PHProjekt due to
+ embedded Zend Framework. Please review the GLSA identifiers referenced
+ below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Remote attackers could execute arbitrary commands or conduct SQL
+ injection attacks.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for PHProjekt and recommends that users
+ unmerge the package:
+ </p>
+
+ <code>
+ # emerge --unmerge "www-apps/phprojekt"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://security.gentoo.org/glsa/201804-10">GLSA 201804-10</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-10-10T16:56:26Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2018-11-10T00:10:47Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-06.xml b/metadata/glsa/glsa-201811-06.xml
new file mode 100644
index 000000000000..6083ad9ef3d7
--- /dev/null
+++ b/metadata/glsa/glsa-201811-06.xml
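Review bot: `<impact type="normal">` sits above text saying remote attackers could execute arbitrary commands or conduct SQL injection, with no user interaction mentioned, while glsa-201811-09 in this commit rates remote code execution as `high`. If consumers filter or prioritise on the impact type, this advisory may be under-ranked. The rating policy is not visible here, so this is a question for the author rather than a certain error. The description also says `the GLSA identifiers referenced below` although only GLSA 201804-10 is listed, so the singular would be more accurate.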
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-06">
+ <title>libde265: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libde265, the worst of
+ which allows remote attackers to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">libde265</product>
+ <announced>2018-11-10</announced>
+ <revised count="1">2018-11-10</revised>
+ <bug>665520</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libde265" auto="yes" arch="*">
+ <unaffected range="ge">1.0.3</unaffected>
+ <vulnerable range="lt">1.0.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Open h.265 video codec implementation.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libde265. Please review
+ libde265 changelog referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted media
+ file using libde265 or linked applications, possibly resulting in
+ execution of arbitrary code with the privileges of the process or a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libde265 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libde265-1.0.3"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://github.com/strukturag/libde265/compare/v1.0.2...v1.0.3">
+ libde265 v1.03 Changelog
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-09-21T12:42:46Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2018-11-10T00:11:04Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-07.xml b/metadata/glsa/glsa-201811-07.xml
new file mode 100644
index 000000000000..a8cd2f63051d
--- /dev/null
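Review bot: The reference label reads `libde265 v1.03 Changelog`, but the link compares `v1.0.2...v1.0.3` and the affected range is 1.0.3, so the label has dropped a dot and should be `libde265 v1.0.3 Changelog`. The description sends readers to this link for details and no CVE identifier is listed, which makes the label the only human-readable pointer to what was fixed. If CVE ids were assigned for these issues, adding them as `<uri>` entries would let scanners correlate the advisory.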
+++ b/metadata/glsa/glsa-201811-07.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-07">
+ <title>Pango: Denial of Service</title>
+ <synopsis>A vulnerability in Pango could result in a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">pango</product>
+ <announced>2018-11-10</announced>
+ <revised count="1">2018-11-10</revised>
+ <bug>664108</bug>
+ <access>remote</access>
+ <affected>
+ <package name="x11-libs/pango" auto="yes" arch="*">
+ <unaffected range="ge">1.42.4</unaffected>
+ <vulnerable range="lt">1.42.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Library for layout and rendering of internationalized text.</p>
+ </background>
+ <description>
+ <p>Processing certain invalid Emoji sequences in a GTK+ application can
+ trigger a reachable assertion resulting in an application crash.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could provide a specially crafted Emoji sequences,
+ possibly resulting in a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Pango users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-libs/pango-1.42.4"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-15120">CVE-2018-15120</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-08-30T12:31:14Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2018-11-10T00:11:22Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-08.xml b/metadata/glsa/glsa-201811-08.xml
new file mode 100644
index 000000000000..7b0bc67ea86f
--- /dev/null
+++ b/metadata/glsa/glsa-201811-08.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-08">
+ <title>Okular: Directory traversal</title>
+ <synopsis>Okular is vulnerable to a directory traversal attack.</synopsis>
+ <product type="ebuild">Okular</product>
+ <announced>2018-11-10</announced>
+ <revised count="1">2018-11-10</revised>
+ <bug>665662</bug>
+ <access>remote</access>
+ <affected>
+ <package name="kde-apps/okular" auto="yes" arch="*">
+ <unaffected range="ge">18.04.3-r1</unaffected>
+ <vulnerable range="lt">18.04.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Okular is a universal document viewer based on KPDF for KDE 4.</p>
+ </background>
+ <description>
+ <p>It was discovered that Okular contains a Directory Traversal
+ vulnerability in function unpackDocumentArchive() in core/document.cpp.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted Okular
+ archive, possibly allowing the writing of arbitrary files with the
+ privileges of the process.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Okular users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=kde-apps/okular-18.04.3-r1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000801">
+ CVE-2018-1000801
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-10-09T10:06:04Z">Zlogene</metadata>
+ <metadata tag="submitter" timestamp="2018-11-10T00:11:36Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-09.xml b/metadata/glsa/glsa-201811-09.xml
new file mode 100644
index 000000000000..c2c62151e471
--- /dev/null
+++ b/metadata/glsa/glsa-201811-09.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-09">
+ <title>Icecast: Arbitrary code execution</title>
+ <synopsis>A vulnerability in Icecast might allow remote attackers to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">Icecast</product>
+ <announced>2018-11-10</announced>
+ <revised count="1">2018-11-10</revised>
+ <bug>670148</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/icecast" auto="yes" arch="*">
+ <unaffected range="ge">2.4.4</unaffected>
+ <vulnerable range="lt">2.4.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Icecast is an open source alternative to SHOUTcast that supports MP3,
+ OGG (Vorbis/Theora) and AAC streaming.
+ </p>
+ </background>
+ <description>
+ <p>Multiple buffer overflows have been discovered in Icecast. Please review
+ the CVE identifier referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker, by sending a specially crafted request using
+ authentication type “url”, could possibly execute arbitrary code with
+ the privileges of the process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Icecast users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/icecast-2.4.4"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18820">CVE-2018-18820</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-11-08T14:07:15Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2018-11-10T00:11:51Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 00851f29a882..78275940bcba 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@ -Sat, 03 Nov 2018 07:38:35 +0000 +Sun, 18 Nov 2018 08:38:33 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 41fb03066c8c..222bb03a9e88 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -3fe134c9c609fe0fa952396df0dd91b901ef64de 1540938926 2018-10-30T22:35:26+00:00 +d0ed5c4d9d5a03355ab534b5784906e0956ea022 1541809004 2018-11-10T00:16:44+00:00 |