Diffstat (limited to 'metadata/glsa')
81 files changed, 4673 insertions, 19 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index d37d8363faf0..49bc42a5cc48 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 450288 BLAKE2B 3798da941a15fcee18382da626450662d799e35257d8ad4a0b1552a6ddaae69d623b969c7ea2a3ff528f29e7ea6067f37208f6499dc6674753bd8f0bc73ac9b6 SHA512 c989a03018fd5d5d0ec3658457962a1285eb9736eaf370cd03c34b1c2e6807a141280958db2771efc54eda1120570c478512f7e244686722c0c6fc53bcfde64c
-TIMESTAMP 2020-02-29T17:08:56Z
+MANIFEST Manifest.files.gz 462212 BLAKE2B 5776c6001abb402454a2b47a7b9bf3bf9047598d1aece9f78d5b9c3c27b9e2beb04358067b23d0aab0fa3a39a6704dbc7989395dc50e173ff19712be407974d6 SHA512 b5ee2fe405b23fa0d01a4455e021e430490898b9d86f37bdd8cdf6f3e1e612bc5782cde9c380e6d19690d6c9d75154b7ece632c229e69202510fa1255c1cb2a6
+TIMESTAMP 2020-04-12T01:38:57Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl5amqhfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl6ScTFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klCHfxAAmv5fe0cimS/BvBWb68hWQT6uIavQxJAUFxKYrPePg9IuJZunH8wuUJ4+
-11QC13WcNsSOH57LXwJW+3D5UcDeZjCIGbbMeRv5ZSmA6/Yyn52l+bB5rzXpX7ac
-Ic92e3yodi7wdbDXHD90WM/iLSUABuLMLR798uV4Vt3/vakM15MfIERifdMXFUSN
-5pAs2jXmbk+5f8kIwKCnZ+mdD1WfTRJ5q1bmAljoqqq5sbr2GRilHBdntooO1BC4
-b51CcbXLwMPOQjehZRH70aDfNYzinbAF8kmi3ADXsrpghv02GBwA0NQnfyPRc+OM
-9qOOl0XoXhMj7i+rKCBWBDzXgk9MmDwe03twMSeSqiZtYcK0MMJT2QKdjw+TfJ58
-6ZbR64V3tvOL0iW6UZsqU0+4hO7q/9LMhAO70s/YHdCi+ZtPK1bz7WJpHd/4MgtV
-rp0paRLbwLlp+nwuP62vBvGmZupkmj9Np1YR7/+oTc6yNhNSKn0l/E9k1k6rsZIJ
-sLXi20A4H8KslGzDlDzHlOWz1gH4IccRr0gCLqhovYvPtbi5qPis+dvtfBOhJYr8
-69VpqzYyDApC8COokXla1AEc9jkg79BYvLAFav+6i6e0OYf2j/9fdmH+LKsusmhx
-WG9WQUoXUE0T1X2MzeGwZMqzZzwNwOA9e7XnJz8Hk27zmmGjhYw=
-=Hcmt
+klA2DRAAiTm99vhWjrVbLyTspLIxWs+f341vqhSR6EQ84k1H/pKRoeywOosu+v3R
+BdECknFaydhSJg47U8hdOxn3DDywQy//55TuTN40jUS/kWyrEIMhpiRz3PvIl7Gl
+coLa52mwdV6GLywJKcsZwn1T0S3ttMDnmlBWn/EYnkOvbXV1vrn32obvcUbaUMMP
+C/ha+l2syTF73FJqr1EEjzq2aFxvcJNtojuHhNqeyfwJe+PEI0juLfMehrlucSsd
+7+zAk+srYuBo6p0KrOwXno5Uj4griXaT7JJhe2t78ruqwHOMwQQzF0f8l/hRHs3O
+p6dKK4cyAbU03tGCfAuw9BPyCYlGCDzJbD1GPmfM5FP4ywFZxWHG+enfgoUjFwvI
+Q2YiBT/sRzajy0jjbS/XZZ4CabIQPI40+WRyEatcrEx3IoiwcpMbiwngwlqVg4wf
+YLAAWIGcsQiCD42TbY1UOXApUT4eVLRQHPVK/gVJGQeF8ODRh+I5Ie2kC3oi5yGN
+8APaSiS1jGARXWcNc5PhVlkNUW6TtE6AWciUwVlM7S2112Hy27/2TrW4UEzHyvWX
+5HMwTGblMzdSpSlerwjF2HikolBD7KbmqmFJzvPD78LbibRib2F3P+7I40v67Uoc
+MP/sUqUU3ZOMwAO/YUV5tj+MDxqhESs+O/HHbXWgc89AZjGjMmk=
+=PlQ9
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
Binary files differ
index 07b7a7ec9a25..e387e538aea7 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
diff --git a/metadata/glsa/glsa-201807-03.xml b/metadata/glsa/glsa-201807-03.xml
index f6a41e2fa62d..60ab861e112d 100644
--- a/metadata/glsa/glsa-201807-03.xml
+++ b/metadata/glsa/glsa-201807-03.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201807-03">
- <title>ZNC:Multiple Vulnerabilities</title>
+ <title>ZNC: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ZNC, the worst of which could result in privilege escalation.
</synopsis>
diff --git a/metadata/glsa/glsa-201807-04.xml b/metadata/glsa/glsa-201807-04.xml
index 38cedbc06c3c..4c7b0637d0f1 100644
--- a/metadata/glsa/glsa-201807-04.xml
+++ b/metadata/glsa/glsa-201807-04.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201807-04">
- <title>cURL:Heap-based Buffer Overflow </title>
+ <title>cURL: Heap-based buffer overflow</title>
<synopsis>A heap-based buffer overflow in cURL might allow remote attackers to execute arbitrary code.
</synopsis>
diff --git a/metadata/glsa/glsa-202003-01.xml b/metadata/glsa/glsa-202003-01.xml
new file mode 100644
index 000000000000..6a4beffcf47b
--- /dev/null
+++ b/metadata/glsa/glsa-202003-01.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-01">
+ <title>Groovy: Arbitrary code execution</title>
+ <synopsis>A vulnerability within serialization might allow remote attackers
+ to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">groovy</product>
+ <announced>2020-03-07</announced>
+ <revised count="3">2020-03-12</revised>
+ <bug>605690</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/groovy" auto="yes" arch="*">
+ <vulnerable range="le">2.4.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A multi-faceted language for the Java platform</p>
+ </background>
+ <description>
+ <p>It was discovered that there was a vulnerability within the Java
+ serialization/deserialization process.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker, by crafting a special serialized object, could execute
+ arbitrary code.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Groovy. We recommend that users
+ unmerge Groovy:
+ </p>
+
+ <code>
+ # emerge --unmerge "dev-java/groovy"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-6814">CVE-2016-6814</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-09-15T02:25:56Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2020-03-12T19:07:51Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-02.xml b/metadata/glsa/glsa-202003-02.xml
new file mode 100644
index 000000000000..38ac4d055367
--- /dev/null
+++ b/metadata/glsa/glsa-202003-02.xml
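Review bot: The `<description>` of glsa-202003-01 leaves out the precondition that the `<impact>` paragraph relies on: "crafting a special serialized object" only reaches code execution when an application deserializes attacker-supplied Java serialization data while Groovy is on its classpath, and readers deciding whether they are exposed need that stated, e.g. `<p>It was discovered that an application which deserializes untrusted Java serialization data while Groovy is on its classpath could be made to execute arbitrary code.</p>`. The unmerge resolution with a bare `<vulnerable range="le">2.4.5</vulnerable>` and no `<unaffected>` entry is consistent with the package being dropped, but a sentence noting that copies of Groovy bundled by other packages or pulled in by build tools are outside what glsa-check reports would stop readers from taking "unmerge" as full remediation of the CVE.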
@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-02">
+ <title>Mozilla Firefox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
+ worst of which may allow execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">firefox</product>
+ <announced>2020-03-12</announced>
+ <revised count="2">2020-03-12</revised>
+ <bug>702638</bug>
+ <bug>705000</bug>
+ <bug>709346</bug>
+ <bug>712182</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge">68.6.0</unaffected>
+ <vulnerable range="lt">68.6.0</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge">68.6.0</unaffected>
+ <vulnerable range="lt">68.6.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla
+ Project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to view a specially crafted web
+ page, possibly resulting in the execution of arbitrary code with the
+ privileges of the process or a Denial of Service condition. Furthermore,
+ a remote attacker may be able to perform Man-in-the-Middle attacks,
+ obtain sensitive information, spoof the address bar, conduct clickjacking
+ attacks, bypass security restrictions and protection mechanisms, or have
+ other unspecified impact.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-68.6.0"
+ </code>
+
+ <p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-68.6.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11745">CVE-2019-11745</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17005">CVE-2019-17005</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17008">CVE-2019-17008</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17010">CVE-2019-17010</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17011">CVE-2019-17011</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17012">CVE-2019-17012</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17016">CVE-2019-17016</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17017">CVE-2019-17017</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17022">CVE-2019-17022</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17024">CVE-2019-17024</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17026">CVE-2019-17026</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20503">CVE-2019-20503</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6796">CVE-2020-6796</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6797">CVE-2020-6797</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6798">CVE-2020-6798</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6799">CVE-2020-6799</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6800">CVE-2020-6800</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2020-6805">CVE-2020-6805</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6806">CVE-2020-6806</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6807">CVE-2020-6807</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6811">CVE-2020-6811</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6812">CVE-2020-6812</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6814">CVE-2020-6814</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/">
+ MFSA-2019-37
+ </uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/">
+ MFSA-2020-03
+ </uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/">
+ MFSA-2020-06
+ </uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/">
+ MFSA-2020-09
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-07T16:47:24Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2020-03-12T19:17:30Z">BlueKnight</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-03.xml b/metadata/glsa/glsa-202003-03.xml
new file mode 100644
index 000000000000..65df80e511e4
--- /dev/null
+++ b/metadata/glsa/glsa-202003-03.xml
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-03">
+ <title>PostgreSQL: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in PostgreSQL, the worst
+ of which could result in the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">postgresql</product>
+ <announced>2020-03-12</announced>
+ <revised count="2">2020-03-12</revised>
+ <bug>685846</bug>
+ <bug>688420</bug>
+ <bug>709708</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-db/postgresql" auto="yes" arch="*">
+ <unaffected range="ge" slot="9.4">9.4.26</unaffected>
+ <unaffected range="ge" slot="9.5">9.5.21</unaffected>
+ <unaffected range="ge" slot="9.6">9.6.17</unaffected>
+ <unaffected range="ge" slot="10">10.12</unaffected>
+ <unaffected range="ge" slot="11">11.7</unaffected>
+ <unaffected range="ge" slot="12">12.2</unaffected>
+ <vulnerable range="lt" slot="9.4">9.4.26</vulnerable>
+ <vulnerable range="lt" slot="9.5">9.5.21</vulnerable>
+ <vulnerable range="lt" slot="9.6">9.6.17</vulnerable>
+ <vulnerable range="lt" slot="10">10.12</vulnerable>
+ <vulnerable range="lt" slot="11">11.7</vulnerable>
+ <vulnerable range="lt" slot="12">12.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PostgreSQL is an open source object-relational database management
+ system.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PostgreSQL. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, bypass certain client-side connection security
+ features, read arbitrary server memory, alter certain data or cause a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PostgreSQL 9.4.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.26:9.4"
+ </code>
+
+ <p>All PostgreSQL 9.5.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.21:9.5"
+ </code>
+
+ <p>All PostgreSQL 9.6.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.17:9.6"
+ </code>
+
+ <p>All PostgreSQL 10.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.12:10"
+ </code>
+
+ <p>All PostgreSQL 11.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.7:11"
+ </code>
+
+ <p>All PostgreSQL 12.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.2:12"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10129">CVE-2019-10129</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10130">CVE-2019-10130</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10164">CVE-2019-10164</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1720">CVE-2020-1720</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-10-26T23:59:26Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-12T20:20:41Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-04.xml b/metadata/glsa/glsa-202003-04.xml
new file mode 100644
index 000000000000..c822e21abf22
--- /dev/null
+++ b/metadata/glsa/glsa-202003-04.xml
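Review bot: The six upgrade blocks in the `<resolution>` of glsa-202003-03 install the fixed packages but never say that the running server must be restarted, and the impact here is on the server process, so a postmaster started before the upgrade keeps running the vulnerable code; add after the last `<code>` block something like `<p>Running PostgreSQL instances must be restarted after the upgrade for the fix to take effect.</p>`. The `<access>` element says `local, remote` while the impact paragraph attributes every effect to "a remote attacker"; if some of the referenced CVEs require an existing database role, which the `local` value suggests, the impact text should say which effects need an authenticated session rather than reading as unauthenticated remote code execution.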
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-04">
+ <title>Vim, gVim: Remote execution of arbitrary code</title>
+ <synopsis>A vulnerability has been found in Vim and gVim concerning how
+ certain modeline options are treated.
+ </synopsis>
+ <product type="ebuild">vim,gvim</product>
+ <announced>2020-03-12</announced>
+ <revised count="1">2020-03-12</revised>
+ <bug>687394</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-editors/vim" auto="yes" arch="*">
+ <unaffected range="ge">8.1.1486</unaffected>
+ <vulnerable range="lt">8.1.1486</vulnerable>
+ </package>
+ <package name="app-editors/gvim" auto="yes" arch="*">
+ <unaffected range="ge">8.1.1486</unaffected>
+ <vulnerable range="lt">8.1.1486</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Vim is an efficient, highly configurable improved version of the classic
+ ‘vi’ text editor. gVim is the GUI version of Vim.
+ </p>
+ </background>
+ <description>
+ <p>
+ It was found that the <code>:source!</code> command was not restricted by
+ the sandbox mode. If modeline was explicitly enabled, opening a specially
+ crafted text file in vim could result in arbitrary command execution.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted file
+ using Vim or gVim, possibly resulting in execution of arbitrary code with
+ the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Vim users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-editors/vim-8.1.1486"
+ </code>
+
+ <p>All gVim users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-editors/gvim-8.1.1486"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12735">CVE-2019-12735</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-10-27T00:04:29Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-12T20:37:36Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-05.xml b/metadata/glsa/glsa-202003-05.xml
new file mode 100644
index 000000000000..ee3c3f3c4499
--- /dev/null
+++ b/metadata/glsa/glsa-202003-05.xml
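Review bot: The `<workaround>` of glsa-202003-04 says there is none, but the `<description>` in the same file states the attack only works "If modeline was explicitly enabled", so turning modelines off is a workaround the advisory should give: `<p>Disable modeline processing by setting <code>nomodeline</code> in the user's or system vimrc until the update is installed.</p>`. The description already uses `<code>` inside `<p>`, so that markup is available. It would also help readers to say whether the vimrc shipped by Gentoo leaves modelines disabled by default, since that decides whether a stock install is exposed before any user configuration.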
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-05">
+ <title>e2fsprogs: Arbitrary code execution</title>
+ <synopsis>A vulnerability in e2fsprogs might allow an attacker to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">e2fsprogs</product>
+ <announced>2020-03-13</announced>
+ <revised count="1">2020-03-13</revised>
+ <bug>695522</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="sys-fs/e2fsprogs" auto="yes" arch="*">
+ <unaffected range="ge">1.45.4</unaffected>
+ <vulnerable range="lt">1.45.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>e2fsprogs is a set of utilities for maintaining the ext2, ext3 and ext4
+ file systems.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that e2fsprogs incorrectly handled certain ext4
+ partitions.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to process a specially crafted
+ corrupted file system using e2fsck, possibly resulting in execution of
+ arbitrary code with the privileges of the process or a Denial of Service
+ condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All e2fsprogs users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-fs/e2fsprogs-1.45.4"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5094">CVE-2019-5094</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-10-29T10:09:38Z">ackle</metadata>
+ <metadata tag="submitter" timestamp="2020-03-13T01:50:25Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-06.xml b/metadata/glsa/glsa-202003-06.xml
new file mode 100644
index 000000000000..8dd5cbb7ee92
--- /dev/null
+++ b/metadata/glsa/glsa-202003-06.xml
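Review bot: The `<description>` of glsa-202003-05, "incorrectly handled certain ext4 partitions", gives a reader nothing to act on; it should at least name what the `<impact>` paragraph depends on, that e2fsck can presumably be driven into memory corruption by a crafted file system image, with the exact component taken from the referenced CVE entry rather than guessed here. The impact's "entice a user to process" framing also understates exposure: e2fsck commonly runs without any user decision, by the boot-time fsck or when a removable device is checked automatically, and a sentence to that effect belongs in `<impact>` so the `local, remote` access value is explained.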
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-06">
+ <title>Ruby: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Ruby, the worst of
+ which could lead to the remote execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">ruby</product>
+ <announced>2020-03-13</announced>
+ <revised count="1">2020-03-13</revised>
+ <bug>696004</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/ruby" auto="yes" arch="*">
+ <unaffected range="ge" slot="2.4">2.4.9</unaffected>
+ <unaffected range="ge" slot="2.5">2.5.7</unaffected>
+ <vulnerable range="lt" slot="2.4">2.4.9</vulnerable>
+ <vulnerable range="lt" slot="2.5">2.5.7</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ruby is an interpreted object-oriented programming language. The
+ elaborate standard library includes an HTTP server (“WEBRick”) and a
+ class for XML parsing (“REXML”).
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Ruby. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could execute arbitrary code, have unauthorized access
+ by bypassing intended path matching or cause a Denial of Service
+ condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Ruby 2.4.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.4.9:2.4"
+ </code>
+
+ <p>All Ruby 2.5.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.5.7:2.5"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15845">CVE-2019-15845</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16201">CVE-2019-16201</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16254">CVE-2019-16254</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16255">CVE-2019-16255</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-10-26T17:40:41Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-13T02:29:30Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-07.xml b/metadata/glsa/glsa-202003-07.xml
new file mode 100644
index 000000000000..ef7f30132b20
--- /dev/null
+++ b/metadata/glsa/glsa-202003-07.xml
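Review bot: The `<affected>` block of glsa-202003-06 lists only the 2.4 and 2.5 slots, so glsa-check treats any `dev-lang/ruby:2.6` install as unaffected, even though the four referenced CVEs are interpreter-wide and, as far as I recall, upstream's fix release for them covered the 2.6 line as well. If a 2.6 slot is in the tree at this point it needs its own `<unaffected range="ge" slot="2.6">` / `<vulnerable range="lt" slot="2.6">` pair with the fixed 2.6 version and a matching upgrade block in `<resolution>`; if it is deliberately left out, a sentence in the description saying why would stop readers from assuming 2.6 is clean.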
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-07">
+ <title>RabbitMQ C client: Arbitrary code execution</title>
+ <synopsis>A vulnerability in RabbitMQ C client might allow an attacker to
+ execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">rabbitmq-c</product>
+ <announced>2020-03-13</announced>
+ <revised count="1">2020-03-13</revised>
+ <bug>701810</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/rabbitmq-c" auto="yes" arch="*">
+ <unaffected range="ge">0.10.0</unaffected>
+ <vulnerable range="lt">0.10.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A C-language AMQP client library for use with v2.0+ of the RabbitMQ
+ broker.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that RabbitMQ C client incorrectly handled certain
+ inputs.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker, by sending a specially crafted request, could
+ possibly execute arbitrary code with the privileges of the process or
+ cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All RabbitMQ C client users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/rabbitmq-c-0.10.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18609">CVE-2019-18609</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-12-26T15:20:01Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-13T02:48:45Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-08.xml b/metadata/glsa/glsa-202003-08.xml
new file mode 100644
index 000000000000..2860dda152c1
--- /dev/null
+++ b/metadata/glsa/glsa-202003-08.xml
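Review bot: The `<impact>` of glsa-202003-07 says "a remote attacker, by sending a specially crafted request", but the `<background>` in the same file describes rabbitmq-c as the AMQP client library, so the crafted data is parsed on the client side and arrives from the broker end of the connection; the attacker model should be stated accordingly, e.g. `<p>A malicious or compromised AMQP broker, or an attacker able to tamper with the connection to it, could send specially crafted frames to an application using this library, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.</p>`. The `<resolution>` should also say that applications linking the library need to be restarted after the upgrade, since replacing the shared library on disk does not fix processes that already have the old copy mapped.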
@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-08">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could allow remote attackers to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">chromium,google-chrome</product>
+ <announced>2020-03-13</announced>
+ <revised count="1">2020-03-13</revised>
+ <bug>699676</bug>
+ <bug>700588</bug>
+ <bug>702498</bug>
+ <bug>703286</bug>
+ <bug>704960</bug>
+ <bug>705638</bug>
+ <bug>708322</bug>
+ <bug>710760</bug>
+ <bug>711570</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">80.0.3987.132</unaffected>
+ <vulnerable range="lt">80.0.3987.132</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">80.0.3987.132</unaffected>
+ <vulnerable range="lt">80.0.3987.132</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the referenced CVE identifiers and Google Chrome
+ Releases for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker could execute arbitrary code, escalate privileges,
+ obtain sensitive information, spoof an URL or cause a Denial of Service
+ condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/chromium-80.0.3987.132"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/google-chrome-80.0.3987.132"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13723">CVE-2019-13723</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13724">CVE-2019-13724</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13725">CVE-2019-13725</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13726">CVE-2019-13726</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13727">CVE-2019-13727</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13728">CVE-2019-13728</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13729">CVE-2019-13729</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13730">CVE-2019-13730</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13732">CVE-2019-13732</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13734">CVE-2019-13734</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13735">CVE-2019-13735</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13736">CVE-2019-13736</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13737">CVE-2019-13737</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13738">CVE-2019-13738</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13739">CVE-2019-13739</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13740">CVE-2019-13740</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13741">CVE-2019-13741</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2019-13742">CVE-2019-13742</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13743">CVE-2019-13743</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13744">CVE-2019-13744</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13745">CVE-2019-13745</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13746">CVE-2019-13746</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13747">CVE-2019-13747</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13748">CVE-2019-13748</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13749">CVE-2019-13749</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13750">CVE-2019-13750</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13751">CVE-2019-13751</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13752">CVE-2019-13752</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13753">CVE-2019-13753</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13754">CVE-2019-13754</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13755">CVE-2019-13755</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13756">CVE-2019-13756</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13757">CVE-2019-13757</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13758">CVE-2019-13758</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13759">CVE-2019-13759</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13761">CVE-2019-13761</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13762">CVE-2019-13762</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13763">CVE-2019-13763</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13764">CVE-2019-13764</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13767">CVE-2019-13767</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6377">CVE-2020-6377</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2020-6378">CVE-2020-6378</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6379">CVE-2020-6379</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6380">CVE-2020-6380</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6381">CVE-2020-6381</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6382">CVE-2020-6382</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6385">CVE-2020-6385</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6387">CVE-2020-6387</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6388">CVE-2020-6388</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6389">CVE-2020-6389</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6390">CVE-2020-6390</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6391">CVE-2020-6391</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6392">CVE-2020-6392</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6393">CVE-2020-6393</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6394">CVE-2020-6394</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6395">CVE-2020-6395</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6396">CVE-2020-6396</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6397">CVE-2020-6397</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6398">CVE-2020-6398</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6399">CVE-2020-6399</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6400">CVE-2020-6400</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6401">CVE-2020-6401</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6402">CVE-2020-6402</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6403">CVE-2020-6403</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6404">CVE-2020-6404</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2020-6406">CVE-2020-6406</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6407">CVE-2020-6407</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6408">CVE-2020-6408</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6409">CVE-2020-6409</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6410">CVE-2020-6410</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6411">CVE-2020-6411</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6412">CVE-2020-6412</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6413">CVE-2020-6413</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6414">CVE-2020-6414</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6415">CVE-2020-6415</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6416">CVE-2020-6416</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6418">CVE-2020-6418</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6420">CVE-2020-6420</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-01T17:56:52Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-13T03:16:21Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-09.xml b/metadata/glsa/glsa-202003-09.xml
new file mode 100644
index 000000000000..60427a9d7ac9
--- /dev/null
+++ b/metadata/glsa/glsa-202003-09.xml
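Review bot: Both `<code>` blocks in the `<resolution>` of glsa-202003-08 split the emerge command over two lines — `# emerge --ask --oneshot --verbose` on one line and `">=www-client/chromium-80.0.3987.132"` on the next — whereas every other advisory in this commit keeps the atom on the command line; pasted as shown, the first line runs emerge with no atom and the second line is not a command at all. Join them as `# emerge --ask --oneshot --verbose ">=www-client/chromium-80.0.3987.132"` and `# emerge --ask --oneshot --verbose ">=www-client/google-chrome-80.0.3987.132"`, even if the lines then exceed the wrap width used elsewhere in the file.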
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-09">
+ <title>OpenID library for Ruby: Server-Side Request Forgery</title>
+ <synopsis>A vulnerability in OpenID library for Ruby at worst might allow an
+ attacker to bypass authentication.
+ </synopsis>
+ <product type="ebuild">ruby-openid</product>
+ <announced>2020-03-14</announced>
+ <revised count="2">2020-03-14</revised>
+ <bug>698464</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-ruby/ruby-openid" auto="yes" arch="*">
+ <unaffected range="ge">2.9.2</unaffected>
+ <vulnerable range="lt">2.9.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A Ruby library for verifying and serving OpenID identities.</p>
+ </background>
+ <description>
+ <p>It was discovered that OpenID library for Ruby performed discovery
+ first, and then verification.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker could possibly change the URL used for discovery and
+ trick the server into connecting to the URL. This server in turn could be
+ a private server not
+ publicly accessible.
+ </p>
+
+ <p>In addition, if the client that uses this library discloses connection
+ errors, this in turn could disclose information from the private server
+ to the attacker.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ruby-openid users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-ruby/ruby-openid-2.9.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11027">CVE-2019-11027</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-13T02:03:43Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-14T16:10:29Z">whissi</metadata>
+</glsa>
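Review bot: The synopsis claims the flaw "at worst might allow an attacker to bypass authentication", but the `<impact>` section only describes SSRF against non-public servers and leakage of connection errors; if the upstream advisory does describe an authentication bypass the impact text should say how, otherwise the synopsis should be narrowed, e.g. `at worst might allow an attacker to conduct Server-Side Request Forgery`. Separately, every new advisory in this diff (202003-09 through 202003-24) opens with `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, an external DTD reference over plain HTTP; that is the established GLSA format rather than something to change here, but any tooling that consumes these files should parse them with external DTD and entity resolution disabled instead of fetching that URL.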
diff --git a/metadata/glsa/glsa-202003-10.xml b/metadata/glsa/glsa-202003-10.xml
new file mode 100644
index 000000000000..f14245582c42
--- /dev/null
+++ b/metadata/glsa/glsa-202003-10.xml
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-10">
+ <title>Mozilla Thunderbird: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird,
+ the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">thunderbird</product>
+ <announced>2020-03-14</announced>
+ <revised count="1">2020-03-14</revised>
+ <bug>698516</bug>
+ <bug>702638</bug>
+ <bug>709350</bug>
+ <bug>712518</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">68.6.0</unaffected>
+ <vulnerable range="lt">68.6.0</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">68.6.0</unaffected>
+ <vulnerable range="lt">68.6.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the
+ Mozilla project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker may be able to execute arbitrary code, cause a Denial
+ of Service condition, obtain sensitive information, or conduct Cross-Site
+ Request Forgery (CSRF).
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-68.6.0"
+ </code>
+
+ <p>All Mozilla Thunderbird binary users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=mail-client/thunderbird-bin-68.6.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/">
+ MFSA-2019-35
+ </uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/">
+ MFSA-2019-37
+ </uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/">
+ MFSA-2020-07
+ </uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/">
+ MFSA-2020-10
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11745">CVE-2019-11745</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11757">CVE-2019-11757</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11759">CVE-2019-11759</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11760">CVE-2019-11760</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11761">CVE-2019-11761</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11762">CVE-2019-11762</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11763">CVE-2019-11763</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11764">CVE-2019-11764</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17005">CVE-2019-17005</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17008">CVE-2019-17008</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17010">CVE-2019-17010</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17011">CVE-2019-17011</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17012">CVE-2019-17012</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20503">CVE-2019-20503</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6792">CVE-2020-6792</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6793">CVE-2020-6793</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6794">CVE-2020-6794</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6795">CVE-2020-6795</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6798">CVE-2020-6798</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6800">CVE-2020-6800</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6805">CVE-2020-6805</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6806">CVE-2020-6806</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6807">CVE-2020-6807</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6811">CVE-2020-6811</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6812">CVE-2020-6812</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6814">CVE-2020-6814</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-02-23T05:31:39Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2020-03-14T16:01:40Z">BlueKnight</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-11.xml b/metadata/glsa/glsa-202003-11.xml
new file mode 100644
index 000000000000..d8f1f2bd9813
--- /dev/null
+++ b/metadata/glsa/glsa-202003-11.xml
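Review bot: The second `<code>` block in `<resolution>` splits one command over two lines, `# emerge --ask --oneshot --verbose` followed by `">=mail-client/thunderbird-bin-68.6.0"`; a reader who copies the block line by line runs emerge with no target and then a quoted atom as a command. If the wrap is only for the 80-column convention, a trailing backslash on the first line, `# emerge --ask --oneshot --verbose \`, keeps the rendered block copy-pasteable while staying within width.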
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-11">
+ <title>SVG Salamander: Server-Side Request Forgery</title>
+ <synopsis>A SSRF may allow remote attackers to forge illegitimate requests.</synopsis>
+ <product type="ebuild">svgsalamander</product>
+ <announced>2020-03-14</announced>
+ <revised count="1">2020-03-14</revised>
+ <bug>607720</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/svgsalamander" auto="yes" arch="*">
+ <vulnerable range="le">0.0-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>SVG Salamander is a light weight SVG renderer and animator for Java.</p>
+ </background>
+ <description>
+ <p>A Server-Side Request Forgery was discovered in SVG Salamander.</p>
+ </description>
+ <impact type="normal">
+ <p>An attacker, by sending a specially crafted SVG file, can conduct SSRF.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for SVG Salamander. We recommend that
+ users unmerge SVG Salamander:
+ </p>
+
+ <code>
+ # emerge --unmerge "dev-java/svgsalamander"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-5617">CVE-2017-5617</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-09-15T02:33:02Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2020-03-14T16:07:50Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-12.xml b/metadata/glsa/glsa-202003-12.xml
new file mode 100644
index 000000000000..4232a5655da1
--- /dev/null
+++ b/metadata/glsa/glsa-202003-12.xml
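Review bot: The synopsis `A SSRF may allow remote attackers to forge illegitimate requests.` should read `An SSRF ...`, and "forge illegitimate requests" is vaguer than the impact line; `An SSRF may allow an attacker to make the application issue requests to attacker-chosen servers.` says the same thing more precisely. The `<affected>` block lists only `<vulnerable range="le">0.0-r2</vulnerable>` with no `<unaffected>` entry, which correctly marks every version vulnerable and matches the unmerge-only resolution; a sentence in `<resolution>` stating that no fixed version is available would make that explicit for readers who skip the affected table.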
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-12">
+ <title>sudo: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in sudo, the worst of
+ which could result in privilege escalation.
+ </synopsis>
+ <product type="ebuild">sudo</product>
+ <announced>2020-03-14</announced>
+ <revised count="1">2020-03-14</revised>
+ <bug>697462</bug>
+ <bug>707574</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-admin/sudo" auto="yes" arch="*">
+ <unaffected range="ge">1.8.31</unaffected>
+ <vulnerable range="lt">1.8.31</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>sudo (su “do”) allows a system administrator to delegate authority
+ to give certain users (or groups of users) the ability to run some (or
+ all) commands as root or another user while providing an audit trail of
+ the commands and their arguments.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in sudo. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A local attacker could expose or corrupt memory information, inject code
+ to be run as a root user or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All sudo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.31"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14287">CVE-2019-14287</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18634">CVE-2019-18634</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-02-29T15:42:31Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-14T16:20:57Z">whissi</metadata>
+</glsa>
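Review bot: The impact wording `expose or corrupt memory information, inject code to be run as a root user` is garbled and, as I understand the two referenced CVEs, does not describe them: CVE-2019-14287 is a Runas policy bypass (a user permitted to run a command as any user except root could still run it as root) and CVE-2019-18634 is a stack-based buffer overflow in the `pwfeedback` password-echo code. Suggested impact text: `A local attacker could bypass a Runas restriction to run commands as root or, where pwfeedback is enabled in sudoers, trigger a buffer overflow possibly resulting in privilege escalation or a Denial of Service condition.` Since `pwfeedback` is off by default and can be removed from sudoers, `There is no known workaround at this time.` is also questionable for the overflow; please confirm both points against the upstream advisories before merging.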
diff --git a/metadata/glsa/glsa-202003-13.xml b/metadata/glsa/glsa-202003-13.xml
new file mode 100644
index 000000000000..4eabdcd70b9b
--- /dev/null
+++ b/metadata/glsa/glsa-202003-13.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-13">
+ <title>musl: x87 floating-point stack adjustment imbalance</title>
+ <synopsis>An x87 stack handling error in musl might allow an attacker to have
+ an application dependent impact.
+ </synopsis>
+ <product type="ebuild">musl</product>
+ <announced>2020-03-14</announced>
+ <revised count="2">2020-03-15</revised>
+ <bug>711276</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="sys-libs/musl" auto="yes" arch="*">
+ <unaffected range="ge">1.1.24</unaffected>
+ <vulnerable range="lt">1.1.24</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>musl is an implementation of the C standard library built on top of the
+ Linux system call API, including interfaces defined in the base language
+ standard, POSIX, and widely agreed-upon extensions.
+ </p>
+ </background>
+ <description>
+ <p>A flaw in musl libc’s arch-specific math assembly code for i386 was
+ found which can lead to x87 stack overflow in the execution of subsequent
+ math code.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Impact depends on how the application built against musl libc handles
+ the ABI-violating x87 state.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All musl users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-libs/musl-1.1.24"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14697">CVE-2019-14697</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-03T20:43:59Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T00:52:05Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-14.xml b/metadata/glsa/glsa-202003-14.xml
new file mode 100644
index 000000000000..a209c716b4b9
--- /dev/null
+++ b/metadata/glsa/glsa-202003-14.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-14">
+ <title>atftp: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in atftp, the worst of
+ which could result in the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">atftp</product>
+ <announced>2020-03-14</announced>
+ <revised count="1">2020-03-14</revised>
+ <bug>711630</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-ftp/atftp" auto="yes" arch="*">
+ <unaffected range="ge">0.7.2</unaffected>
+ <vulnerable range="lt">0.7.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>atftp is a client/server implementation of the TFTP protocol that
+ implements RFCs 1350, 2090, 2347, 2348, and 2349.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in atftp. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker could send a specially crafted packet to an atftp
+ instance, possibly resulting in the execution of arbitrary code with the
+ privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All atftp users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-ftp/atftp-0.7.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11365">CVE-2019-11365</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11366">CVE-2019-11366</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-08T00:17:16Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-14T16:48:02Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-15.xml b/metadata/glsa/glsa-202003-15.xml
new file mode 100644
index 000000000000..6ed03f0156b4
--- /dev/null
+++ b/metadata/glsa/glsa-202003-15.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-15">
+ <title>ICU: Integer overflow</title>
+ <synopsis>An integer overflow flaw in ICU could possibly allow for the
+ execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">ICU</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>710758</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-libs/icu" auto="yes" arch="*">
+ <unaffected range="ge">65.1-r1</unaffected>
+ <vulnerable range="lt">65.1-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>ICU is a mature, widely used set of C/C++ and Java libraries providing
+ Unicode and Globalization support for software applications.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that ICU’s UnicodeString::doAppend() function is
+ vulnerable to an integer overflow. Please review the CVE identifiers
+ referenced below for more details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to process a specially crafted
+ string in an application linked against ICU, possibly resulting in
+ execution of arbitrary code with the privileges of the process or a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ICU users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/icu-65.1-r1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10531">CVE-2020-10531</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T01:07:26Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T01:36:26Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-16.xml b/metadata/glsa/glsa-202003-16.xml
new file mode 100644
index 000000000000..0e89f97242b7
--- /dev/null
+++ b/metadata/glsa/glsa-202003-16.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-16">
+ <title>SQLite: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in SQLite, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">sqlite</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>697678</bug>
+ <bug>711526</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-db/sqlite" auto="yes" arch="*">
+ <unaffected range="ge">3.31.1</unaffected>
+ <vulnerable range="lt">3.31.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>SQLite is a C library that implements an SQL database engine.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in SQLite. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SQLite users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.31.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16168">CVE-2019-16168</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5827">CVE-2019-5827</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9327">CVE-2020-9327</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T01:58:17Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T02:02:12Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-17.xml b/metadata/glsa/glsa-202003-17.xml
new file mode 100644
index 000000000000..42fa05e08494
--- /dev/null
+++ b/metadata/glsa/glsa-202003-17.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-17">
+ <title>nfdump: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in nfdump, the worst of
+ which could result in the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">nfsdump</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>711316</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="net-analyzer/nfdump" auto="yes" arch="*">
+ <unaffected range="ge">1.6.19</unaffected>
+ <vulnerable range="lt">1.6.19</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>nfdump is a toolset in order to collect and process netflow and sflow
+ data, sent from netflow/sflow compatible devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in nfdump. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by sending specially crafted netflow/sflow data,
+ could possibly execute arbitrary code with the privileges of the process
+ or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All nfdump users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/nfdump-1.6.19"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1010057">
+ CVE-2019-1010057
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14459">CVE-2019-14459</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T02:20:52Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T02:25:05Z">whissi</metadata>
+</glsa>
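Review bot: `<product type="ebuild">nfsdump</product>` does not match the package this advisory covers; the title says nfdump and the affected package is `net-analyzer/nfdump`, so it should read `<product type="ebuild">nfdump</product>`. Anything that keys on the product field, such as advisory search or indexing, would otherwise fail to associate this GLSA with nfdump.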
diff --git a/metadata/glsa/glsa-202003-18.xml b/metadata/glsa/glsa-202003-18.xml
new file mode 100644
index 000000000000..26f12a64feb7
--- /dev/null
+++ b/metadata/glsa/glsa-202003-18.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-18">
+ <title>libvirt: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in libvirt, the worst
+ of which may result in the execution of arbitrary commands.
+ </synopsis>
+ <product type="ebuild">libvirt</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>711306</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-emulation/libvirt" auto="yes" arch="*">
+ <unaffected range="ge">5.4.1</unaffected>
+ <vulnerable range="lt">5.4.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libvirt is a C toolkit for manipulating virtual machines.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libvirt. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A local privileged attacker could execute arbitrary commands, escalate
+ privileges or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libvirt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/libvirt-5.4.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10161">CVE-2019-10161</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10166">CVE-2019-10166</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10167">CVE-2019-10167</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10168">CVE-2019-10168</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T02:39:16Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T02:42:25Z">whissi</metadata>
+</glsa>
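Review bot: `A local privileged attacker` in the impact section states the wrong precondition if I read the four referenced CVEs correctly: they are missing access-control checks on libvirt APIs reachable over a read-only connection, so the attacker needs only read-only access to libvirtd, not elevated privileges. Suggest `A local attacker with read-only access to libvirtd could execute arbitrary commands with the privileges of libvirtd, escalate privileges or cause a Denial of Service condition.` and confirming the wording against the upstream advisories. `<access>local</access>` is consistent with either reading.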
diff --git a/metadata/glsa/glsa-202003-19.xml b/metadata/glsa/glsa-202003-19.xml
new file mode 100644
index 000000000000..30fa979f684d
--- /dev/null
+++ b/metadata/glsa/glsa-202003-19.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-19">
+ <title>PPP: Buffer overflow</title>
+ <synopsis>A buffer overflow in PPP might allow a remote attacker to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">PPP</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>710308</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-dialup/ppp" auto="yes" arch="*">
+ <unaffected range="ge">2.4.8</unaffected>
+ <vulnerable range="lt">2.4.8</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PPP is a Unix implementation of the Point-to-Point Protocol.</p>
+ </background>
+ <description>
+ <p>It was discovered that bounds check in PPP for the rhostname was
+ improperly constructed in the EAP request and response functions.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker, by sending specially crafted authentication data,
+ could possibly execute arbitrary code with the privileges of the process
+ or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PPP users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dialup/ppp-2.4.8"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8597">CVE-2020-8597</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T02:58:39Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T03:04:09Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-20.xml b/metadata/glsa/glsa-202003-20.xml
new file mode 100644
index 000000000000..696a1298d328
--- /dev/null
+++ b/metadata/glsa/glsa-202003-20.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-20">
+ <title>systemd: Heap use-after-free</title>
+ <synopsis>A heap use-after-free flaw in systemd at worst might allow an
+ attacker to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">systemd</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>708806</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-apps/systemd" auto="yes" arch="*">
+ <unaffected range="ge">244.3</unaffected>
+ <vulnerable range="lt">244.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A system and service manager.</p>
+ </background>
+ <description>
+ <p>It was found that systemd incorrectly handled certain Polkit queries.</p>
+ </description>
+ <impact type="high">
+ <p>A local unprivileged user, by sending a specially crafted Polkit query,
+ could possibly execute arbitrary code with the privileges of the process,
+ escalate privileges or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All systemd users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/systemd-244.3"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1712">CVE-2020-1712</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T03:18:50Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T03:26:30Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-21.xml b/metadata/glsa/glsa-202003-21.xml
new file mode 100644
index 000000000000..5f5c03bbfac4
--- /dev/null
+++ b/metadata/glsa/glsa-202003-21.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-21">
+ <title>runC: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in runC, the worst of
+ which may lead to privilege escalation.
+ </synopsis>
+ <product type="ebuild">runC</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>677744</bug>
+ <bug>709456</bug>
+ <bug>711182</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-emulation/runc" auto="yes" arch="*">
+ <unaffected range="ge">1.0.0_rc10</unaffected>
+ <vulnerable range="lt">1.0.0_rc10</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>RunC is a CLI tool for spawning and running containers according to the
+ OCI specification.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in runC. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>An attacker, by running a malicious Docker image, could escape the
+ container, bypass security restrictions, escalate privileges or cause a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All runC users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/runc-1.0.0_rc10"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16884">CVE-2019-16884</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19921">CVE-2019-19921</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5736">CVE-2019-5736</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T04:19:19Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T04:26:32Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-22.xml b/metadata/glsa/glsa-202003-22.xml
new file mode 100644
index 000000000000..c69d16f0a64e
--- /dev/null
+++ b/metadata/glsa/glsa-202003-22.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-22">
+ <title>WebkitGTK+: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in WebKitGTK+, the worst
+ of which may lead to arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">webkitgtk+</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>699156</bug>
+ <bug>706374</bug>
+ <bug>709612</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/webkit-gtk" auto="yes" arch="*">
+ <unaffected range="ge">2.26.4</unaffected>
+ <vulnerable range="lt">2.26.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine,
+ suitable for projects requiring any kind of web integration, from hybrid
+ HTML/CSS applications to full-fledged web browsers.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please
+ review the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could execute arbitrary code, cause a Denial of
+ Service condition, bypass intended memory-read restrictions, conduct a
+ timing side-channel attack to bypass the Same Origin Policy or obtain
+ sensitive information.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All WebkitGTK+ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.26.4"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8625">CVE-2019-8625</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8674">CVE-2019-8674</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8707">CVE-2019-8707</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8710">CVE-2019-8710</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8719">CVE-2019-8719</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8720">CVE-2019-8720</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8726">CVE-2019-8726</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8733">CVE-2019-8733</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8735">CVE-2019-8735</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8743">CVE-2019-8743</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8763">CVE-2019-8763</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8764">CVE-2019-8764</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8765">CVE-2019-8765</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8766">CVE-2019-8766</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8768">CVE-2019-8768</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8769">CVE-2019-8769</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8771">CVE-2019-8771</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8782">CVE-2019-8782</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8783">CVE-2019-8783</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8808">CVE-2019-8808</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8811">CVE-2019-8811</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8812">CVE-2019-8812</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8813">CVE-2019-8813</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8814">CVE-2019-8814</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8815">CVE-2019-8815</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8816">CVE-2019-8816</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8819">CVE-2019-8819</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8820">CVE-2019-8820</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8821">CVE-2019-8821</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8822">CVE-2019-8822</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8823">CVE-2019-8823</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8835">CVE-2019-8835</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8844">CVE-2019-8844</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8846">CVE-2019-8846</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3862">CVE-2020-3862</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3864">CVE-2020-3864</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3865">CVE-2020-3865</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3867">CVE-2020-3867</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3868">CVE-2020-3868</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T04:37:44Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T04:42:48Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-23.xml b/metadata/glsa/glsa-202003-23.xml
new file mode 100644
index 000000000000..0a16d80df9a3
--- /dev/null
+++ b/metadata/glsa/glsa-202003-23.xml
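Review bot: The project name is spelled three ways in the new file: `WebkitGTK+` in the title and in the resolution paragraph, `WebKitGTK+` in the synopsis, background and description, and `webkitgtk+` in `<product>`. Upstream writes it WebKitGTK, so `<title>WebKitGTK+: Multiple vulnerabilities</title>` and `All WebKitGTK+ users should upgrade to the latest version:` would make the advisory consistent with its own body text.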
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-23">
+ <title>libjpeg-turbo: User-assisted execution of arbitrary code</title>
+ <synopsis>Several integer overflows in libjpeg-turbo might allow an attacker
+ to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">libjpeg-turbo</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>699830</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="media-libs/libjpeg-turbo" auto="yes" arch="*">
+ <unaffected range="ge">2.0.3</unaffected>
+ <vulnerable range="lt">2.0.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libjpeg-turbo is a MMX, SSE, and SSE2 SIMD accelerated JPEG library.</p>
+ </background>
+ <description>
+ <p>It was discovered that libjpeg-turbo incorrectly handled certain JPEG
+ images.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted JPEG
+ file in an application linked against libjpeg-turbo, possibly resulting
+ in execution of arbitrary code with the privileges of the process or a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libjpeg-turbo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-2.0.3"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2201">CVE-2019-2201</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T04:50:57Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T14:25:41Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-24.xml b/metadata/glsa/glsa-202003-24.xml
new file mode 100644
index 000000000000..dbb042e1771b
--- /dev/null
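Review bot: The second line of this file, `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, points the advisory at an external DTD over plain http, and the identical line opens glsa-202003-24 through glsa-202003-37 in this diff. That is presumably the established GLSA format rather than something this commit introduces, but a DOCTYPE with a SYSTEM identifier is exactly the construct that makes a parser reach out to the network or expand entities when DTD loading is left enabled, and the http URL carries no integrity protection. It is worth confirming that everything which parses metadata/glsa does so with external-subset resolution disabled or against a local copy of the DTD, so the identifier is treated as a name rather than a fetch target.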
+++ b/metadata/glsa/glsa-202003-24.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-24">
+ <title>file: Heap-based buffer overflow</title>
+ <synopsis>A heap-based buffer overflow in file might allow remote attackers
+ to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">file</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>698610</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="sys-apps/file" auto="yes" arch="*">
+ <unaffected range="ge">5.37-r1</unaffected>
+ <vulnerable range="lt">5.37-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>file is a utility that guesses a file format by scanning binary data for
+ patterns.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that file incorrectly handled certain malformed files.</p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to process a specially crafted
+ file via libmagic or file, possibly resulting in execution of arbitrary
+ code with the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All file users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/file-5.37-r1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18218">CVE-2019-18218</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T04:56:34Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T14:35:19Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-25.xml b/metadata/glsa/glsa-202003-25.xml
new file mode 100644
index 000000000000..ed368e6fbbd2
--- /dev/null
+++ b/metadata/glsa/glsa-202003-25.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-25">
+ <title>libTIFF: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in LibTIFF, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">tiff</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>639700</bug>
+ <bug>690732</bug>
+ <bug>699868</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="media-libs/tiff" auto="yes" arch="*">
+ <unaffected range="ge">4.1.0</unaffected>
+ <vulnerable range="lt">4.1.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The TIFF library contains encoding and decoding routines for the Tag
+ Image File Format. It is called by numerous programs, including GNOME and
+ KDE applications, to interpret TIFF images.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libTIFF. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing the user to process a specially crafted
+ TIFF file, could possibly cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libTIFF users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/tiff-4.1.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17095">CVE-2017-17095</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19210">CVE-2018-19210</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17546">CVE-2019-17546</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6128">CVE-2019-6128</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7663">CVE-2019-7663</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T14:58:38Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T15:09:13Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-26.xml b/metadata/glsa/glsa-202003-26.xml
new file mode 100644
index 000000000000..570a06748746
--- /dev/null
+++ b/metadata/glsa/glsa-202003-26.xml
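Review bot: The project name is spelled `libTIFF` in the title, description and resolution paragraph of this advisory but `LibTIFF` in the synopsis; one form should be used throughout, e.g. `<synopsis>Multiple vulnerabilities have been found in libTIFF, the worst of`. This is a wording point only.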
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-26">
+ <title>Python: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Python, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">python</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>676700</bug>
+ <bug>680246</bug>
+ <bug>680298</bug>
+ <bug>684838</bug>
+ <bug>689822</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-lang/python" auto="yes" arch="*">
+ <unaffected range="ge" slot="2.7">2.7.17</unaffected>
+ <unaffected range="ge" slot="3.5/3.5m">3.5.7</unaffected>
+ <unaffected range="ge" slot="3.6/3.6m">3.6.9</unaffected>
+ <unaffected range="ge" slot="3.7/3.7m">3.7.4</unaffected>
+ <vulnerable range="lt" slot="2.7">2.7.17</vulnerable>
+ <vulnerable range="lt" slot="3.5/3.5m">3.5.7</vulnerable>
+ <vulnerable range="lt" slot="3.6/3.6m">3.6.9</vulnerable>
+ <vulnerable range="lt" slot="3.7/3.7m">3.7.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Python is an interpreted, interactive, object-oriented programming
+ language.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Python. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly perform a CRLF injection attack, obtain
+ sensitive information, trick Python into sending cookies to the wrong
+ domain or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Python 2.7.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.17:2.7"
+ </code>
+
+ <p>All Python 3.5.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.5.7:3.5/3.5m"
+ </code>
+
+ <p>All Python 3.6.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.6.9:3.6/3.6m"
+ </code>
+
+ <p>All Python 3.7x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.7.4:3.7/3.7m"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20852">CVE-2018-20852</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5010">CVE-2019-5010</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9636">CVE-2019-9636</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9740">CVE-2019-9740</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9947">CVE-2019-9947</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9948">CVE-2019-9948</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T15:47:20Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T15:56:47Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-27.xml b/metadata/glsa/glsa-202003-27.xml
new file mode 100644
index 000000000000..d34f8ce9fe80
--- /dev/null
+++ b/metadata/glsa/glsa-202003-27.xml
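Review bot: The fourth resolution paragraph reads `All Python 3.7x users should upgrade`, dropping the dot that the 2.7.x, 3.5.x and 3.6.x paragraphs carry; it should be `<p>All Python 3.7.x users should upgrade to the latest version:</p>`. The slot-qualified atoms in the four `<code>` blocks do match the `slot` attributes declared under `<affected>`, so the rest of the resolution reads consistently.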
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-27">
+ <title>libssh: Arbitrary command execution</title>
+ <synopsis>A vulnerability in libssh could allow a remote attacker to execute
+ arbitrary commands.
+ </synopsis>
+ <product type="ebuild">libssh</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>701598</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/libssh" auto="yes" arch="*">
+ <unaffected range="ge">0.9.3</unaffected>
+ <vulnerable range="lt">0.9.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libssh is a multiplatform C library implementing the SSHv2 protocol on
+ client and server side.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that libssh incorrectly handled certain scp commands.</p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could trick a victim into using a specially crafted
+ scp command, possibly resulting in the execution of arbitrary commands on
+ the server.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libssh users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.9.3"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14889">CVE-2019-14889</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T16:06:34Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T16:16:36Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-28.xml b/metadata/glsa/glsa-202003-28.xml
new file mode 100644
index 000000000000..19bc271b64a7
--- /dev/null
+++ b/metadata/glsa/glsa-202003-28.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-28">
+ <title>libarchive: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libarchive, the worst
+ of which may lead to arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">libarchive</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>699222</bug>
+ <bug>710358</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-arch/libarchive" auto="yes" arch="*">
+ <unaffected range="ge">3.4.2</unaffected>
+ <vulnerable range="lt">3.4.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libarchive is a library for manipulating different streaming archive
+ formats, including certain tar variants, several cpio formats, and both
+ BSD and GNU ar variants.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libarchive. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted
+ archive file possibly resulting in the execution of arbitrary code with
+ the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libarchive users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.4.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18408">CVE-2019-18408</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9308">CVE-2020-9308</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T16:23:19Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T16:26:32Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-29.xml b/metadata/glsa/glsa-202003-29.xml
new file mode 100644
index 000000000000..e075f5d26ae3
--- /dev/null
+++ b/metadata/glsa/glsa-202003-29.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-29">
+ <title>cURL: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in cURL, the worst of
+ which may lead to arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">curl</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>686050</bug>
+ <bug>694020</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/curl" auto="yes" arch="*">
+ <unaffected range="ge">7.66.0</unaffected>
+ <vulnerable range="lt">7.66.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A command line tool and library for transferring data with URLs.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in cURL. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All cURL users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/curl-7.66.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5435">CVE-2019-5435</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5436">CVE-2019-5436</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5481">CVE-2019-5481</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5482">CVE-2019-5482</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T16:31:33Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T16:37:06Z">whissi</metadata>
+</glsa>
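Review bot: The `<background>` paragraph of this advisory is a sentence fragment, `A command line tool and library for transferring data with URLs.`, whereas every other advisory in this series opens its background by naming the product. Suggest `<p>cURL is a command line tool and library for transferring data with URLs.</p>`. Style only; the version range and reference list are unaffected.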
diff --git a/metadata/glsa/glsa-202003-30.xml b/metadata/glsa/glsa-202003-30.xml
new file mode 100644
index 000000000000..894d97beb939
--- /dev/null
+++ b/metadata/glsa/glsa-202003-30.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-30">
+ <title>Git: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Git, the worst of which
+ could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">git</product>
+ <announced>2020-03-15</announced>
+ <revised count="2">2020-03-20</revised>
+ <bug>702296</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-vcs/git" auto="yes" arch="*">
+ <unaffected range="rge">2.21.1</unaffected>
+ <unaffected range="rge">2.23.1-r1</unaffected>
+ <unaffected range="rge">2.24.1</unaffected>
+ <vulnerable range="lt">2.24.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Git is a free and open source distributed version control system
+ designed to handle everything from small to very large projects with
+ speed and efficiency.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Git. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could possibly overwrite arbitrary paths, execute arbitrary
+ code, and overwrite files in the .git directory.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Git 2.21.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.21.1"
+ </code>
+
+ <p>All Git 2.23.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.23.1-r1"
+ </code>
+
+ <p>All Git 2.24.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.24.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1348">CVE-2019-1348</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1349">CVE-2019-1349</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1350">CVE-2019-1350</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1351">CVE-2019-1351</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1352">CVE-2019-1352</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1353">CVE-2019-1353</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1354">CVE-2019-1354</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1387">CVE-2019-1387</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19604">CVE-2019-19604</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T16:52:27Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-20T21:00:47Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-31.xml b/metadata/glsa/glsa-202003-31.xml
new file mode 100644
index 000000000000..4dae6769b5e6
--- /dev/null
+++ b/metadata/glsa/glsa-202003-31.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-31">
+ <title>gdb: Buffer overflow</title>
+ <synopsis>A buffer overflow in gdb might allow a remote attacker to cause a
+ Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">gdb</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>690582</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="sys-devel/gdb" auto="yes" arch="*">
+ <unaffected range="ge">9.1</unaffected>
+ <vulnerable range="lt">9.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>gdb is the GNU project’s debugger, facilitating the analysis and
+ debugging of applications. The BFD library provides a uniform method of
+ accessing a variety of object file formats.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that gdb didn’t properly validate the ELF section
+ sizes from input file.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted ELF
+ binary using gdb, possibly resulting in information disclosure or a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All gdb users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-devel/gdb-9.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1010180">
+ CVE-2019-1010180
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T19:07:24Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T19:13:13Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-32.xml b/metadata/glsa/glsa-202003-32.xml
new file mode 100644
index 000000000000..a4070273bd01
--- /dev/null
+++ b/metadata/glsa/glsa-202003-32.xml
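Review bot: The only `<uri>` under `<references>` wraps its text onto separate lines, so the element content is `CVE-2019-1010180` surrounded by a newline and indentation on each side, while every other advisory in this series keeps `<uri link="…">CVE-…</uri>` on one line; a consumer that does not trim element text will carry that whitespace into the rendered identifier. Suggest `<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1010180">CVE-2019-1010180</uri>`. Separately, the synopsis names only a Denial of Service outcome while the impact paragraph also lists information disclosure; the two summaries should agree.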
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-32">
+ <title>Libgcrypt: Side-channel attack</title>
+ <synopsis>A vulnerability in Libgcrypt could allow a local attacker to
+ recover sensitive information.
+ </synopsis>
+ <product type="ebuild">libgcrypt</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>693108</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-libs/libgcrypt" auto="yes" arch="*">
+ <unaffected range="ge">1.8.5</unaffected>
+ <vulnerable range="lt">1.8.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Libgcrypt is a general purpose cryptographic library derived out of
+ GnuPG.
+ </p>
+ </background>
+ <description>
+ <p>A timing attack was found in the way ECCDSA was implemented in
+ Libgcrypt.
+ </p>
+ </description>
+ <impact type="low">
+ <p>A local man-in-the-middle attacker, during signature generation, could
+ possibly recover the private key.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Libgcrypt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.8.5"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13627">CVE-2019-13627</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T19:23:38Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T19:29:34Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-33.xml b/metadata/glsa/glsa-202003-33.xml
new file mode 100644
index 000000000000..8d028e17b0d1
--- /dev/null
+++ b/metadata/glsa/glsa-202003-33.xml
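Review bot: The description says `the way ECCDSA was implemented`; the algorithm is conventionally written ECDSA, so this looks like a typo and the line should read `<p>A timing attack was found in the way ECDSA was implemented in`. The impact paragraph then describes `A local man-in-the-middle attacker`, which sits oddly next to `<access>local</access>` and a timing side channel, since a man-in-the-middle is a network position; `<p>A local attacker able to observe timing during signature generation could` would match the access field and the description better. Both are wording fixes; the version range and reference are untouched.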
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-33">
+ <title>GStreamer Base Plugins: Heap-based buffer overflow</title>
+ <synopsis>A heap-based buffer overflow in GStreamer Base Plugins might allow
+ remote attackers to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">gst-plugins-base</product>
+ <announced>2020-03-15</announced>
+ <revised count="1">2020-03-15</revised>
+ <bug>701294</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/gst-plugins-base" auto="yes" arch="*">
+ <unaffected range="ge">1.14.5-r1</unaffected>
+ <vulnerable range="lt">1.14.5-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A well-groomed and well-maintained collection of GStreamer plug-ins and
+ elements, spanning the range of possible types of elements one would want
+ to write for GStreamer.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that GStreamer Base Plugins did not correctly handle
+ certain malformed RTSP streams.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted RTSP
+ stream with a GStreamer application, possibly resulting in the execution
+ of arbitrary code or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GStreamer Base Plugins users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=media-libs/gst-plugins-base-1.14.5-r1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9928">CVE-2019-9928</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T19:49:56Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-15T19:54:43Z">whissi</metadata>
+</glsa>
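Review bot: In the `<resolution>` code block the emerge command is broken across two lines, `# emerge --ask --oneshot --verbose` followed by `">=media-libs/gst-plugins-base-1.14.5-r1"` on a line of its own; `<code>` content is shown verbatim, so a user who pastes it runs emerge with no package atom and then attempts to execute the quoted atom as a command. Every other advisory in this diff keeps the atom on the same line, so this reads as a line-length wrap rather than intent; put it back on one line, `# emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-base-1.14.5-r1"`, or end the first line with a shell continuation backslash if width is the concern.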
diff --git a/metadata/glsa/glsa-202003-34.xml b/metadata/glsa/glsa-202003-34.xml
new file mode 100644
index 000000000000..940fc5edd5db
--- /dev/null
+++ b/metadata/glsa/glsa-202003-34.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-34">
+ <title>Squid: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Squid, the worst of
+ which could lead to arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">squid</product>
+ <announced>2020-03-16</announced>
+ <revised count="1">2020-03-16</revised>
+ <bug>699854</bug>
+ <bug>708296</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-proxy/squid" auto="yes" arch="*">
+ <unaffected range="ge">4.10</unaffected>
+ <vulnerable range="lt">4.10</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Squid is a full-featured Web proxy cache designed to run on Unix
+ systems. It supports proxying and caching of HTTP, FTP, and other URLs,
+ as well as SSL support, cache hierarchies, transparent caching, access
+ control lists and many other features.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Squid. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by sending a specially crafted request, could
+ possibly execute arbitrary code with the privileges of the process,
+ obtain sensitive information or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Squid users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-proxy/squid-4.10"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12526">CVE-2019-12526</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12528">CVE-2019-12528</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18678">CVE-2019-18678</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18679">CVE-2019-18679</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8449">CVE-2020-8449</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8450">CVE-2020-8450</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8517">CVE-2020-8517</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-11-11T17:42:19Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-16T11:34:35Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-35.xml b/metadata/glsa/glsa-202003-35.xml
new file mode 100644
index 000000000000..fa72b90a87d1
--- /dev/null
+++ b/metadata/glsa/glsa-202003-35.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-35">
+ <title>ProFTPd: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in ProFTPd, the worst of
+ which may lead to arbitrary code execution.
+ </synopsis>
+ <product type="ebuild">proftpd</product>
+ <announced>2020-03-16</announced>
+ <revised count="1">2020-03-16</revised>
+ <bug>699520</bug>
+ <bug>701814</bug>
+ <bug>710730</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-ftp/proftpd" auto="yes" arch="*">
+ <unaffected range="ge">1.3.6c</unaffected>
+ <vulnerable range="lt">1.3.6c</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>ProFTPD is an advanced and very configurable FTP server.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in ProFTPd. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by interrupting the data transfer channel, could
+ possibly execute arbitrary code with the privileges of the process or
+ cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ProFTPd users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.6c"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18217">CVE-2019-18217</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19269">CVE-2019-19269</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9272">CVE-2020-9272</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9273">CVE-2020-9273</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T06:37:49Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2020-03-16T21:08:17Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-36.xml b/metadata/glsa/glsa-202003-36.xml
new file mode 100644
index 000000000000..77b24063e94f
--- /dev/null
+++ b/metadata/glsa/glsa-202003-36.xml
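Review bot: The product name is written `ProFTPd` in the title, synopsis, description and resolution paragraph but `ProFTPD` in the background paragraph; a single spelling should be used throughout the advisory. The upstream project writes it ProFTPD, so aligning the other four occurrences to that, starting with `<title>ProFTPD: Multiple vulnerabilities</title>`, is the more accurate choice, though changing the one background line is the smaller edit. Wording only.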
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-36">
+ <title>libvorbis: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libvorbis, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">libvorbis</product>
+ <announced>2020-03-16</announced>
+ <revised count="1">2020-03-16</revised>
+ <bug>631646</bug>
+ <bug>699862</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="media-libs/libvorbis" auto="yes" arch="*">
+ <unaffected range="ge">1.3.6-r1</unaffected>
+ <vulnerable range="lt">1.3.6-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libvorbis is the reference implementation of the Xiph.org Ogg Vorbis
+ audio file format. It is used by many applications for playback of Ogg
+ Vorbis files.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libvorbis. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing the user to process a specially crafted
+ audio file, could possibly cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libvorbis users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libvorbis-1.3.6-r1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14160">CVE-2017-14160</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10392">CVE-2018-10392</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10393">CVE-2018-10393</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T15:16:28Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-16T21:12:28Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-37.xml b/metadata/glsa/glsa-202003-37.xml
new file mode 100644
index 000000000000..27963a656f92
--- /dev/null
+++ b/metadata/glsa/glsa-202003-37.xml
@@ -0,0 +1,63 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-37"> + <title>Mozilla Network Security Service: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Mozilla Network + Security Service (NSS), the worst of which may lead to arbitrary code + execution. + </synopsis> + <product type="ebuild">nss</product> + <announced>2020-03-16</announced> + <revised count="2">2020-03-16</revised> + <bug>627534</bug> + <bug>676868</bug> + <bug>701840</bug> + <access>local, remote</access> + <affected> + <package name="dev-libs/nss" auto="yes" arch="*"> + <unaffected range="ge">3.49</unaffected> + <vulnerable range="lt">3.49</vulnerable> + </package> + </affected> + <background> + <p>The Mozilla Network Security Service (NSS) is a library implementing + security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS + #12, S/MIME and X.509 certificates. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Network + Security Service (NSS). Please review the CVE identifiers referenced + below for details. + </p> + </description> + <impact type="normal"> + <p>An attacker could execute arbitrary code, cause a Denial of Service + condition or have other unspecified impact. 
+ </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla Network Security Service (NSS) users should upgrade to the + latest version: + </p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.49" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11695">CVE-2017-11695</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11696">CVE-2017-11696</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11697">CVE-2017-11697</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11698">CVE-2017-11698</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18508">CVE-2018-18508</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11745">CVE-2019-11745</uri> + </references> + <metadata tag="requester" timestamp="2020-03-15T15:34:44Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-16T21:17:42Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-38.xml b/metadata/glsa/glsa-202003-38.xml new file mode 100644 index 000000000000..0fe1b36c64ea --- /dev/null +++ b/metadata/glsa/glsa-202003-38.xml 
@@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-38"> + <title>PECL Imagick: Arbitrary code execution</title> + <synopsis>A vulnerability in Imagick PHP extension might allow an attacker to + execute arbitrary code. + </synopsis> + <product type="ebuild">pecl-imagick</product> + <announced>2020-03-19</announced> + <revised count="1">2020-03-19</revised> + <bug>687030</bug> + <access>remote</access> + <affected> + <package name="dev-php/pecl-imagick" auto="yes" arch="*"> + <unaffected range="ge">3.4.4</unaffected> + <vulnerable range="lt">3.4.4</vulnerable> + </package> + </affected> + <background> + <p>Imagick is a PHP extension to create and modify images using the + ImageMagick library. + </p> + </background> + <description> + <p>An out-of-bounds write vulnerability was discovered in the Imagick PHP + extension. + </p> + </description> + <impact type="high"> + <p>A remote attacker, able to upload specially crafted images which will + get processed by Imagick, could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Imagick PHP extension users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/pecl-imagick-3.4.4" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11037">CVE-2019-11037</uri> + </references> + <metadata tag="requester" timestamp="2020-03-17T14:27:07Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-19T15:54:46Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-39.xml b/metadata/glsa/glsa-202003-39.xml new file mode 100644 index 000000000000..3da65eb92d8d --- /dev/null +++ b/metadata/glsa/glsa-202003-39.xml 
@@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-39"> + <title>phpMyAdmin: SQL injection</title> + <synopsis>An SQL injection vulnerability in phpMyAdmin may allow attackers to + execute arbitrary SQL statements. + </synopsis> + <product type="ebuild">phpmyadmin</product> + <announced>2020-03-19</announced> + <revised count="1">2020-03-19</revised> + <bug>701830</bug> + <access>remote</access> + <affected> + <package name="dev-db/phpmyadmin" auto="yes" arch="*"> + <unaffected range="ge">4.9.2</unaffected> + <vulnerable range="lt">4.9.2</vulnerable> + </package> + </affected> + <background> + <p>phpMyAdmin is a web-based management tool for MySQL databases.</p> + </background> + <description> + <p>PhpMyAdmin was vulnerable to an SQL injection attack through the + designer feature. + </p> + </description> + <impact type="normal"> + <p>An authenticated remote attacker, by specifying a specially crafted + database/table name, could trigger an SQL injection attack. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All phpMyAdmin users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-4.9.2" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18622">CVE-2019-18622</uri> + <uri link="https://www.phpmyadmin.net/security/PMASA-2019-5/">PMASA-2019-5</uri> + </references> + <metadata tag="requester" timestamp="2020-03-19T16:07:14Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-19T16:19:16Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-40.xml b/metadata/glsa/glsa-202003-40.xml new file mode 100644 index 000000000000..75c8ef9418fa --- /dev/null +++ b/metadata/glsa/glsa-202003-40.xml 
@@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-40"> + <title>Cacti: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Cacti, the worst of + which could lead to the remote execution of arbitrary code. + </synopsis> + <product type="ebuild">cacti</product> + <announced>2020-03-19</announced> + <revised count="1">2020-03-19</revised> + <bug>702312</bug> + <bug>708938</bug> + <access>remote</access> + <affected> + <package name="net-analyzer/cacti" auto="yes" arch="*"> + <unaffected range="ge">1.2.9</unaffected> + <vulnerable range="lt">1.2.9</vulnerable> + </package> + </affected> + <background> + <p>Cacti is a complete frontend to rrdtool.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Cacti. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Remote attackers could execute arbitrary code or bypass intended access + restrictions. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Cacti users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-1.2.9" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16723">CVE-2019-16723</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17357">CVE-2019-17357</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17358">CVE-2019-17358</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7106">CVE-2020-7106</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7237">CVE-2020-7237</uri> + </references> + <metadata tag="requester" timestamp="2020-03-19T16:27:20Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-19T16:29:17Z">whissi</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-202003-41.xml b/metadata/glsa/glsa-202003-41.xml new file mode 100644 index 000000000000..ac164d157735 --- /dev/null +++ b/metadata/glsa/glsa-202003-41.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-41"> + <title>GNU FriBidi: Heap-based buffer overflow</title> + <synopsis>A heap-based buffer overflow in GNU FriBidi might allow remote + attackers to execute arbitrary code. + </synopsis> + <product type="ebuild">fribidi</product> + <announced>2020-03-19</announced> + <revised count="1">2020-03-19</revised> + <bug>699338</bug> + <access>local, remote</access> + <affected> + <package name="dev-libs/fribidi" auto="yes" arch="*"> + <unaffected range="ge">1.0.8</unaffected> + <vulnerable range="lt">1.0.8</vulnerable> + </package> + </affected> + <background> + <p>The Free Implementation of the Unicode Bidirectional Algorithm.</p> + </background> + <description> + <p>A heap-based buffer overflow vulnerability was found in GNU FriBidi.</p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly cause a memory corruption, execute + arbitrary code with the privileges of the process or cause a Denial of + Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All FriBidi users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/fribidi-1.0.8" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18397">CVE-2019-18397</uri> + </references> + <metadata tag="requester" timestamp="2020-03-19T16:36:42Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-19T16:41:09Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-42.xml b/metadata/glsa/glsa-202003-42.xml new file mode 100644 index 000000000000..76a2944ee9c4 
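Review bot: The background paragraph in the glsa-202003-41.xml hunk is a sentence fragment, `<p>The Free Implementation of the Unicode Bidirectional Algorithm.</p>`, while every other advisory in this commit states what the product is. Suggest `<p>GNU FriBidi is the free implementation of the Unicode Bidirectional Algorithm.</p>`, matching the product name used in the title and impact text.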
--- /dev/null +++ b/metadata/glsa/glsa-202003-42.xml @@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-42"> + <title>libgit2: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in libgit2, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">libgit2</product> + <announced>2020-03-19</announced> + <revised count="1">2020-03-19</revised> + <bug>702522</bug> + <access>local, remote</access> + <affected> + <package name="dev-libs/libgit2" auto="yes" arch="*"> + <unaffected range="ge">0.28.4</unaffected> + <vulnerable range="lt">0.28.4</vulnerable> + </package> + </affected> + <background> + <p>libgit2 is a portable, pure C implementation of the Git core methods + provided as a re-entrant linkable library with a solid API. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in libgit2. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>An attacker could possibly overwrite arbitrary paths, execute arbitrary + code, and overwrite files in the .git directory. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libgit2 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libgit2-0.28.4" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1348">CVE-2019-1348</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1350">CVE-2019-1350</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1387">CVE-2019-1387</uri> + </references> + <metadata tag="requester" timestamp="2020-03-19T16:48:12Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-19T16:50:07Z">whissi</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-202003-43.xml b/metadata/glsa/glsa-202003-43.xml new file mode 100644 index 000000000000..12f723cb9665 --- /dev/null +++ b/metadata/glsa/glsa-202003-43.xml 
@@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-43"> + <title>Apache Tomcat: Multiple vulnerabilities</title> + <synopsis> Multiple vulnerabilities have been found in Apache Tomcat, the + worst of which could lead to arbitrary code execution. + </synopsis> + <product type="ebuild">tomcat</product> + <announced>2020-03-19</announced> + <revised count="2">2020-03-20</revised> + <bug>692402</bug> + <bug>706208</bug> + <bug>710656</bug> + <access>remote</access> + <affected> + <package name="www-servers/tomcat" auto="yes" arch="*"> + <unaffected range="rge">8.5.51</unaffected> + <unaffected range="rge">7.0.100</unaffected> + <vulnerable range="lt">8.5.51</vulnerable> + </package> + </affected> + <background> + <p>Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Apache Tomcat. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>An attacker could possibly smuggle HTTP requests or execute arbitrary + code. 
+ </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Apache Tomcat 7.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.100:7" + </code> + + <p>All Apache Tomcat 8.5.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.51:8.5" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-0221">CVE-2019-0221</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12418">CVE-2019-12418</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17563">CVE-2019-17563</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1938">CVE-2020-1938</uri> + </references> + <metadata tag="requester" timestamp="2020-03-19T17:09:01Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-20T21:02:49Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-44.xml b/metadata/glsa/glsa-202003-44.xml new file mode 100644 index 000000000000..91ebcf2f6aca --- /dev/null +++ b/metadata/glsa/glsa-202003-44.xml 
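Review bot: The affected block for www-servers/tomcat declares `rge` unaffected entries for 8.5.51 and 7.0.100 but only one `vulnerable range="lt">8.5.51` entry, so any tomcat slot whose version sorts above 8.5.51 (a 9.x slot, if one exists in the tree) is implicitly reported as unaffected even though no unaffected entry covers it; please confirm against the tree that no such slot is affected by the listed CVEs, and otherwise add the matching `unaffected`/`vulnerable` entries and a third resolution paragraph. Minor: the synopsis starts with a stray leading space, `<synopsis> Multiple vulnerabilities`, unlike the other advisories; suggest `<synopsis>Multiple vulnerabilities have been found in Apache Tomcat, the`.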
@@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-44"> + <title>Binary diff: Heap-based buffer overflow</title> + <synopsis>A heap-based buffer overflow in Binary diff might allow remote + attackers to execute arbitrary code. + </synopsis> + <product type="ebuild">bsdiff</product> + <announced>2020-03-19</announced> + <revised count="1">2020-03-19</revised> + <bug>701848</bug> + <access>local, remote</access> + <affected> + <package name="dev-util/bsdiff" auto="yes" arch="*"> + <unaffected range="ge">4.3-r4</unaffected> + <vulnerable range="lt">4.3-r4</vulnerable> + </package> + </affected> + <background> + <p>bsdiff and bspatch are tools for building and applying patches to binary + files. + </p> + </background> + <description> + <p>It was discovered that the implementation of bspatch did not check for a + negative value on numbers of bytes read from the diff and extra streams. + </p> + </description> + <impact type="high"> + <p>A remote attacker could entice a user to apply a specially crafted patch + using bspatch, possibly resulting in execution of arbitrary code with the + privileges of the process or a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Binary diff users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/bsdiff-4.3-r4" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2014-9862">CVE-2014-9862</uri> + </references> + <metadata tag="requester" timestamp="2020-03-19T18:34:43Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-19T18:40:24Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-45.xml b/metadata/glsa/glsa-202003-45.xml new file mode 100644 index 000000000000..e436236d6878 --- /dev/null 
+++ b/metadata/glsa/glsa-202003-45.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-45"> + <title>PyYAML: Arbitrary code execution</title> + <synopsis>A flaw in PyYAML might allow attackers to execute arbitrary code.</synopsis> + <product type="ebuild">pyyaml</product> + <announced>2020-03-19</announced> + <revised count="1">2020-03-19</revised> + <bug>659348</bug> + <access>local, remote</access> + <affected> + <package name="dev-python/pyyaml" auto="yes" arch="*"> + <unaffected range="ge">5.1</unaffected> + <vulnerable range="lt">5.1</vulnerable> + </package> + </affected> + <background> + <p>PyYAML is a YAML parser and emitter for Python.</p> + </background> + <description> + <p>It was found that using yaml.load() API on untrusted input could lead to + arbitrary code execution. + </p> + </description> + <impact type="high"> + <p>A remote attacker could entice a user to process specially crafted input + in an application using yaml.load() from PyYAML, possibly resulting in + execution of arbitrary code with the privileges of the process or a + Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PyYAML users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/pyyaml-5.1" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-18342">CVE-2017-18342</uri> + </references> + <metadata tag="requester" timestamp="2020-03-19T18:50:48Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-19T18:55:38Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-46.xml b/metadata/glsa/glsa-202003-46.xml new file mode 100644 index 000000000000..ae2d48c32026 --- /dev/null +++ b/metadata/glsa/glsa-202003-46.xml 
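Review bot: The workaround section of glsa-202003-45.xml says there is no known workaround, yet the description itself attributes the issue to calling the yaml.load() API on untrusted input, so the advisory already implies an application-level mitigation. If GLSA policy allows application-side mitigations in the workaround section, a line such as `<p>Applications that parse untrusted YAML can use the yaml.safe_load() API instead of yaml.load() until the upgrade is applied.</p>` would give readers who cannot upgrade immediately a concrete option; if policy restricts workarounds to package-level measures, the current text is fine as is.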
@@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-46"> + <title>ClamAV: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in ClamAV, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">clamav</product> + <announced>2020-03-19</announced> + <revised count="1">2020-03-19</revised> + <bug>702010</bug> + <bug>708424</bug> + <access>local, remote</access> + <affected> + <package name="app-antivirus/clamav" auto="yes" arch="*"> + <unaffected range="ge">0.102.2</unaffected> + <vulnerable range="lt">0.102.2</vulnerable> + </package> + </affected> + <background> + <p>ClamAV is a GPL virus scanner.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in ClamAV. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="low"> + <p>A remote attacker could cause ClamAV to scan a specially crafted file, + possibly resulting in a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ClamAV users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.102.2" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15961">CVE-2019-15961</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3123">CVE-2020-3123</uri> + </references> + <metadata tag="requester" timestamp="2020-03-19T20:43:36Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-19T20:46:54Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-47.xml b/metadata/glsa/glsa-202003-47.xml new file mode 100644 index 000000000000..e127121e070f --- /dev/null +++ b/metadata/glsa/glsa-202003-47.xml 
@@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-47"> + <title>Exim: Heap-based buffer overflow</title> + <synopsis>A vulnerability in Exim could allow a remote attacker to execute + arbitrary code. + </synopsis> + <product type="ebuild"></product> + <announced>2020-03-20</announced> + <revised count="1">2020-03-20</revised> + <bug>701282</bug> + <access>remote</access> + <affected> + <package name="mail-mta/exim" auto="yes" arch="*"> + <unaffected range="ge">4.92.3</unaffected> + <vulnerable range="lt">4.92.3</vulnerable> + </package> + </affected> + <background> + <p>Exim is a message transfer agent (MTA) designed to be a a highly + configurable, drop-in replacement for sendmail. + </p> + </background> + <description> + <p>It was discovered that Exim incorrectly handled certain string + operations. + </p> + </description> + <impact type="high"> + <p>A remote attacker, able to connect to a vulnerable Exim instance, could + possibly execute arbitrary code with the privileges of the process or + cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Exim users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/exim-4.92.3" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16928">CVE-2019-16928</uri> + </references> + <metadata tag="requester" timestamp="2020-03-20T18:44:44Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-20T18:48:39Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-48.xml b/metadata/glsa/glsa-202003-48.xml new file mode 100644 index 000000000000..94ecb6b4e6ef --- /dev/null +++ b/metadata/glsa/glsa-202003-48.xml 
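Review bot: In the glsa-202003-47.xml hunk the product element is empty, `<product type="ebuild"></product>`, whereas every other advisory in this commit names the ebuild; this should read `<product type="ebuild">exim</product>` so tooling that keys on the product name does not see an empty value for this advisory. The background paragraph also has a doubled article, `designed to be a a highly`; suggest `<p>Exim is a message transfer agent (MTA) designed to be a highly`.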
@@ -0,0 +1,78 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-48"> + <title>Node.js: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Node.js, worst of which + could allow remote attackers to write arbitrary files. + </synopsis> + <product type="ebuild">nodejs</product> + <announced>2020-03-20</announced> + <revised count="2">2020-03-20</revised> + <bug>658074</bug> + <bug>665656</bug> + <bug>672136</bug> + <bug>679132</bug> + <bug>702988</bug> + <bug>708458</bug> + <access>local, remote</access> + <affected> + <package name="net-libs/nodejs" auto="yes" arch="*"> + <unaffected range="rge">10.19.0</unaffected> + <unaffected range="rge">12.15.0</unaffected> + <vulnerable range="lt">12.15.0</vulnerable> + </package> + </affected> + <background> + <p>Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript + engine. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Node.js. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly write arbitrary files, cause a Denial + of Service condition or can conduct HTTP request splitting attacks. 
+ </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Node.js <12.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/nodejs-10.19.0" + </code> + + <p>All Node.js 12.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/nodejs-12.15.0" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12115">CVE-2018-12115</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12116">CVE-2018-12116</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12121">CVE-2018-12121</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12122">CVE-2018-12122</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12123">CVE-2018-12123</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7161">CVE-2018-7161</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7162">CVE-2018-7162</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7164">CVE-2018-7164</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7167">CVE-2018-7167</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15604">CVE-2019-15604</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15605">CVE-2019-15605</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15606">CVE-2019-15606</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16777">CVE-2019-16777</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5737">CVE-2019-5737</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5739">CVE-2019-5739</uri> + </references> + <metadata tag="requester" timestamp="2020-03-20T04:40:01Z">BlueKnight</metadata> + <metadata tag="submitter" timestamp="2020-03-20T20:50:31Z">whissi</metadata> +</glsa> 
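Review bot: The resolution paragraph in glsa-202003-48.xml contains an unescaped `<` in element content, `<p>All Node.js <12.x users should upgrade to the latest version:</p>`; a `<` followed by a digit is not a valid tag start, so a conforming XML parser rejects the whole file and the advisory would not be parsed by glsa-check or the website generator at all. It should be `<p>All Node.js &lt;12.x users should upgrade to the latest version:</p>`. Minor wording in the synopsis: `worst of which` should be `the worst of which`, as in the other advisories.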
diff --git a/metadata/glsa/glsa-202003-49.xml b/metadata/glsa/glsa-202003-49.xml new file mode 100644 index 000000000000..682453c993a0 --- /dev/null +++ b/metadata/glsa/glsa-202003-49.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-49"> + <title>BlueZ: Security bypass</title> + <synopsis>A vulnerability in BlueZ might allow remote attackers to bypass + security restrictions. + </synopsis> + <product type="ebuild">bluez</product> + <announced>2020-03-25</announced> + <revised count="1">2020-03-25</revised> + <bug>712292</bug> + <access>remote</access> + <affected> + <package name="net-wireless/bluez" auto="yes" arch="*"> + <unaffected range="ge">5.54</unaffected> + <vulnerable range="lt">5.54</vulnerable> + </package> + </affected> + <background> + <p>Set of tools to manage Bluetooth devices for Linux.</p> + </background> + <description> + <p>It was discovered that the HID and HOGP profiles implementations in + BlueZ did not specifically require bonding between the device and the + host. + </p> + </description> + <impact type="high"> + <p>A remote attacker with adjacent access could impersonate an existing HID + device, cause a Denial of Service condition or escalate privileges. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All BlueZ users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-wireless/bluez-5.54" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-0556">CVE-2020-0556</uri> + </references> + <metadata tag="requester" timestamp="2020-03-25T15:19:08Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-25T15:33:12Z">whissi</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-202003-50.xml b/metadata/glsa/glsa-202003-50.xml new file mode 100644 index 000000000000..36ab084c78c9 --- /dev/null +++ b/metadata/glsa/glsa-202003-50.xml 
@@ -0,0 +1,58 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-50"> + <title>Tor: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities were found in Tor, the worst of which + could allow remote attackers to cause a Denial of Service condition. + </synopsis> + <product type="ebuild">tor</product> + <announced>2020-03-25</announced> + <revised count="1">2020-03-25</revised> + <bug>713238</bug> + <access>remote</access> + <affected> + <package name="net-vpn/tor" auto="yes" arch="*"> + <unaffected range="rge">0.4.1.9</unaffected> + <unaffected range="rge">0.4.2.7</unaffected> + <vulnerable range="lt">0.4.2.7</vulnerable> + </package> + </affected> + <background> + <p>Tor is an implementation of second generation Onion Routing, a + connection-oriented anonymizing communication service. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Tor, and tor. Please + review the CVE identifiers referenced below for details. 
+ </p> + </description> + <impact type="low"> + <p>A remote attacker could possibly cause a Denial of Service condition.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Tor 0.4.1.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-vpn/tor-0.4.1.9" + </code> + + <p>All Tor 0.4.2.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-vpn/tor-0.4.2.7" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10592">CVE-2020-10592</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10593">CVE-2020-10593</uri> + </references> + <metadata tag="requester" timestamp="2020-03-25T15:44:11Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-25T15:54:00Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-51.xml b/metadata/glsa/glsa-202003-51.xml new file mode 100644 index 000000000000..f8176070b409 --- /dev/null +++ b/metadata/glsa/glsa-202003-51.xml 
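Review bot: The description in the glsa-202003-50.xml hunk reads `Multiple vulnerabilities have been discovered in Tor, and tor.`, which looks like a leftover from a template that substitutes the package name twice; since only net-vpn/tor is listed as affected, the second clause should be dropped: `<p>Multiple vulnerabilities have been discovered in Tor. Please`. The rest of the advisory (two rge unaffected ranges with matching resolution paragraphs) is consistent.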
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-51">
+ <title>WeeChat: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in WeeChat, the worst of
+ which could allow remote attackers to cause a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">weechat</product>
+ <announced>2020-03-25</announced>
+ <revised count="1">2020-03-25</revised>
+ <bug>709452</bug>
+ <bug>714086</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-irc/weechat" auto="yes" arch="*">
+ <unaffected range="ge">2.7.1</unaffected>
+ <vulnerable range="lt">2.7.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Wee Enhanced Environment for Chat (WeeChat) is a light and extensible
+ console IRC client.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in WeeChat. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>A remote attacker, by sending a specially crafted IRC message, could
+ possibly cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All WeeChat users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-irc/weechat-2.7.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8955">CVE-2020-8955</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9759">CVE-2020-9759</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9760">CVE-2020-9760</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-25T16:00:28Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-25T16:04:22Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-52.xml b/metadata/glsa/glsa-202003-52.xml
new file mode 100644
index 000000000000..aafebaff00af
--- /dev/null
+++ b/metadata/glsa/glsa-202003-52.xml
@@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-52">
+ <title>Samba: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Samba, the worst of
+ which could lead to remote code execution.
+ </synopsis>
+ <product type="ebuild">samba</product>
+ <announced>2020-03-25</announced>
+ <revised count="1">2020-03-25</revised>
+ <bug>664316</bug>
+ <bug>672140</bug>
+ <bug>686036</bug>
+ <bug>693558</bug>
+ <bug>702928</bug>
+ <bug>706144</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-fs/samba" auto="yes" arch="*">
+ <unaffected range="rge">4.9.18</unaffected>
+ <unaffected range="rge">4.10.13</unaffected>
+ <unaffected range="rge">4.11.6</unaffected>
+ <vulnerable range="lt">4.11.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Samba is a suite of SMB and CIFS client/server programs.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Samba. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code, cause a Denial
+ of Service condition, conduct a man-in-the-middle attack, or obtain
+ sensitive information.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Samba 4.9.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-fs/samba-4.9.18"
+ </code>
+
+ <p>All Samba 4.10.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-fs/samba-4.10.13"
+ </code>
+
+ <p>All Samba 4.11.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-fs/samba-4.11.6"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10858">CVE-2018-10858</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10918">CVE-2018-10918</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10919">CVE-2018-10919</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1139">CVE-2018-1139</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1140">CVE-2018-1140</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14629">CVE-2018-14629</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16841">CVE-2018-16841</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16851">CVE-2018-16851</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16852">CVE-2018-16852</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16853">CVE-2018-16853</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16857">CVE-2018-16857</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16860">CVE-2018-16860</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10197">CVE-2019-10197</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14861">CVE-2019-14861</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14870">CVE-2019-14870</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14902">CVE-2019-14902</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2019-14907">CVE-2019-14907</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19344">CVE-2019-19344</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-25T16:20:13Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-25T16:34:04Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-53.xml b/metadata/glsa/glsa-202003-53.xml
new file mode 100644
index 000000000000..2f1a217d45c1
--- /dev/null
+++ b/metadata/glsa/glsa-202003-53.xml
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-53">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could allow remote attackers to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">chromium,google-chrome</product>
+ <announced>2020-03-25</announced>
+ <revised count="1">2020-03-25</revised>
+ <bug>713282</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">80.0.3987.149</unaffected>
+ <vulnerable range="lt">80.0.3987.149</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">80.0.3987.149</unaffected>
+ <vulnerable range="lt">80.0.3987.149</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted HTML
+ or multimedia file using Chromium or Google Chrome, possibly resulting in
+ execution of arbitrary code with the privileges of the process or a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/chromium-80.0.3987.149"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/google-chrome-80.0.3987.149"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6422">CVE-2020-6422</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6424">CVE-2020-6424</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6425">CVE-2020-6425</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6426">CVE-2020-6426</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6427">CVE-2020-6427</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6428">CVE-2020-6428</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6429">CVE-2020-6429</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6449">CVE-2020-6449</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-25T18:24:50Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-25T18:31:07Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-54.xml b/metadata/glsa/glsa-202003-54.xml
new file mode 100644
index 000000000000..0e12b029b92b
--- /dev/null
+++ b/metadata/glsa/glsa-202003-54.xml
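Review bot: In both `<code>` blocks of the resolution the emerge command is wrapped onto two lines (`# emerge --ask --oneshot --verbose` with the quoted atom on the following line), so a user copying the rendered advisory runs `emerge --ask --oneshot --verbose` with no atom and then the atom as a command of its own. Keep each command on one line even though it exceeds the wrap width, as the other advisories in this batch do: `# emerge --ask --oneshot --verbose ">=www-client/chromium-80.0.3987.149"` and `# emerge --ask --oneshot --verbose ">=www-client/google-chrome-80.0.3987.149"`. Whether the GLSA renderer joins wrapped lines inside `<code>` is not visible here; if it does, this is cosmetic only.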
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-54">
+ <title>Pure-FTPd: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Pure-FTPd, the worst of
+ which could allow remote attackers to cause a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">pure-ftpd</product>
+ <announced>2020-03-25</announced>
+ <revised count="1">2020-03-25</revised>
+ <bug>711124</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-ftp/pure-ftpd" auto="yes" arch="*">
+ <unaffected range="ge">1.0.49-r2</unaffected>
+ <vulnerable range="lt">1.0.49-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Pure-FTPd is a fast, production-quality and standards-compliant FTP
+ server.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Pure-FTPd. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>A remote attacker could possibly cause a Denial of Service condition or
+ cause an information disclosure.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Pure-FTPd users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-ftp/pure-ftpd-1.0.49-r2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9274">CVE-2020-9274</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9365">CVE-2020-9365</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-25T18:52:14Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-25T18:58:54Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-55.xml b/metadata/glsa/glsa-202003-55.xml
new file mode 100644
index 000000000000..681f03815876
--- /dev/null
+++ b/metadata/glsa/glsa-202003-55.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-55">
+ <title>Zsh: Privilege escalation</title>
+ <synopsis>A vulnerability in Zsh might allow an attacker to escalate
+ privileges.
+ </synopsis>
+ <product type="ebuild">zsh</product>
+ <announced>2020-03-25</announced>
+ <revised count="1">2020-03-25</revised>
+ <bug>711136</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-shells/zsh" auto="yes" arch="*">
+ <unaffected range="ge">5.8</unaffected>
+ <vulnerable range="lt">5.8</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A shell designed for interactive use, although it is also a powerful
+ scripting language.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that Zsh was insecure dropping privileges when
+ unsetting PRIVILEGED option.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could escalate privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Zsh users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.8"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20044">CVE-2019-20044</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-25T20:14:34Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-25T20:22:40Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-56.xml b/metadata/glsa/glsa-202003-56.xml
new file mode 100644
index 000000000000..8f25345155e7
--- /dev/null
+++ b/metadata/glsa/glsa-202003-56.xml
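Review bot: The description sentence `It was discovered that Zsh was insecure dropping privileges when unsetting PRIVILEGED option.` is ungrammatical and does not say what the flaw is; suggest `<p>It was discovered that Zsh did not properly drop privileges when the PRIVILEGED option was unset.</p>`. The `<access>` element lists `local, remote`, yet the flaw as described (privilege dropping inside a shell) reads as a local issue, so the remote vector is worth confirming against bug 711136 before publication. If it does not hold, the impact paragraph should name the attacker position too: `<p>A local attacker could escalate privileges.</p>`.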
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-56">
+ <title>Xen: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
+ could allow for privilege escalation.
+ </synopsis>
+ <product type="ebuild">xen</product>
+ <announced>2020-03-25</announced>
+ <revised count="1">2020-03-25</revised>
+ <bug>686024</bug>
+ <bug>699048</bug>
+ <bug>699996</bug>
+ <bug>702644</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-emulation/xen" auto="yes" arch="*">
+ <unaffected range="ge">4.12.0-r1</unaffected>
+ <vulnerable range="lt">4.12.0-r1</vulnerable>
+ </package>
+ <package name="app-emulation/xen-tools" auto="yes" arch="*">
+ <unaffected range="ge">4.12.0-r1</unaffected>
+ <vulnerable range="lt">4.12.0-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Xen is a bare-metal hypervisor.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Xen. Please review the
+ referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A local attacker could potentially gain privileges on the host system or
+ cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Xen users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.12.0-r1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12126">CVE-2018-12126</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12127">CVE-2018-12127</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12130">CVE-2018-12130</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12207">CVE-2018-12207</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12207">CVE-2018-12207</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11091">CVE-2019-11091</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11135">CVE-2019-11135</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18420">CVE-2019-18420</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18421">CVE-2019-18421</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18423">CVE-2019-18423</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18424">CVE-2019-18424</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18425">CVE-2019-18425</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19577">CVE-2019-19577</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19578">CVE-2019-19578</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19580">CVE-2019-19580</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19581">CVE-2019-19581</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19582">CVE-2019-19582</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19583">CVE-2019-19583</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-25T20:41:14Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-25T20:45:30Z">whissi</metadata>
+</glsa>
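Review bot: The `<affected>` block declares both `app-emulation/xen` and `app-emulation/xen-tools` vulnerable below 4.12.0-r1, but the `<resolution>` only instructs an upgrade of `app-emulation/xen`, so a host that has only xen-tools installed (a dom0 toolstack box) follows the advisory and stays on a vulnerable version. Add a second upgrade paragraph and code block for xen-tools, as below. Separately, `CVE-2018-12207` is listed twice in `<references>`; drop one of the two `<uri>` lines so the reference list is not padded.
```xml
  <resolution>
    <p>All Xen users should upgrade to the latest version:</p>
    <!-- … unchanged: app-emulation/xen emerge block … -->
    <p>All Xen Tools users should upgrade to the latest version:</p>

    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=app-emulation/xen-tools-4.12.0-r1"
    </code>

  </resolution>
```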
diff --git a/metadata/glsa/glsa-202003-57.xml b/metadata/glsa/glsa-202003-57.xml
new file mode 100644
index 000000000000..507ece2ce63b
--- /dev/null
+++ b/metadata/glsa/glsa-202003-57.xml
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-57">
+ <title>PHP: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in PHP, the worst of which
+ could result in the execution of arbitrary shell commands.
+ </synopsis>
+ <product type="ebuild">PHP</product>
+ <announced>2020-03-26</announced>
+ <revised count="1">2020-03-26</revised>
+ <bug>671872</bug>
+ <bug>706168</bug>
+ <bug>710304</bug>
+ <bug>713484</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-lang/php" auto="yes" arch="*">
+ <unaffected range="rge">7.2.29</unaffected>
+ <unaffected range="rge">7.3.16</unaffected>
+ <unaffected range="rge">7.4.4</unaffected>
+ <vulnerable range="lt">7.4.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PHP is an open source general-purpose scripting language that is
+ especially suited for web development.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PHP. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>An attacker could possibly execute arbitrary shell commands, cause a
+ Denial of Service condition or obtain sensitive information.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PHP 7.2.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.2.29"
+ </code>
+
+ <p>All PHP 7.3.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.3.16"
+ </code>
+
+ <p>All PHP 7.4.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.4"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19518">CVE-2018-19518</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7059">CVE-2020-7059</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7060">CVE-2020-7060</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7061">CVE-2020-7061</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7062">CVE-2020-7062</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7063">CVE-2020-7063</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7064">CVE-2020-7064</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7065">CVE-2020-7065</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7066">CVE-2020-7066</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-26T13:24:45Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-26T13:30:45Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-58.xml b/metadata/glsa/glsa-202003-58.xml
new file mode 100644
index 000000000000..7c15220be493
--- /dev/null
+++ b/metadata/glsa/glsa-202003-58.xml
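Review bot: `<product type="ebuild">PHP</product>` uses the upper-case project name where every other advisory in this batch puts the lower-case ebuild name in that field (`tor`, `samba`, `libvpx`, `qtcore`); suggest `<product type="ebuild">php</product>` so the series is consistent and the value matches the `dev-lang/php` atom it describes. Whether GLSA tooling compares the product value case-sensitively is not visible here, so this is raised as a consistency point rather than a functional one.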
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-58">
+ <title>UnZip: User-assisted execution of arbitrary code</title>
+ <synopsis>Multiple vulnerabilities have been found in UnZip, the worst of
+ which could result in the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">unzip</product>
+ <announced>2020-03-26</announced>
+ <revised count="1">2020-03-26</revised>
+ <bug>647008</bug>
+ <bug>691566</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-arch/unzip" auto="yes" arch="*">
+ <unaffected range="ge">6.0_p25</unaffected>
+ <vulnerable range="lt">6.0_p25</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Info-ZIP’s UnZip is a tool to list and extract files inside PKZIP
+ compressed files.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in UnZip. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted ZIP
+ archive using UnZip, possibly resulting in execution of arbitrary code
+ with the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All UnZip users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/unzip-6.0_p25"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000035">
+ CVE-2018-1000035
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13232">CVE-2019-13232</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-26T18:14:24Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-26T18:18:52Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-59.xml b/metadata/glsa/glsa-202003-59.xml
new file mode 100644
index 000000000000..b0f7f3f83180
--- /dev/null
+++ b/metadata/glsa/glsa-202003-59.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-59">
+ <title>libvpx: User-assisted execution of arbitrary code</title>
+ <synopsis>Multiple vulnerabilities have been found in libvpx, the worst of
+ which could result in the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">libvpx</product>
+ <announced>2020-03-26</announced>
+ <revised count="1">2020-03-26</revised>
+ <bug>701834</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="media-libs/libvpx" auto="yes" arch="*">
+ <unaffected range="rge">1.7.0-r1</unaffected>
+ <unaffected range="rge">1.8.1</unaffected>
+ <vulnerable range="lt">1.8.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libvpx is the VP8 codec SDK used to encode and decode video streams,
+ typically within a WebM format media file.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libvpx. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted media
+ file, possibly resulting in the execution of arbitrary code with the
+ privileges of the user running the application, or a Denial of Service.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libvpx 1.7.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libvpx-1.7.0-r1"
+ </code>
+
+ <p>All libvpx 1.8.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libvpx-1.8.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9232">CVE-2019-9232</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9325">CVE-2019-9325</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9371">CVE-2019-9371</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9433">CVE-2019-9433</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-26T18:33:42Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-26T18:39:39Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-60.xml b/metadata/glsa/glsa-202003-60.xml
new file mode 100644
index 000000000000..28bde54884a3
--- /dev/null
+++ b/metadata/glsa/glsa-202003-60.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-60">
+ <title>QtCore: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in QtCore, the worst of
+ which could result in the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">qtcore</product>
+ <announced>2020-03-26</announced>
+ <revised count="1">2020-03-26</revised>
+ <bug>699226</bug>
+ <bug>707354</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-qt/qtcore" auto="yes" arch="*">
+ <unaffected range="rge">5.12.3-r2</unaffected>
+ <unaffected range="rge">5.13.2-r2</unaffected>
+ <vulnerable range="lt">5.13.2-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Qt toolkit is a comprehensive C++ application development framework.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in QtCore. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could possibly execute arbitrary code with the privileges of
+ the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All QtCore 5.12.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtcore-5.12.3-r2"
+ </code>
+
+ <p>All QtCore 5.13.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtcore-5.13.2-r2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18281">CVE-2019-18281</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-0569">CVE-2020-0569</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-0570">CVE-2020-0570</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-26T18:45:51Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-26T18:51:32Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-61.xml b/metadata/glsa/glsa-202003-61.xml
new file mode 100644
index 000000000000..be2b54a87dcf
--- /dev/null
+++ b/metadata/glsa/glsa-202003-61.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-61">
+ <title>Adobe Flash Player: Remote execution of arbitrary code</title>
+ <synopsis>A vulnerability in Adobe Flash Player might allow remote attackers
+ to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">adobe-flash</product>
+ <announced>2020-03-26</announced>
+ <revised count="1">2020-03-26</revised>
+ <bug>709728</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-plugins/adobe-flash" auto="yes" arch="*">
+ <unaffected range="ge">32.0.0.330</unaffected>
+ <vulnerable range="lt">32.0.0.330</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Adobe Flash Player is a renderer for the SWF file format, which is
+ commonly used to provide interactive websites.
+ </p>
+ </background>
+ <description>
+ <p>A critical type confusion vulnerability was discovered in Adobe Flash
+ Player.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Adobe Flash users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-plugins/adobe-flash-32.0.0.330"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3757">CVE-2020-3757</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-26T18:59:40Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-26T19:02:22Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-62.xml b/metadata/glsa/glsa-202003-62.xml
new file mode 100644
index 000000000000..659c68b6d685
--- /dev/null
+++ b/metadata/glsa/glsa-202003-62.xml
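Review bot: The emerge command in the `<code>` block is wrapped after `--verbose`, leaving the atom `">=www-plugins/adobe-flash-32.0.0.330"` on a line of its own, so the rendered advisory shows what looks like two commands and a copy-paste runs emerge with no atom followed by a "command not found" for the quoted string. Keep the command on one line as the other single-package advisories in this batch do: `# emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-32.0.0.330"`. If the GLSA renderer is known to join wrapped lines inside `<code>`, this is cosmetic only; that is not visible from the diff.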
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-62">
+ <title>GNU Screen: Buffer overflow</title>
+ <synopsis>A buffer overflow in GNU Screen might allow remote attackers to
+ corrupt memory.
+ </synopsis>
+ <product type="ebuild">screen</product>
+ <announced>2020-03-30</announced>
+ <revised count="1">2020-03-30</revised>
+ <bug>708460</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-misc/screen" auto="yes" arch="*">
+ <unaffected range="ge">4.8.0</unaffected>
+ <vulnerable range="lt">4.8.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GNU Screen is a full-screen window manager that multiplexes a physical
+ terminal between several processes, typically interactive shells.
+ </p>
+ </background>
+ <description>
+ <p>A buffer overflow was found in the way GNU Screen treated the special
+ escape OSC 49.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by writing a specially crafted string of characters
+ to a GNU Screen window, could possibly corrupt memory or have other
+ unspecified impact.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GNU Screen users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-misc/screen-4.8.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9366">CVE-2020-9366</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-30T05:50:23Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2020-03-30T14:41:12Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-63.xml b/metadata/glsa/glsa-202003-63.xml
new file mode 100644
index 000000000000..475b97bc2874
--- /dev/null
+++ b/metadata/glsa/glsa-202003-63.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-63">
+ <title>GNU IDN Library 2: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in GNU IDN Library 2, the
+ worst of which could result in the remote execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">libidn2</product>
+ <announced>2020-03-30</announced>
+ <revised count="1">2020-03-30</revised>
+ <bug>697752</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="net-dns/libidn2" auto="yes" arch="*">
+ <unaffected range="ge">2.2.0</unaffected>
+ <vulnerable range="lt">2.2.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GNU IDN Library 2 is an implementation of the IDNA2008 + TR46
+ specifications (RFC 5890, RFC 5891, RFC 5892, RFC 5893, TR 46).
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GNU IDN Library 2.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could send specially crafted input, possibly resulting
+ in execution of arbitrary code with the privileges of the process,
+ impersonation of domains or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GNU IDN Library 2 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dns/libidn2-2.2.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12290">CVE-2019-12290</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18224">CVE-2019-18224</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-30T14:23:33Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-30T14:45:26Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-64.xml b/metadata/glsa/glsa-202003-64.xml
new file mode 100644
index 000000000000..1b7c239fd3ba
--- /dev/null
+++ b/metadata/glsa/glsa-202003-64.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-64">
+ <title>libxls: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libxls, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">libxls</product>
+ <announced>2020-03-30</announced>
+ <revised count="1">2020-03-30</revised>
+ <bug>638336</bug>
+ <bug>674006</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-libs/libxls" auto="yes" arch="*">
+ <unaffected range="ge">1.5.2</unaffected>
+ <vulnerable range="lt">1.5.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libxls is a C library for reading Excel files in the nasty old binary
+ OLE format, plus a command-line tool for converting XLS to CSV.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libxls. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to process a specially crafted
+ Excel file using libxls, possibly resulting in execution of arbitrary
+ code with the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libxls users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/libxls-1.5.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12110">CVE-2017-12110</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12111">CVE-2017-12111</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2896">CVE-2017-2896</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2897">CVE-2017-2897</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2919">CVE-2017-2919</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20450">CVE-2018-20450</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20452">CVE-2018-20452</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-28T22:19:47Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2020-03-30T14:52:32Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-65.xml b/metadata/glsa/glsa-202003-65.xml
new file mode 100644
index 000000000000..2ca8be185357
--- /dev/null
+++ b/metadata/glsa/glsa-202003-65.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-65">
+ <title>FFmpeg: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in FFmpeg, the worst of
+ which allows remote attackers to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">ffmpeg</product>
+ <announced>2020-03-30</announced>
+ <revised count="1">2020-03-30</revised>
+ <bug>660924</bug>
+ <bug>692418</bug>
+ <bug>711144</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="media-video/ffmpeg" auto="yes" arch="*">
+ <unaffected range="ge">4.2.0</unaffected>
+ <vulnerable range="ge">4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FFmpeg is a complete, cross-platform solution to record, convert and
+ stream audio and video.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in FFmpeg. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user or automated system using FFmpeg
+ to process a specially crafted file, resulting in the execution of
+ arbitrary code or a Denial of Service.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All FFmpeg 4.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-4.2.0"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10001">CVE-2018-10001</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6912">CVE-2018-6912</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7557">CVE-2018-7557</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7751">CVE-2018-7751</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9841">CVE-2018-9841</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12730">CVE-2019-12730</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13312">CVE-2019-13312</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13390">CVE-2019-13390</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17539">CVE-2019-17539</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17542">CVE-2019-17542</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-20T05:25:46Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2020-03-30T15:05:02Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202003-66.xml b/metadata/glsa/glsa-202003-66.xml
new file mode 100644
index 000000000000..d1f66e504218
--- /dev/null
+++ b/metadata/glsa/glsa-202003-66.xml
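Review bot: The affected block pairs `<vulnerable range="ge">4</vulnerable>` with `<unaffected range="ge">4.2.0</unaffected>`, so the two ranges overlap and the file is only read correctly because the consumer lets an unaffected match override a vulnerable one; every other advisory in this series bounds the vulnerable set with `range="lt"`. The resolution text `All FFmpeg 4.x users should upgrade` suggests the 4.x series alone is in scope, but the raw XML does not say whether older branches are unaffected or simply unassessed. If the former, an explicit `<unaffected>` entry for the older branch would make the data self-describing; if the latter, the current form is defensible but worth a word in the description.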
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202003-66">
+ <title>QEMU: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in QEMU, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">qemu</product>
+ <announced>2020-03-30</announced>
+ <revised count="1">2020-03-30</revised>
+ <bug>709490</bug>
+ <bug>711334</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-emulation/qemu" auto="yes" arch="*">
+ <unaffected range="ge">4.2.0-r2</unaffected>
+ <vulnerable range="lt">4.2.0-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>QEMU is a generic and open source machine emulator and virtualizer.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in QEMU. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could possibly execute arbitrary code with the privileges of
+ the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All QEMU users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/qemu-4.2.0-r2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13164">CVE-2019-13164</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8608">CVE-2020-8608</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-03-15T02:14:50Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-03-30T15:14:47Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202004-01.xml b/metadata/glsa/glsa-202004-01.xml
new file mode 100644
index 000000000000..a88cde25a8a9
--- /dev/null
+++ b/metadata/glsa/glsa-202004-01.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202004-01">
+ <title>HAProxy: Remote execution of arbitrary code</title>
+ <synopsis>A vulnerability in HAProxy might lead to remote execution of
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">haproxy</product>
+ <announced>2020-04-01</announced>
+ <revised count="1">2020-04-01</revised>
+ <bug>701842</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-proxy/haproxy" auto="yes" arch="*">
+ <unaffected range="rge">1.8.23</unaffected>
+ <unaffected range="rge">1.9.13</unaffected>
+ <unaffected range="rge">2.0.10</unaffected>
+ <vulnerable range="lt">2.0.10</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>HAProxy is a TCP/HTTP reverse proxy for high availability environments.</p>
+ </background>
+ <description>
+ <p>It was discovered that HAProxy incorrectly handled certain HTTP/2
+ headers.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker could send a specially crafted HTTP/2 header, possibly
+ resulting in execution of arbitrary code with the privileges of the
+ process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All HAProxy 1.8.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-1.8.23"
+ </code>
+
+ <p>All HAProxy 1.9.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-1.9.13"
+ </code>
+
+ <p>All HAProxy 2.0.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-proxy/haproxy-2.0.10"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19330">CVE-2019-19330</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-01T19:22:40Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-04-01T19:28:55Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202004-02.xml b/metadata/glsa/glsa-202004-02.xml
new file mode 100644
index 000000000000..33129dd64c29
--- /dev/null
+++ b/metadata/glsa/glsa-202004-02.xml
@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202004-02">
+ <title>VirtualBox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in VirtualBox, the worst
+ of which could allow an attacker to take control of VirtualBox.
+ </synopsis>
+ <product type="ebuild">virtualbox</product>
+ <announced>2020-04-01</announced>
+ <revised count="1">2020-04-01</revised>
+ <bug>714064</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-emulation/virtualbox" auto="yes" arch="*">
+ <unaffected range="rge">5.2.36</unaffected>
+ <unaffected range="rge">6.0.16</unaffected>
+ <unaffected range="rge">6.1.2</unaffected>
+ <vulnerable range="lt">6.1.2</vulnerable>
+ </package>
+ <package name="app-emulation/virtualbox-bin" auto="yes" arch="*">
+ <unaffected range="rge">5.2.36</unaffected>
+ <unaffected range="rge">6.0.16</unaffected>
+ <unaffected range="rge">6.1.2</unaffected>
+ <vulnerable range="lt">6.1.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>VirtualBox is a powerful virtualization product from Oracle.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in VirtualBox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could take control of VirtualBox resulting in the execution
+ of arbitrary code with the privileges of the process, a Denial of Service
+ condition, or other unspecified impacts.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All VirtualBox 5.2.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-5.2.36"
+ </code>
+
+ <p>All VirtualBox 6.0.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.0.16"
+ </code>
+
+ <p>All VirtualBox 6.1.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.2"
+ </code>
+
+ <p>All VirtualBox binary 5.2.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=app-emulation/virtualbox-bin-5.2.36"
+ </code>
+
+ <p>All VirtualBox binary 6.0.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=app-emulation/virtualbox-bin-6.0.16"
+ </code>
+
+ <p>All VirtualBox binary 6.1.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=app-emulation/virtualbox-bin-6.1.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2926">CVE-2019-2926</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2944">CVE-2019-2944</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2984">CVE-2019-2984</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3002">CVE-2019-3002</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3005">CVE-2019-3005</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3017">CVE-2019-3017</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3021">CVE-2019-3021</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3026">CVE-2019-3026</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3028">CVE-2019-3028</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3031">CVE-2019-3031</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2674">CVE-2020-2674</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2678">CVE-2020-2678</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2681">CVE-2020-2681</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2682">CVE-2020-2682</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2689">CVE-2020-2689</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2690">CVE-2020-2690</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2691">CVE-2020-2691</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2692">CVE-2020-2692</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2693">CVE-2020-2693</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2698">CVE-2020-2698</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2702">CVE-2020-2702</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2703">CVE-2020-2703</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2704">CVE-2020-2704</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2705">CVE-2020-2705</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2725">CVE-2020-2725</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2726">CVE-2020-2726</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2727">CVE-2020-2727</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-01T19:35:27Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-04-01T19:41:08Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202004-03.xml b/metadata/glsa/glsa-202004-03.xml
new file mode 100644
index 000000000000..66862b17b0e6
--- /dev/null
+++ b/metadata/glsa/glsa-202004-03.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202004-03">
+ <title>GPL Ghostscript: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in GPL Ghostscript, the
+ worst of which could result in the execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">ghostscript</product>
+ <announced>2020-04-01</announced>
+ <revised count="1">2020-04-01</revised>
+ <bug>676264</bug>
+ <bug>692106</bug>
+ <bug>693002</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-text/ghostscript-gpl" auto="yes" arch="*">
+ <unaffected range="ge">9.28_rc4</unaffected>
+ <vulnerable range="lt">9.28_rc4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to process a specially crafted
+ file using GPL Ghostscript, possibly resulting in execution of arbitrary
+ code with the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GPL Ghostscript users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=app-text/ghostscript-gpl-9.28_rc4"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10216">CVE-2019-10216</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14811">CVE-2019-14811</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14812">CVE-2019-14812</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14813">CVE-2019-14813</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14817">CVE-2019-14817</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3835">CVE-2019-3835</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3838">CVE-2019-3838</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6116">CVE-2019-6116</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-01T19:47:46Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-04-01T19:50:31Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202004-04.xml b/metadata/glsa/glsa-202004-04.xml
new file mode 100644
index 000000000000..aae687ae7b93
--- /dev/null
+++ b/metadata/glsa/glsa-202004-04.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202004-04">
+ <title>Qt WebEngine: Arbitrary code execution</title>
+ <synopsis>A heap use-after-free flaw in Qt WebEngine at worst might allow an
+ attacker to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">qtwebengine</product>
+ <announced>2020-04-01</announced>
+ <revised count="1">2020-04-01</revised>
+ <bug>699328</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-qt/qtwebengine" auto="yes" arch="*">
+ <unaffected range="ge">5.14.1</unaffected>
+ <vulnerable range="lt">5.14.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Library for rendering dynamic web content in Qt5 C++ and QML
+ applications.
+ </p>
+ </background>
+ <description>
+ <p>A use-after-free vulnerability has been found in the audio component of
+ Qt WebEngine.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted media
+ file in an application linked against Qt WebEngine, possibly resulting in
+ execution of arbitrary code with the privileges of the process or a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Qt WebEngine users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.14.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13720">CVE-2019-13720</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-01T19:59:12Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-04-01T20:04:23Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202004-05.xml b/metadata/glsa/glsa-202004-05.xml
new file mode 100644
index 000000000000..7b9d4af2f95b
--- /dev/null
+++ b/metadata/glsa/glsa-202004-05.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202004-05">
+ <title>ledger: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in ledger, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">ledger</product>
+ <announced>2020-04-01</announced>
+ <revised count="1">2020-04-01</revised>
+ <bug>627060</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-office/ledger" auto="yes" arch="*">
+ <unaffected range="ge">3.1.2</unaffected>
+ <vulnerable range="lt">3.1.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ledger is a powerful, double-entry accounting system that is accessed
+ from the UNIX command-line.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in ledger. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to process a specially crafted
+ file using ledger, possibly resulting in execution of arbitrary code with
+ the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ledger users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-office/ledger-3.1.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12481">CVE-2017-12481</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12482">CVE-2017-12482</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2807">CVE-2017-2807</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2808">CVE-2017-2808</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-01T20:22:30Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-04-01T20:25:33Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202004-06.xml b/metadata/glsa/glsa-202004-06.xml
new file mode 100644
index 000000000000..5e8ca1511cbf
--- /dev/null
+++ b/metadata/glsa/glsa-202004-06.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202004-06">
+ <title>GnuTLS: DTLS protocol regression</title>
+ <synopsis>A regression in GnuTLS breaks the security guarantees of the DTLS
+ protocol.
+ </synopsis>
+ <product type="ebuild">gnutls</product>
+ <announced>2020-04-02</announced>
+ <revised count="1">2020-04-02</revised>
+ <bug>715602</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="net-libs/gnutls" auto="yes" arch="*">
+ <unaffected range="ge">3.6.13</unaffected>
+ <vulnerable range="lt">3.6.13</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GnuTLS is an Open Source implementation of the TLS and SSL protocols.</p>
+ </background>
+ <description>
+ <p>It was discovered that DTLS client did not contribute any randomness to
+ the DTLS negotiation.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced advisory for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GnuTLS users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/gnutls-3.6.13"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31">
+ GNUTLS-SA-2020-03-31
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-02T22:03:22Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-04-02T23:01:11Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202004-07.xml b/metadata/glsa/glsa-202004-07.xml
new file mode 100644
index 000000000000..cf8709bebe4e
--- /dev/null
+++ b/metadata/glsa/glsa-202004-07.xml
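Review bot: The `<impact>` element of 202004-06 carries only `Please review the referenced advisory for details`, so the one file in this series that describes a cryptographic weakness rather than memory corruption is also the one whose impact a reader cannot get without leaving the tree. The synopsis and description already contain the substance, so the paragraph could state it directly, e.g. `<p>Because the DTLS client contributes no randomness to the negotiation, the security guarantees of the DTLS protocol no longer hold for affected clients.</p>`. Separately, `<references>` lists only the upstream GNUTLS-SA entry; if a CVE identifier has been assigned for this issue it should be added as a second `<uri>` (`https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNNN`, placeholder) so that CVE-keyed tooling finds the advisory like it does for the other files here.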
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202004-07">
+ <title>Mozilla Firefox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
+ worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">firefox</product>
+ <announced>2020-04-04</announced>
+ <revised count="1">2020-04-04</revised>
+ <bug>716098</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="rge">68.6.1</unaffected>
+ <unaffected range="rge">74.0.1</unaffected>
+ <vulnerable range="lt">74.0.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla
+ Project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to view a specially crafted web
+ page, possibly resulting in the execution of arbitrary code with the
+ privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox ESR users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-68.6.1"
+ </code>
+
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-74.0.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6819">CVE-2020-6819</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6820">CVE-2020-6820</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/">
+ MFSA-2020-11
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-04T10:59:17Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-04-04T11:03:31Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202004-08.xml b/metadata/glsa/glsa-202004-08.xml
new file mode 100644
index 000000000000..2bccb96214e5
--- /dev/null
+++ b/metadata/glsa/glsa-202004-08.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202004-08">
+ <title>libssh: Denial of Service</title>
+ <synopsis>A vulnerability in libssh could allow a remote attacker to cause a
+ Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">libssh</product>
+ <announced>2020-04-10</announced>
+ <revised count="1">2020-04-10</revised>
+ <bug>716788</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/libssh" auto="yes" arch="*">
+ <unaffected range="ge">0.9.4</unaffected>
+ <vulnerable range="lt">0.9.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libssh is a multiplatform C library implementing the SSHv2 protocol on
+ client and server side.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that libssh could crash when AES-CTR ciphers are used.</p>
+ </description>
+ <impact type="low">
+ <p>A remote attacker running a malicious client or server could possibly
+ crash the counterpart implemented with libssh and cause a Denial of
+ Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>Disable AES-CTR ciphers. If you implement a server using libssh it is
+ recommended to use a prefork model so each session runs in an own
+ process.
+ </p>
+ </workaround>
+ <resolution>
+ <p>All libssh users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.9.4"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1730">CVE-2020-1730</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-10T21:38:04Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-04-10T21:45:49Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202004-09.xml b/metadata/glsa/glsa-202004-09.xml
new file mode 100644
index 000000000000..90297ed5e841
--- /dev/null
+++ b/metadata/glsa/glsa-202004-09.xml
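Review bot: In the `<workaround>` paragraph of 202004-08, `so each session runs in an own process` should read `so each session runs in its own process`. The preceding sentence also mixes advice for two audiences, users who can drop AES-CTR from their cipher list and developers who embed libssh in a server; splitting it into two sentences, `Disable AES-CTR ciphers.` for the former and `If you implement a server using libssh, use a prefork model so that each session runs in its own process.` for the latter, reads more cleanly without changing what is recommended.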
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202004-09">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could allow remote attackers to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">chrome,chromium</product>
+ <announced>2020-04-10</announced>
+ <revised count="1">2020-04-10</revised>
+ <bug>715720</bug>
+ <bug>716612</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">81.0.4044.92</unaffected>
+ <vulnerable range="lt">81.0.4044.92</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">81.0.4044.92</unaffected>
+ <vulnerable range="lt">81.0.4044.92</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted HTML
+ or multimedia file using Chromium or Google Chrome, possibly resulting in
+ execution of arbitrary code with the privileges of the process or a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/chromium-81.0.4044.92"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/google-chrome-81.0.4044.92"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6423">CVE-2020-6423</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6430">CVE-2020-6430</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6431">CVE-2020-6431</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6432">CVE-2020-6432</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6433">CVE-2020-6433</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6434">CVE-2020-6434</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6435">CVE-2020-6435</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6436">CVE-2020-6436</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6437">CVE-2020-6437</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6438">CVE-2020-6438</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6439">CVE-2020-6439</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6440">CVE-2020-6440</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6441">CVE-2020-6441</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6442">CVE-2020-6442</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6443">CVE-2020-6443</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6444">CVE-2020-6444</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6445">CVE-2020-6445</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6446">CVE-2020-6446</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2020-6447">CVE-2020-6447</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6448">CVE-2020-6448</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6450">CVE-2020-6450</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6451">CVE-2020-6451</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6452">CVE-2020-6452</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6454">CVE-2020-6454</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6455">CVE-2020-6455</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6456">CVE-2020-6456</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-10T21:58:24Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-04-10T22:01:27Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 166b262f78ad..5259482477da 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 29 Feb 2020 17:08:53 +0000
+Sun, 12 Apr 2020 01:38:54 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 14ac9c2950b4..e60cae01f3fc 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-751af6f91da06f53265195cff434eb66a145af73 1574641117 2019-11-25T00:18:37+00:00
+f2cb9b0eb0e16fd065838568dbe36727be807027 1586556154 2020-04-10T22:02:34+00:00 |
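Review bot: Both `<code>` blocks in the `<resolution>` section wrap the upgrade command across two lines, so if the renderer preserves line breaks inside `<code>` (as the libssh advisory in this commit, which keeps its atom on the command line, suggests it does) a user copying the text runs `emerge --ask --oneshot --verbose` with no atom and then a second line that is only the quoted atom. Keep each command on one line, `# emerge --ask --oneshot --verbose ">=www-client/chromium-81.0.4044.92"`, or end the first line with a backslash continuation so the wrapped form is still valid shell. The google-chrome block directly below it needs the same change.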