6 files changed, 122 insertions, 17 deletions

diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 3a453797f35a..78f736bcbf9f 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 415966 BLAKE2B 664ebf4d322399166469a6cd167dfeeba8ecc3b61712e950abcb3c63c18cca02140bfaa206e2eb06bb1476d73682fe2d76e35b8a94dc0228c60af02e86c19a87 SHA512 7d06c7f62e8712502202c5d9e88cc501b34d79560f0bdd5e1f5907dc55cbc791a6d1c654b9e913106a8a96545f88c154fb9731c255532e719a8a5c200a14acc3
-TIMESTAMP 2018-01-26T14:38:30Z
+MANIFEST Manifest.files.gz 416281 BLAKE2B 9f5d0005cdae01ce5134efdc393aef2fa9e4486317293d473758f4b6f8a874ce6ac4b387a4d8c46338853ea09d96165ac399c906f15c28230dbfd8e95d4cdf26 SHA512 abd62c080ba1aa5d4609732620883228f3aa81aa544122207a98ca33c50401945a5d524cfb277af684f89fcc0fb6bc394206dcd88925ddccd9d1d6a9ee4a9949
+TIMESTAMP 2018-01-27T17:08:31Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlprPWZfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlpssg9fFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klAxYxAAtH5Pn1i40vUGCtIsp4f1t1qbaZnVY3CbZMv0bfi/E7+TnjYiViX9+fUQ
-DlCuP4Iw6znGILlmaHqWBfm3Vp3UbsM/25Hdh5EGLS+aTWqZYVpURLg0Xbbt3j4c
-WN5XQj1Mr55r3Wf4AsltBrlJ97s0PGgaWETQKt6svF8pBWLVtzXLLsKTcHGey5r+
-enF89cUYCKfZ3RPYkPjPpy40v1rU1IE6S+B2wX4Obg74Y20iZQV+e+pV/yNcd1nQ
-NJWCQ9fcoOUBqD5/J0lDACt+Rvv0QVoc2FZDwfJ9wEmcrT6mWtaMz2TuXybfnZkW
-aUgJBXDz/kFqNkMyOs67r/3hUH0oUw7lgshURs+mQrlE4+ddCetu4b08Bo5pye5u
-qVUq3EGUQ2m91DXH3KlN0CPBOWOF0GjG/l7O2L54pB7MUXMuNc8u1mMqF8uhD6JF
-fXZHdb2y7Ww1fLmkPNq0iH5XrrITWM5RqpWFmzCBv8vLFvWR+dZ6GnPClWKjOQBo
-vgRm2sGo26y+HZUthSXhB11iDlVxNmSye048wDDjsmzFyyqMBgUECOdBvtsK5z8n
-eOvBG7sT1c4S6/jHpr6A+pP9S5rIl3ddVjx7VffVNARcTmRwE8f6t2DmNOf37W/N
-/G39PeQvyKCYpTK2hCJZW+pEDvBio9o7wy/4L0CO0OKauXpIkwY=
-=w/A2
+klB8lhAAshl8/IWz7rA9DB2LulqcTCA31/LKk/nK+H7hsIQDDkhX+H4w3vpeadnO
+qnpSOQ0L3zb/zbXt9IMp8TYY2hiurjsBkg9RF4MEp0UqlLRFLEBX4KzzNYBCABkE
+NOi8xHI/rSzFTWLgWMiN9pN3BvBgUyOdODnOZoeRHqY4RQBuIwjS4OLCcRug5eCq
+pEEm6dqO3e17aITB1SmU0LrO8vsLEeC5X9MzGJQq6MzwjmdvNG0S0r4+gBD/ivMO
+VFfZzvVkquHxgIp0yVjER0cZtN8VFEE6VdYZk8GAQaDyDcA+NoP0WxG9BhsNiO7x
+z+TsF7FBshJvTCkVYYy3B98yeVGukzcWB9qlNPlx0FkFQuXOuqjHEMIRqE1nXsl/
+oHZV0DDTDe5piS/YIGRnRpY8HbNzPywL5NLupMocQ0UoSHrZLj+8kWFUIXxL1PzU
+E+2Fdqve4fCGH+WZ5Ia3YSOHlEHsvl/eK1mXcC1q1t57x9JUj8Aw//mce5MjKseR
+qpnD5FaqsT3jF0eOtEkPXe1Zz4CQXLWFTbkkp+G/3oiDvMKG3voYHmTNGTwked7o
+opS6Ry90UDZkw/R2jLct/fgANBN2odyMgKNX7/Aoxe2rzSAyzHvtQbFdrGmdHvQp
+0np7gMefh/gqoO77LO/wuNSi1icNrf0zteOgiQrzOvxN3YtEx7s=
+=LbIQ
 -----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index f87efb13feb5..f87abaa3fa80 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
diff --git a/metadata/glsa/glsa-201801-19.xml b/metadata/glsa/glsa-201801-19.xml
new file mode 100644
index 000000000000..42b4b79dfcef
--- /dev/null
+++ b/metadata/glsa/glsa-201801-19.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-19">
+  <title>ClamAV: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in ClamAV, the worst of
+    which may allow execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">clamav</product>
+  <announced>2018-01-26</announced>
+  <revised count="1">2018-01-26</revised>
+  <bug>645794</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-antivirus/clamav" auto="yes" arch="*">
+      <unaffected range="ge">0.99.3</unaffected>
+      <vulnerable range="lt">0.99.3</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>ClamAV is a GPL virus scanner.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in ClamAV. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="high">
+    <p>A remote attacker could cause ClamAV to scan a specially crafted file,
+      possibly resulting in execution of arbitrary code with the privileges of
+      the process or cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All ClamAV users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-antivirus/clamav-0.99.3"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12374">CVE-2017-12374</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12375">CVE-2017-12375</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12376">CVE-2017-12376</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12377">CVE-2017-12377</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12378">CVE-2017-12378</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12379">CVE-2017-12379</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12380">CVE-2017-12380</uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-26T15:58:04Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2018-01-26T16:14:41Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201801-20.xml b/metadata/glsa/glsa-201801-20.xml
new file mode 100644
index 000000000000..f5f2e01a30c4
--- /dev/null
+++ b/metadata/glsa/glsa-201801-20.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-20">
+  <title>Fossil: User-assisted execution of arbitrary code</title>
+  <synopsis>A vulnerability has been discovered in Fossil allowing for
+    user-assisted remote execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">fossil</product>
+  <announced>2018-01-27</announced>
+  <revised count="1">2018-01-27</revised>
+  <bug>640208</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-vcs/fossil" auto="yes" arch="*">
+      <unaffected range="ge">2.4</unaffected>
+      <vulnerable range="lt">2.4</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Fossil is a simple, high-reliability, distributed software configuration
+      management system.
+    </p>
+  </background>
+  <description>
+    <p>Fossil does not properly validate SSH sync protocol URLs.</p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to open a specially crafted URL,
+      could possibly execute arbitrary commands with the privileges of the user
+      running the application.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Fossil users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-vcs/fossil-2.4"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17459">CVE-2017-17459</uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-22T21:39:18Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2018-01-27T17:00:59Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 3e5d4982e927..d12dcf7f326f 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Fri, 26 Jan 2018 14:38:27 +0000
+Sat, 27 Jan 2018 17:08:28 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 473792849815..70bcad55b1d5 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-1f7488673c3108de82dfc31b7c1132230e991834 1516196748 2018-01-17T13:45:48+00:00
+d8a17c05c216f757bca7ba612006419934a11158 1517072516 2018-01-27T17:01:56+00:00