Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin 449006 -> 449650 bytes
-rw-r--r-- | metadata/glsa/glsa-201911-01.xml | 55
-rw-r--r-- | metadata/glsa/glsa-201911-02.xml | 49
-rw-r--r-- | metadata/glsa/glsa-201911-03.xml | 51
-rw-r--r-- | metadata/glsa/glsa-201911-04.xml | 50
-rw-r--r-- | metadata/glsa/timestamp.chk | 2
-rw-r--r-- | metadata/glsa/timestamp.commit | 2
8 files changed, 222 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 78865332cded..18510522be00 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest 
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 449006 BLAKE2B ab32207f84ac7631fd8d236fe1aa63e88587b06e44eb1809cd72818ffb95ebb8390c250d5ab1ac5b1ac80968c4cef20897786383d93e0f140f7f1be52e7cb314 SHA512 d97241a68516a4c88a2d1afe7dac7dc36b0124cf3186aca88c595b3e66875bc4c66530c9b1c5221bf584a799c385182af538ea678c6f87418d9749030c73d619 -TIMESTAMP 2019-11-03T15:08:53Z +MANIFEST Manifest.files.gz 449650 BLAKE2B 6dfe5b538aa8b27b7721085ca1d3a95579aa48824a42a42364ccb72b1f7baa7bc26c011da790724df4295cd519d468b71fae3df528eab5759be66024501331e7 SHA512 03849ba6f05a9e0d0908f12dafc8617ccb9340589e1896fd94eee10ac300f2dd1f1ad6a5665cae101a1d1bde150bd80adb13e634a464090c266b5a2d73696783 +TIMESTAMP 2019-11-10T12:38:51Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl2+7YVfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl3IBNtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klA/hQ//Q90V3h1hPpFXA3KueeVXekIVjVAOoiEaYpjsn0KP8JVZGAsMjyF2KOfV -Q2zX1Pfb2KSPI/RR1z92BMd+CBtLcQvx6I0vhk0ZCGk/6cyr95q4a4ekeA+V3xOU -HqYK4ary3q5RD2ns79nCpMtOYH6k4g6W9DGX0RRdMKW44c110o3XjDHgtQcc4SKx -83Y/oAk8nmQ3J1TiBIuF2Rz5dOQPgqxI3ojcIteIHYnC4vRZX7HKCN9dGd3JFzv8 -jDxHWeTv5gCEfz2qSsU6oMA3cEfhOQv/8wPut9BtkOIQxgVcDp/ofIVRH6ijul9n -UNgtF/+4ERwsADw+VABy+B1AlU+ivz4xclnjeaYEWivt2kc+17KFgTR5eM7rooj9 -6xmm6OzI/ZSiblWfo7lquiqUQErZpjLxJOFck8JJnXmHpYdQfkrAm2+d1/Us/Dl7 -XcQpC/dSz8rDnRgjhBVjn8q6tJs1o/4nI4EvX4au5KLOYZueRE5wTNuSGRHrS/sM -481wDpIecIRa/lIocojNSfxVL8wNSp17KcjMfiev2yDj9/cb6N5d9Ae/QzGLiXPc -fM6/FyEbkUq7Lk4kOIiD5+5COdCQ32uyUaqP1zu5NPI9XzDaQte8TyB6OeUu59UX -yjHGtaYKKqs4SiIlbbRKkHUDUis7+Xh8AyQgFYaTh4ZlpNWJ2a0= -=VLza +klAmrw/8DDnp1Ulnol/LTLw4vdpOxPFbJ3z0l/9Y2xlN+iU3ypJTwTtrlkgS3Oka +6zelLJq2t3XQI3ypcq4WlGWb9dTmDHnwTYMt75U8gX1VgqO15z8HyHVy626r4ZQ2 +EEPWdoN9kG8E0XjJQpSq6WXc/q6dAOuQY9zsiVadDofz5Ffb92fquCqrqZG7Wz3h 
+AgA8C8tTNwRINnwQDEZt4F0Mtg5/pgubA5sJsMrkvFymh78qtVOSrGuk/u0mpqxr +KgapGqMOrt/Uy4JsvRb9WAdkBPpVc/MFoKoZ2w8if0BTFrz6NasSRqy7GVN8Tkzh +rA0IY9C05YzRItFSDpxP/UgHxY/aIOJ/WIqtikbKqspqgxfHmpkOVJG8kRjS298g +R0S4EhoOxVK37E0TEgoJycfp5OY7oZyMxV5V4BhLeoAxuh8Vgf+NQLZIIUQzUiJP +6alKZGSGYggPG+qgU7tm8dfG9FMfemLSfRc+4Mf73U0hGFbUyWvOwtTtuEYueGXK +KdCRtfnVYOBbFB5OKNWe2r3NpDZgLF6ETc6DvTfQWRVLuSqztQM8in4Drui3weSt +6HA4cQ+tq2HbBCsl9vdB6Q7S5YbROpkKOjK8qoOO595ZiwgTrpph8t2739Q2vm6t +SKKKMNOxYtESFr4/ruvqLYWNstzVx+8nD9xP2vdY4JeAmJyXk0w= +=VA/Y -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 676b6a27efd7..e9c74c8bb513 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-201911-01.xml b/metadata/glsa/glsa-201911-01.xml new file mode 100644 index 000000000000..e87f7485d76b --- /dev/null +++ b/metadata/glsa/glsa-201911-01.xml 
@@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201911-01"> + <title>OpenSSH: Integer overflow</title> + <synopsis>An integer overflow in OpenSSH might allow an attacker to execute + arbitrary code. + </synopsis> + <product type="ebuild">openssh</product> + <announced>2019-11-07</announced> + <revised count="1">2019-11-07</revised> + <bug>697046</bug> + <access>remote</access> + <affected> + <package name="net-misc/openssh" auto="yes" arch="*"> + <unaffected range="ge">8.0_p1-r4</unaffected> + <vulnerable range="ge">8.0_p1-r2</vulnerable> + </package> + </affected> + <background> + <p>OpenSSH is a complete SSH protocol implementation that includes SFTP + client and server support. + </p> + </background> + <description> + <p>OpenSSH, when built with “xmss” USE flag enabled, has a + pre-authentication integer overflow if a client or server is configured + to use a crafted XMSS key. + </p> + + <p>NOTE: This USE flag is disabled by default!</p> + </description> + <impact type="normal"> + <p>A remote attacker could connect to a vulnerable OpenSSH server using a + special crafted XMSS key possibly resulting in execution of arbitrary + code with the privileges of the process or a Denial of Service condition. + </p> + </impact> + <workaround> + <p>Disable XMSS key type.</p> + </workaround> + <resolution> + <p>All OpenSSH users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=net-misc/openssh/openssh-8.0_p1-r4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16905">CVE-2019-16905</uri> + </references> + <metadata tag="requester" timestamp="2019-10-26T14:48:28Z">whissi</metadata> + <metadata tag="submitter" timestamp="2019-11-07T19:01:23Z">whissi</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-201911-02.xml b/metadata/glsa/glsa-201911-02.xml new file mode 100644 index 000000000000..8d4d4b4254c8 --- /dev/null +++ b/metadata/glsa/glsa-201911-02.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201911-02"> + <title>pump: User-assisted execution of arbitrary code</title> + <synopsis>A buffer overflow in pump might allow remote attacker to execute + arbitrary code. + </synopsis> + <product type="ebuild">pump</product> + <announced>2019-11-07</announced> + <revised count="1">2019-11-07</revised> + <bug>694314</bug> + <access>remote</access> + <affected> + <package name="net-misc/pump" auto="yes" arch="*"> + <vulnerable range="le">0.8.24-r4</vulnerable> + </package> + </affected> + <background> + <p>BOOTP and DHCP client for automatic IP configuration.</p> + </background> + <description> + <p>It was discovered that there was an arbitrary code execution + vulnerability in the pump DHCP/BOOTP client. + </p> + </description> + <impact type="normal"> + <p>A remote attacker, by enticing a user to connect to a malicious server, + could cause the execution of arbitrary code with the privileges of the + user running pump DHCP/BOOTP client. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>Gentoo has discontinued support for pump. We recommend that users + unmerge pump: + </p> + + <code> + # emerge --unmerge "net-misc/pump" + </code> + </resolution> + <references> + <uri link="https://bugs.debian.org/933674">Debian Bug Report 933674</uri> + </references> + <metadata tag="requester" timestamp="2019-10-26T18:02:26Z">whissi</metadata> + <metadata tag="submitter" timestamp="2019-11-07T19:05:32Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201911-03.xml b/metadata/glsa/glsa-201911-03.xml new file mode 100644 index 000000000000..0d7dff81e1d8 --- /dev/null 
+++ b/metadata/glsa/glsa-201911-03.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201911-03"> + <title>Oniguruma: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Oniguruma, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">oniguruma</product> + <announced>2019-11-07</announced> + <revised count="1">2019-11-07</revised> + <bug>691832</bug> + <access>local, remote</access> + <affected> + <package name="dev-libs/oniguruma" auto="yes" arch="*"> + <unaffected range="ge">6.9.3</unaffected> + <vulnerable range="lt">6.9.3</vulnerable> + </package> + </affected> + <background> + <p>Oniguruma is a regular expression library.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Oniguruma. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>A remote attacker, by enticing a user to process a specially crafted + string using an application linked against Oniguruma, could possibly + execute arbitrary code with the privileges of the process or cause a + Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Oniguruma users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/oniguruma-6.9.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13224">CVE-2019-13224</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13225">CVE-2019-13225</uri> + </references> + <metadata tag="requester" timestamp="2019-09-12T21:09:00Z">whissi</metadata> + <metadata tag="submitter" timestamp="2019-11-07T19:07:37Z">whissi</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-201911-04.xml b/metadata/glsa/glsa-201911-04.xml new file mode 100644 index 000000000000..8793df1008cf --- /dev/null +++ b/metadata/glsa/glsa-201911-04.xml 
@@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201911-04"> + <title>OpenSSL: Multiple vulnerabilities</title> + <synopsis>Multiple information disclosure vulnerabilities in OpenSSL allow + attackers to obtain sensitive information. + </synopsis> + <product type="ebuild">openssl</product> + <announced>2019-11-07</announced> + <revised count="1">2019-11-07</revised> + <bug>694162</bug> + <access>local, remote</access> + <affected> + <package name="dev-libs/openssl" auto="yes" arch="*"> + <unaffected range="ge">1.0.2t</unaffected> + <vulnerable range="lt">1.0.2t</vulnerable> + </package> + </affected> + <background> + <p>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer + (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general + purpose cryptography library. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in OpenSSL. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All OpenSSL users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2t" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1547">CVE-2019-1547</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1563">CVE-2019-1563</uri> + </references> + <metadata tag="requester" timestamp="2019-09-12T14:09:32Z">whissi</metadata> + <metadata tag="submitter" timestamp="2019-11-07T19:09:02Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 0228db373743..e2f6f72bc9c5 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk 
@@ -1 +1 @@ -Sun, 03 Nov 2019 15:08:50 +0000 +Sun, 10 Nov 2019 12:38:48 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index c9b577a39721..a101667e6fc1 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -4c2e30a50e776e9ec1833c4419ce239e6d9cc178 1572001702 2019-10-25T11:08:22+00:00 +1b5ecb46a85c74babc035c5996537e2d1932cce0 1573153780 2019-11-07T19:09:40+00:00 |
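Review bot: In glsa-201911-01.xml, the atom in the resolution block, ">=net-misc/openssh/openssh-8.0_p1-r4", repeats the package name as an extra path component, so it is not a valid category/package-version atom and the upgrade command fails if copied as written. It should read ">=net-misc/openssh-8.0_p1-r4", matching the package name "net-misc/openssh" in the affected section and the atom form used in glsa-201911-03.xml and glsa-201911-04.xml. The command is also wrapped onto a second line without a continuation, unlike the other two advisories; put the atom on the same line as "emerge --ask --oneshot --verbose". Two smaller points: the vulnerable range "ge 8.0_p1-r2" has no upper bound and overlaps the unaffected range "ge 8.0_p1-r4", so the advisory depends on the unaffected entry to exclude fixed versions, which is worth confirming as intended; and "special crafted XMSS key" in the impact should be "specially crafted".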
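Review bot: In glsa-201911-02.xml, the description says only that "there was an arbitrary code execution vulnerability" while the synopsis names a buffer overflow, and the single reference is a Debian bug report, so the advisory body never states what the flaw is. Carry the bug class from the synopsis into the description so the two sections agree, and add a CVE reference alongside the Debian link if one has been assigned. The synopsis is also missing an article: "might allow remote attacker" should be "might allow a remote attacker".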
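Review bot: In glsa-201911-04.xml, the impact element carries type="low" but its text only says "Please review the referenced CVE identifiers for details", even though the synopsis already states the outcome is disclosure of sensitive information. Restate that in the impact paragraph so the severity rating is justified inside the advisory and a reader triaging from the GLSA alone does not have to follow the two NVD links to learn what an attacker gains. The access field lists "local, remote"; the impact text is the natural place to say which condition applies to which CVE.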