diff options
Diffstat (limited to 'metadata/glsa')
28 files changed, 1208 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 9f442a91dc46..913f0f13cba9 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 530688 BLAKE2B 1384754019a41108cd5a577394c6aafe7ddaa1600e86ddd30f667b8ffcd2a271d1d63c110dd32bcc5d2cdf57213dc2ed2ad65288c00d7dd764fc88a2a5ad121f SHA512 08bf73bc99a66d9fbe7dcf764826772bf00488ab216fa1e39298dffc1fef683f7a82d65031193ede26cf629f7bb21ac7a709099a37a9c6772e7b4eacbf503986 -TIMESTAMP 2022-10-30T20:09:37Z +MANIFEST Manifest.files.gz 534504 BLAKE2B eed9bb7a29c892a3259ca2d48b64837705fe26fbd6577bad1d3cace4232a5888ce8266ed96a03aca90d23a4478a9d0f75d6461dc800cc7f82db148acbd695a6b SHA512 b0d2b680e5aca400045ea32f4ddd621ed5cc3f567357e871ab24f936146e91eb30e012ec665ed48cd6e462046ffd067c2342356ac5be65f78cc6607739b27bb0 +TIMESTAMP 2022-10-31T02:11:13Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmNe2gFfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmNfLsFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klBbeg/+IwLooLuuxC/AoIOJ3zc522ii9u6STzmfyO5epTYSDMslfIDBNGbyPpwb -qc/xwjo6NSGYY+vfTyte4yNsLjFChtISk5BsDZKVhacLC0pIlWa9sGBXdgZalTRF -fKo9VtWUr3ROzPbA7ul+a+BxhZXh9oKmcg6FrXhBuDCuUkTO8amLNIuFfbrf8Nli -v6qIa4ngz1eXqxjfrFtzw6EJQur5L1yFGLLiF1hHMmO6qnp2Vvqi+O8gP4yYs3hF -oipuvus/k/ifMkHZQj2i4B/xuZt1vCh0arPgZbn1Ka4UrfdXEFxWs/sJ1wSTLuZZ -EEKzn/cA6x21zLle/EpFQ1LLOU/QW9+RRGij/XVH5pDoM9x37YC3fxYLds3pTSse -K81ZDDkZ8cS6U1s5JN5Gu/JkDhILGShOC8NqLwt8y40P337TKhOYuc3qZu1JPqhm -XswVfXfIzsFddeU1ErYwYVOVotGCwSh4nMsK2l2/We2IvqkCByg9bGAUh6NBBdhG -SIgqkDaeORy2/8XdrjQtm09zc65+Q4M2MUgUjbkRFknIDr8p9Jz8w9ARIoVOxCxp -/wxy6C0vKKn/bwyShauiLCqQIYaeTEldVyIiycqVRLjF57A7EMXwtsoMKMDoZh3U -65X7da5n32UiwId/lLgn6YdY2hR8T9BDHr/K5xeWgT6YagoncMQ= -=lLhp +klDkBQ/+JVOlRrXIsaDRIskH9bpxIzMFtHoCA//2wAqH7wJl0f1mBpf6KZOim6by +kx/YYV1jRGog6182I3HwjAOX//7FRuOvIbt1ikySVKI9T2g1IPbj92uwljHBF47l +OSJDTmFZ4CH8R9riWHXVHfjEFTDpbodWcs5UDo6PzGwTI/HTk+MyXkfO3qYlmKvi +tzrxuej/04i+qaaQRxT6sAtdB6JOsrv9wCBxGmkPRR4oy9uTT+EVCOnlemoOYj9p +ZFV2TaNX0EInMQyoF6sgxmTajIIUwcJ/nxxJzvNL1LOjaG8jI6YfeDyIGy+6KSGC +xLh3PmoPQiUEGZSwQiUWjDPhxnO9RoXPAZGaDHz13pWE3DQXPOHAtiCaHBckz79Q +U/W/vcC+FBeahktux5PkByDy9zyTLEao+sZR0rONNFqj6c6fSQ3lo5ZZmzG9kY0E +ONJJq1XC8ywqNLv0EPO2kAPx1Y7vHrjfAW7eP92oBkDlC9K8/+FJYJ6Lv2QIDWRO +62sggbcBkeIZjdEEEaBHjhO5gdEwfJgomu+U2VodMcr5eBKPwczyI0tc0EbKhkWW +OuuTP/zQVSJ7GZ0Lm8f1eZ5WwcX9L5cHX8LdB6VTduTM3f4pgfH9rY9dde+o+Hyr +c5hlMoPA/DDIlFQ5TZoY3i5XWxtLSI666wQcayaBYaoqAv1dQ6g= +=ZTkM -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 6b89b5ea51db..393a04f741eb 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202210-10.xml b/metadata/glsa/glsa-202210-10.xml new file mode 100644 index 000000000000..a4dcc0e92cd4 --- /dev/null +++ b/metadata/glsa/glsa-202210-10.xml @@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-10"> + <title>LibTIFF: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in LibTIFF, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">tiff</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>830981</bug> + <bug>837560</bug> + <access>remote</access> + <affected> + <package name="media-libs/tiff" auto="yes" arch="*"> + <unaffected range="ge">4.4.0</unaffected> + <vulnerable range="lt">4.4.0</vulnerable> + </package> + </affected> + <background> + <p>LibTIFF provides support for reading and manipulating TIFF (Tagged Image File Format) images.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in LibTIFF. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All LibTIFF users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/tiff-4.4.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0561">CVE-2022-0561</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0562">CVE-2022-0562</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0865">CVE-2022-0865</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0891">CVE-2022-0891</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0907">CVE-2022-0907</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0908">CVE-2022-0908</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0909">CVE-2022-0909</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0924">CVE-2022-0924</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1056">CVE-2022-1056</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1210">CVE-2022-1210</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1354">CVE-2022-1354</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1355">CVE-2022-1355</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1622">CVE-2022-1622</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1623">CVE-2022-1623</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22844">CVE-2022-22844</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:08:31.094552Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:08:31.101464Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-11.xml b/metadata/glsa/glsa-202210-11.xml new file mode 100644 index 000000000000..7db2fb28e485 --- /dev/null +++ b/metadata/glsa/glsa-202210-11.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-11"> + <title>schroot: Denial of Service</title> + <synopsis>A vulnerability has been discovered in schroot which could result in denial of service of the schroot service.</synopsis> + <product type="ebuild">schroot</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>867016</bug> + <access>remote</access> + <affected> + <package name="dev-util/schroot" auto="yes" arch="*"> + <unaffected range="ge">1.6.13_p2</unaffected> + <vulnerable range="lt">1.6.13_p2</vulnerable> + </package> + </affected> + <background> + <p>schroot is a utility to execute commands in a chroot environment.</p> + </background> + <description> + <p>schroot is unecessarily permissive in rules regarding chroot and session names.</p> + </description> + <impact type="low"> + <p>A crafted chroot or session name can break the internal state of the schroot service, leading to denial of service.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All schroot users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/schroot-1.6.13" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2787">CVE-2022-2787</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:08:56.631015Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:08:56.636355Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-12.xml b/metadata/glsa/glsa-202210-12.xml new file mode 100644 index 000000000000..fe42a616900a --- /dev/null +++ b/metadata/glsa/glsa-202210-12.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-12"> + <title>Lighttpd: Denial of Service</title> + <synopsis>A vulnerability has been discovered in lighttpd which could result in denial of service.</synopsis> + <product type="ebuild">lighttpd</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>869890</bug> + <access>remote</access> + <affected> + <package name="www-servers/lighttpd" auto="yes" arch="*"> + <unaffected range="ge">1.4.67</unaffected> + <vulnerable range="lt">1.4.67</vulnerable> + </package> + </affected> + <background> + <p>Lighttpd is a lightweight high-performance web server.</p> + </background> + <description> + <p>Lighttpd's mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received.</p> + </description> + <impact type="low"> + <p>An attacker can trigger a denial of service via making Lighttpd try to call an uninitialized function pointer.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All lighttpd users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.67" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-37797">CVE-2022-37797</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41556">CVE-2022-41556</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:09:14.713606Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:09:14.718507Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-13.xml b/metadata/glsa/glsa-202210-13.xml new file mode 100644 index 000000000000..2a9427d61de4 --- /dev/null +++ b/metadata/glsa/glsa-202210-13.xml @@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-13"> + <title>libgcrypt: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in libgcrypt, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">libgcrypt</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>766213</bug> + <bug>795480</bug> + <bug>811900</bug> + <access>remote</access> + <affected> + <package name="dev-libs/libgcrypt" auto="yes" arch="*"> + <unaffected range="ge">1.9.4</unaffected> + <vulnerable range="lt">1.9.4</vulnerable> + </package> + </affected> + <background> + <p>libgcrypt is a general purpose cryptographic library derived out of GnuPG.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in libgcrypt. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libgcrypt users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.9.4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33560">CVE-2021-33560</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-40528">CVE-2021-40528</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:09:53.561970Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:09:53.566557Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-14.xml b/metadata/glsa/glsa-202210-14.xml new file mode 100644 index 000000000000..e6f40a33256b --- /dev/null +++ b/metadata/glsa/glsa-202210-14.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-14"> + <title>Gitea: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Gitea, the worst of which could lead to denial of service</synopsis> + <product type="ebuild">gitea</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>848465</bug> + <bug>857819</bug> + <bug>868996</bug> + <bug>877355</bug> + <access>remote</access> + <affected> + <package name="www-apps/gitea" auto="yes" arch="*"> + <unaffected range="ge">1.17.3</unaffected> + <vulnerable range="lt">1.17.3</vulnerable> + </package> + </affected> + <background> + <p>Gitea is a painless self-hosted Git service.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Gitea. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Gitea users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/gitea-1.17.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1928">CVE-2022-1928</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32149">CVE-2022-32149</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38183">CVE-2022-38183</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42968">CVE-2022-42968</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:10:13.201097Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:10:13.205677Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-15.xml b/metadata/glsa/glsa-202210-15.xml new file mode 100644 index 000000000000..6f78f4a8451e --- /dev/null +++ b/metadata/glsa/glsa-202210-15.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-15"> + <title>GDAL: Heap Buffer Overflow</title> + <synopsis>A heap buffer overflow vulnerability has been found in GDAL which could result in denial of service.</synopsis> + <product type="ebuild">gdal</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>830370</bug> + <access>remote</access> + <affected> + <package name="sci-libs/gdal" auto="yes" arch="*"> + <unaffected range="ge">3.4.1</unaffected> + <vulnerable range="lt">3.4.1</vulnerable> + </package> + </affected> + <background> + <p>GDAL is a geospatial data abstraction library.</p> + </background> + <description> + <p>GDAL does not sufficiently sanitize input when loading PCIDSK binary segments.</p> + </description> + <impact type="low"> + <p>Loading crafted PCIDSK data via GDAL could result in denial of service.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GDAL users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-libs/gdal-3.4.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45943">CVE-2021-45943</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:10:36.240702Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:10:36.246058Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-16.xml b/metadata/glsa/glsa-202210-16.xml new file mode 100644 index 000000000000..90204a61eef5 --- /dev/null +++ b/metadata/glsa/glsa-202210-16.xml @@ -0,0 +1,106 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-16"> + <title>Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution.</synopsis> + <product type="ebuild">chromium,chromium-bin,google-chrome,microsoft-edge</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>873817</bug> + <bug>874855</bug> + <bug>876855</bug> + <bug>873217</bug> + <access>remote</access> + <affected> + <package name="www-client/chromium" auto="yes" arch="*"> + <unaffected range="ge">106.0.5249.119</unaffected> + <vulnerable range="lt">106.0.5249.119</vulnerable> + </package> + <package name="www-client/chromium-bin" auto="yes" arch="*"> + <unaffected range="ge">106.0.5249.119</unaffected> + <vulnerable range="lt">106.0.5249.119</vulnerable> + </package> + <package name="www-client/google-chrome" auto="yes" arch="*"> + <unaffected range="ge">106.0.5249.119</unaffected> + <vulnerable range="lt">106.0.5249.119</vulnerable> + </package> + <package name="www-client/microsoft-edge" auto="yes" arch="*"> + <unaffected range="ge">106.0.1370.37</unaffected> + <vulnerable range="lt">106.0.1370.37</vulnerable> + </package> + </affected> + <background> + <p>Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
+
+Google Chrome is one fast, simple, and secure browser for all your devices.
+
+Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Chromium, Google Chrome, and Microsoft Edge. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Chromium users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/chromium-106.0.5249.119" + </code> + + <p>All Chromium binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/chromium-bin-106.0.5249.119" + </code> + + <p>All Google Chrome users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/google-chrome-106.0.5249.119" + </code> + + <p>All Microsoft Edge users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-106.0.1370.37" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3201">CVE-2022-3201</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3304">CVE-2022-3304</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3305">CVE-2022-3305</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3306">CVE-2022-3306</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3307">CVE-2022-3307</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3308">CVE-2022-3308</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3309">CVE-2022-3309</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3310">CVE-2022-3310</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3311">CVE-2022-3311</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3312">CVE-2022-3312</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3313">CVE-2022-3313</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3314">CVE-2022-3314</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3315">CVE-2022-3315</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3316">CVE-2022-3316</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3317">CVE-2022-3317</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3318">CVE-2022-3318</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3370">CVE-2022-3370</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3373">CVE-2022-3373</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3445">CVE-2022-3445</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3446">CVE-2022-3446</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3447">CVE-2022-3447</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3448">CVE-2022-3448</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3449">CVE-2022-3449</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3450">CVE-2022-3450</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41035">CVE-2022-41035</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:11:15.409827Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:11:15.412125Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-17.xml b/metadata/glsa/glsa-202210-17.xml new file mode 100644 index 000000000000..244b3eb9ce18 --- /dev/null +++ b/metadata/glsa/glsa-202210-17.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-17"> + <title>JHead: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in JHead, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">jhead</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>730746</bug> + <access>remote</access> + <affected> + <package name="media-gfx/jhead" auto="yes" arch="*"> + <unaffected range="ge">3.06.0.1</unaffected> + <vulnerable range="lt">3.06.0.1</vulnerable> + </package> + </affected> + <background> + <p>JHead is an EXIF JPEG header manipulation tool.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in JHead. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All JHead users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/jhead-3.06.0.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3496">CVE-2021-3496</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28275">CVE-2021-28275</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28276">CVE-2021-28276</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28277">CVE-2021-28277</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28278">CVE-2021-28278</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:12:23.524182Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:12:23.530335Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-18.xml b/metadata/glsa/glsa-202210-18.xml new file mode 100644 index 000000000000..02b970e9b346 --- /dev/null +++ b/metadata/glsa/glsa-202210-18.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-18"> + <title>Sofia-SIP: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Sofia-SIP, the worst of which could result in remote code execution.</synopsis> + <product type="ebuild">sofia-sip</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>848870</bug> + <access>remote</access> + <affected> + <package name="net-libs/sofia-sip" auto="yes" arch="*"> + <unaffected range="ge">1.13.8</unaffected> + <vulnerable range="lt">1.13.8</vulnerable> + </package> + </affected> + <background> + <p>Sofia-SIP is an RFC3261 compliant SIP User-Agent library.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Sofia-SIP. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Sofia-SIP users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/sofia-sip-1.13.8" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31001">CVE-2022-31001</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31002">CVE-2022-31002</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31003">CVE-2022-31003</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:12:52.132249Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:12:52.137910Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-19.xml b/metadata/glsa/glsa-202210-19.xml new file mode 100644 index 000000000000..c76898e3fe23 --- /dev/null +++ b/metadata/glsa/glsa-202210-19.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-19"> + <title>Apptainer: Lack of Digital Signature Hash Verification</title> + <synopsis>A vulnerability has been found in Apptainer which could result in the usage of an unexpected of a container.</synopsis> + <product type="ebuild">apptainer</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>875869</bug> + <access>remote</access> + <affected> + <package name="app-containers/apptainer" auto="yes" arch="*"> + <unaffected range="ge">1.1.2</unaffected> + <vulnerable range="lt">1.1.2</vulnerable> + </package> + </affected> + <background> + <p>Apptainer is the container system for secure high-performance computing.</p> + </background> + <description> + <p>The Go module "sif" version 2.8.0 and older, which is a statically linked dependency of Apptainer, does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.</p> + </description> + <impact type="low"> + <p>An image whose verification relies on a cryptographically insecure hash algorithm could be replaced, resulting in users using an image other than the one that was expected.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Apptainer users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-containers/apptainer-1.1.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39237">CVE-2022-39237</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:13:42.466161Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:13:42.470930Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-20.xml b/metadata/glsa/glsa-202210-20.xml new file mode 100644 index 000000000000..0efb8be7c4f2 --- /dev/null +++ b/metadata/glsa/glsa-202210-20.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-20"> + <title>Nicotine+: Denial of Service</title> + <synopsis>A vulnerability has been found in Nicotine+ which could result in denial of service.</synopsis> + <product type="ebuild">nicotine+</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>835374</bug> + <access>remote</access> + <affected> + <package name="net-p2p/nicotine+" auto="yes" arch="*"> + <unaffected range="ge">3.2.1</unaffected> + <vulnerable range="lt">3.2.1</vulnerable> + </package> + </affected> + <background> + <p>Nicotine+ is a fork of nicotine, a Soulseek client in Python.</p> + </background> + <description> + <p>Nicotine+ does not sufficiently validate file path in download requests.</p> + </description> + <impact type="low"> + <p>A file path in a download request which contains a null character will cause a crash of Nicotine+.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Nicotine+ users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/nicotine+-3.2.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45848">CVE-2021-45848</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:14:04.156383Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:14:04.161504Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-21.xml b/metadata/glsa/glsa-202210-21.xml new file mode 100644 index 000000000000..048f9d1f3816 --- /dev/null +++ b/metadata/glsa/glsa-202210-21.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-21"> + <title>FasterXML jackson-databind: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in FasterXML jackson-databind, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">jackson-databind</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>874033</bug> + <access>remote</access> + <affected> + <package name="dev-java/jackson-databind" auto="yes" arch="*"> + <unaffected range="ge">2.13.4.1</unaffected> + <vulnerable range="lt">2.13.4.1</vulnerable> + </package> + </affected> + <background> + <p>FasterXML jackson-databind is a general data-binding package for Jackson (2.x) which works on streaming API (core) implementation(s).</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in FasterXML jackson-databind. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All FasterXML jackson-databind users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/jackson-databind-2.13.4.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42003">CVE-2022-42003</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42004">CVE-2022-42004</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:15:38.213258Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:15:38.220174Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-22.xml b/metadata/glsa/glsa-202210-22.xml new file mode 100644 index 000000000000..871a489db2cb --- /dev/null +++ b/metadata/glsa/glsa-202210-22.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-22"> + <title>RPM: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in RPM, the worst of which could lead to root privilege escalation.</synopsis> + <product type="ebuild">rpm</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>830380</bug> + <bug>866716</bug> + <access>remote</access> + <affected> + <package name="app-arch/rpm" auto="yes" arch="*"> + <unaffected range="ge">4.18.0</unaffected> + <vulnerable range="lt">4.18.0</vulnerable> + </package> + </affected> + <background> + <p>The Red Hat Package Manager (RPM) is a command line driven package management system capable of installing, uninstalling, verifying, querying, and updating computer software packages.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in RPM. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All RPM users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/rpm-4.18.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3521">CVE-2021-3521</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35937">CVE-2021-35937</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35938">CVE-2021-35938</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35939">CVE-2021-35939</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:15:56.870970Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:15:56.876124Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-23.xml b/metadata/glsa/glsa-202210-23.xml new file mode 100644 index 000000000000..8d0b1439c5e8 --- /dev/null +++ b/metadata/glsa/glsa-202210-23.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-23"> + <title>libksba: Remote Code Execution</title> + <synopsis>An integer overflow vulnerability has been found in libksba which could result in remote code execution.</synopsis> + <product type="ebuild">libksba</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>877453</bug> + <access>remote</access> + <affected> + <package name="dev-libs/libksba" auto="yes" arch="*"> + <unaffected range="ge">1.6.2</unaffected> + <vulnerable range="lt">1.6.2</vulnerable> + </package> + </affected> + <background> + <p>Libksba is a X.509 and CMS (PKCS#7) library.</p> + </background> + <description> + <p>An integer overflow in parsing ASN.1 objects could lead to a buffer overflow.</p> + </description> + <impact type="high"> + <p>Crafted ASN.1 objects could trigger an integer overflow and buffer overflow to result in remote code execution.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libksba users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libksba-1.6.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3515">CVE-2022-3515</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:16:48.468327Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:16:48.474794Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-24.xml b/metadata/glsa/glsa-202210-24.xml new file mode 100644 index 000000000000..50c5aee207ed --- /dev/null +++ b/metadata/glsa/glsa-202210-24.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-24"> + <title>FreeRDP: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in FreeRDP, the worst of which could result in remote code execution.</synopsis> + <product type="ebuild">freerdp</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>876905</bug> + <bug>842231</bug> + <bug>819534</bug> + <access>remote</access> + <affected> + <package name="net-misc/freerdp" auto="yes" arch="*"> + <unaffected range="ge">2.8.1</unaffected> + <vulnerable range="lt">2.8.1</vulnerable> + </package> + </affected> + <background> + <p>FreeRDP is a free implementation of the remote desktop protocol.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in FreeRDP. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All FreeRDP users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/freerdp-2.8.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41159">CVE-2021-41159</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41160">CVE-2021-41160</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24882">CVE-2022-24882</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24883">CVE-2022-24883</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39282">CVE-2022-39282</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39283">CVE-2022-39283</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:17:11.581235Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:17:11.586318Z">ajak</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202210-25.xml b/metadata/glsa/glsa-202210-25.xml new file mode 100644 index 000000000000..e424e32709d9 --- /dev/null +++ b/metadata/glsa/glsa-202210-25.xml @@ -0,0 +1,63 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-25"> + <title>ISC BIND: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in ISC BIND, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">bind,bind-tools</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>820563</bug> + <bug>835439</bug> + <bug>872206</bug> + <access>remote</access> + <affected> + <package name="net-dns/bind" auto="yes" arch="*"> + <unaffected range="ge">9.16.33</unaffected> + <vulnerable range="lt">9.16.33</vulnerable> + </package> + <package name="net-dns/bind-tools" auto="yes" arch="*"> + <unaffected range="ge">9.16.33</unaffected> + <vulnerable range="lt">9.16.33</vulnerable> + </package> + </affected> + <background> + <p>ISC BIND is the Internet Systems Consortium implementation of the Domain Name System (DNS) protocol.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in ISC BIND. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ISC BIND users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/bind-9.16.33" + </code> + + <p>All ISC BIND-tools users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/bind-tools-9.16.33" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25219">CVE-2021-25219</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25220">CVE-2021-25220</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0396">CVE-2022-0396</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2795">CVE-2022-2795</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2881">CVE-2022-2881</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2906">CVE-2022-2906</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3080">CVE-2022-3080</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38177">CVE-2022-38177</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38178">CVE-2022-38178</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:18:02.086645Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:18:02.092498Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-26.xml b/metadata/glsa/glsa-202210-26.xml new file mode 100644 index 000000000000..af8eba5fe76e --- /dev/null +++ b/metadata/glsa/glsa-202210-26.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-26"> + <title>Shadow: TOCTOU Race</title> + <synopsis>A TOCTOU race has been discovered in Shadow, which could result in the unauthorized modification of files.</synopsis> + <product type="ebuild">shadow</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>830486</bug> + <access>remote</access> + <affected> + <package name="sys-apps/shadow" auto="yes" arch="*"> + <unaffected range="ge">4.12.2</unaffected> + <vulnerable range="lt">4.12.2</vulnerable> + </package> + </affected> + <background> + <p>Shadow contains utilities to deal with user accounts</p> + </background> + <description> + <p>A TOCTOU race condition was discovered in shadow. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw when the administrator invokes usermod/userdel.</p> + </description> + <impact type="normal"> + <p>An unauthorized user could potentially modify files which they do not have write permissions for.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Shadow users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.12.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2013-4235">CVE-2013-4235</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:22:12.661215Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:22:12.666288Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-27.xml b/metadata/glsa/glsa-202210-27.xml new file mode 100644 index 000000000000..d8bb0cfcd2cc --- /dev/null +++ b/metadata/glsa/glsa-202210-27.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-27"> + <title>open-vm-tools: Local Privilege Escalation</title> + <synopsis>A vulnerability has been discovered in open-vm-tools which could allow for local privilege escalation.</synopsis> + <product type="ebuild">open-vm-tools</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>866227</bug> + <access>remote</access> + <affected> + <package name="app-emulation/open-vm-tools" auto="yes" arch="*"> + <unaffected range="ge">12.1.0</unaffected> + <vulnerable range="lt">12.1.0</vulnerable> + </package> + </affected> + <background> + <p>open-vm-tools contains tools for VMware guests.</p> + </background> + <description> + <p>A pipe accessible to unprivileged users in the VMWare guest does not sufficiently sanitize input.</p> + </description> + <impact type="high"> + <p>An unprivileged guest user could achieve root privileges within the guest.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All open-vm-tools users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/open-vm-tools-12.1.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31676">CVE-2022-31676</uri> + <uri>VMSA-2022-0024.1</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:23:04.771992Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:23:04.777600Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-28.xml b/metadata/glsa/glsa-202210-28.xml new file mode 100644 index 000000000000..c8bdc202aab3 --- /dev/null +++ b/metadata/glsa/glsa-202210-28.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-28"> + <title>exif: Denial of Service</title> + <synopsis>A vulnerability has been discovered in exif which could result in denial of service.</synopsis> + <product type="ebuild">exif</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>783522</bug> + <access>remote</access> + <affected> + <package name="media-gfx/exif" auto="yes" arch="*"> + <unaffected range="ge">0.6.22</unaffected> + <vulnerable range="lt">0.6.22</vulnerable> + </package> + </affected> + <background> + <p>libexif is a library for parsing, editing and saving Exif metadata from images. exif is a small command line interface for libexif.</p> + </background> + <description> + <p>There is a bug in exif's XML output format which can result in a null pointer dereference when outputting crafted JPEG EXIF data.</p> + </description> + <impact type="low"> + <p>A crafted JPEG image can trigger a denial of service in the form of a null pointer dereference.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All exif users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/exif-0.6.22" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-27815">CVE-2021-27815</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:23:34.557009Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:23:34.562073Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-29.xml b/metadata/glsa/glsa-202210-29.xml new file mode 100644 index 000000000000..4f9e39cbb961 --- /dev/null +++ b/metadata/glsa/glsa-202210-29.xml @@ -0,0 +1,47 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-29"> + <title>Net-SNMP: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in Net-SNMP, the worst of which could result in denial of service.</synopsis> + <product type="ebuild">net-snmp</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>855500</bug> + <access>remote</access> + <affected> + <package name="net-analyzer/net-snmp" auto="yes" arch="*"> + <unaffected range="ge">5.9.2</unaffected> + <vulnerable range="lt">5.9.2</vulnerable> + </package> + </affected> + <background> + <p>Net-SNMP is a suite of applications used to implement the Simple Network Management Protocol.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Net-SNMP. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Net-SNMP users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.9.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24805">CVE-2022-24805</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24806">CVE-2022-24806</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24807">CVE-2022-24807</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24808">CVE-2022-24808</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24809">CVE-2022-24809</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24810">CVE-2022-24810</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:24:42.408832Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:24:42.415311Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-30.xml b/metadata/glsa/glsa-202210-30.xml new file mode 100644 index 000000000000..faf6cd204e83 --- /dev/null +++ b/metadata/glsa/glsa-202210-30.xml @@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-30"> + <title>X.Org X server, XWayland: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in the Xorg Server and XWayland, the worst of which can result in remote code execution.</synopsis> + <product type="ebuild">xorg-server,xwayland</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>857780</bug> + <access>remote</access> + <affected> + <package name="x11-base/xorg-server" auto="yes" arch="*"> + <unaffected range="ge">21.1.4</unaffected> + <vulnerable range="lt">21.1.4</vulnerable> + </package> + <package name="x11-base/xwayland" auto="yes" arch="*"> + <unaffected range="ge">22.1.3</unaffected> + <vulnerable range="lt">22.1.3</vulnerable> + </package> + </affected> + <background> + <p>The X Window System is a graphical windowing system based on a client/server model.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in X.Org X server and XWayland. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All X.Org X server users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-21.1.4" + </code> + + <p>All XWayland users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xwayland-22.1.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2319">CVE-2022-2319</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2320">CVE-2022-2320</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:25:37.769589Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:25:37.775833Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-31.xml b/metadata/glsa/glsa-202210-31.xml new file mode 100644 index 000000000000..2c913f0d4bc7 --- /dev/null +++ b/metadata/glsa/glsa-202210-31.xml @@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-31"> + <title>OpenEXR: Multiple Vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been discovered in OpenEXR, the worst of which could result in arbitrary code execution.</synopsis> + <product type="ebuild">openexr</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>838079</bug> + <bug>830384</bug> + <bug>817431</bug> + <bug>810541</bug> + <bug>801373</bug> + <bug>787452</bug> + <access>remote</access> + <affected> + <package name="media-libs/openexr" auto="yes" arch="*"> + <unaffected range="ge">3.1.5</unaffected> + <vulnerable range="lt">3.1.5</vulnerable> + </package> + </affected> + <background> + <p>OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in OpenEXR. Please review the CVE identifiers referenced below for details.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All OpenEXR users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/openexr-3.1.5" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3598">CVE-2021-3598</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3605">CVE-2021-3605</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3933">CVE-2021-3933</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3941">CVE-2021-3941</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20304">CVE-2021-20304</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23169">CVE-2021-23169</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45942">CVE-2021-45942</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:28:08.616594Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:28:08.622668Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-32.xml b/metadata/glsa/glsa-202210-32.xml new file mode 100644 index 000000000000..172d59385569 --- /dev/null +++ b/metadata/glsa/glsa-202210-32.xml @@ -0,0 +1,56 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-32"> + <title>hiredis, hiredis-py: Multiple Vulnerabilities</title> + <synopsis>An integer overflow has been found in hiredis which could result in arbitrary code execution.</synopsis> + <product type="ebuild">hiredis,hiredis</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>873079</bug> + <bug>816318</bug> + <access>remote</access> + <affected> + <package name="dev-libs/hiredis" auto="yes" arch="*"> + <unaffected range="ge">1.0.1</unaffected> + <vulnerable range="lt">1.0.1</vulnerable> + </package> + <package name="dev-python/hiredis" auto="yes" arch="*"> + <unaffected range="ge">2.0.0</unaffected> + <vulnerable range="lt">2.0.0</vulnerable> + </package> + </affected> + <background> + <p>hiredis is a minimalistic C client library for the Redis database.
+
+hiredis-py is a Python extension that wraps hiredis.</p> + </background> + <description> + <p>Hiredis is vulnerable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow.</p> + </description> + <impact type="normal"> + <p>Malicious Redis commands could result in remote code execution.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All hiredis users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/hiredis-1.0.1" + </code> + + <p>All hiredis-py users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/hiredis-2.0.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32765">CVE-2021-32765</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:29:20.506011Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:29:20.514033Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/glsa-202210-33.xml b/metadata/glsa/glsa-202210-33.xml new file mode 100644 index 000000000000..a59781932aa2 --- /dev/null +++ b/metadata/glsa/glsa-202210-33.xml @@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202210-33"> + <title>Libtirpc: Denial of Service</title> + <synopsis>A vulnerability has been discovered in Libtirpc which could result in denial of service.</synopsis> + <product type="ebuild">libtirpc</product> + <announced>2022-10-31</announced> + <revised count="1">2022-10-31</revised> + <bug>859634</bug> + <access>remote</access> + <affected> + <package name="net-libs/libtirpc" auto="yes" arch="*"> + <unaffected range="ge">1.3.2</unaffected> + <vulnerable range="lt">1.3.2</vulnerable> + </package> + </affected> + <background> + <p>Libtirpc is a port of Sun's Transport-Independent RPC library to Linux.</p> + </background> + <description> + <p>Currently svc_run does not handle poll timeout and rendezvous_request
+does not handle EMFILE error returned from accept(2 as it used to.
+These two missing functionality were removed by commit b2c9430f46c4.
+
+The effect of not handling poll timeout allows idle TCP conections
+to remain ESTABLISHED indefinitely. When the number of connections
+reaches the limit of the open file descriptors (ulimit -n) then
+accept(2) fails with EMFILE. Since there is no handling of EMFILE
+error this causes svc_run() to get in a tight loop calling accept(2).
+This resulting in the RPC service of svc_run is being down, it's
+no longer able to service any requests.
+
+Due to a lack of handling of certain error cases, connections to Libtirpc could remain ESTABLISHED indefinitely.</p> + </description> + <impact type="normal"> + <p>Denial of service can be achieved via establishing enough connections to Libtirpc to reach the limit of open file descriptors for the process.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Libtirpc users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/libtirpc-1.3.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46828">CVE-2021-46828</uri> + </references> + <metadata tag="requester" timestamp="2022-10-31T01:30:06.446859Z">ajak</metadata> + <metadata tag="submitter" timestamp="2022-10-31T01:30:06.456481Z">ajak</metadata> +</glsa>
\ No newline at end of file diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 511f981807cd..24a29d6ad208 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Sun, 30 Oct 2022 20:09:34 +0000 +Mon, 31 Oct 2022 02:11:10 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index c32526fd918c..990214d62d77 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -cda5f646cd9bc370223b79be59deee389a0caeef 1665931525 2022-10-16T14:45:25+00:00 +5144637cf49194493c452aae3f7a7b07bf677d9b 1667180477 2022-10-31T01:41:17+00:00 |