Diffstat (limited to 'metadata/glsa')
25 files changed, 1262 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 807eb9d9b2ba..bdb466ec6711 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest 
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 496888 BLAKE2B 9a8e48e705b83d0db366e4888a292cde78b191857d846a370c8c9908479c42c700f1d323d98e4aa4d9b6c2e0d3a80723d6cf76b125a273f90c8452ccb8f52fcf SHA512 d3e9efddd34ec46cab11f602c4a7b71480efc08ed49372d92ba27d45fdaf8129db8b52a169483e512d968a24c9a22f50140b178eb538444bb6200ee4eec5ef81 -TIMESTAMP 2021-01-22T20:08:39Z +MANIFEST Manifest.files.gz 500220 BLAKE2B aabc50258bfbbe2cb5f971f25f26b6c05a6f14b711c2f736db373e7c0f145f0cf5c547efb6e1ec1d43ad7c393a98fedc6e4f0b6a62a75dea9d2737f89715f3bb SHA512 66b9eade9f3337a820d760fef65a13534a76b1b7a62212ccfc6cd15a592b34f013e749b09caeb49eab79948c7489c23ae10c93f2b39bc07cd930f362aace586e +TIMESTAMP 2021-01-29T17:38:24Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmALMMdfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmAUSBBfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klC88Q//X2h0rP3NYa0rA8lySWj21hExpd6/llu7LS18xkxy3t7T9SG17c7CxY8z -TTWPoQm0Ck9li0rKVfo5/GJL5gtL4jqEKWBUcfGECIzymm7ouwxn9XF8HfziX5YB -TbuZYFjemEbmPBHclDtOxS10sxuN4GL9g/yef9kBwST1bGPZBfksNIBllaqz19VW -P5bdRYoglf2LoH9Hp7VbppJAmyJPCEbJfsN5xvL0giqlR5V44JjRnfsh0RE1ni5I -Om+WilXAuyDH55a3jTZzX2IrGic5q1N7JIrTI/3/wjf8GY/ecIgtJQMpijNrcHEb -sW4OsfnbgTICm5QBLjx8IR0cFE3DQ1PkcfEJyHuStoNq2q10dIpvRdIV2dv5JeJ6 -Jy85jnXeGfXkD6PG2VoHdgqGhYmtzUoCNmyRvtIKJFXUfUoZ1Qer8kogO5xctzo5 -ro6JOuM8/vUhyyOSs7Nn08uwZ7pLTifo5omDX/pVElTxT6NQ+51Rig9ty/OQrkdt -5n+gIRdj81ntikW4pGOPOjfqt95epN2znjxapGLiw+01wWvp4YBr3OLTDCoObTxT -l0heXWC3+RVZ6Cm1CCoDdEYopn5fAuVPWG7FZ48KdZ00n5zwnHNIBbvSYb8+ahp3 -9ZlXb0dbyw0uSEtPBb7CWgEKKnH33BMoleap1KUvQfeJPzp3lLA= -=2FTv +klCamA/+PkIaOt+yq+q+7+OFtHAAlHiYG+YXTxjt4S0/SL86nCk5a3cgidEelaiW +3YcydTbBCJj6DqPO50n0w9U/LnYp4rZUuZCGmopTbw6wePvJUg6jjr7wmMRzZr2T +hu/YRNE3+NcN1XPiHXXUfx5JcHFMV3uVe1sxjKC3NUWy6TPfPRPun3YqMzdVRsRr 
+/athvqya/wi0kbrmjZ8p3qAgbz7+jyuDmV5k/YfGjYnZSyY8W0d4LgRsHWqs36Lo +fvDzc9LVK1jgJMIxPOwpfrU1IvYoKN4E7oVZjby/jgjN4BFNtcxlKjoieEVbPXtC +Kp0pqT5wvzgjuX9L1gwtYExa93mT9G5skQDJTom0De1hSF+yV4/dGovUYYLQv2aF +h9MzCOGhP+MeW4+1R6Tmhoo9JeIJ9wdev/mLRnuF5oNt74OxtRwFfMdL6GEmAtsX +csR9kiTsGMlxtvwVqlCdJ2FKo3Vg7ztj2z644hCjzfM8hVCH5kewtF2cTj8ndQzX +hGd7+uX3ZR6pG58o8nZE/hrfueVU6yjcLjZ7+PppWGVyZqiGq3dLJmkJnp3I+CJy +oQyhvmEPIunsxAZ/MUctjydLVrGW5iynT6w8j28BGzqCufSG60XXrY9T2zRmOVEV +xE8aprokT9xx0mdBin2FMLspjProhrmYDfxvlBK3bL9o1riX4RE= +=JcYw -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex ab29e0fa0273..8e5c9db63e0a 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202101-18.xml b/metadata/glsa/glsa-202101-18.xml new file mode 100644 index 000000000000..03d6e27b19ce --- /dev/null +++ b/metadata/glsa/glsa-202101-18.xml 
@@ -0,0 +1,90 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-18"> + <title>Python: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Python, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">python</product> + <announced>2021-01-24</announced> + <revised count="1">2021-01-24</revised> + <bug>749339</bug> + <bug>759928</bug> + <bug>766189</bug> + <access>remote</access> + <affected> + <package name="dev-lang/python" auto="yes" arch="*"> + <unaffected range="ge" slot="2.7">2.7.18-r6</unaffected> + <unaffected range="ge" slot="3.6">3.6.12-r2</unaffected> + <unaffected range="ge" slot="3.7">3.7.9-r2</unaffected> + <unaffected range="ge" slot="3.8">3.8.7-r1</unaffected> + <unaffected range="ge" slot="3.9">3.9.1-r1</unaffected> + <vulnerable range="lt" slot="2.7">2.7.18-r6</vulnerable> + <vulnerable range="lt" slot="3.6">3.6.12-r2</vulnerable> + <vulnerable range="lt" slot="3.7">3.7.9-r2</vulnerable> + <vulnerable range="lt" slot="3.8">3.8.7-r1</vulnerable> + <vulnerable range="lt" slot="3.9">3.9.1-r1</vulnerable> + </package> + </affected> + <background> + <p>Python is an interpreted, interactive, object-oriented programming + language. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Python. Please review + the bugs referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. 
+ </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Python 2.7 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.18-r5" + </code> + + <p>All Python 3.6 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-3.6.12-r1" + </code> + + <p>All Python 3.7 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-3.7.9-r1" + </code> + + <p>All Python 3.8 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-3.8.6-r1" + </code> + + <p>All Python 3.9 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-3.9.0-r1" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26116">CVE-2020-26116</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3177">CVE-2021-3177</uri> + </references> + <metadata tag="requester" timestamp="2021-01-04T03:36:56Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-24T23:58:22Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-19.xml b/metadata/glsa/glsa-202101-19.xml new file mode 100644 index 000000000000..866c37dcdf8a --- /dev/null +++ b/metadata/glsa/glsa-202101-19.xml 
@@ -0,0 +1,86 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-19"> + <title>OpenJDK: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in OpenJDK, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">openjdk</product> + <announced>2021-01-25</announced> + <revised count="1">2021-01-25</revised> + <bug>705992</bug> + <bug>750833</bug> + <access>remote</access> + <affected> + <package name="dev-java/openjdk" auto="yes" arch="*"> + <unaffected range="ge">8.272_p10</unaffected> + <vulnerable range="lt">8.272_p10</vulnerable> + </package> + <package name="dev-java/openjdk-bin" auto="yes" arch="*"> + <unaffected range="ge">8.272_p10</unaffected> + <vulnerable range="lt">8.272_p10</vulnerable> + </package> + <package name="dev-java/openjdk-jre-bin" auto="yes" arch="*"> + <unaffected range="ge">8.272_p10</unaffected> + <vulnerable range="lt">8.272_p10</vulnerable> + </package> + </affected> + <background> + <p>OpenJDK is a free and open-source implementation of the Java Platform, + Standard Edition. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in OpenJDK. Please review + the CVE identifiers referenced below for details. 
+ </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All OpenJDK users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-8.272_p10" + </code> + + <p>All OpenJDK (binary) users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-8.272_p10" + </code> + + <p>All OpenJDK JRE (binary) users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=dev-java/openjdk-jre-bin-8.272_p10" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14779">CVE-2020-14779</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14781">CVE-2020-14781</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14782">CVE-2020-14782</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14792">CVE-2020-14792</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14796">CVE-2020-14796</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14797">CVE-2020-14797</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14798">CVE-2020-14798</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14803">CVE-2020-14803</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2583">CVE-2020-2583</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2590">CVE-2020-2590</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2593">CVE-2020-2593</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2601">CVE-2020-2601</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2604">CVE-2020-2604</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2654">CVE-2020-2654</uri> + <uri 
link="https://nvd.nist.gov/vuln/detail/CVE-2020-2659">CVE-2020-2659</uri> + </references> + <metadata tag="requester" timestamp="2020-11-01T10:46:07Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-25T00:02:23Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-20.xml b/metadata/glsa/glsa-202101-20.xml new file mode 100644 index 000000000000..c4fc0f6dd37c --- /dev/null +++ b/metadata/glsa/glsa-202101-20.xml 
@@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-20"> + <title>glibc: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in glibc, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">glibc</product> + <announced>2021-01-25</announced> + <revised count="1">2021-01-25</revised> + <bug>611344</bug> + <bug>717058</bug> + <bug>720730</bug> + <bug>758359</bug> + <access>local, remote</access> + <affected> + <package name="sys-libs/glibc" auto="yes" arch="*"> + <unaffected range="ge">2.32-r5</unaffected> + <vulnerable range="lt">2.32-r5</vulnerable> + </package> + </affected> + <background> + <p>glibc is a package that contains the GNU C library.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in glibc. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All glibc users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.32-r5" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-10228">CVE-2016-10228</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1752">CVE-2020-1752</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-29562">CVE-2020-29562</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-29573">CVE-2020-29573</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6096">CVE-2020-6096</uri> + </references> + <metadata tag="requester" timestamp="2020-12-27T17:59:30Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-25T00:05:08Z">b-man</metadata> 
+</glsa> diff --git a/metadata/glsa/glsa-202101-21.xml b/metadata/glsa/glsa-202101-21.xml new file mode 100644 index 000000000000..38c63fc9f4d1 --- /dev/null +++ b/metadata/glsa/glsa-202101-21.xml 
@@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-21"> + <title>Flatpak: Sandbox escape</title> + <synopsis>A vulnerability was discovered in Flatpak which could allow a + remote attacker to execute arbitrary code. + </synopsis> + <product type="ebuild">flatpak</product> + <announced>2021-01-25</announced> + <revised count="1">2021-01-25</revised> + <bug>765457</bug> + <access>remote</access> + <affected> + <package name="sys-apps/flatpak" auto="yes" arch="*"> + <unaffected range="ge">1.10.0</unaffected> + <vulnerable range="lt">1.10.0</vulnerable> + </package> + </affected> + <background> + <p>Flatpak is a Linux application sandboxing and distribution framework.</p> + </background> + <description> + <p>A bug was discovered in the flatpak-portal service that can allow + sandboxed applications to execute arbitrary code on the host system (a + sandbox escape). + </p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to open a specially crafted + Flatpak app possibly resulting in execution of arbitrary code with the + privileges of the process or a Denial of Service condition. + </p> + </impact> + <workaround> + <p>As a workaround, this vulnerability can be mitigated by preventing the + flatpak-portal service from starting, but that mitigation will prevent + many Flatpak apps from working correctly. It is highly recommended to + upgrade. + </p> + </workaround> + <resolution> + <p>All Flatpak users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.10.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21261">CVE-2021-21261</uri> + </references> + <metadata tag="requester" timestamp="2021-01-22T00:26:55Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-25T00:07:24Z">b-man</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-202101-22.xml b/metadata/glsa/glsa-202101-22.xml new file mode 100644 index 000000000000..36a94ff168ac --- /dev/null +++ b/metadata/glsa/glsa-202101-22.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-22"> + <title>libvirt: Unintended access to /dev/mapper/control</title> + <synopsis>A vulnerability in libvirt may allow root privilege escalation.</synopsis> + <product type="ebuild">libvirt</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>739948</bug> + <access>local</access> + <affected> + <package name="app-emulation/libvirt" auto="yes" arch="*"> + <unaffected range="ge">6.7.0</unaffected> + <vulnerable range="lt">6.7.0</vulnerable> + </package> + </affected> + <background> + <p>libvirt is a C toolkit for manipulating virtual machines.</p> + </background> + <description> + <p>A file descriptor for /dev/mapper/control was insufficiently protected.</p> + </description> + <impact type="high"> + <p>A local attacker may be able to escalate to root privileges.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libvirt users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/libvirt-6.7.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14339">CVE-2020-14339</uri> + </references> + <metadata tag="requester" timestamp="2020-10-05T23:25:12Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T00:10:19Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-23.xml b/metadata/glsa/glsa-202101-23.xml new file mode 100644 index 000000000000..d3ba7f305498 --- /dev/null +++ b/metadata/glsa/glsa-202101-23.xml 
@@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-23"> + <title>PEAR Archive_Tar: Directory traversal</title> + <synopsis>Multiple vulnerabilities have been found in PEAR Archive_Tar, the + worst of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">PEAR-Archive_Tar</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>755653</bug> + <bug>766036</bug> + <access>remote</access> + <affected> + <package name="dev-php/PEAR-Archive_Tar" auto="yes" arch="*"> + <unaffected range="ge">1.4.12</unaffected> + <vulnerable range="lt">1.4.12</vulnerable> + </package> + </affected> + <background> + <p>This class provides handling of tar files in PHP.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in PEAR Archive_Tar. + Please review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PEAR-Archive_Tar users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Archive_Tar-1.4.12" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28948">CVE-2020-28948</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28949">CVE-2020-28949</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36193">CVE-2020-36193</uri> + </references> + <metadata tag="requester" timestamp="2021-01-25T23:43:27Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T00:10:53Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-24.xml b/metadata/glsa/glsa-202101-24.xml new file mode 100644 index 000000000000..3e9fb3f77765 
--- /dev/null +++ b/metadata/glsa/glsa-202101-24.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-24"> + <title>cfitsio: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in cfitsio, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">cfitsio</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>673944</bug> + <access>remote</access> + <affected> + <package name="sci-libs/cfitsio" auto="yes" arch="*"> + <unaffected range="ge">3.490</unaffected> + <vulnerable range="lt">3.490</vulnerable> + </package> + </affected> + <background> + <p>A C and Fortran library for manipulating FITS files.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in cfitsio. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All cfitsio users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-libs/cfitsio-3.490" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3846">CVE-2018-3846</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3847">CVE-2018-3847</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3848">CVE-2018-3848</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3849">CVE-2018-3849</uri> + </references> + <metadata tag="requester" timestamp="2021-01-25T23:40:35Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T00:12:33Z">sam_c</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-202101-25.xml b/metadata/glsa/glsa-202101-25.xml new file mode 100644 index 000000000000..6914662437b5 --- /dev/null +++ b/metadata/glsa/glsa-202101-25.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-25"> + <title>Mutt: Denial of service</title> + <synopsis>A vulnerability in Mutt could lead to a Denial of Service + condition. + </synopsis> + <product type="ebuild">mutt</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>765790</bug> + <access>remote</access> + <affected> + <package name="mail-client/mutt" auto="yes" arch="*"> + <unaffected range="ge">2.0.4-r1</unaffected> + <vulnerable range="lt">2.0.4-r1</vulnerable> + </package> + </affected> + <background> + <p>Mutt is a small but very powerful text-based mail client.</p> + </background> + <description> + <p>A memory leak could occur when a crafted email message is received.</p> + </description> + <impact type="normal"> + <p>An attacker could cause a possible Denial of Service condition.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mutt users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mutt-2.0.4-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3181">CVE-2021-3181</uri> + </references> + <metadata tag="requester" timestamp="2021-01-25T23:33:22Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T00:13:00Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-26.xml b/metadata/glsa/glsa-202101-26.xml new file mode 100644 index 000000000000..64fbf2c1b631 --- /dev/null +++ b/metadata/glsa/glsa-202101-26.xml 
@@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-26"> + <title>f2fs-tools: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in f2fs-tools, the worst + of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">f2fs-tools</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>749318</bug> + <access>remote</access> + <affected> + <package name="sys-fs/f2fs-tools" auto="yes" arch="*"> + <unaffected range="ge">1.14.0</unaffected> + <vulnerable range="lt">1.14.0</vulnerable> + </package> + </affected> + <background> + <p>Tools for Flash-Friendly File System (F2FS).</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in f2fs-tools. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All f2fs-tools users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/f2fs-tools-1.14.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6104">CVE-2020-6104</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6105">CVE-2020-6105</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6106">CVE-2020-6106</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6107">CVE-2020-6107</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6108">CVE-2020-6108</uri> + </references> + <metadata tag="requester" timestamp="2020-11-01T10:45:37Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T00:13:26Z">sam_c</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-202101-27.xml b/metadata/glsa/glsa-202101-27.xml new file mode 100644 index 000000000000..776a91822460 --- /dev/null +++ b/metadata/glsa/glsa-202101-27.xml @@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-27"> + <title>FreeRADIUS: Root privilege escalation</title> + <synopsis>Multiple vulnerabilities were discovered in Gentoo's systemd unit + for FreeRADIUS which could lead to root privilege escalation. + </synopsis> + <product type="ebuild">freeradius</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>630910</bug> + <access>local</access> + <affected> + <package name="net-dialup/freeradius" auto="yes" arch="*"> + <unaffected range="ge">3.0.20-r1</unaffected> + <vulnerable range="lt">3.0.20-r1</vulnerable> + </package> + </affected> + <background> + <p>FreeRADIUS is a modular, high performance free RADIUS suite.</p> + </background> + <description> + <p>It was discovered that Gentoo’s FreeRADIUS systemd unit set + permissions on an unsafe directory on start. + </p> + </description> + <impact type="normal"> + <p>A local attacker could escalate privileges.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All FreeRADIUS users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dialup/freeradius-3.0.20-r1" + </code> + </resolution> + <references> + </references> + <metadata tag="requester" timestamp="2021-01-25T21:55:08Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T00:13:46Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-28.xml b/metadata/glsa/glsa-202101-28.xml new file mode 100644 index 000000000000..8ba014862bfd --- /dev/null +++ b/metadata/glsa/glsa-202101-28.xml 
@@ -0,0 +1,47 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-28"> + <title>ncurses: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in ncurses, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">ncurses</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>698210</bug> + <access>remote</access> + <affected> + <package name="sys-apps/ncurses" auto="yes" arch="*"> + <unaffected range="ge">6.2</unaffected> + <vulnerable range="lt">6.2</vulnerable> + </package> + </affected> + <background> + <p>A console display library.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in ncurses. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ncurses users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/ncurses-6.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17594">CVE-2019-17594</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17595">CVE-2019-17595</uri> + </references> + <metadata tag="requester" timestamp="2021-01-25T17:12:09Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T00:14:57Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-29.xml b/metadata/glsa/glsa-202101-29.xml new file mode 100644 index 000000000000..5f2c0b02b104 --- /dev/null +++ b/metadata/glsa/glsa-202101-29.xml 
@@ -0,0 +1,65 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-29"> + <title>OpenJPEG: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in OpenJPEG, the worst of + which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">openjpeg</product> + <announced>2021-01-26</announced> + <revised count="2">2021-01-26</revised> + <bug>711260</bug> + <bug>718918</bug> + <access>remote</access> + <affected> + <package name="media-libs/openjpeg" auto="yes" arch="*"> + <unaffected range="ge" slot="2">2.4.0</unaffected> + <vulnerable range="lt" slot="2">2.4.0</vulnerable> + <vulnerable range="lt" slot="1">1.5.2-r1</vulnerable> + </package> + </affected> + <background> + <p>OpenJPEG is an open-source JPEG 2000 library.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in OpenJPEG. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All OpenJPEG 2 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/openjpeg-2.4.0:2" + </code> + + <p>Gentoo has discontinued support OpenJPEG 1.x and any dependent packages + should now be using OpenJPEG 2 or have dropped support for the library. 
+ We recommend that users unmerge OpenJPEG 1.x: + </p> + + <code> + # emerge --unmerge "media-libs/openjpeg:1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-21010">CVE-2018-21010</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12973">CVE-2019-12973</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15389">CVE-2020-15389</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27814">CVE-2020-27814</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27841">CVE-2020-27841</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27842">CVE-2020-27842</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27843">CVE-2020-27843</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27844">CVE-2020-27844</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27845">CVE-2020-27845</uri> + </references> + <metadata tag="requester" timestamp="2021-01-25T20:17:39Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T02:54:20Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-30.xml b/metadata/glsa/glsa-202101-30.xml new file mode 100644 index 000000000000..0c4e07eeaaa7 --- /dev/null +++ b/metadata/glsa/glsa-202101-30.xml 
@@ -0,0 +1,151 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-30"> + <title>Qt WebEngine: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Qt WebEngine, the worst + of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">qtwebengine</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>734600</bug> + <bug>754852</bug> + <access>remote</access> + <affected> + <package name="dev-qt/qtwebengine" auto="yes" arch="*"> + <unaffected range="ge">5.15.2</unaffected> + <vulnerable range="lt">5.15.2</vulnerable> + </package> + </affected> + <background> + <p>Library for rendering dynamic web content in Qt5 C++ and QML + applications. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Qt WebEngine. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Qt WebEngine users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15959">CVE-2020-15959</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15959">CVE-2020-15959</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15960">CVE-2020-15960</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15960">CVE-2020-15960</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15961">CVE-2020-15961</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15961">CVE-2020-15961</uri> + <uri 
link="https://nvd.nist.gov/vuln/detail/CVE-2020-15962">CVE-2020-15962</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15962">CVE-2020-15962</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15963">CVE-2020-15963</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15963">CVE-2020-15963</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15964">CVE-2020-15964</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15964">CVE-2020-15964</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15965">CVE-2020-15965</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15965">CVE-2020-15965</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15966">CVE-2020-15966</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15966">CVE-2020-15966</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15968">CVE-2020-15968</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15968">CVE-2020-15968</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15969">CVE-2020-15969</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15969">CVE-2020-15969</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15972">CVE-2020-15972</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15972">CVE-2020-15972</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15974">CVE-2020-15974</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15974">CVE-2020-15974</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15976">CVE-2020-15976</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15976">CVE-2020-15976</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15977">CVE-2020-15977</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15977">CVE-2020-15977</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15978">CVE-2020-15978</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15978">CVE-2020-15978</uri> + <uri 
link="https://nvd.nist.gov/vuln/detail/CVE-2020-15979">CVE-2020-15979</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15979">CVE-2020-15979</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15985">CVE-2020-15985</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15985">CVE-2020-15985</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15987">CVE-2020-15987</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15987">CVE-2020-15987</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15989">CVE-2020-15989</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15989">CVE-2020-15989</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15992">CVE-2020-15992</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15992">CVE-2020-15992</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16001">CVE-2020-16001</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16001">CVE-2020-16001</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16002">CVE-2020-16002</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16002">CVE-2020-16002</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16003">CVE-2020-16003</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16003">CVE-2020-16003</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6467">CVE-2020-6467</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6467">CVE-2020-6467</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6470">CVE-2020-6470</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6470">CVE-2020-6470</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6471">CVE-2020-6471</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6471">CVE-2020-6471</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6472">CVE-2020-6472</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6473">CVE-2020-6473</uri> + <uri 
link="https://nvd.nist.gov/vuln/detail/CVE-2020-6474">CVE-2020-6474</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6475">CVE-2020-6475</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6476">CVE-2020-6476</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6480">CVE-2020-6480</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6481">CVE-2020-6481</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6482">CVE-2020-6482</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6483">CVE-2020-6483</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6486">CVE-2020-6486</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6487">CVE-2020-6487</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6489">CVE-2020-6489</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6490">CVE-2020-6490</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6506">CVE-2020-6506</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6510">CVE-2020-6510</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6511">CVE-2020-6511</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6512">CVE-2020-6512</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6513">CVE-2020-6513</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6514">CVE-2020-6514</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6518">CVE-2020-6518</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6523">CVE-2020-6523</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6524">CVE-2020-6524</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6526">CVE-2020-6526</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6529">CVE-2020-6529</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6530">CVE-2020-6530</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6531">CVE-2020-6531</uri> + <uri 
link="https://nvd.nist.gov/vuln/detail/CVE-2020-6532">CVE-2020-6532</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6533">CVE-2020-6533</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6534">CVE-2020-6534</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6535">CVE-2020-6535</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6540">CVE-2020-6540</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6541">CVE-2020-6541</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6542">CVE-2020-6542</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6543">CVE-2020-6543</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6544">CVE-2020-6544</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6545">CVE-2020-6545</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6548">CVE-2020-6548</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6549">CVE-2020-6549</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6550">CVE-2020-6550</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6551">CVE-2020-6551</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6555">CVE-2020-6555</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6557">CVE-2020-6557</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6559">CVE-2020-6559</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6561">CVE-2020-6561</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6562">CVE-2020-6562</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6569">CVE-2020-6569</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6570">CVE-2020-6570</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6571">CVE-2020-6571</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6573">CVE-2020-6573</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6575">CVE-2020-6575</uri> + <uri 
link="https://nvd.nist.gov/vuln/detail/CVE-2020-6576">CVE-2020-6576</uri> + </references> + <metadata tag="requester" timestamp="2021-01-25T23:03:36Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T00:15:52Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-31.xml b/metadata/glsa/glsa-202101-31.xml new file mode 100644 index 000000000000..3d7dcd82f908 --- /dev/null +++ b/metadata/glsa/glsa-202101-31.xml 
@@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-31"> + <title>Cacti: Remote code execution</title> + <synopsis>A vulnerability in Cacti could lead to remote code execution.</synopsis> + <product type="ebuild">cacti</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>765019</bug> + <access>remote</access> + <affected> + <package name="net-analyzer/cacti" auto="yes" arch="*"> + <unaffected range="ge">1.2.16-r1</unaffected> + <vulnerable range="lt">1.2.16-r1</vulnerable> + </package> + </affected> + <background> + <p>Cacti is a complete frontend to rrdtool.</p> + </background> + <description> + <p>The side_id parameter in data_debug.php does not properly verify input + allowing SQL injection. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Cacti users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-1.2.16-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35701">CVE-2020-35701</uri> + </references> + <metadata tag="requester" timestamp="2021-01-26T00:34:29Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T23:38:21Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-32.xml b/metadata/glsa/glsa-202101-32.xml new file mode 100644 index 000000000000..2c1a6dd3ef52 --- /dev/null +++ b/metadata/glsa/glsa-202101-32.xml 
@@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-32"> + <title>Mutt, NeoMutt: Information disclosure</title> + <synopsis>A weakness was discovered in Mutt and NeoMutt's TLS handshake + handling + </synopsis> + <product type="ebuild">NeoMutt</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>755833</bug> + <bug>755866</bug> + <access>remote</access> + <affected> + <package name="mail-client/mutt" auto="yes" arch="*"> + <unaffected range="ge">2.0.2</unaffected> + <vulnerable range="lt">2.0.2</vulnerable> + </package> + <package name="mail-client/neomutt" auto="yes" arch="*"> + <unaffected range="ge">20201120</unaffected> + <vulnerable range="lt">20201120</vulnerable> + </package> + </affected> + <background> + <p>Mutt is a small but very powerful text-based mail client.</p> + + <p>NeoMutt is a command line mail reader (or MUA). It’s a fork of Mutt + with added features. + </p> + </background> + <description> + <p>A weakness in TLS handshake handling was found which may allow + information disclosure. 
+ </p> + </description> + <impact type="normal"> + <p>A remote attacker may be able to cause information disclosure.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mutt users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mutt-2.0.2" + </code> + + <p>All NeoMutt users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/neomutt-20201120" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28896">CVE-2020-28896</uri> + </references> + <metadata tag="requester" timestamp="2021-01-26T00:28:06Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T23:39:28Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-33.xml b/metadata/glsa/glsa-202101-33.xml new file mode 100644 index 000000000000..a53bfabd5cd9 --- /dev/null +++ b/metadata/glsa/glsa-202101-33.xml 
@@ -0,0 +1,61 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-33"> + <title>sudo: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in sudo, the worst of + which could result in privilege escalation. + </synopsis> + <product type="ebuild">sudo</product> + <announced>2021-01-26</announced> + <revised count="1">2021-01-26</revised> + <bug>764986</bug> + <bug>767364</bug> + <access>local</access> + <affected> + <package name="app-admin/sudo" auto="yes" arch="*"> + <unaffected range="ge">1.9.5_p2</unaffected> + <vulnerable range="lt">1.9.5_p2</vulnerable> + </package> + </affected> + <background> + <p>sudo (su “do”) allows a system administrator to delegate authority + to give certain users (or groups of users) the ability to run some (or + all) commands as root or another user while providing an audit trail of + the commands and their arguments. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in sudo. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>Local users are able to gain unauthorized privileges on the system or + determine the existence of files. 
+ </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All sudo users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.5_p2" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23239">CVE-2021-23239</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23240">CVE-2021-23240</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3156">CVE-2021-3156</uri> + <uri link="https://www.sudo.ws/alerts/sudoedit_selinux.html">Upstream + advisory (CVE-2020-23240) + </uri> + <uri link="https://www.sudo.ws/alerts/unescape_overflow.html">Upstream + advisory (CVE-2021-3156) + </uri> + </references> + <metadata tag="requester" timestamp="2021-01-26T22:52:21Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-26T23:40:46Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-34.xml b/metadata/glsa/glsa-202101-34.xml new file mode 100644 index 000000000000..bedeea759a1d --- /dev/null +++ b/metadata/glsa/glsa-202101-34.xml 
@@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-34"> + <title>Telegram Desktop: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Telegram, the worst of + which could result in information disclosure. + </synopsis> + <product type="ebuild">telegram</product> + <announced>2021-01-27</announced> + <revised count="1">2021-01-27</revised> + <bug>736774</bug> + <bug>749288</bug> + <access>remote</access> + <affected> + <package name="net-im/telegram-desktop" auto="yes" arch="*"> + <unaffected range="ge">2.4.4</unaffected> + <vulnerable range="lt">2.4.4</vulnerable> + </package> + </affected> + <background> + <p>Telegram is a messaging app with a focus on speed and security.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Telegram Desktop. + Please review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Telegram Desktop users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/telegram-desktop-2.4.4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-17448">CVE-2020-17448</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25824">CVE-2020-25824</uri> + </references> + <metadata tag="requester" timestamp="2021-01-27T04:40:13Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-27T16:13:13Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-35.xml b/metadata/glsa/glsa-202101-35.xml new file mode 100644 index 000000000000..974a6a240ef5 --- /dev/null +++ b/metadata/glsa/glsa-202101-35.xml 
@@ -0,0 +1,47 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-35"> + <title>phpMyAdmin: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in phpMyAdmin, allowing + remote attackers to conduct XSS. + </synopsis> + <product type="ebuild">phpmyadmin</product> + <announced>2021-01-27</announced> + <revised count="1">2021-01-27</revised> + <bug>747805</bug> + <access>remote</access> + <affected> + <package name="dev-db/phpmyadmin" auto="yes" arch="*"> + <unaffected range="ge" slot="4.9.6">4.9.6</unaffected> + <vulnerable range="lt" slot="4.9.6">4.9.6</vulnerable> + </package> + </affected> + <background> + <p>phpMyAdmin is a web-based management tool for MySQL databases.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in phpMyAdmin. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All phpMyAdmin users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-4.9.6" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26934">CVE-2020-26934</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26935">CVE-2020-26935</uri> + </references> + <metadata tag="requester" timestamp="2020-11-19T19:31:06Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-01-27T16:14:41Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-36.xml b/metadata/glsa/glsa-202101-36.xml new file mode 100644 index 000000000000..7b5b52d6a17b --- /dev/null +++ b/metadata/glsa/glsa-202101-36.xml 
@@ -0,0 +1,60 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-36"> + <title>ImageMagick: Command injection</title> + <synopsis>A vulnerability in ImageMagick's handling of PDF was discovered + possibly allowing code execution. + </synopsis> + <product type="ebuild">imagemagick</product> + <announced>2021-01-29</announced> + <revised count="1">2021-01-29</revised> + <bug>756829</bug> + <access>remote</access> + <affected> + <package name="media-gfx/imagemagick" auto="yes" arch="*"> + <unaffected range="ge">7.0.10.41-r1</unaffected> + <unaffected range="ge">6.9.11.41-r1</unaffected> + <vulnerable range="lt">7.0.10.41-r1</vulnerable> + <vulnerable range="lt">6.9.11.41-r1</vulnerable> + </package> + </affected> + <background> + <p>A collection of tools and libraries for many image formats.</p> + </background> + <description> + <p>A flaw in ImageMagick’s handling of password protected PDFs was + discovered. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to open a specially crafted PDF + using ImageMagick possibly resulting in execution of arbitrary code with + the privileges of the process or a Denial of Service condition. 
+ </p> + </impact> + <workaround> + <p>Do not open untrusted PDFs.</p> + </workaround> + <resolution> + <p>All ImageMagick 7 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=media-gfx/imagemagick-7.0.10.41-r1" + </code> + + <p>All ImageMagick 6 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=media-gfx/imagemagick-6.9.11.41-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-29599">CVE-2020-29599</uri> + </references> + <metadata tag="requester" timestamp="2021-01-28T02:24:26Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-29T00:02:42Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-37.xml b/metadata/glsa/glsa-202101-37.xml new file mode 100644 index 000000000000..52b09f41e0a2 --- /dev/null +++ b/metadata/glsa/glsa-202101-37.xml 
@@ -0,0 +1,47 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-37"> + <title>VLC: Buffer overflow</title> + <synopsis>A buffer overflow in VLC might allow remote attacker(s) to execute + arbitrary code. + </synopsis> + <product type="ebuild">vlc</product> + <announced>2021-01-29</announced> + <revised count="1">2021-01-29</revised> + <bug>765040</bug> + <access>remote</access> + <affected> + <package name="media-video/vlc" auto="yes" arch="*"> + <unaffected range="ge">3.0.12.1</unaffected> + <vulnerable range="lt">3.0.12.1</vulnerable> + </package> + </affected> + <background> + <p>VLC is a cross-platform media player and streaming server.</p> + </background> + <description> + <p>VLC was found to have a buffer overflow when handling crafted MKV files.</p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to open a specially crafted MKV + file using VLC possibly resulting in execution of arbitrary code with the + privileges of the process or a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All VLC users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/vlc-3.0.12.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26664">CVE-2020-26664</uri> + </references> + <metadata tag="requester" timestamp="2021-01-28T02:32:59Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2021-01-29T00:04:09Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202101-38.xml b/metadata/glsa/glsa-202101-38.xml new file mode 100644 index 000000000000..11ca507fa1e1 --- /dev/null +++ b/metadata/glsa/glsa-202101-38.xml 
@@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202101-38"> + <title>NSD: Symbolic link traversal</title> + <synopsis>A vulnerability was discovered in NSD which could allow a local + attacker to cause a Denial of Service condition. + </synopsis> + <product type="ebuild">nsd</product> + <announced>2021-01-29</announced> + <revised count="1">2021-01-29</revised> + <bug>758977</bug> + <access>local</access> + <affected> + <package name="net-dns/nsd" auto="yes" arch="*"> + <unaffected range="ge">4.3.4</unaffected> + <vulnerable range="lt">4.3.4</vulnerable> + </package> + </affected> + <background> + <p>An authoritative only, high performance, open source name server</p> + </background> + <description> + <p>A local vulnerability was discovered that would allow for a local + symlink attack due to how NSD handles PID files. + </p> + </description> + <impact type="normal"> + <p>A local attacker could cause a Denial of Service condition.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All NSD users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-dns/nsd-4.3.4" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28935">CVE-2020-28935</uri> + <uri link="https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"> + Upstream advisory + </uri> + </references> + <metadata tag="requester" timestamp="2020-04-22T15:47:22Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-01-29T00:05:16Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index a5dbbef5e51f..5a5c0130df7c 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Fri, 22 Jan 2021 20:08:35 +0000 +Fri, 29 Jan 2021 17:38:21 +0000 
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 55000c1dfc6e..67da988a6843 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -fc457c57148901f04674f1d427ad8bb280eb3c72 1611338159 2021-01-22T17:55:59+00:00 +efd0aa32fd2ca278747b075a2c8f414bb8aadead 1611878727 2021-01-29T00:05:27+00:00 |
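Review bot: in glsa-202101-30.xml the `<references>` block lists almost every CVE twice (CVE-2020-15959 through CVE-2020-6471 each appear as two identical `<uri>` entries); deduplicate so each identifier appears once, e.g. keep a single `<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15959">CVE-2020-15959</uri>`. The duplicates double the length of the rendered advisory without adding information and suggest the list was generated twice from the two bugs.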
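Review bot: in glsa-202101-31.xml the title and synopsis claim remote code execution and the impact text says "execute arbitrary code with the privileges of the process", but the description only states a SQL injection through a parameter of data_debug.php; either explain how the injection escalates to code execution or align the title, synopsis and impact with what is actually described. Also verify the parameter name before publishing: the description says `side_id`, which reads like a typo, so check it against the CVE-2020-35701 text.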
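Review bot: in glsa-202101-32.xml `<product type="ebuild">NeoMutt</product>` uses a display name rather than an ebuild name, unlike the other advisories in this commit (`qtwebengine`, `cacti`, `sudo`), and the advisory covers both mail-client/mutt and mail-client/neomutt; use the lowercase package name and make the product value reflect both packages (or at least the primary one, `mutt`). The synopsis is also missing its final period after "TLS handshake handling".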
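Review bot: in glsa-202101-33.xml the link text for the sudoedit_selinux.html reference reads "Upstream advisory (CVE-2020-23240)" while the `<uri>` entries above list CVE-2021-23240; the year in the link text is wrong and should read CVE-2021-23240 so the reference matches the identifier the advisory covers.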
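Review bot: in glsa-202101-34.xml `<product type="ebuild">telegram</product>` does not match the affected package `net-im/telegram-desktop`; since `product` is typed as an ebuild name it should be `telegram-desktop`. The synopsis also calls the product "Telegram" while the title, description and resolution say "Telegram Desktop"; use one name throughout.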
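Review bot: in glsa-202101-35.xml both range elements carry `slot="4.9.6"`, so `<vulnerable range="lt" slot="4.9.6">4.9.6</vulnerable>` only matches versions below 4.9.6 that are installed in slot 4.9.6; if older phpMyAdmin versions live in their own per-version slots (which a slot value equal to the version suggests), no installed vulnerable version will ever match and glsa-check will report nothing. Either drop the slot attributes or describe the vulnerable range without tying it to the fixed version's slot.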
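Review bot: in glsa-202101-36.xml the four range elements overlap because none of them is restricted to a version branch: `<unaffected range="ge">6.9.11.41-r1</unaffected>` is satisfied by every 7.x version, including the vulnerable 7.0.10.x releases below 7.0.10.41-r1, and `<vulnerable range="lt">7.0.10.41-r1</vulnerable>` matches the fixed 6.9.11.41-r1. Express the 6.9 branch with the revisional range types the GLSA DTD provides (`rge`/`rlt`) so each line applies only within its own version series, or add slot attributes if the two branches are slotted. The two resolution `<code>` blocks also put the atom on its own line after `--verbose`, so copying them as written runs emerge without an atom; join the line or end it with a backslash.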
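Review bot: in glsa-202101-38.xml the description "A local vulnerability was discovered that would allow for a local symlink attack due to how NSD handles PID files" repeats "local" and says little beyond the title; state what NSD does with the PID file that makes a symbolic link dangerous, so a reader knows the trigger without opening the upstream advisory. The background sentence also lacks a final period.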