Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 595396 -> 596663 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202501-04.xml | 43 | ||||
-rw-r--r-- | metadata/glsa/glsa-202501-05.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202501-06.xml | 47 | ||||
-rw-r--r-- | metadata/glsa/glsa-202501-07.xml | 45 | ||||
-rw-r--r-- | metadata/glsa/glsa-202501-08.xml | 48 | ||||
-rw-r--r-- | metadata/glsa/glsa-202501-09.xml | 134 | ||||
-rw-r--r-- | metadata/glsa/glsa-202501-10.xml | 104 | ||||
-rw-r--r-- | metadata/glsa/glsa-202501-11.xml | 54 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
12 files changed, 534 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index fd1894029d3b..ccd44348bc4b 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 595396 BLAKE2B e2cec258096db925ff61bbfdac7d3cb0322ba1319c2e49e6e58e6f1f10c19961630a48c1479974e25023ec8bf89a507461227e2e371f2e46deb1e43272dc1663 SHA512 6e466f529ca1a138d0c2857a7b3a8f2b51c56ee38d3a15ac4efac9819992162e5eccb7719f161b8426eb186371adaf3b0dbeaf0b9fda3195abb5622f027146cc -TIMESTAMP 2025-01-23T06:11:03Z +MANIFEST Manifest.files.gz 596663 BLAKE2B d03f77688298f7e2b1c117787c6f899250317779b0320cb4d08119535bbb454be5ff75faf4d4f6b88394f22fc5ce722770f4e51f537acca0853947165902a3ab SHA512 ca731da057a6d173058e289dcfa3c1e06f0e35cc32aa1f85102f6637f27eb4a9f2444a9eb532f9df30535ce50e36fc4a7976c85eb02dcc7f7b80b4a213ec6d2d +TIMESTAMP 2025-01-24T06:10:43Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmeR3XdfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmeTLuNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klCaUg/+NbrUGS1HAj7v/iBQiFQAzfTtNMxGlcVuTwgiWjcqIqOy22K2BvMpotbU -h+hIq4PMMVIvFbvZA1NRUk+kvjZ1LOx8zN4uyjKdO1fsWhGdJ0u5OlpGKpRS7KFX -4WknSFVisNWcZ+zY8y/xyk7jmSfXYQRfWLf0Pf/9UpFdDdQIaAuyJcj4pLoFMabo -lNJ3MG4LkcKRlyOC5T0FOYM5ojlNT/2gY9jGgpMQVgHkaL5xx+fEc3Hs/QACOlwC -UimX1oZjpLaWQTmxlsfSdk1ZIbK5w8X6/M/UTnCPkDz77+OmXzFFI2ZHpVTzN7T9 -oL/fptBJzBZK7sxUQk0D4pLVYjmktzz6jbN9W4vFcBd505+LfO2O7H9eWIn6f4IL -MANMtRStAsLNx/81t9Vt70L2RDoJHcAxH3fWSrUCJlO3Viqdiv1Zjahr1Ok3NaDe -7rt70NBYBDv1k2pa8plCzV+dIhFZMXOuxmvuWIFTQtRjKUTG6N38EnBtd/GhJTMe -zCtJLJbylHRE2s90p2dpuINnyMtZfZ+QlscNb96pgGO3kXgZpK7P4NX62umsqlDZ -SClJuG99YF5Vex2n09XFEcoeD0j0wT77zIPWJQrTIrc+HqjX8u2nt/qXow1DmJxD -2tG5aNARktmxjGLCzmg+OjWQl6/r36xbKj3nzL5dkVHdGmScRSQ= -=Fn+a +klCbaQ//WdD6P9lkuHW8mPARlrMTb6X0Bse4gulidyQE0ANaFnDyowRRIsIdj/oB +cZIzad4H/o7xJ9UqAanG7iV7lGnWmMGz0eJFLO6b4T9HYq/edXH9wEuiD7Q+DRT2 +EsZqBKtYMtzD70nQPw1kHoyk4/vnBUfM4CwOzl4o6SPrBEvK/B9g791ZE3Qno8OQ 
+v07X/5H6+YhukbT26YjiaGWrLdBJStWOKcVtulEMSzZIs3NBf6QKn5TZpRDnD/iu +5T2bhEhDxc8N4ZXKM1zTW5TJN0hTrqrAEHvf8boRqGLe7bNd2AxRvdtU9wt7m8W4 +Ab8bVl4dHslDbPDPOa57s4TTJljDqvsJVSbKWQ4ZWZlpXGDDzSR5HmWME67vjYLk +y2h4h2d3r1ZpfwNjx6VLl9qoAlBNBIejXdvt+Ag0SpdK8ZJVer00cLYNRrS1Ap2P +e+eFgJ/hZMVwpNY2vnuw0UP9x52wuNJa3nob/q/auQ1yWnu2zTbAV1ugWto12nvU +Kk4haNHclyfx3JAJSC2UsCs9thz23C4gQHmp31oCQNotzXqxrwfZtfllzeX0gASY +PazHSGqGG7q/gxPj5gdAqsJb8nj6kLopMSSoDX3aPYcV/rJRmsGMe4JcxvX54R3T +tJhNU9hpU4kEhwoVjQTBIf/V+qQhcLq+zonujiHk4payR7NxreA= +=Wy7p -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 2f0787081225..94b3bc076ff3 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202501-04.xml b/metadata/glsa/glsa-202501-04.xml new file mode 100644 index 000000000000..c4de71508269 --- /dev/null +++ b/metadata/glsa/glsa-202501-04.xml 
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-04">
+ <title>Yubico pam-u2f: Partial Authentication Bypass</title>
+ <synopsis>A vulnerability has been discovered in Yubico pam-u2f, which can lead to a partial authentication bypass.</synopsis>
+ <product type="ebuild">pam_u2f</product>
+ <announced>2025-01-23</announced>
+ <revised count="1">2025-01-23</revised>
+ <bug>948201</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-auth/pam_u2f" auto="yes" arch="*">
+ <unaffected range="ge">1.3.2</unaffected>
+ <vulnerable range="lt">1.3.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Yubico pam-u2f is a PAM module for FIDO2 and U2F keys.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Yubico pam-u2f. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Depending on specific settings and usage scenarios the result of the pam-u2f module may be altered or ignored.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Yubico pam-u2f users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-auth/pam_u2f-1.3.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-23013">CVE-2025-23013</uri>
+ <uri link="https://www.yubico.com/support/security-advisories/YSA-2025-01">YSA-2025-01</uri>
+ </references>
+ <metadata tag="requester" timestamp="2025-01-23T06:15:02.537459Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2025-01-23T06:15:02.541001Z">graaff</metadata>
+</glsa>
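Review bot: The `<description>` in glsa-202501-04.xml says "Multiple vulnerabilities have been discovered", while the title and synopsis describe one partial authentication bypass and `<references>` lists a single CVE (CVE-2025-23013) plus the vendor advisory. Readers triaging from the description will look for further issues that the advisory does not actually cover; I would write `<p>A vulnerability has been discovered in Yubico pam-u2f. Please review the CVE identifier referenced below for details.</p>`. glsa-202501-05.xml carries the same sentence for its single CVE.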
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202501-05.xml b/metadata/glsa/glsa-202501-05.xml
new file mode 100644
index 000000000000..db168d63dfdd
--- /dev/null
+++ b/metadata/glsa/glsa-202501-05.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-05">
+ <title>libuv: Hostname Truncation</title>
+ <synopsis>A vulnerability has been discovered in libuv, where hostname truncation can lead to attacker-controlled lookups.</synopsis>
+ <product type="ebuild">libuv</product>
+ <announced>2025-01-23</announced>
+ <revised count="1">2025-01-23</revised>
+ <bug>924127</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/libuv" auto="yes" arch="*">
+ <unaffected range="ge">1.48.0</unaffected>
+ <vulnerable range="lt">1.48.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libuv is a multi-platform support library with a focus on asynchronous I/O.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libuv. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses like 0x00007f000001, which are considered valid by getaddrinfo and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libuv users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.48.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24806">CVE-2024-24806</uri>
+ </references>
+ <metadata tag="requester" timestamp="2025-01-23T06:16:58.811764Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2025-01-23T06:16:58.815474Z">graaff</metadata>
+</glsa>
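Review bot: In glsa-202501-05.xml the `<impact>` paragraph carries the technical mechanism (uv_getaddrinfo truncating the hostname before it calls getaddrinfo) while `<description>` holds only generic text, so the two sections are effectively swapped. I would move the mechanism sentences into `<description>` and keep `<impact>` to the consequence already stated at its end, e.g. `<p>An attacker could craft hostnames that resolve to unintended IP addresses, bypassing address checks made by the application.</p>`. That keeps the impact field usable for triage without restating how the bug works.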
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202501-06.xml b/metadata/glsa/glsa-202501-06.xml
new file mode 100644
index 000000000000..eb611460ca45
--- /dev/null
+++ b/metadata/glsa/glsa-202501-06.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-06">
+ <title>GPL Ghostscript: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in GPL Ghostscript, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">ghostscript-gpl</product>
+ <announced>2025-01-23</announced>
+ <revised count="1">2025-01-23</revised>
+ <bug>942639</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-text/ghostscript-gpl" auto="yes" arch="*">
+ <unaffected range="ge">10.04.0</unaffected>
+ <vulnerable range="lt">10.04.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GPL Ghostscript users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-10.04.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46951">CVE-2024-46951</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46952">CVE-2024-46952</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46953">CVE-2024-46953</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46954">CVE-2024-46954</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46955">CVE-2024-46955</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46956">CVE-2024-46956</uri>
+ </references>
+ <metadata tag="requester" timestamp="2025-01-23T06:18:34.082233Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2025-01-23T06:18:34.085244Z">graaff</metadata>
+</glsa>
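Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line in glsa-202501-06.xml, and in the other seven advisories added by this commit, names an external DTD over cleartext HTTP. A consumer that parses these files with DTD loading enabled would fetch that DTD over an unauthenticated channel, so anything reading them should run with external DTD and entity resolution disabled and validate against a local copy instead. If the tooling does not match on the exact system identifier, `<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa.dtd">` would be the safer form; I cannot see from this diff whether it does.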
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202501-07.xml b/metadata/glsa/glsa-202501-07.xml
new file mode 100644
index 000000000000..5181122006d6
--- /dev/null
+++ b/metadata/glsa/glsa-202501-07.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-07">
+ <title>libgsf: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in libgsf, the worst of which can lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">libgsf</product>
+ <announced>2025-01-23</announced>
+ <revised count="1">2025-01-23</revised>
+ <bug>940777</bug>
+ <access>remote</access>
+ <affected>
+ <package name="gnome-extra/libgsf" auto="yes" arch="*">
+ <unaffected range="ge">1.14.53</unaffected>
+ <vulnerable range="lt">1.14.53</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The GNOME Structured File Library is an I/O library that can read and write common file types and handle structured formats that provide file-system-in-a-file semantics.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libgsf. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libgsf users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=gnome-extra/libgsf-1.14.53"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-36474">CVE-2024-36474</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-42415">CVE-2024-42415</uri>
+ <uri>TALOS-2024-2068</uri>
+ <uri>TALOS-2024-2069</uri>
+ </references>
+ <metadata tag="requester" timestamp="2025-01-23T06:25:02.419159Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2025-01-23T06:25:02.421783Z">graaff</metadata>
+</glsa>
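Review bot: The two TALOS entries in `<references>` of glsa-202501-07.xml are bare `<uri>TALOS-2024-2068</uri>` elements with no `link` attribute, unlike the CVE entries next to them, so they give a reader or tool nothing to follow. I would add the advisory URL to each, e.g. `<uri link="TALOS_ADVISORY_URL">TALOS-2024-2068</uri>` (placeholder; the URL is not on this page). The thirteen MFSA entries in glsa-202501-10.xml have the same gap.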
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202501-08.xml b/metadata/glsa/glsa-202501-08.xml
new file mode 100644
index 000000000000..153f3a3771a1
--- /dev/null
+++ b/metadata/glsa/glsa-202501-08.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-08">
+ <title>Qt: Buffer Overflow</title>
+ <synopsis>A vulnerability has been discovered in Qt, where a buffer overflow can lead to denial of service.</synopsis>
+ <product type="ebuild">qtbase,qtcore</product>
+ <announced>2025-01-23</announced>
+ <revised count="1">2025-01-23</revised>
+ <bug>911790</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-qt/qtbase" auto="yes" arch="*">
+ <unaffected range="ge">6.5.2</unaffected>
+ <vulnerable range="lt">6.5.2</vulnerable>
+ </package>
+ <package name="dev-qt/qtcore" auto="yes" arch="*">
+ <unaffected range="ge">5.15.10-r1</unaffected>
+ <vulnerable range="lt">5.15.10-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Qt is a cross-platform application development framework.</p>
+ </background>
+ <description>
+ <p>When given specifically crafted data then QXmlStreamReader can end up causing a buffer overflow and subsequently a crash or freeze or get out of memory on recursive entity expansion, with DTD tokens in XML body.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Qt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtcore-5.15.10-r1"
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtbase-6.5.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37369">CVE-2023-37369</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38197">CVE-2023-38197</uri>
+ </references>
+ <metadata tag="requester" timestamp="2025-01-23T07:21:01.913237Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2025-01-23T07:21:01.915567Z">graaff</metadata>
+</glsa>
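Review bot: The `<description>` in glsa-202501-08.xml is one run-on sentence that mixes a buffer overflow with memory exhaustion on recursive entity expansion, while the title and synopsis mention a single buffer overflow and `<references>` lists two CVEs. Splitting it would make clear that two conditions are covered, for example `<p>When given specially crafted data, QXmlStreamReader can overflow a buffer and subsequently crash or freeze. Recursive entity expansion, with DTD tokens in the XML body, can also exhaust memory.</p>`, assuming that reading of the original sentence is the intended one. The title would then be better as "Multiple Vulnerabilities", matching the other advisories here that reference more than one CVE.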
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202501-09.xml b/metadata/glsa/glsa-202501-09.xml
new file mode 100644
index 000000000000..99697342490b
--- /dev/null
+++ b/metadata/glsa/glsa-202501-09.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-09">
+ <title>QtWebEngine: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">qtwebengine</product>
+ <announced>2025-01-23</announced>
+ <revised count="1">2025-01-23</revised>
+ <bug>944807</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-qt/qtwebengine" auto="yes" arch="*">
+ <unaffected range="ge">5.15.16_p20241115</unaffected>
+ <vulnerable range="lt">5.15.16_p20241115</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>QtWebEngine is a library for rendering dynamic web content in Qt5 and Qt6 C++ and QML applications.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in QtWebEngine. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All QtWebEngine users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.16_p20241115"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4058">CVE-2024-4058</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4059">CVE-2024-4059</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4060">CVE-2024-4060</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4558">CVE-2024-4558</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4559">CVE-2024-4559</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4761">CVE-2024-4761</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5157">CVE-2024-5157</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5158">CVE-2024-5158</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5159">CVE-2024-5159</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5160">CVE-2024-5160</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5830">CVE-2024-5830</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5831">CVE-2024-5831</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5832">CVE-2024-5832</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5833">CVE-2024-5833</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5834">CVE-2024-5834</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5835">CVE-2024-5835</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5836">CVE-2024-5836</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5837">CVE-2024-5837</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5838">CVE-2024-5838</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5839">CVE-2024-5839</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5840">CVE-2024-5840</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5841">CVE-2024-5841</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5842">CVE-2024-5842</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5843">CVE-2024-5843</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5844">CVE-2024-5844</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5845">CVE-2024-5845</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5846">CVE-2024-5846</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5847">CVE-2024-5847</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6290">CVE-2024-6290</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6291">CVE-2024-6291</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6292">CVE-2024-6292</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6293">CVE-2024-6293</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6988">CVE-2024-6988</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6989">CVE-2024-6989</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6991">CVE-2024-6991</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6994">CVE-2024-6994</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6995">CVE-2024-6995</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6996">CVE-2024-6996</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6997">CVE-2024-6997</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6998">CVE-2024-6998</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6999">CVE-2024-6999</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7000">CVE-2024-7000</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7001">CVE-2024-7001</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7003">CVE-2024-7003</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7004">CVE-2024-7004</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7005">CVE-2024-7005</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7532">CVE-2024-7532</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7533">CVE-2024-7533</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7534">CVE-2024-7534</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7535">CVE-2024-7535</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7536">CVE-2024-7536</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7550">CVE-2024-7550</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7964">CVE-2024-7964</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7965">CVE-2024-7965</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7966">CVE-2024-7966</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7967">CVE-2024-7967</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7968">CVE-2024-7968</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7969">CVE-2024-7969</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7971">CVE-2024-7971</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7972">CVE-2024-7972</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7973">CVE-2024-7973</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7974">CVE-2024-7974</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7975">CVE-2024-7975</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7976">CVE-2024-7976</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7977">CVE-2024-7977</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7978">CVE-2024-7978</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7979">CVE-2024-7979</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7980">CVE-2024-7980</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7981">CVE-2024-7981</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8033">CVE-2024-8033</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8034">CVE-2024-8034</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8035">CVE-2024-8035</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8193">CVE-2024-8193</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8194">CVE-2024-8194</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8198">CVE-2024-8198</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8636">CVE-2024-8636</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8637">CVE-2024-8637</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8638">CVE-2024-8638</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8639">CVE-2024-8639</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9120">CVE-2024-9120</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9121">CVE-2024-9121</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9122">CVE-2024-9122</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9123">CVE-2024-9123</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9602">CVE-2024-9602</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9603">CVE-2024-9603</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10229">CVE-2024-10229</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10230">CVE-2024-10230</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10231">CVE-2024-10231</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10826">CVE-2024-10826</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10827">CVE-2024-10827</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-45490">CVE-2024-45490</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-45491">CVE-2024-45491</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-45492">CVE-2024-45492</uri>
+ </references>
+ <metadata tag="requester" timestamp="2025-01-23T07:22:20.140856Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2025-01-23T07:22:20.142818Z">graaff</metadata>
+</glsa>
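Review bot: The `<unaffected range="ge">5.15.16_p20241115</unaffected>` entry for dev-qt/qtwebengine in glsa-202501-09.xml has no `slot` attribute, so any 6.x version compares as unaffected regardless of what it contains, even though `<background>` says the library serves both Qt5 and Qt6. If the package is slotted and the Qt6 slot has its own fixed version, the ranges should be slot-qualified the way the Firefox and PHP advisories in this commit are, e.g. `<unaffected range="ge" slot="5">5.15.16_p20241115</unaffected>` with a matching `<vulnerable>` line. I cannot confirm the slot names or the Qt6 status from this diff, so treat the slot value as a placeholder.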
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202501-10.xml b/metadata/glsa/glsa-202501-10.xml
new file mode 100644
index 000000000000..e8e9b1c0ac70
--- /dev/null
+++ b/metadata/glsa/glsa-202501-10.xml
@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-10">
+ <title>Mozilla Firefox: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">firefox,firefox-bin</product>
+ <announced>2025-01-23</announced>
+ <revised count="1">2025-01-23</revised>
+ <bug>942469</bug>
+ <bug>945050</bug>
+ <bug>948113</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge" slot="rapid">134.0</unaffected>
+ <unaffected range="ge" slot="esr">128.6.0</unaffected>
+ <vulnerable range="lt" slot="rapid">134.0</vulnerable>
+ <vulnerable range="lt" slot="esr">128.6.0</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge" slot="rapid">134.0</unaffected>
+ <unaffected range="ge" slot="esr">128.6.0</unaffected>
+ <vulnerable range="lt" slot="rapid">134.0</vulnerable>
+ <vulnerable range="lt" slot="esr">128.6.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox users should upgrade to the latest version in their release channel:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-134.0:rapid"
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-128.6.0:esr"
+ </code>
+
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-134.0:rapid"
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-128.6.0:esr"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10458">CVE-2024-10458</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10459">CVE-2024-10459</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10460">CVE-2024-10460</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10461">CVE-2024-10461</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10462">CVE-2024-10462</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10463">CVE-2024-10463</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10464">CVE-2024-10464</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10465">CVE-2024-10465</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10466">CVE-2024-10466</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10467">CVE-2024-10467</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10468">CVE-2024-10468</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11692">CVE-2024-11692</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11694">CVE-2024-11694</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11695">CVE-2024-11695</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11696">CVE-2024-11696</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11697">CVE-2024-11697</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11699">CVE-2024-11699</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11700">CVE-2024-11700</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11701">CVE-2024-11701</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11704">CVE-2024-11704</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11705">CVE-2024-11705</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11706">CVE-2024-11706</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11708">CVE-2024-11708</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0237">CVE-2025-0237</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0238">CVE-2025-0238</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0239">CVE-2025-0239</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0240">CVE-2025-0240</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0241">CVE-2025-0241</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0242">CVE-2025-0242</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0243">CVE-2025-0243</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0247">CVE-2025-0247</uri>
+ <uri>MFSA2024-55</uri>
+ <uri>MFSA2024-56</uri>
+ <uri>MFSA2024-57</uri>
+ <uri>MFSA2024-58</uri>
+ <uri>MFSA2024-59</uri>
+ <uri>MFSA2024-63</uri>
+ <uri>MFSA2024-64</uri>
+ <uri>MFSA2024-65</uri>
+ <uri>MFSA2024-67</uri>
+ <uri>MFSA2024-68</uri>
+ <uri>MFSA2025-01</uri>
+ <uri>MFSA2025-02</uri>
+ <uri>MFSA2025-05</uri>
+ </references>
+ <metadata tag="requester" timestamp="2025-01-23T07:24:25.583285Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2025-01-23T07:24:25.586463Z">graaff</metadata>
+</glsa>
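Review bot: Both paragraphs in `<resolution>` of glsa-202501-10.xml address "All Mozilla Firefox users", although the first precedes the www-client/firefox-bin commands and the second the www-client/firefox commands, and only the first mentions the release channel. A reader cannot tell which block applies to them; I would write `<p>All Mozilla Firefox binary users should upgrade to the latest version in their release channel:</p>` for the first and `<p>All Mozilla Firefox users should upgrade to the latest version in their release channel:</p>` for the second. Each block also lists both the rapid and the esr command, so the text should say that only the command for the installed slot is meant to be run.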
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202501-11.xml b/metadata/glsa/glsa-202501-11.xml
new file mode 100644
index 000000000000..4222591dfb01
--- /dev/null
+++ b/metadata/glsa/glsa-202501-11.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-11">
+ <title>PHP: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in PHP, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">php</product>
+ <announced>2025-01-23</announced>
+ <revised count="1">2025-01-23</revised>
+ <bug>941598</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/php" auto="yes" arch="*">
+ <unaffected range="ge" slot="8.2">8.2.24</unaffected>
+ <unaffected range="ge" slot="8.3">8.3.12</unaffected>
+ <vulnerable range="lt" slot="8.2">8.2.24</vulnerable>
+ <vulnerable range="lt" slot="8.3">8.3.12</vulnerable>
+ <vulnerable range="lt" slot="8.1">8.1.30</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PHP users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-8.2.24:8.2"
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-8.3.12:8.3"
+ </code>
+
+ <p>Gentoo has discontinued support for php 8.1:</p>
+
+ <code>
+ # emerge --ask --verbose --depclean "dev-lang/php:8.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8925">CVE-2024-8925</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8927">CVE-2024-8927</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9026">CVE-2024-9026</uri>
+ </references>
+ <metadata tag="requester" timestamp="2025-01-23T07:26:35.892309Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2025-01-23T07:26:35.894806Z">graaff</metadata>
+</glsa>
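Review bot: The paragraph `<p>Gentoo has discontinued support for php 8.1:</p>` in glsa-202501-11.xml introduces a `--depclean` command without saying what the reader is expected to do or that the command removes the slot. I would write `<p>Gentoo has discontinued support for PHP 8.1. We recommend that users unmerge it:</p>`. Slot 8.1 also has a `<vulnerable range="lt">` entry but no `<unaffected>` counterpart, which looks intentional given the discontinuation but is worth confirming.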
\ No newline at end of file diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index 4a740145d316..3aafd54bf9c9 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Thu, 23 Jan 2025 06:11:00 +0000 +Fri, 24 Jan 2025 06:10:39 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 9b2ab2f75f6d..9342cfcc57f2 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -0820b69db21f5d907940e213dc5099a1198aa9ca 1737203264 2025-01-18T12:27:44Z +681de9cd0cd49ec8f318f71af0c5917f69f302d8 1737617238 2025-01-23T07:27:18Z |