diff options
Diffstat (limited to 'metadata/glsa')
| -rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
| -rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 485271 -> 486217 bytes | |||
| -rw-r--r-- | metadata/glsa/glsa-202009-13.xml | 74 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-14.xml | 61 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-15.xml | 50 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-16.xml | 52 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-17.xml | 48 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-18.xml | 71 | ||||
| -rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
| -rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
10 files changed, 373 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index eede2bc1bc2a..27b24e14f18c 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 485271 BLAKE2B 4eb8988705304f2e383081a3133de4ec8449e5f0f46de62a4f4c2c2af6353817ee8ec26fe0ae3fd4c8426b8050e7c0de9c3059ab313f7900ebd16aafc208995f SHA512 fa3aa9f4ae7a8c7e47f52390c6374a7742be939c44aa7705cde67726e11710429dacc0c2688d754eb68f752d311d29aaf6454c0cefcd866c171ec1f1a33d76df -TIMESTAMP 2020-09-23T21:38:30Z +MANIFEST Manifest.files.gz 486217 BLAKE2B a2e8388c21e11622400955df84cf5750d3dc1ed97260561adcf8593401f8ff3776aefdf5d04f851eb00ee9174b5b2687221348810862c270d26525ad93d576a6 SHA512 b61762e35911592950f03484850ed8e6736359d874b45a8dc2f8c3e462bef78fc8623da4842eeba0a994b89218e6ced81235ec4b0d1cee904aa59dd83fa038b1 +TIMESTAMP 2020-09-30T15:38:36Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl9rwFZfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl90pnxfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klCkvg/9GqU7PqhiUj/jHu50sSnjG7fROWk9HPkbQYV/eNrv6GS/dAXuyNlem1Bm -I8OzOjOW2cQgkyojFvjdDz/VEBVxaUoF+w9yxwyMoLBEym/QXmq9UrG35MIPo/j5 -RbXaQmUsf1QwdZ64AYpSsmCo7l1i7dqaiLpkIGpGdkZxN69OCiCthNk/WovGY3zy -5vHo2JwljJ9RJzXyrRZSAyGOAdAHB+IOsIVkWiP/XlpFlulGZImN8STTO0irVwQ3 -MZ9WzpjdjsTypz+k6pvCLrgDDQl9hwo0+MI58TWvzHiQA+6dHrWDL6KrHp1fMLEM -tn5ILsmHu5v93jGaCaID5BEi98slgup9XBdXzGTW9ZnXuNkRkvT/sI/yiyxCgGki -ChvonvsrD/tXVCVFgWJ+drStZUAsxGiM7ELn72vdMgzBw7uZQA2b2oLcvUfuC6Qz -haj0Uhb0cycrpa10Rn8n7/ACuK6qsTS2voIxwTfw20X/ZVIHinyO1jVlVHavw/Pf -2ybnnlRoFVaPbuiiutkupUYUVPdDlUPf8XAySI55vMD0GCmga66mS7P2JQNwwvoQ -pJm6tBpHnzIXEbxZNkfDvOiKJ3RKnH+inPgsM/i7Wv5OJ2Aje6iSd+/jPNc56Aiz -6amqzGLhWgf3BjJsjXPmmqvCc1fC0bcvEfUo4cZxHU7DKUqSpFQ= -=lcFW +klB6yxAAmUaNNp1dEV1oQioyfUW4M7TTIAN67TaCYpBpi4b3zo83udZ72Ciuc8jN +gCo9FLvu2L2i5dUZbm4v7+1lpyz63ZduGxqo4gnhxaLx8CXHnOm/aaTYfKVaBj5Z +o3BCJEwYZQdIMR8teZLTscsUJsi3wuOQNmOnxnFAmthTj8O1TR4i3qfZnStGDQ6l ++2IKHY9kdpvbZLenSkoftv8nVI8SC/qAutL9BDsCD6aYhndSLgP/Dy3z7J/nxJDs +varjiOBuwms7lnXKka6NAH7OkSbJ6+nyE231Ea92yK9z1hg2N2+C2MZVA/vIIJTA +JEWz+RnoVvB8EnjeV78MuZvfhV8RDDZQz7uJ/N8emgMQLvQiA4vtxX0d6tGgKhQo +dYqhXahoAwrnqTqDRxIrdtzLfQmuWiVEBSexWg485z/GjKD1cXdAEDwjmEC3QgeW +yuaxF6hdpjpFpaduFz74vq1R12g/G8zu0XCklhNZ4R+6WZi25l2KI3WZFzDsBFV1 +KaKubf1j8ci4VUcplDKVSjQaqeyHzlVbOHourAcOpdsayCHIFOgcAqWX1tl8GztN +ljBLQ8yBQxaYwffo4GvpDOTK4ugxBRR9LS+lCmFUhTPT3aS/HQUyJcI7eBpLH6QC +s6e9tkhiMqfmdvNKUGmhun1wPf6jJwYjmDonwjDCod+3EBgTsP0= +=O4C1 -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex 3bdc6fcc838a..57704eac4cbc 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202009-13.xml b/metadata/glsa/glsa-202009-13.xml new file mode 100644 index 000000000000..163c6c7718e7 --- /dev/null +++ b/metadata/glsa/glsa-202009-13.xml @@ -0,0 +1,74 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-13"> + <title>Chromium, Google Chrome: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Chromiun and Google + Chrome, the worst of which could result in the arbitrary execution of code. + </synopsis> + <product type="ebuild">chromium,google-chrome</product> + <announced>2020-09-29</announced> + <revised count="1">2020-09-29</revised> + <bug>744007</bug> + <access>remote</access> + <affected> + <package name="www-client/chromium" auto="yes" arch="*"> + <unaffected range="ge">85.0.4183.121</unaffected> + <vulnerable range="lt">85.0.4183.121</vulnerable> + </package> + <package name="www-client/google-chrome" auto="yes" arch="*"> + <unaffected range="ge">85.0.4183.121</unaffected> + <vulnerable range="lt">85.0.4183.121</vulnerable> + </package> + </affected> + <background> + <p>Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. + </p> + + <p>Google Chrome is one fast, simple, and secure browser for all your + devices. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Chromium users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-85.0.4183.121" + </code> + + <p>All Google Chrome users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-85.0.4183.121" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15960">CVE-2020-15960</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15961">CVE-2020-15961</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15962">CVE-2020-15962</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15963">CVE-2020-15963</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15964">CVE-2020-15964</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15965">CVE-2020-15965</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15966">CVE-2020-15966</uri> + <uri link="https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop_21.html"> + Upstream advisory + </uri> + </references> + <metadata tag="requester" timestamp="2020-09-23T03:40:44Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-09-29T18:05:33Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-14.xml b/metadata/glsa/glsa-202009-14.xml new file mode 100644 index 000000000000..e7f29aeae16a --- /dev/null +++ b/metadata/glsa/glsa-202009-14.xml @@ -0,0 +1,61 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-14"> + <title>Xen: Buffer overflow</title> + <synopsis>A buffer overflow in Xen might allow remote attacker(s) to execute + arbitrary code. + </synopsis> + <product type="ebuild">xen</product> + <announced>2020-09-29</announced> + <revised count="1">2020-09-29</revised> + <bug>738040</bug> + <access>local, remote</access> + <affected> + <package name="app-emulation/xen" auto="yes" arch="*"> + <unaffected range="ge">4.13.1-r3</unaffected> + <vulnerable range="lt">4.13.1-r3</vulnerable> + </package> + <package name="app-emulation/xen-tools" auto="yes" arch="*"> + <unaffected range="ge">4.13.1-r3</unaffected> + <vulnerable range="lt">4.13.1-r3</vulnerable> + </package> + </affected> + <background> + <p>Xen is a bare-metal hypervisor.</p> + </background> + <description> + <p>An out-of-bounds read/write access issue was found in the USB emulator + when using QEMU. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Xen users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.13.1-r3" + </code> + + <p>All Xen tools users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/xen-tools-4.13.1-r3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14364">CVE-2020-14364</uri> + <uri link="https://xenbits.xen.org/xsa/advisory-335.html">XSA-335</uri> + </references> + <metadata tag="requester" timestamp="2020-09-23T03:24:25Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-09-29T18:05:39Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-15.xml b/metadata/glsa/glsa-202009-15.xml new file mode 100644 index 000000000000..8fb1616dfeff --- /dev/null +++ b/metadata/glsa/glsa-202009-15.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-15"> + <title>libuv: Buffer overflow</title> + <synopsis>A buffer overflow in libuv might allow remote attacker(s) to + execute arbitrary code. + </synopsis> + <product type="ebuild">libuv</product> + <announced>2020-09-29</announced> + <revised count="1">2020-09-29</revised> + <bug>742890</bug> + <access>remote</access> + <affected> + <package name="dev-libs/libuv" auto="yes" arch="*"> + <unaffected range="ge">1.39.0</unaffected> + <vulnerable range="lt">1.39.0</vulnerable> + </package> + </affected> + <background> + <p>libuv is a multi-platform support library with a focus on asynchronous + I/O. + </p> + </background> + <description> + <p>libuv used an incorrect buffer size for paths, causing a buffer + overflow. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libuv users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.39.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8252">CVE-2020-8252</uri> + </references> + <metadata tag="requester" timestamp="2020-09-23T13:49:20Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-09-29T18:05:50Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-16.xml b/metadata/glsa/glsa-202009-16.xml new file mode 100644 index 000000000000..f58afe91c747 --- /dev/null +++ b/metadata/glsa/glsa-202009-16.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-16"> + <title>LinuxCIFS: Shell injection</title> + <synopsis>A vulnerability in LinuxCIFS may allow a remote code execution via + a command line option. + </synopsis> + <product type="ebuild">LinuxCIFS</product> + <announced>2020-09-29</announced> + <revised count="1">2020-09-29</revised> + <bug>743211</bug> + <access>remote</access> + <affected> + <package name="net-fs/cifs-utils" auto="yes" arch="*"> + <unaffected range="ge">6.11</unaffected> + <vulnerable range="lt">6.11</vulnerable> + </package> + </affected> + <background> + <p>The LinuxCIFS utils are a collection of tools for managing Linux CIFS + Client Filesystems. + </p> + </background> + <description> + <p>The mount.cifs utility had a shell injection issue where one can embed + shell commands via the username mount option. Those commands will be run + via popen() in the context of the user calling mount. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to use a specially crafted + argument using mount.cifs, possibly resulting in execution of arbitrary + code with the privileges of the process or a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All LinuxCIFS users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/cifs-utils-6.11" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14342">CVE-2020-14342</uri> + </references> + <metadata tag="requester" timestamp="2020-09-20T13:02:21Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-09-29T18:06:06Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-17.xml b/metadata/glsa/glsa-202009-17.xml new file mode 100644 index 000000000000..408f401fbb95 --- /dev/null +++ b/metadata/glsa/glsa-202009-17.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-17"> + <title>gpsd: Arbitrary code execution</title> + <synopsis>A vulnerability in gpsd could allow remote code execution.</synopsis> + <product type="ebuild">gpsd</product> + <announced>2020-09-29</announced> + <revised count="1">2020-09-29</revised> + <bug>743766</bug> + <access>remote</access> + <affected> + <package name="sci-geosciences/gpsd" auto="yes" arch="*"> + <unaffected range="ge">3.18</unaffected> + <vulnerable range="lt">3.18</vulnerable> + </package> + </affected> + <background> + <p>gpsd is a GPS daemon and library for USB/serial GPS devices and + GPS/mapping clients. + </p> + </background> + <description> + <p>A stack-based buffer overflow was discovered in gpsd on port 2947/TCP or + crafted JSON inputs. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All gpsd users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-geosciences/gpsd-3.18" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17937">CVE-2018-17937</uri> + </references> + <metadata tag="requester" timestamp="2020-09-25T20:46:53Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-09-29T18:06:31Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-18.xml b/metadata/glsa/glsa-202009-18.xml new file mode 100644 index 000000000000..024a1e62ea62 --- /dev/null +++ b/metadata/glsa/glsa-202009-18.xml @@ -0,0 +1,71 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-18"> + <title>Bitcoin: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Bitcoin, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">bitcoin</product> + <announced>2020-09-30</announced> + <revised count="1">2020-09-30</revised> + <bug>711198</bug> + <access>remote</access> + <affected> + <package name="net-p2p/bitcoind" auto="yes" arch="*"> + <unaffected range="ge">0.20.1</unaffected> + <vulnerable range="lt">0.20.1</vulnerable> + </package> + <package name="net-p2p/bitcoin-qt" auto="yes" arch="*"> + <unaffected range="ge">0.20.1</unaffected> + <vulnerable range="lt">0.20.1</vulnerable> + </package> + <package name="net-p2p/bitcoin-cli" auto="yes" arch="*"> + <unaffected range="ge">0.20.1</unaffected> + <vulnerable range="lt">0.20.1</vulnerable> + </package> + </affected> + <background> + <p>Bitcoin Core consists of both “full-node” software for fully + validating the blockchain as well as a bitcoin wallet. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Bitcoin. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All bitcoind users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/bitcoind-0.20.1" + </code> + + <p>All bitcoin-qt users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/bitcoin-qt-0.20.1" + </code> + + <p>All bitcoin-cli users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/bitcoin-cli-0.20.1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15947">CVE-2019-15947</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14198">CVE-2020-14198</uri> + </references> + <metadata tag="requester" timestamp="2020-09-18T00:17:00Z">sam_c</metadata> + <metadata tag="submitter" timestamp="2020-09-30T00:20:42Z">sam_c</metadata> +</glsa> diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index b272585312a4..ef606278e760 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Wed, 23 Sep 2020 21:38:27 +0000 +Wed, 30 Sep 2020 15:38:33 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index fd63cfbeda80..25e643fc27d2 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -7204454a89cbf14c4905c5fdedcd66553a95e8aa 1600040174 2020-09-13T23:36:14+00:00 +785de3f76c77159a620986af784b88d221fb335c 1601425319 2020-09-30T00:21:59+00:00 |