From 3cf7c3ef441822c889356fd1812ebf2944a59851 Mon Sep 17 00:00:00 2001 
From: V3n3RiX Date: Tue, 25 Aug 2020 10:45:55 +0100 Subject: gentoo resync : 25.08.2020 --- metadata/glsa/Manifest | 30 ++++++------ metadata/glsa/Manifest.files.gz | Bin 469226 -> 480829 bytes metadata/glsa/glsa-202007-01.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-02.xml | 62 +++++++++++++++++++++++++ metadata/glsa/glsa-202007-03.xml | 61 +++++++++++++++++++++++++ metadata/glsa/glsa-202007-04.xml | 61 +++++++++++++++++++++++++ metadata/glsa/glsa-202007-05.xml | 55 ++++++++++++++++++++++ metadata/glsa/glsa-202007-06.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-07.xml | 51 +++++++++++++++++++++ metadata/glsa/glsa-202007-08.xml | 96 +++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-202007-09.xml | 67 +++++++++++++++++++++++++++ metadata/glsa/glsa-202007-10.xml | 71 +++++++++++++++++++++++++++++ metadata/glsa/glsa-202007-11.xml | 56 +++++++++++++++++++++++ metadata/glsa/glsa-202007-12.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-13.xml | 55 ++++++++++++++++++++++ metadata/glsa/glsa-202007-14.xml | 44 ++++++++++++++++++ metadata/glsa/glsa-202007-15.xml | 52 +++++++++++++++++++++ metadata/glsa/glsa-202007-16.xml | 47 +++++++++++++++++++ metadata/glsa/glsa-202007-17.xml | 55 ++++++++++++++++++++++ metadata/glsa/glsa-202007-18.xml | 48 ++++++++++++++++++++ metadata/glsa/glsa-202007-19.xml | 51 +++++++++++++++++++++ metadata/glsa/glsa-202007-20.xml | 51 +++++++++++++++++++++ metadata/glsa/glsa-202007-21.xml | 51 +++++++++++++++++++++ metadata/glsa/glsa-202007-22.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-23.xml | 48 ++++++++++++++++++++ metadata/glsa/glsa-202007-24.xml | 47 +++++++++++++++++++ metadata/glsa/glsa-202007-25.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-26.xml | 55 ++++++++++++++++++++++ metadata/glsa/glsa-202007-27.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-28.xml | 46 +++++++++++++++++++ metadata/glsa/glsa-202007-29.xml | 59 ++++++++++++++++++++++++ 
metadata/glsa/glsa-202007-30.xml | 51 +++++++++++++++++++++ metadata/glsa/glsa-202007-31.xml | 55 ++++++++++++++++++++++ metadata/glsa/glsa-202007-32.xml | 45 ++++++++++++++++++ metadata/glsa/glsa-202007-33.xml | 52 +++++++++++++++++++++ metadata/glsa/glsa-202007-34.xml | 51 +++++++++++++++++++++ metadata/glsa/glsa-202007-35.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-36.xml | 52 +++++++++++++++++++++ metadata/glsa/glsa-202007-37.xml | 48 ++++++++++++++++++++ metadata/glsa/glsa-202007-38.xml | 52 +++++++++++++++++++++ metadata/glsa/glsa-202007-39.xml | 60 ++++++++++++++++++++++++ metadata/glsa/glsa-202007-40.xml | 54 ++++++++++++++++++++++ metadata/glsa/glsa-202007-41.xml | 58 +++++++++++++++++++++++ metadata/glsa/glsa-202007-42.xml | 48 ++++++++++++++++++++ metadata/glsa/glsa-202007-43.xml | 46 +++++++++++++++++++ metadata/glsa/glsa-202007-44.xml | 52 +++++++++++++++++++++ metadata/glsa/glsa-202007-45.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-46.xml | 46 +++++++++++++++++++ metadata/glsa/glsa-202007-47.xml | 49 ++++++++++++++++++++ metadata/glsa/glsa-202007-48.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-49.xml | 49 ++++++++++++++++++++ metadata/glsa/glsa-202007-50.xml | 49 ++++++++++++++++++++ metadata/glsa/glsa-202007-51.xml | 44 ++++++++++++++++++ metadata/glsa/glsa-202007-52.xml | 49 ++++++++++++++++++++ metadata/glsa/glsa-202007-53.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-54.xml | 49 ++++++++++++++++++++ metadata/glsa/glsa-202007-55.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202007-56.xml | 48 ++++++++++++++++++++ metadata/glsa/glsa-202007-57.xml | 65 ++++++++++++++++++++++++++ metadata/glsa/glsa-202007-58.xml | 54 ++++++++++++++++++++++ metadata/glsa/glsa-202007-59.xml | 70 ++++++++++++++++++++++++++++ metadata/glsa/glsa-202007-60.xml | 62 +++++++++++++++++++++++++ metadata/glsa/glsa-202007-61.xml | 55 ++++++++++++++++++++++ metadata/glsa/glsa-202007-62.xml | 51 +++++++++++++++++++++ 
metadata/glsa/glsa-202007-63.xml | 53 +++++++++++++++++++++ metadata/glsa/glsa-202007-64.xml | 68 +++++++++++++++++++++++++++ metadata/glsa/glsa-202007-65.xml | 52 +++++++++++++++++++++ metadata/glsa/glsa-202008-01.xml | 77 +++++++++++++++++++++++++++++++ metadata/glsa/glsa-202008-02.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202008-03.xml | 51 +++++++++++++++++++++ metadata/glsa/glsa-202008-04.xml | 51 +++++++++++++++++++++ metadata/glsa/glsa-202008-05.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202008-06.xml | 50 ++++++++++++++++++++ metadata/glsa/glsa-202008-07.xml | 80 ++++++++++++++++++++++++++++++++ metadata/glsa/glsa-202008-08.xml | 51 +++++++++++++++++++++ metadata/glsa/timestamp.chk | 2 +- metadata/glsa/timestamp.commit | 2 +- 77 files changed, 3953 insertions(+), 17 deletions(-) create mode 100644 metadata/glsa/glsa-202007-01.xml create mode 100644 metadata/glsa/glsa-202007-02.xml create mode 100644 metadata/glsa/glsa-202007-03.xml create mode 100644 metadata/glsa/glsa-202007-04.xml create mode 100644 metadata/glsa/glsa-202007-05.xml create mode 100644 metadata/glsa/glsa-202007-06.xml create mode 100644 metadata/glsa/glsa-202007-07.xml create mode 100644 metadata/glsa/glsa-202007-08.xml create mode 100644 metadata/glsa/glsa-202007-09.xml create mode 100644 metadata/glsa/glsa-202007-10.xml create mode 100644 metadata/glsa/glsa-202007-11.xml create mode 100644 metadata/glsa/glsa-202007-12.xml create mode 100644 metadata/glsa/glsa-202007-13.xml create mode 100644 metadata/glsa/glsa-202007-14.xml create mode 100644 metadata/glsa/glsa-202007-15.xml create mode 100644 metadata/glsa/glsa-202007-16.xml create mode 100644 metadata/glsa/glsa-202007-17.xml create mode 100644 metadata/glsa/glsa-202007-18.xml create mode 100644 metadata/glsa/glsa-202007-19.xml create mode 100644 metadata/glsa/glsa-202007-20.xml create mode 100644 metadata/glsa/glsa-202007-21.xml create mode 100644 metadata/glsa/glsa-202007-22.xml create mode 100644 
metadata/glsa/glsa-202007-23.xml create mode 100644 metadata/glsa/glsa-202007-24.xml create mode 100644 metadata/glsa/glsa-202007-25.xml create mode 100644 metadata/glsa/glsa-202007-26.xml create mode 100644 metadata/glsa/glsa-202007-27.xml create mode 100644 metadata/glsa/glsa-202007-28.xml create mode 100644 metadata/glsa/glsa-202007-29.xml create mode 100644 metadata/glsa/glsa-202007-30.xml create mode 100644 metadata/glsa/glsa-202007-31.xml create mode 100644 metadata/glsa/glsa-202007-32.xml create mode 100644 metadata/glsa/glsa-202007-33.xml create mode 100644 metadata/glsa/glsa-202007-34.xml create mode 100644 metadata/glsa/glsa-202007-35.xml create mode 100644 metadata/glsa/glsa-202007-36.xml create mode 100644 metadata/glsa/glsa-202007-37.xml create mode 100644 metadata/glsa/glsa-202007-38.xml create mode 100644 metadata/glsa/glsa-202007-39.xml create mode 100644 metadata/glsa/glsa-202007-40.xml create mode 100644 metadata/glsa/glsa-202007-41.xml create mode 100644 metadata/glsa/glsa-202007-42.xml create mode 100644 metadata/glsa/glsa-202007-43.xml create mode 100644 metadata/glsa/glsa-202007-44.xml create mode 100644 metadata/glsa/glsa-202007-45.xml create mode 100644 metadata/glsa/glsa-202007-46.xml create mode 100644 metadata/glsa/glsa-202007-47.xml create mode 100644 metadata/glsa/glsa-202007-48.xml create mode 100644 metadata/glsa/glsa-202007-49.xml create mode 100644 metadata/glsa/glsa-202007-50.xml create mode 100644 metadata/glsa/glsa-202007-51.xml create mode 100644 metadata/glsa/glsa-202007-52.xml create mode 100644 metadata/glsa/glsa-202007-53.xml create mode 100644 metadata/glsa/glsa-202007-54.xml create mode 100644 metadata/glsa/glsa-202007-55.xml create mode 100644 metadata/glsa/glsa-202007-56.xml create mode 100644 metadata/glsa/glsa-202007-57.xml create mode 100644 metadata/glsa/glsa-202007-58.xml create mode 100644 metadata/glsa/glsa-202007-59.xml create mode 100644 metadata/glsa/glsa-202007-60.xml create mode 100644 
metadata/glsa/glsa-202007-61.xml create mode 100644 metadata/glsa/glsa-202007-62.xml create mode 100644 metadata/glsa/glsa-202007-63.xml create mode 100644 metadata/glsa/glsa-202007-64.xml create mode 100644 metadata/glsa/glsa-202007-65.xml create mode 100644 metadata/glsa/glsa-202008-01.xml create mode 100644 metadata/glsa/glsa-202008-02.xml create mode 100644 metadata/glsa/glsa-202008-03.xml create mode 100644 metadata/glsa/glsa-202008-04.xml create mode 100644 metadata/glsa/glsa-202008-05.xml create mode 100644 metadata/glsa/glsa-202008-06.xml create mode 100644 metadata/glsa/glsa-202008-07.xml create mode 100644 metadata/glsa/glsa-202008-08.xml (limited to 'metadata/glsa') diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest index 362bf881c1a9..560ea4376bd0 100644 --- a/metadata/glsa/Manifest +++ b/metadata/glsa/Manifest 
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 469226 BLAKE2B 7802023c2e2f34c26e4ab80c5dc66d82df62eae23b930c29c3bebb5b4ded87a3a117438be8d0fe26990389a3a2947f4151a8aecdd768fcd1388a595c78cd7d73 SHA512 c8862da9c01fac7f061d6ed989c78046fca0143f6f6c82ce4d8c8662fe53725e542bc7eb68e3936d66230eedcea6132083a3412ca73bd3a83c42808079029d0e -TIMESTAMP 2020-07-04T12:38:26Z +MANIFEST Manifest.files.gz 480829 BLAKE2B 7b875550bc3942bd6cddbe0c5c0ece578516314fe4a0a5cdd538e929c903b557ac2af9e301d5f7232331b35fdd266cec7820aab259fc68aadddb4451bc4fefc7 SHA512 3370d43afeebe4815706a4ff51c9176617549d872cfd990d379873d58909952b19ef588fb91c7597fe9a2d900bf73a12b47d7fb29760d1f6faf5537993cac3a5 +TIMESTAMP 2020-08-25T08:08:43Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl8AeEJfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl9ExwtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klBe4RAAls/KVsBnXuXbfOYhzbtakBwM8EOfHOhOSlGx7bUTTEJryQorcNhciCQX -foZH23v5LdLn1nXw2MJ/9BrDZD2pVJ1Iee/0cJU0SDq9HGwIYQoTScR1pH1UThIq -DlQEOemgdKUiFKWrE+37cFIDCKU7oQcjaRbrTlNfZ+dIQihDWlFxpOmD+KrSpRxb -K6BEmRgTht82RwA/wge8mWj5vdd8ISoVt5x+835LDMXQIkIRxX/Ls8O9X1Vs8kYW -LiC1gZUH56JJsgb37kREUDC0/XkIQgAMZ03/NTiDJinIBMgRK/sMzDoFaX6HDIr4 -RTsMnLykZyWK9sihYpkyXlzLaGi7psKZSpHs/vYT09tULa2YXVIzJ1AXKOOdQDps -BvabUWJwKxXIEUIq3nC0bhTnrHfDJTRX9cNLYT8Jbh3/5+DYC/j2wtCPsO32S9NX -ZU6zl1QkDIk9KMEs00NMu0aBA8HKyvB4vBSkDrN30maO9f9G7hGsesEtDJdLA6tr -N/Udq9dm1pM4Ogwpt2ZbB2UcpDktukNB7qR4ADzpKBbJbj9SC2lWpL8BLuAjq8Jr -dRzIZN0xyrk0st+dzZpgpQoeFoYcuWR9KvcqDsRsbHuIqY4hAARQq3vYOVuQYWlP -Y9CqT9ZEirrTRdCvQopODVutITJJfTUoHvctyGLY8ek59Z+ImX0= -=Sz/f +klCudBAAoNc9I702Ky7EuFyvbLNr5P2Kr1CAC3PbKVHa2oFwvQBVIEdT0dCVhCpO +mF85IrizBXh6z7OTAMPMW4QEcghCu3VSsaCbxt3r8Vi90dNDXClmU7/Dxy0YyyYV +xe0HuWhhRyqkzYgxp4rLfBw2Btcuc1regHrIVWnAF+2Trp/3sKR3+nCDYBQgnbMq 
+1aXjVzCmNkfCZek7ySpxDj3qzUaNMErMAzv6eCaJh1GI1nMT1yscdKJtAtP9FT0Y +QB7FtdCoek6RHqGqdy7aX4xdMbxdX27X+nluRDb3rRMgnAyu2HdW7egAz/fEgJAh +38nEstcXQVplrIA9zipwXs2M8zg6QbTg48CMqzEhhJhYPSUTI69KQFwH+3B4KGON +IUPGckNU1VmyedXr7mKINaGshM+xp3Sjtl599KsAzNmDlPCJ8EYm3VtzucrbCV2e +l7tBIr9TsI7KEy2d64wLfvD2AA3sJNGhwvO7B5cLD0Q0iSetcHyvUyJclNrQZYRN +Gj43L4m5JblwhMG8QASNT1wFQ8baxiMVsF/qMzC7seFfpvEzw/nz2rpMtjoI/JRh +CSQ0w8FXzpgNHjk9kAPYKe91TZ8SZSU1/PEYFXxxtrRHDZuf5pYK+9UFdZKNI8RS +62lBJKykUoI65vV3xFlaUGnNgMzx2zbfe7JfgRX263Xdb3aCo70= +=DunG -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index 48dd3882a070..769ddee349ad 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-202007-01.xml b/metadata/glsa/glsa-202007-01.xml new file mode 100644 index 000000000000..56c6b1c3013b --- /dev/null +++ b/metadata/glsa/glsa-202007-01.xml @@ -0,0 +1,50 @@ + + + + netqmail: Multiple vulnerabilities + Multiple vulnerabilities have been found in netqmail, the worst of + which could result in the arbitrary execution of code. + + netqmail + 2020-07-26 + 2020-07-26 + 721566 + local, remote + + + 1.06-r13 + 1.06-r13 + + + +

qmail is a secure, reliable, efficient, simple message transfer agent.

+
+ +

Multiple vulnerabilities have been discovered in netqmail. Please review + the CVE identifiers referenced below for details. +

+
+ +

In the default configuration, these vulnerabilities are only local. + Please review the referenced CVE identifiers for details. +

+
+ +

There is no known workaround at this time.

+
+ +

All netqmail users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/netqmail-1.06-r13" + +
+ + CVE-2005-1513 + CVE-2005-1514 + CVE-2005-1515 + + sam_c + sam_c +
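Review bot: for the Manifest hunk above (the run-together `@@ -1,23 +1,23 @@` region), the review check is cryptographic rather than visual: the replaced `MANIFEST Manifest.files.gz` line (size 469226 -> 480829, new BLAKE2B and SHA512 digests) and the new `TIMESTAMP 2020-08-25T08:08:43Z` are only as trustworthy as the replacement PGP signature block that follows them, so the signature should be verified against the key the repository is expected to be signed with (for example `gpg --verify metadata/glsa/Manifest` after the sync), and the two digests should be recomputed over the committed Manifest.files.gz (the binary file listed as changed right after this hunk) rather than accepted as copied through. Since the signature also covers the timestamp, checking that it moved forward from the old `2020-07-04T12:38:26Z` catches a replayed older Manifest as well as a tampered one.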
diff --git a/metadata/glsa/glsa-202007-02.xml b/metadata/glsa/glsa-202007-02.xml new file mode 100644 index 000000000000..7cc7db21c7aa --- /dev/null +++ b/metadata/glsa/glsa-202007-02.xml @@ -0,0 +1,62 @@ + + + + Xen: Multiple vulnerabilities + Multiple vulnerabilities have been found in Xen, the worst of which + could result in the arbitrary execution of code. + + xen + 2020-07-26 + 2020-07-26 + 731658 + remote + + + 4.12.3-r2 + 4.12.3-r2 + + + 4.12.3-r2 + 4.12.3-r2 + + + +

Xen is a bare-metal hypervisor.

+
+ +

Multiple vulnerabilities have been discovered in Xen. Please review the + CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Xen users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.12.3-r2" + + +

All Xen Tools users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/xen-tools-4.12.3-r2" + +
+ + CVE-2020-15563 + CVE-2020-15564 + CVE-2020-15565 + CVE-2020-15566 + CVE-2020-15567 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-03.xml b/metadata/glsa/glsa-202007-03.xml new file mode 100644 index 000000000000..93079b9e24c7 --- /dev/null +++ b/metadata/glsa/glsa-202007-03.xml @@ -0,0 +1,61 @@ + + + + Cacti: Multiple vulnerabilities + Multiple vulnerabilities have been found in Cacti, the worst of + which could result in the arbitrary execution of code. + + cacti + 2020-07-26 + 2020-07-26 + 728678 + 732522 + remote + + + 1.2.13 + 1.2.13 + + + 1.2.13 + 1.2.13 + + + +

Cacti is a complete frontend to rrdtool.

+
+ +

Multiple vulnerabilities have been discovered in Cacti. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Cacti users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-1.2.13" + + +

All Cacti Spine users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-spine-1.2.13" + + +
+ + CVE-2020-11022 + CVE-2020-11023 + CVE-2020-14295 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-04.xml b/metadata/glsa/glsa-202007-04.xml new file mode 100644 index 000000000000..b04ea7893e90 --- /dev/null +++ b/metadata/glsa/glsa-202007-04.xml @@ -0,0 +1,61 @@ + + + + fwupd, libjcat: Multiple vulnerabilities + Multiple vulnerabilities have been found in fwupd and libjcat, the + worst of which could result in the arbitrary execution of code. + + fwupd,libjfcat + 2020-07-26 + 2020-07-26 + 727656 + remote + + + 1.3.10 + 1.3.10 + + + 0.1.3 + 0.1.3 + + + +

fwupd aims to make updating firmware on Linux automatic, safe and + reliable. libjcat is a library and tool for reading and writing Jcat + files. +

+
+ +

Multiple vulnerabilities have been discovered in fwupd and libjcat. + Please review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All fwupd users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/fwupd-1.3.10" + + +

All libjcat users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libjcat-0.1.3" + + +
+ + CVE-2020-10759 + + sam_c + sam_c +
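Review bot: the product field in glsa-202007-04.xml reads `fwupd,libjfcat`, while the title and the resolution name the package `libjcat` (`>=dev-libs/libjcat-0.1.3`); the product list should be `fwupd,libjcat` so that tooling keyed on product names matches the second package as well as the first.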
diff --git a/metadata/glsa/glsa-202007-05.xml b/metadata/glsa/glsa-202007-05.xml new file mode 100644 index 000000000000..75ae7ba35b88 --- /dev/null +++ b/metadata/glsa/glsa-202007-05.xml @@ -0,0 +1,55 @@ + + + + libexif: Multiple vulnerabilities + Multiple vulnerabilities have been found in libexif, the worst of + which could result in the arbitrary execution of code. + + libexif + 2020-07-26 + 2020-07-26 + 708728 + remote + + + 0.6.22 + 0.6.22 + + + +

libexif is a library for parsing, editing and saving Exif metadata from + images. +

+
+ +

Multiple vulnerabilities have been discovered in libexif. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All libexif users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libexif-0.6.22" + + +
+ + CVE-2016-6328 + CVE-2019-9278 + CVE-2020-0093 + CVE-2020-12767 + CVE-2020-13112 + CVE-2020-13113 + CVE-2020-13114 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-06.xml b/metadata/glsa/glsa-202007-06.xml new file mode 100644 index 000000000000..e8f7cd438d97 --- /dev/null +++ b/metadata/glsa/glsa-202007-06.xml @@ -0,0 +1,50 @@ + + + + HylaFAX: Multiple vulnerabilities + Multiple vulnerabilities have been found in HylaFAX, the worst of + which could result in privilege escalation. + + hylafax + 2020-07-26 + 2020-07-26 + 730290 + local + + + 7.0.2 + 7.0.2 + + + +

HylaFAX is an enterprise-class system for sending and receiving + facsimile messages and for sending alpha-numeric pages. +

+
+ +

Multiple vulnerabilities have been discovered in HylaFAX. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All HylaFAX users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/hylafaxplus-7.0.2" + + +
+ + CVE-2020-15396 + CVE-2020-15397 + + sam_c + sam_c +
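Review bot: documentation consistency in glsa-202007-06.xml: the title, the product field (`hylafax`) and the upgrade text all say HylaFAX, but the only affected package and the fix atom are `net-misc/hylafaxplus-7.0.2`; naming the product as HylaFAX+ (hylafaxplus) in the title and product field, or stating in the synopsis which package is meant, would make it clear to readers which package the advisory applies to.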
diff --git a/metadata/glsa/glsa-202007-07.xml b/metadata/glsa/glsa-202007-07.xml new file mode 100644 index 000000000000..3093043f627d --- /dev/null +++ b/metadata/glsa/glsa-202007-07.xml @@ -0,0 +1,51 @@ + + + + Transmission: Remote code execution + A use-after-free possibly allowing remote execution of code was + discovered in Transmission. + + transmission + 2020-07-26 + 2020-07-26 + 723258 + remote + + + 3.00 + 3.00 + + + +

Transmission is a cross-platform BitTorrent client.

+
+ +

Transmission mishandles some memory management which may allow + manipulation of the heap. +

+
+ +

A remote attacker could entice a user to open a specially crafted + torrent file using Transmission, possibly resulting in execution of + arbitrary code with the privileges of the process or a Denial of Service + condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Transmission users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-p2p/transmission-3.00" + + +
+ + CVE-2018-10756 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-08.xml b/metadata/glsa/glsa-202007-08.xml new file mode 100644 index 000000000000..a4f230e66bb5 --- /dev/null +++ b/metadata/glsa/glsa-202007-08.xml @@ -0,0 +1,96 @@ + + + + Chromium, Google Chrome: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which could result in the arbitrary execution of code. + + chromium,google-chrome + 2020-07-26 + 2020-07-26 + 728418 + 729310 + 732588 + remote + + + 84.0.4147.89 + 84.0.4147.89 + + + 84.0.4147.89 + 84.0.4147.89 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+ +

Google Chrome is one fast, simple, and secure browser for all your + devices. +

+
+ +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-84.0.4147.89" + + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-84.0.4147.89" + +
+ + CVE-2020-6505 + CVE-2020-6506 + CVE-2020-6507 + CVE-2020-6509 + CVE-2020-6510 + CVE-2020-6511 + CVE-2020-6512 + CVE-2020-6513 + CVE-2020-6514 + CVE-2020-6515 + CVE-2020-6516 + CVE-2020-6517 + CVE-2020-6518 + CVE-2020-6519 + CVE-2020-6520 + CVE-2020-6521 + CVE-2020-6522 + CVE-2020-6523 + CVE-2020-6524 + CVE-2020-6525 + CVE-2020-6526 + CVE-2020-6527 + CVE-2020-6528 + CVE-2020-6529 + CVE-2020-6530 + CVE-2020-6531 + CVE-2020-6533 + CVE-2020-6534 + CVE-2020-6535 + CVE-2020-6536 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-09.xml b/metadata/glsa/glsa-202007-09.xml new file mode 100644 index 000000000000..eafd82da1347 --- /dev/null +++ b/metadata/glsa/glsa-202007-09.xml @@ -0,0 +1,67 @@ + + + + Mozilla Thunderbird: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mozilla Thunderbird, + the worst of which could result in the arbitrary execution of code. + + thunderbird + 2020-07-26 + 2020-07-26 + 730628 + remote + + + 68.10.0 + 68.10.0 + + + 68.10.0 + 68.10.0 + + + +

Mozilla Thunderbird is a popular open-source email client from the + Mozilla project. +

+
+ +

Multiple vulnerabilities have been discovered in Mozilla Thunderbird. + Please review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Mozilla Thunderbird users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-68.10.0" + + +

All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=mail-client/thunderbird-bin-68.10.0" + + +
+ + CVE-2020-12417 + CVE-2020-12418 + CVE-2020-12419 + CVE-2020-12420 + CVE-2020-12421 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-10.xml b/metadata/glsa/glsa-202007-10.xml new file mode 100644 index 000000000000..ba5545fd961d --- /dev/null +++ b/metadata/glsa/glsa-202007-10.xml @@ -0,0 +1,71 @@ + + + + Mozilla Firefox: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mozilla Firefox, the + worst of which could result in the arbitrary execution of code. + + firefox + 2020-07-26 + 2020-07-26 + 730418 + remote + + + 68.10.0 + 68.10.0 + + + 68.10.0 + 68.10.0 + + + +

Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. +

+
+ +

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please + review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Mozilla Firefox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-68.10.0" + + +

All Mozilla Firefox binary users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-68.10.0" + + +
+ + CVE-2020-12402 + CVE-2020-12415 + CVE-2020-12416 + CVE-2020-12417 + CVE-2020-12418 + CVE-2020-12419 + CVE-2020-12420 + CVE-2020-12421 + CVE-2020-12422 + CVE-2020-12424 + CVE-2020-12425 + CVE-2020-12426 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-11.xml b/metadata/glsa/glsa-202007-11.xml new file mode 100644 index 000000000000..914221d8593e --- /dev/null +++ b/metadata/glsa/glsa-202007-11.xml @@ -0,0 +1,56 @@ + + + + WebKitGTK+: Multiple vulnerabilities + Multiple vulnerabilities have been found in WebKitGTK+, the worst + of which could result in the arbitrary execution of code. + + webkitgtk+ + 2020-07-26 + 2020-07-26 + 732104 + remote + + + 2.28.3 + 2.28.3 + + + +

WebKitGTK+ is a full-featured port of the WebKit rendering engine, + suitable for projects requiring any kind of web integration, from hybrid + HTML/CSS applications to full-fledged web browsers. +

+
+ +

Multiple vulnerabilities have been discovered in WebKitGTK+. Please + review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All WebKitGTK+ users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.28.3" + +
+ + CVE-2020-13753 + CVE-2020-9802 + CVE-2020-9803 + CVE-2020-9805 + CVE-2020-9806 + CVE-2020-9807 + CVE-2020-9843 + CVE-2020-9850 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-12.xml b/metadata/glsa/glsa-202007-12.xml new file mode 100644 index 000000000000..15f5cd20ec8f --- /dev/null +++ b/metadata/glsa/glsa-202007-12.xml @@ -0,0 +1,50 @@ + + + + NTP: Multiple vulnerabilities + Multiple vulnerabilities have been found in NTP, the worst of which + could result in a Denial of Service condition. + + ntp + 2020-07-26 + 2020-07-26 + 717798 + 729458 + remote + + + 4.2.8_p15 + 4.2.8_p15 + + + +

NTP contains software for the Network Time Protocol.

+
+ +

Multiple vulnerabilities have been discovered in NTP. Please review the + CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All NTP users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8_p15" + + +
+ + CVE-2020-11868 + CVE-2020-13817 + CVE-2020-15025 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-13.xml b/metadata/glsa/glsa-202007-13.xml new file mode 100644 index 000000000000..5c0c85cff0ec --- /dev/null +++ b/metadata/glsa/glsa-202007-13.xml @@ -0,0 +1,55 @@ + + + + Wireshark: Multiple vulnerabilities + Multiple vulnerabilities have been found in Wireshark, the worst of + which could result in a Denial of Service condition. + + wireshark + 2020-07-26 + 2020-07-26 + 711012 + 716756 + 724132 + 730414 + remote + + + 3.2.5 + 3.2.5 + + + +

Wireshark is a network protocol analyzer formerly known as ethereal.

+
+ +

Multiple vulnerabilities have been discovered in Wireshark. Please + review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Wireshark users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-3.2.5" + +
+ + CVE-2020-11647 + CVE-2020-13164 + CVE-2020-15466 + CVE-2020-9428 + CVE-2020-9429 + CVE-2020-9430 + CVE-2020-9431 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-14.xml b/metadata/glsa/glsa-202007-14.xml new file mode 100644 index 000000000000..6fe7f34940eb --- /dev/null +++ b/metadata/glsa/glsa-202007-14.xml @@ -0,0 +1,44 @@ + + + + yaml-cpp: Denial of service + A vulnerability in yaml-cpp could lead to a Denial of Service + condition. + + yaml-cpp + 2020-07-26 + 2020-07-26 + 626662 + remote + + + 0.6.3-r2 + 0.6.3-r2 + + + +

yaml-cpp is a YAML parser and emitter in C++.

+
+ +

The function Scanner::peek in scanner.cpp may have an assertion failure.

+
+ +

An attacker could cause a possible Denial of Service condition.

+
+ +

There is no known workaround at this time.

+
+ +

All yaml-cpp users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-cpp/yaml-cpp-0.6.3-r2" + +
+ + CVE-2017-11692 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-15.xml b/metadata/glsa/glsa-202007-15.xml new file mode 100644 index 000000000000..f45efd336712 --- /dev/null +++ b/metadata/glsa/glsa-202007-15.xml @@ -0,0 +1,52 @@ + + + + Samba: Multiple vulnerabilities + Multiple vulnerabilities have been found in Samba, the worst of + which could result in a Denial of Service condition. + + samba + 2020-07-26 + 2020-07-26 + 719120 + 730472 + remote + + + 4.11.11 + 4.11.11 + + + +

Samba is a suite of SMB and CIFS client/server programs.

+
+ +

Multiple vulnerabilities have been discovered in Samba. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Samba users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-4.11.11" + +
+ + CVE-2020-10700 + CVE-2020-10704 + CVE-2020-10730 + CVE-2020-10745 + CVE-2020-10760 + CVE-2020-14303 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-16.xml b/metadata/glsa/glsa-202007-16.xml new file mode 100644 index 000000000000..393e5994ccf0 --- /dev/null +++ b/metadata/glsa/glsa-202007-16.xml @@ -0,0 +1,47 @@ + + + + cURL: Multiple vulnerabilities + Multiple vulnerabilities have been found in cURL, the worst of + which could result in information disclosure or data loss. + + curl + 2020-07-26 + 2020-07-26 + 729374 + remote + + + 7.71.0 + 7.71.0 + + + +

A command line tool and library for transferring data with URLs.

+
+ +

Multiple vulnerabilities have been discovered in cURL. Please review the + CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All cURL users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.71.0" + +
+ + CVE-2020-8169 + CVE-2020-8177 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-17.xml b/metadata/glsa/glsa-202007-17.xml new file mode 100644 index 000000000000..1234ccc4b9f0 --- /dev/null +++ b/metadata/glsa/glsa-202007-17.xml @@ -0,0 +1,55 @@ + + + + JHead: Multiple vulnerabilities + Multiple vulnerabilities have been found in JHead, the worst of + which could result in a Denial of Service condition. + + jhead + 2020-07-26 + 2020-07-27 + 701826 + 711220 + remote + + + 3.04 + 3.04 + + + +

JHead is an exif jpeg header manipulation tool.

+
+ +

Multiple vulnerabilities have been discovered in JHead. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All JHead users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/jhead-3.04" + +
+ + + CVE-2019-1010301 + + + CVE-2019-1010302 + + CVE-2019-19035 + CVE-2020-6624 + CVE-2020-6625 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-18.xml b/metadata/glsa/glsa-202007-18.xml new file mode 100644 index 000000000000..01b58a0aaddf --- /dev/null +++ b/metadata/glsa/glsa-202007-18.xml @@ -0,0 +1,48 @@ + + + + QtNetwork: Denial of service + A vulnerability in QtNetwork could lead to a Denial of Service + condition. + + qtnetwork + 2020-07-26 + 2020-07-26 + 727604 + remote + + + 5.14.2-r1 + 5.14.2-r1 + + + +

QtNetwork provides a set of APIs for programming applications that use + TCP/IP. It is part of the Qt framework. +

+
+ +

A flaw was discovered in QtNetwork’s handling of OpenSSL protocol + errors. +

+
+ +

An attacker could cause a possible Denial of Service condition.

+
+ +

There is no known workaround at this time.

+
+ +

All QtNetwork users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtnetwork-5.14.2-r1" + +
+ + CVE-2020-13962 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-19.xml b/metadata/glsa/glsa-202007-19.xml new file mode 100644 index 000000000000..2155cd008014 --- /dev/null +++ b/metadata/glsa/glsa-202007-19.xml @@ -0,0 +1,51 @@ + + + + WavPack: Multiple vulnerabilities + Multiple vulnerabilities have been found in WavPack, the worst of + which could result in a Denial of Service condition. + + wavpack + 2020-07-27 + 2020-07-27 + 672638 + remote + + + 5.3.2 + 5.3.2 + + + +

WavPack is a set of hybrid lossless audio compression tools.

+
+ +

Multiple vulnerabilities have been discovered in WavPack. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could send a specially crafted audio file possibly + resulting in a Denial of Service condition. Please review the referenced + CVE identifiers for details. +

+
+ +

There is no known workaround at this time.

+
+ +

All WavPack users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-sound/wavpack-5.3.2" + +
+ + CVE-2018-19840 + CVE-2018-19841 + CVE-2019-11498 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-20.xml b/metadata/glsa/glsa-202007-20.xml new file mode 100644 index 000000000000..b05df4b8156e --- /dev/null +++ b/metadata/glsa/glsa-202007-20.xml @@ -0,0 +1,51 @@ + + + + fuseiso: Multiple vulnerabilities + Multiple vulnerabilities have been found in fuseiso, the worst of + which could result in the arbitrary execution of code. + + fuseiso + 2020-07-27 + 2020-07-27 + 713328 + remote + + + 20070708-r3 + 20070708-r3 + + + +

FuseISO is a FUSE module to mount ISO filesystem images (.iso, .nrg, + .bin, .mdf and .img files). +

+
+ +

Multiple vulnerabilities have been discovered in fuseiso. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to open a specially crafted ISO + file using fuseiso, possibly resulting in execution of arbitrary code + with the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All fuseiso users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/fuseiso-20070708-r3" + +
+ + CVE-2015-8837 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-21.xml b/metadata/glsa/glsa-202007-21.xml new file mode 100644 index 000000000000..41a83f01f91e --- /dev/null +++ b/metadata/glsa/glsa-202007-21.xml @@ -0,0 +1,51 @@ + + + + Libreswan: Denial of service + A vulnerability in Libreswan could lead to a Denial of Service + condition. + + libreswan + 2020-07-27 + 2020-07-27 + 722696 + remote + + + 3.32 + 3.32 + + + +

Libreswan is a free software implementation of the most widely supported + and standarized VPN protocol based on (“IPsec”) and the Internet Key + Exchange (“IKE”). +

+
+ +

As a result of a bug in handling certain bogus encrypted IKEv1, while + building a log message that the packet has been dropped, a NULL pointer + dereference causes Libreswan to crash and restart when it attempts to log + the state name involved. +

+
+ +

An attacker could cause a possible Denial of Service condition.

+
+ +

There is no known workaround at this time.

+
+ +

All Libreswan users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-vpn/libreswan-3.32" + +
+ + CVE-2020-1763 + + sam_c + sam_c +
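Review bot: "standarized" in the description paragraph ("the most widely supported and standarized VPN protocol") is a typo for "standardized", and the parenthesis is misplaced; suggest "the most widely supported and standardized VPN protocol, based on IPsec and the Internet Key Exchange (“IKE”)". In the same hunk, the vulnerability text "a bug in handling certain bogus encrypted IKEv1, while building a log message" is missing its noun; "certain bogus encrypted IKEv1 packets" reads as intended.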
diff --git a/metadata/glsa/glsa-202007-22.xml b/metadata/glsa/glsa-202007-22.xml new file mode 100644 index 000000000000..fce9e1a3bb57 --- /dev/null +++ b/metadata/glsa/glsa-202007-22.xml @@ -0,0 +1,50 @@ + + + + sysstat: Arbitrary code execution + A use-after-free in sysstat was discovered which may allow + arbitrary code execution. + + sysstat + 2020-07-27 + 2020-07-27 + 706206 + local + + + 12.2.1 + 12.2.1 + + + +

sysstat is a package containing a number of performance monitoring + utilities for Linux, including sar, mpstat, iostat and sa tools. +

+
+ +

A double-free in sysstat’s check_file_actlst() function was + discovered. +

+
+ +

A local attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All sysstat users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.2.1" + +
+ + CVE-2019-19725 + + sam_c + sam_c +
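Review bot: the synopsis calls the flaw "A use-after-free in sysstat" while the description section says "A double-free in sysstat's check_file_actlst() function". These are different bug classes; pick the one that matches the CVE and use it in both places.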
diff --git a/metadata/glsa/glsa-202007-23.xml b/metadata/glsa/glsa-202007-23.xml new file mode 100644 index 000000000000..49b3737c3075 --- /dev/null +++ b/metadata/glsa/glsa-202007-23.xml @@ -0,0 +1,48 @@ + + + + ClamAV: Multiple vulnerabilities + Multiple vulnerabilities have been found in ClamAV, the worst of + which could result in a Denial of Service condition. + + clamav + 2020-07-27 + 2020-07-27 + 732944 + remote + + + 0.102.4 + 0.102.4 + + + +

ClamAV is a GPL virus scanner.

+
+ +

Multiple vulnerabilities have been discovered in ClamAV. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All ClamAV users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.102.4" + +
+ + CVE-2020-3327 + CVE-2020-3350 + CVE-2020-3481 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-24.xml b/metadata/glsa/glsa-202007-24.xml new file mode 100644 index 000000000000..1ee579b1f66c --- /dev/null +++ b/metadata/glsa/glsa-202007-24.xml @@ -0,0 +1,47 @@ + + + + Twisted: Access restriction bypasses + Multiple vulnerabilities have been found in Twisted, the worst of + which could result in a Denial of Service condition. + + twisted + 2020-07-27 + 2020-07-27 + 712240 + remote + + + 20.3.0 + 20.3.0 + + + +

Twisted is an asynchronous networking framework written in Python.

+
+ +

Multiple vulnerabilities have been discovered in Twisted. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Twisted users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/twisted-20.3.0" + +
+ + CVE-2020-10108 + CVE-2020-10109 + + sam_c + sam_c +
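Review bot: the title "Twisted: Access restriction bypasses" and the synopsis "the worst of which could result in a Denial of Service condition" disagree about the worst-case impact, and the impact section only defers to the CVEs. Either the synopsis should name the access-restriction bypass as the worst outcome or the title should say "Multiple vulnerabilities" like the neighbouring advisories.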
diff --git a/metadata/glsa/glsa-202007-25.xml b/metadata/glsa/glsa-202007-25.xml new file mode 100644 index 000000000000..95c3536dcf7b --- /dev/null +++ b/metadata/glsa/glsa-202007-25.xml @@ -0,0 +1,50 @@ + + + + arpwatch: Root privilege escalation + A vulnerability was discovered in arpwatch which may allow local + attackers to gain root privileges. + + arpwatch + 2020-07-27 + 2020-07-27 + 602552 + local + + + 2.1.15-r11 + 2.1.15-r11 + + + +

The ethernet monitor program; for keeping track of ethernet/ip address + pairings. +

+
+ +

It was discovered that Gentoo’s arpwatch ebuild made excessive + permission operations on its data directories, possibly changing + ownership of unintended files. This only affects OpenRC systems, as the + flaw was exploitable via the init script. +

+
+ +

A local attacker could escalate privileges.

+
+ +

There is no known workaround at this time.

+
+ +

All arpwatch users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=net-analyzer/arpwatch-2.1.15-r11" + +
+ + + b-man + sam_c +
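Review bot: the description "The ethernet monitor program; for keeping track of ethernet/ip address pairings." is a sentence fragment; suggest "arpwatch is an Ethernet monitor program for keeping track of Ethernet/IP address pairings." Also, no CVE identifier appears in the references block of this hunk; since the flaw is in Gentoo's own ebuild and init script rather than upstream, a reference to the bug report (702552 is cited in the header) would help readers find the details.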
diff --git a/metadata/glsa/glsa-202007-26.xml b/metadata/glsa/glsa-202007-26.xml new file mode 100644 index 000000000000..9d1a1dbc8f36 --- /dev/null +++ b/metadata/glsa/glsa-202007-26.xml @@ -0,0 +1,55 @@ + + + + SQLite: Multiple vulnerabilities + Multiple vulnerabilities have been found in SQLite, the worst of + which could result in the arbitrary execution of code. + + sqlite + 2020-07-27 + 2020-07-27 + 716748 + remote + + + 3.32.3 + 3.32.3 + + + +

SQLite is a C library that implements an SQL database engine.

+
+ +

Multiple vulnerabilities have been discovered in SQLite. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All SQLite users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.32.3" + +
+ + CVE-2019-20218 + CVE-2020-11655 + CVE-2020-11656 + CVE-2020-13434 + CVE-2020-13435 + CVE-2020-13630 + CVE-2020-13631 + CVE-2020-13632 + CVE-2020-13871 + CVE-2020-15358 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-27.xml b/metadata/glsa/glsa-202007-27.xml new file mode 100644 index 000000000000..cc568e2427e0 --- /dev/null +++ b/metadata/glsa/glsa-202007-27.xml @@ -0,0 +1,50 @@ + + + + Haml: Arbitrary code execution + A flaw in Haml allows arbitrary code execution as a result of + improper filtering. + + haml + 2020-07-27 + 2020-07-27 + 699840 + remote + + + 5.1.2 + 5.1.2 + + + +

Haml is a templating engine for HTML.

+
+ +

It was discovered that Haml was not correctly filtering out special + characters which may be used for attributes. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Haml users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/haml-5.1.2" + +
+ + + CVE-2017-1002201 + + + BlueKnight + sam_c +
diff --git a/metadata/glsa/glsa-202007-28.xml b/metadata/glsa/glsa-202007-28.xml new file mode 100644 index 000000000000..9f2b781ea0eb --- /dev/null +++ b/metadata/glsa/glsa-202007-28.xml @@ -0,0 +1,46 @@ + + + + re2c: Buffer overflow + A vulnerability in re2c could lead to a Denial of Service + condition. + + re2c + 2020-07-27 + 2020-07-27 + 718350 + remote + + + 1.3-r1 + 1.3-r1 + + + +

re2c is a tool for generating C-based recognizers from regular + expressions. +

+
+ +

A heap buffer overflow vulnerability was discovered in re2c.

+
+ +

An attacker could possibly cause a Denial of Service condition.

+
+ +

There is no known workaround at this time.

+
+ +

All re2c users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/re2c-1.3-r1" + +
+ + CVE-2020-11958 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-29.xml b/metadata/glsa/glsa-202007-29.xml new file mode 100644 index 000000000000..07c32a1b7c2f --- /dev/null +++ b/metadata/glsa/glsa-202007-29.xml @@ -0,0 +1,59 @@ + + + + rssh: Multiple vulnerabilities + Multiple vulnerabilities have been found in rssh, the worst of + which could result in the arbitrary execution of code. + + rssh + 2020-07-27 + 2020-07-27 + 699842 + remote + + + 2.3.4_p3 + + + +

rssh is a restricted shell, allowing only a few commands like scp or + sftp. It is often used as a complement to OpenSSH to provide limited + access to users. +

+
+ +

Multiple vulnerabilities have been discovered in rssh. Please review the + CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for rssh. We recommend that users + unmerge rssh: +

+ + + # emerge --unmerge "app-shells/rssh" + + +

NOTE: The Gentoo developer(s) maintaining rssh have discontinued support + at this time. It may be possible that a new Gentoo developer will update + rssh at a later date. OpenSSH (net-misc/openssh) may be able to provide + similar functionality using its extensive configuration. +

+
+ + + CVE-2019-1000018 + + CVE-2019-3463 + CVE-2019-3464 + + b-man + sam_c +
diff --git a/metadata/glsa/glsa-202007-30.xml b/metadata/glsa/glsa-202007-30.xml new file mode 100644 index 000000000000..7a093aa57c5a --- /dev/null +++ b/metadata/glsa/glsa-202007-30.xml @@ -0,0 +1,51 @@ + + + + spice: Arbitrary code execution + A buffer overread has been discovered in spice possibly allowing + remote execution of code. + + spice + 2020-07-27 + 2020-07-27 + 717776 + remote + + + 0.14.2 + 0.14.2 + + + +

Provides a complete open source solution for remote access to virtual + machines in a seamless way so you can play videos, record audio, share + USB devices, and share folders without complications. +

+
+ +

A flaw in spice’s memory handling code has been discovered, allowing + an out of bounds read. +

+
+ +

A remote attacker may be able to send malicious packets causing remote + code execution. +

+
+ +

There is no known workaround at this time.

+
+ +

All spice users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/spice-0.14.2" + +
+ + CVE-2019-3813 + + sam_c + sam_c +
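Review bot: the description paragraph "Provides a complete open source solution for remote access to virtual machines..." has no subject; every other advisory in this series opens its description with the product name, so start it with "SPICE provides ...".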
diff --git a/metadata/glsa/glsa-202007-31.xml b/metadata/glsa/glsa-202007-31.xml new file mode 100644 index 000000000000..add1030a6800 --- /dev/null +++ b/metadata/glsa/glsa-202007-31.xml @@ -0,0 +1,55 @@ + + + + Icinga: Root privilege escalation + Icinga installs files with insecure permissions allowing root + privilege escalation. + + icinga + 2020-07-27 + 2020-07-27 + 638186 + local + + + 1.14.2 + + + +

Icinga is an open source computer system and network monitoring + application. It was originally created as a fork of the Nagios system + monitoring application in 2009. +

+
+ +

It was discovered that Icinga’s installed files have insecure + permissions, possibly allowing root privilege escalation. +

+
+ +

A local attacker could escalate privileges to root.

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for Icinga. We recommend that users + unmerge Icinga: +

+ + + # emerge --unmerge "net-analyzer/icinga" + + +

NOTE: The Gentoo developer(s) maintaining Icinga have discontinued + support at this time. It may be possible that a new Gentoo developer will + update Icinga at a later date. The natural replacement is Icinga 2 + (net-analyzer/icinga2). +

+
+ + CVE-2017-16882 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-32.xml b/metadata/glsa/glsa-202007-32.xml new file mode 100644 index 000000000000..4d7d455e0ba0 --- /dev/null +++ b/metadata/glsa/glsa-202007-32.xml @@ -0,0 +1,45 @@ + + + + Sarg: Local privilege escalation + A flaw in Sarg may allow local privilege escalation. + sarg + 2020-07-27 + 2020-07-27 + 706748 + local + + + 2.4.0 + 2.4.0 + + + +

Sarg (Squid Analysis Report Generator) is a tool that provides many + informations about the Squid web proxy server users activities: time, + sites, traffic, etc. +

+
+ +

A flaw in Sarg’s handling of temporary directories was discovered.

+
+ +

A local attacker may be able to escalate privileges.

+
+ +

There is no known workaround at this time.

+
+ +

All Sarg users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/sarg-2.4.0" + +
+ + CVE-2019-18932 + + b-man + sam_c +
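Review bot: "many informations about the Squid web proxy server users activities" has two grammar slips; "information" is uncountable and "users" needs a possessive: "a tool that provides detailed information about Squid web proxy server users' activities: time, sites, traffic, etc."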
diff --git a/metadata/glsa/glsa-202007-33.xml b/metadata/glsa/glsa-202007-33.xml new file mode 100644 index 000000000000..4a0344ccad06 --- /dev/null +++ b/metadata/glsa/glsa-202007-33.xml @@ -0,0 +1,52 @@ + + + + OSSEC: Multiple vulnerabilities + Multiple vulnerabilities have been found in OSSEC, the worst of + which could result in the arbitrary execution of code. + + ossec-hids + 2020-07-27 + 2020-07-27 + 707826 + local, remote + + + 3.6.0 + 3.6.0 + + + +

OSSEC is a full platform to monitor and control your system(s).

+
+ +

Multiple vulnerabilities have been discovered in OSSEC. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All OSSEC users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/ossec-hids-3.6.0" + +
+ + CVE-2020-8442 + CVE-2020-8443 + CVE-2020-8444 + CVE-2020-8445 + CVE-2020-8446 + CVE-2020-8447 + CVE-2020-8448 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-34.xml b/metadata/glsa/glsa-202007-34.xml new file mode 100644 index 000000000000..dc1ab39bcc13 --- /dev/null +++ b/metadata/glsa/glsa-202007-34.xml @@ -0,0 +1,51 @@ + + + + Apache Ant: Multiple vulnerabilities + Apache Ant uses various insecure temporary files possibly allowing + local code execution. + + ant + 2020-07-27 + 2020-07-27 + 723086 + local + + + 1.10.8 + 1.10.8 + + + +

Ant is a Java-based build tool similar to ‘make’ that uses XML + configuration files. +

+
+ +

Apache Ant was found to be using multiple insecure temporary files which + may disclose sensitive information or execute code from an unsafe local + location. +

+
+ +

A local attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Apache Ant users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/ant-1.10.8" + +
+ + CVE-2020-1945 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-35.xml b/metadata/glsa/glsa-202007-35.xml new file mode 100644 index 000000000000..0e50ed083b7f --- /dev/null +++ b/metadata/glsa/glsa-202007-35.xml @@ -0,0 +1,50 @@ + + + + ReportLab: Arbitrary code execution + A vulnerability allowing arbitrary code execution was found in + ReportLab. + + reportlab + 2020-07-27 + 2020-07-27 + 710738 + remote + + + 3.5.42 + 3.5.42 + + + +

ReportLab is an Open Source Python library for generating PDFs and + graphics. +

+
+ +

ReportLab was found to be mishandling XML documents and may evaluate the + contents without checking for their safety. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All ReportLab users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/reportlab-3.5.42" + +
+ + CVE-2019-17626 + + b-man + sam_c +
diff --git a/metadata/glsa/glsa-202007-36.xml b/metadata/glsa/glsa-202007-36.xml new file mode 100644 index 000000000000..d02db4bdd62c --- /dev/null +++ b/metadata/glsa/glsa-202007-36.xml @@ -0,0 +1,52 @@ + + + + DjVu: Multiple vulnerabilities + Multiple vulnerabilities have been found in DjVu, the worst of + which could result in a Denial of Service condition. + + djvu + 2020-07-27 + 2020-07-27 + 536720 + 718552 + local, remote + + + 3.5.27-r2 + 3.5.27-r2 + + + +

DjVu is a web-centric format and software platform for distributing + documents and images. +

+
+ +

Multiple vulnerabilities have been discovered in DjVu. Please review the + CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All DjVu users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/djvu-3.5.27-r2" + +
+ + CVE-2019-15142 + CVE-2019-15143 + CVE-2019-15144 + CVE-2019-15145 + + b-man + sam_c +
diff --git a/metadata/glsa/glsa-202007-37.xml b/metadata/glsa/glsa-202007-37.xml new file mode 100644 index 000000000000..939c72834665 --- /dev/null +++ b/metadata/glsa/glsa-202007-37.xml @@ -0,0 +1,48 @@ + + + + AWStats: Multiple vulnerabilities + Multiple vulnerabilities have been found in AWStats, the worst of + which could result in the arbitrary execution of code. + + awstats + 2020-07-27 + 2020-07-27 + 646786 + remote + + + 7.8 + 7.8 + + + +

AWStats is an advanced log file analyzer and statistics generator.

+
+ +

Multiple vulnerabilities have been discovered in AWStats. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All AWStats users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-misc/awstats-7.8" + +
+ + + CVE-2017-1000501 + + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-38.xml b/metadata/glsa/glsa-202007-38.xml new file mode 100644 index 000000000000..7af45ddf4b6d --- /dev/null +++ b/metadata/glsa/glsa-202007-38.xml @@ -0,0 +1,52 @@ + + + + QtGui: Arbitrary code execution + A use-after-free was discovered in QtGui's Markdown handling code + possibly allowing a remote attacker to execute arbitrary code. + + qtgui + 2020-07-27 + 2020-07-27 + 719732 + remote + + + 5.14.2 + 5.14.2 + + + +

QtGui is a module for the Qt toolkit.

+
+ +

QtGui’s setMarkdown has a use-after-free related to + QTextMarkdownImporter::insertBlock. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All QtGui users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtgui-5.14.2" + + +

Note that the Qt suite is best kept in sync, so a world upgrade may be + advisable to keep your system in a good state. +

+
+ + CVE-2020-12267 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-39.xml b/metadata/glsa/glsa-202007-39.xml new file mode 100644 index 000000000000..58f929084ad3 --- /dev/null +++ b/metadata/glsa/glsa-202007-39.xml @@ -0,0 +1,60 @@ + + + + Binutils: Multiple vulnerabilities + Multiple vulnerabilities have been found in Binutils, the worst of + which could result in a Denial of Service condition. + + binutils + 2020-07-27 + 2020-07-27 + 688836 + 690590 + 711324 + remote + + + 2.33.1 + 2.33.1 + + + +

The GNU Binutils are a collection of tools to create, modify and analyse + binary files. Many of the files use BFD, the Binary File Descriptor + library, to do low-level manipulation. +

+
+ +

Multiple vulnerabilities have been discovered in Binutils. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Binutils users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.33.1" + +
+ + CVE-2019-12972 + CVE-2019-14250 + CVE-2019-14444 + CVE-2019-17450 + CVE-2019-17451 + CVE-2019-12972 + CVE-2019-14250 + CVE-2019-14444 + CVE-2019-17450 + CVE-2019-17451 + + sam_c + sam_c +
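Review bot: the references block lists CVE-2019-12972, CVE-2019-14250, CVE-2019-14444, CVE-2019-17450 and CVE-2019-17451 twice each; drop the duplicate set so the advisory carries each identifier once.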
diff --git a/metadata/glsa/glsa-202007-40.xml b/metadata/glsa/glsa-202007-40.xml new file mode 100644 index 000000000000..e9df7724c5a4 --- /dev/null +++ b/metadata/glsa/glsa-202007-40.xml @@ -0,0 +1,54 @@ + + + + Thin: Privilege escalation + A vulnerability was discovered in Thin which may allow local + attackers to kill arbitrary processes (denial of service). + + thin + 2020-07-27 + 2020-07-27 + 642200 + local + + + 1.7.2 + + + +

Thin is a small and fast Ruby web server.

+
+ +

It was discovered that Gentoo’s Thin ebuild does not properly handle + its temporary runtime directories. This only affects OpenRC systems, as + the flaw was exploitable via the init script. +

+
+ +

A local attacker could cause denial of service by killing arbitrary + processes. +

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for Thin. We recommend that users + unmerge Thin: +

+ + + # emerge --unmerge "www-servers/thin" + + +

NOTE: The Gentoo developer(s) maintaining Thin have discontinued support + at this time. It may be possible that a new Gentoo developer will update + Thin at a later date. There are many other web servers available in the + tree in the www-servers category. +

+
+ + + sam_c + sam_c +
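Review bot: the title "Thin: Privilege escalation" does not match the synopsis ("may allow local attackers to kill arbitrary processes (denial of service)") or the impact section ("A local attacker could cause denial of service by killing arbitrary processes"); retitle to "Denial of service" or explain in the impact section how killing processes escalates privileges. The references block also carries no CVE or bug reference for this ebuild-specific flaw; bug 642200 from the header would be the natural one to cite.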
diff --git a/metadata/glsa/glsa-202007-41.xml b/metadata/glsa/glsa-202007-41.xml new file mode 100644 index 000000000000..bf2f0ca2363b --- /dev/null +++ b/metadata/glsa/glsa-202007-41.xml @@ -0,0 +1,58 @@ + + + + Roundcube: Multiple vulnerabilities + A flaw in Roundcube's handling of configuration files may allow + arbitrary code execution, amongst other vulnerabilities. + + Roundcube + 2020-07-27 + 2020-07-27 + 720876 + remote + + + 1.4.4 + 1.3.11 + 1.4.4 + 1.3.11 + + + +

Free and open source webmail software for the masses, written in PHP.

+
+ +

Multiple vulnerabilities have been discovered in Roundcube. Please + review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Roundcube 1.4.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/roundcube-1.4.4" + + +

All Roundcube 1.3.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/roundcube-1.3.11" + +
+ + CVE-2020-12625 + CVE-2020-12626 + CVE-2020-12640 + CVE-2020-12641 + + sam_c + sam_c +
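Review bot: the product field reads "Roundcube" while every other advisory in this series uses the lowercase package-style name (jhead, qtnetwork, wavpack, ...); use "roundcube" for consistency. The description "Free and open source webmail software for the masses, written in PHP." is also a fragment; suggest "Roundcube is free and open source webmail software written in PHP."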
diff --git a/metadata/glsa/glsa-202007-42.xml b/metadata/glsa/glsa-202007-42.xml new file mode 100644 index 000000000000..ec32f06457cf --- /dev/null +++ b/metadata/glsa/glsa-202007-42.xml @@ -0,0 +1,48 @@ + + + + LHa: Buffer overflow + LHa has a buffer overflow in its compression utility with + unspecified impact. + + lha + 2020-07-27 + 2020-07-27 + 572418 + remote + + + 114i_p20201004 + 114i_p20201004 + + + +

LHa is a console-based program for packing and unpacking LHarc archives.

+
+ +

A buffer overflow in LHa’s compression code was discovered which can + be triggered by a crafted input file. +

+
+ +

A remote attacker could send a specially crafted file possibly resulting + in a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All LHa users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/lha-114i_p20201004" + +
+ + CVE-2016-1925 + + sam_c + sam_c +
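Review bot: please confirm the unaffected/vulnerable version "114i_p20201004"; the _p suffix reads like a date (2020-10-04) that is later than the advisory's announce and revision dates (2020-07-27), so a typo in the ebuild version is possible. Separately, the synopsis says the overflow has "unspecified impact" while the impact section states a Denial of Service condition; align the two.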
diff --git a/metadata/glsa/glsa-202007-43.xml b/metadata/glsa/glsa-202007-43.xml new file mode 100644 index 000000000000..ea037b2c0230 --- /dev/null +++ b/metadata/glsa/glsa-202007-43.xml @@ -0,0 +1,46 @@ + + + + TRE: Multiple vulnerabilities + Multiple vulnerabilities have been found in TRE, the worst of which + could result in the arbitrary execution of code. + + tre + 2020-07-27 + 2020-07-27 + 597616 + remote + + + 0.8.0-r2 + 0.8.0-r2 + + + +

TRE is the free and portable approximate regex matching library.

+
+ +

Multiple vulnerabilities have been discovered in TRE. Please review the + CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All TRE users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/tre-0.8.0-r2" + +
+ + CVE-2016-8859 + + sam_c + sam_c +
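Review bot: the title and synopsis say "Multiple vulnerabilities" but the references block lists a single identifier, CVE-2016-8859. Either further CVEs are missing from the references or the title should be singular (e.g. "TRE: Arbitrary code execution", matching the synopsis's worst-case outcome).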
diff --git a/metadata/glsa/glsa-202007-44.xml b/metadata/glsa/glsa-202007-44.xml new file mode 100644 index 000000000000..faf4a14f3b73 --- /dev/null +++ b/metadata/glsa/glsa-202007-44.xml @@ -0,0 +1,52 @@ + + + + FreeXL: Multiple vulnerabilities + Multiple vulnerabilities have been found in FreeXL, the worst of + which could result in a Denial of Service condition. + + freexl + 2020-07-27 + 2020-07-27 + 648700 + remote + + + 1.0.5 + 1.0.5 + + + +

FreeXL is an open source library to extract valid data from within an + Excel (.xls) spreadsheet. +

+
+ +

Multiple vulnerabilities have been discovered in FreeXL. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All FreeXL users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/freexl-1.0.5" + +
+ + CVE-2018-7435 + CVE-2018-7436 + CVE-2018-7437 + CVE-2018-7438 + CVE-2018-7439 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-45.xml b/metadata/glsa/glsa-202007-45.xml new file mode 100644 index 000000000000..0e64d8ef9f33 --- /dev/null +++ b/metadata/glsa/glsa-202007-45.xml @@ -0,0 +1,50 @@ + + + + NTFS-3G: Remote code execution, possible privilege escalation + A buffer overflow in NTFS-3g might allow local or remote + attacker(s) to execute arbitrary code, or escalate privileges. + + ntfs-3g + 2020-07-27 + 2020-07-27 + 717640 + remote + + + 2017.3.23-r3 + 2017.3.23-r3 + + + +

NTFS-3G is a stable, full-featured, read-write NTFS driver for various + operating systems. +

+
+ +

An integer underflow issue exists in NTFS-3G which may cause a heap + buffer overflow with crafted input. +

+
+ +

A remote attacker may be able to execute arbitrary code while a local + attacker may be able to escalate privileges. +

+
+ +

There is no known workaround at this time.

+
+ +

All NTFS-3G users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/ntfs3g-2017.3.23-r3" + +
+ + CVE-2019-9755 + + sam_c + sam_c +
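Review bot: the access field is "remote" only, but the synopsis speaks of "local or remote attacker(s)" and the impact section says "a local attacker may be able to escalate privileges"; the other advisories in this series with both vectors (OSSEC, DjVu, Okular, NSS) use "local, remote", so this one should too.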
diff --git a/metadata/glsa/glsa-202007-46.xml b/metadata/glsa/glsa-202007-46.xml new file mode 100644 index 000000000000..f4248489fd19 --- /dev/null +++ b/metadata/glsa/glsa-202007-46.xml @@ -0,0 +1,46 @@ + + + + D-Bus: Denial of service + A local Denial of Service vulnerability was discovered in D-Bus. + d-bus + 2020-07-27 + 2020-07-27 + 727104 + local + + + 1.12.18 + 1.12.18 + + + +

D-Bus is a message bus system which processes can use to talk to each + other. +

+
+ +

D-Bus does not correctly dispose of old connections meaning that it is + possible for D-Bus to hit a connection limit. +

+
+ +

An attacker could cause a possible Denial of Service condition.

+
+ +

There is no known workaround at this time.

+
+ +

All D-Bus users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.12.18" + +
+ + CVE-2020-12049 + + sam_c + sam_c +
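Review bot: "D-Bus does not correctly dispose of old connections meaning that it is possible for D-Bus to hit a connection limit." needs a comma before "meaning", and "hit a connection limit" undersells the effect described in the impact section; suggest "..., so a local user can cause it to reach its connection limit and refuse new connections."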
diff --git a/metadata/glsa/glsa-202007-47.xml b/metadata/glsa/glsa-202007-47.xml new file mode 100644 index 000000000000..17e4f2257369 --- /dev/null +++ b/metadata/glsa/glsa-202007-47.xml @@ -0,0 +1,49 @@ + + + + Okular: Local restricted command execution + A logic error in Okular might allow an attacker to execute + arbitrary code. + + okular + 2020-07-27 + 2020-07-27 + 712490 + local, remote + + + 19.12.3-r1 + 19.12.3-r1 + + + +

Okular is a universal document viewer based on KPDF.

+
+ +

A logic error was discovered in Okular, which results in trusting action + links within a PDF, possibly allowing execution of a binary. +

+
+ +

A remote attacker could entice a user to open a specially crafted PDF + using Okular, possibly resulting in execution of arbitrary code with the + privileges of the process or a Denial of Service condition. +

+
+ +

Avoid opening PDFs from an untrusted source.

+
+ +

All Okular users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-apps/okular-19.12.3-r1" + +
+ + CVE-2020-9359 + + sam_c + sam_c +
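Review bot: the title "Okular: Local restricted command execution" is narrower than the synopsis ("might allow an attacker to execute arbitrary code") and the impact section ("execution of arbitrary code with the privileges of the process"); settle on one description of the outcome. The workaround text here ("Avoid opening PDFs from an untrusted source.") is a welcome departure from the boilerplate "There is no known workaround at this time." used elsewhere in the series.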
diff --git a/metadata/glsa/glsa-202007-48.xml b/metadata/glsa/glsa-202007-48.xml new file mode 100644 index 000000000000..d89382e831b1 --- /dev/null +++ b/metadata/glsa/glsa-202007-48.xml @@ -0,0 +1,50 @@ + + + + OCaml: Arbitrary code execution + An integer overflow was discovered in OCaml's standard library, + possibly allowing arbitrary execution of code. + + ocaml + 2020-07-27 + 2020-07-27 + 719134 + remote + + + 4.09.0 + 4.09.0 + + + +

OCaml is a high-level, strongly-typed, functional, and object-oriented + programming language from the ML family of languages +

+
+ +

The caml_ba_deserialize function in byterun/bigarray.c in the standard + library of OCaml has an integer overflow. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All OCaml users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/ocaml-4.09.0" + +
+ + CVE-2018-9838 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-49.xml b/metadata/glsa/glsa-202007-49.xml new file mode 100644 index 000000000000..b49d290f49ff --- /dev/null +++ b/metadata/glsa/glsa-202007-49.xml @@ -0,0 +1,49 @@ + + + + Mozilla Network Security Service (NSS): Information disclosure + NSS has an information disclosure vulnerability when handling DSA + keys. + + nss + 2020-07-27 + 2020-07-27 + 726842 + local, remote + + + 3.52.1 + 3.52.1 + + + +

The Mozilla Network Security Service (NSS) is a library implementing + security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS + #12, S/MIME and X.509 certificates. +

+
+ +

NSS was found to not always perform constant-time operations when + working with DSA key material. +

+
+ +

An attacker may be able to obtain information about a DSA private key.

+
+ +

There is no known workaround at this time.

+
+ +

All NSS users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.52.1" + +
+ + CVE-2020-12399 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-50.xml b/metadata/glsa/glsa-202007-50.xml new file mode 100644 index 000000000000..850b4d3f9307 --- /dev/null +++ b/metadata/glsa/glsa-202007-50.xml @@ -0,0 +1,49 @@ + + + + GLib Networking: Improper certificate validation + GLib Networking was not properly verifying TLS certificates in all + circumstances, possibly allowing an integrity/confidentiality compromise. + + glib-networking + 2020-07-27 + 2020-07-27 + 725880 + remote + + + 2.62.4 + 2.62.4 + + + +

Network-related giomodules for glib

+
+ +

GTlsClientConnection skips hostname verification of the server’s TLS + certificate if the application fails to specify the expected server + identity. +

+
+ +

There may be a breach of integrity or confidentiality in connections + made using GLib Networking. +

+
+ +

There is no known workaround at this time.

+
+ +

All GLib Networking users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/glib-networking-2.62.4" + +
+ + CVE-2020-13645 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-51.xml b/metadata/glsa/glsa-202007-51.xml new file mode 100644 index 000000000000..c31beb155884 --- /dev/null +++ b/metadata/glsa/glsa-202007-51.xml @@ -0,0 +1,44 @@ + + + + FileZilla: Untrusted search path + A vulnerability was found in FileZilla which might allow privilege + escalation. + + filezilla + 2020-07-27 + 2020-07-27 + 717726 + remote + + + 3.47.2.1 + 3.47.2.1 + + + +

FileZilla is an open source FTP client.

+
+ +

It was discovered that FileZilla uses an untrusted search path.

+
+ +

An attacker could use a malicious binary to escalate privileges.

+
+ +

There is no known workaround at this time.

+
+ +

All FileZilla users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/filezilla-3.47.2.1" + +
+ + CVE-2019-5429 + + sam_c + sam_c +
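Review bot: the `access` value in the glsa-202007-51.xml hunk reads `remote`, but the description ("FileZilla uses an untrusted search path") and the impact ("An attacker could use a malicious binary to escalate privileges") describe a vector that requires placing a binary on the victim's system, which is a local attack surface; consider `local` or `local, remote` (the form used in the glsa-202007-47.xml hunk for Okular) so the access field matches the impact text.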
diff --git a/metadata/glsa/glsa-202007-52.xml b/metadata/glsa/glsa-202007-52.xml new file mode 100644 index 000000000000..ca15b4d4aab7 --- /dev/null +++ b/metadata/glsa/glsa-202007-52.xml @@ -0,0 +1,49 @@ + + + + mujs: Multiple vulnerabilities + + Multiple vulnerabilities have been found in mujs, the worst of + which could result in a Denial of Service condition. + + mujs + 2020-07-28 + 2020-07-28 + 719248 + remote + + + 1.0.6 + 1.0.6 + + + +

mujs is an embeddable Javascript interpreter in C.

+
+ +

Multiple vulnerabilities have been discovered in mujs. Please review the + CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All mujs users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/mujs-" + +
+ + CVE-2019-11411 + CVE-2019-11412 + CVE-2019-11413 + + sam_c + sam_c +
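Review bot: the resolution command in the glsa-202007-52.xml hunk is missing its version: `# emerge --ask --oneshot --verbose ">=dev-lang/mujs-"` ends with a dangling hyphen, so the atom is invalid and users following the advisory will get a portage error. The unaffected version earlier in the same hunk is `1.0.6`, so the line should read `# emerge --ask --oneshot --verbose ">=dev-lang/mujs-1.0.6"`, matching the pattern used by every other advisory in this patch.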
diff --git a/metadata/glsa/glsa-202007-53.xml b/metadata/glsa/glsa-202007-53.xml new file mode 100644 index 000000000000..4a0f3ad7e39f --- /dev/null +++ b/metadata/glsa/glsa-202007-53.xml @@ -0,0 +1,50 @@ + + + + Dropbear: Multiple vulnerabilities + Multiple vulnerabilities have been found in Dropbear, the worst of + which could result in a Denial of Service condition. + + dropbear + 2020-07-28 + 2020-07-28 + 723848 + remote + + + 2020.80 + 2020.80 + + + +

Dropbear is an SSH server and client designed with a small memory + footprint. +

+
+ +

Multiple vulnerabilities have been discovered in Dropbear. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Dropbear users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/dropbear-2020.80" + +
+ + CVE-2018-0739 + CVE-2018-12437 + CVE-2018-20685 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-54.xml b/metadata/glsa/glsa-202007-54.xml new file mode 100644 index 000000000000..72209c22213f --- /dev/null +++ b/metadata/glsa/glsa-202007-54.xml @@ -0,0 +1,49 @@ + + + + rsync: Multiple vulnerabilities + Multiple vulnerabilities have been found in rsync, the worst of + which could result in a Denial of Service condition. + + rsync + 2020-07-28 + 2020-07-28 + 728852 + remote + + + 3.2.0 + 3.2.0 + + + +

File transfer program to keep remote files into sync.

+
+ +

Multiple vulnerabilities have been discovered in rsync (within bundled + zlib). Please review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All rsync users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.2.0" + +
+ + CVE-2016-9840 + CVE-2016-9841 + CVE-2016-9842 + CVE-2016-9843 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-55.xml b/metadata/glsa/glsa-202007-55.xml new file mode 100644 index 000000000000..cb2f337bffdb --- /dev/null +++ b/metadata/glsa/glsa-202007-55.xml @@ -0,0 +1,50 @@ + + + + libetpan: Improper STARTTLS handling + A vulnerability was discovered in libetpan's STARTTLS handling, + possibly allowing an integrity/confidentiality compromise. + + libetpan + 2020-07-28 + 2020-07-28 + 734130 + remote + + + 1.9.4-r1 + 1.9.4-r1 + + + +

libetpan is a portable, efficient middleware for different kinds of mail + access. +

+
+ +

It was discovered that libetpan was not properly handling state within + the STARTTLS protocol handshake. +

+
+ +

There may be a breach of integrity or confidentiality in connections + made using libetpan with STARTTLS. +

+
+ +

There is no known workaround at this time.

+
+ +

All libetpan users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/libetpan-1.9.4-r1" + +
+ + CVE-2020-15953 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-56.xml b/metadata/glsa/glsa-202007-56.xml new file mode 100644 index 000000000000..f71973e186f1 --- /dev/null +++ b/metadata/glsa/glsa-202007-56.xml @@ -0,0 +1,48 @@ + + + + Claws Mail: Improper STARTTLS handling + A vulnerability was discovered in Claws Mail's STARTTLS handling, + possibly allowing an integrity/confidentiality compromise. + + claws-mail + 2020-07-28 + 2020-07-28 + 733684 + remote + + + 3.17.6 + 3.17.6 + + + +

Claws Mail is a GTK based e-mail client.

+
+ +

It was discovered that Claws Mail was not properly handling state within + the STARTTLS protocol handshake. +

+
+ +

There may be a breach of integrity or confidentiality in connections + made using Claws Mail with STARTTLS. +

+
+ +

There is no known workaround at this time.

+
+ +

All Claws Mail users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/claws-mail-3.17.6" + +
+ + CVE-2020-15917 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-57.xml b/metadata/glsa/glsa-202007-57.xml new file mode 100644 index 000000000000..3c2e72d851ec --- /dev/null +++ b/metadata/glsa/glsa-202007-57.xml @@ -0,0 +1,65 @@ + + + + Mutt, Neomutt: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mutt and Neomutt, the + worst of which could result in an access restriction bypass. + + mutt,neomutt + 2020-07-28 + 2020-07-28 + 728294 + 728302 + 728708 + remote + + + 1.14.4 + 1.14.4 + + + 20200619 + 20200619 + + + +

Mutt is a small but very powerful text-based mail client.

+ +

NeoMutt is a command line mail reader (or MUA). It’s a fork of Mutt + with added features. +

+
+ +

Multiple vulnerabilities have been discovered in Mutt and Neomutt. + Please review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Mutt users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mutt-1.14.4" + + +

All Neomutt users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/neomutt-20200619" + +
+ + CVE-2020-14093 + CVE-2020-14154 + CVE-2020-14954 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-58.xml b/metadata/glsa/glsa-202007-58.xml new file mode 100644 index 000000000000..5e62fba956d3 --- /dev/null +++ b/metadata/glsa/glsa-202007-58.xml @@ -0,0 +1,54 @@ + + + + FFmpeg: Multiple vulnerabilities + Multiple vulnerabilities have been found in FFmpeg, the worst of + which could result in the arbitrary execution of code. + + ffmpeg + 2020-07-28 + 2020-07-28 + 718012 + 719940 + 727450 + remote + + + 4.2.4 + 4.2.4 + + + +

FFmpeg is a complete, cross-platform solution to record, convert and + stream audio and video. +

+
+ +

Multiple vulnerabilities have been discovered in FFmpeg. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All FFmpeg users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-4.2.4" + +
+ + CVE-2019-13312 + CVE-2019-15942 + CVE-2020-12284 + CVE-2020-13904 + CVE-2020-14212 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-59.xml b/metadata/glsa/glsa-202007-59.xml new file mode 100644 index 000000000000..affe1e42944e --- /dev/null +++ b/metadata/glsa/glsa-202007-59.xml @@ -0,0 +1,70 @@ + + + + Chromium, Google Chrome: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which could result in the arbitrary execution of code. + + chromium,google-chrome + 2020-07-29 + 2020-07-29 + 734150 + remote + + + 84.0.4147.105 + 84.0.4147.105 + + + 84.0.4147.105 + 84.0.4147.105 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+ +

Google Chrome is one fast, simple, and secure browser for all your + devices. +

+
+ +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-84.0.4147.105" + + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-84.0.4147.105" + +
+ + CVE-2020-6532 + CVE-2020-6537 + CVE-2020-6538 + CVE-2020-6539 + CVE-2020-6540 + CVE-2020-6541 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-60.xml b/metadata/glsa/glsa-202007-60.xml new file mode 100644 index 000000000000..5edcdfccdf53 --- /dev/null +++ b/metadata/glsa/glsa-202007-60.xml @@ -0,0 +1,62 @@ + + + + Mozilla Firefox: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mozilla Firefox, the + worst of which could result in the arbitrary execution of code. + + firefox + 2020-07-30 + 2020-07-30 + 734324 + remote + + + 68.11.0 + 68.11.0 + + + 68.11.0 + 68.11.0 + + + +

Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. +

+
+ +

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please + review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Mozilla Firefox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-68.11.0" + + +

All Mozilla Firefox binary users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-68.11.0" + + +
+ + CVE-2020-15652 + CVE-2020-15659 + CVE-2020-6463 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-61.xml b/metadata/glsa/glsa-202007-61.xml new file mode 100644 index 000000000000..1b54bb27dfc9 --- /dev/null +++ b/metadata/glsa/glsa-202007-61.xml @@ -0,0 +1,55 @@ + + + + WebKitGTK+: Multiple vulnerabilities + Multiple vulnerabilities have been found in WebKitGTK+, the worst + of which could result in the arbitrary execution of code. + + webkitgtk+ + 2020-07-31 + 2020-07-31 + 734584 + remote + + + 2.28.4 + 2.28.4 + + + +

WebKitGTK+ is a full-featured port of the WebKit rendering engine, + suitable for projects requiring any kind of web integration, from hybrid + HTML/CSS applications to full-fledged web browsers. +

+
+ +

Multiple vulnerabilities have been discovered in WebKitGTK+. Please + review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All WebKitGTK+ users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.28.4" + + +
+ + CVE-2020-9862 + CVE-2020-9893 + CVE-2020-9894 + CVE-2020-9895 + CVE-2020-9915 + CVE-2020-9925 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-62.xml b/metadata/glsa/glsa-202007-62.xml new file mode 100644 index 000000000000..6186762c7c92 --- /dev/null +++ b/metadata/glsa/glsa-202007-62.xml @@ -0,0 +1,51 @@ + + + + PyCrypto: Weak key generation + A flaw in PyCrypto allow remote attackers to obtain sensitive + information. + + pycrypto + 2020-07-31 + 2020-07-31 + 703682 + remote + + + 2.6.1-r2 + + + +

PyCrypto is the Python Cryptography Toolkit.

+
+ +

It was discovered that PyCrypto incorrectly generated ElGamal key + parameters. +

+
+ +

Attackers may be able to obtain sensitive information by reading + ciphertext data. +

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for PyCrypto. We recommend that users + unmerge PyCrypto: +

+ +

# emerge --unmerge “dev-python/pycrypto”

+ +

NOTE: The Gentoo developer(s) maintaining PyCrypto have discontinued + support at this time. PyCryptodome is the canonical successor to + PyCrypto. +

+
+ + CVE-2018-6594 + + sam_c + sam_c +
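Review bot: the unmerge command in the glsa-202007-62.xml hunk uses typographic quotes: `# emerge --unmerge “dev-python/pycrypto”`. When copied into a shell those characters are not treated as quoting and become part of the package atom, so the command fails; replace them with straight ASCII double quotes (`"dev-python/pycrypto"`), as the other `emerge` lines in this patch do. The synopsis in the same hunk also reads "A flaw in PyCrypto allow remote attackers", which should be "allows".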
diff --git a/metadata/glsa/glsa-202007-63.xml b/metadata/glsa/glsa-202007-63.xml new file mode 100644 index 000000000000..b9966a5a0bfb --- /dev/null +++ b/metadata/glsa/glsa-202007-63.xml @@ -0,0 +1,53 @@ + + + + SNMP Trap Translator: Multiple vulnerabilities + Multiple vulnerabilities have been found in SNMP Trap Translator, + the worst of which could allow attackers to execute arbitrary shell code. + + snmptt + 2020-07-31 + 2020-08-16 + 733478 + remote + + + 1.4.1 + 1.4.1 + + + +

SNMP Trap Translator (SNMPTT) is an SNMP trap handler written in Perl.

+
+ +

It was found that SNMP Trap Translator does not drop privileges as + configured and does not properly escape shell commands in certain + functions. +

+
+ +

A remote attacker, by sending a malicious crafted SNMP trap, could + possibly execute arbitrary shell code with the privileges of the process + or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All SNMP Trap Translator users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/snmptt-1.4.1" + +
+ + + SNMPTT 1.4.1 ChangeLog + + CVE-2020-24361 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-64.xml b/metadata/glsa/glsa-202007-64.xml new file mode 100644 index 000000000000..1267eab96bc4 --- /dev/null +++ b/metadata/glsa/glsa-202007-64.xml @@ -0,0 +1,68 @@ + + + + Mozilla Thunderbird: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mozilla Thunderbird, + the worst of which could result in the arbitrary execution of code. + + thunderbird + 2020-07-31 + 2020-07-31 + 734978 + remote + + + 68.11.0 + 68.11.0 + + + 68.11.0 + 68.11.0 + + + +

Mozilla Thunderbird is a popular open-source email client from the + Mozilla project. +

+
+ +

Multiple vulnerabilities have been discovered in Mozilla Thunderbird. + Please review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Mozilla Thunderbird users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-68.11.0" + + +

All Mozilla Thunderbird binary users should upgrade to the latest + version: +

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=mail-client/thunderbird-bin-68.11.0" + +
+ + CVE-2020-15652 + CVE-2020-15659 + CVE-2020-6463 + CVE-2020-6514 + + MFSA-2020-35 + + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202007-65.xml b/metadata/glsa/glsa-202007-65.xml new file mode 100644 index 000000000000..afb2aede7b0c --- /dev/null +++ b/metadata/glsa/glsa-202007-65.xml @@ -0,0 +1,52 @@ + + + + libsndfile: Multiple vulnerabilities + Multiple vulnerabilities have been found in libsndfile, the worst + of which could result in a Denial of Service condition. + + libsndfile + 2020-07-31 + 2020-07-31 + 631674 + 671834 + remote + + + 1.0.29_pre2_p20191024 + 1.0.29_pre2_p20191024 + + + +

libsndfile is a C library for reading and writing files containing + sampled sound. +

+
+ +

Multiple vulnerabilities have been discovered in libsndfile. Please + review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All libsndfile users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=media-libs/libsndfile-1.0.29_pre2_p20191024" + +
+ + CVE-2017-14245 + CVE-2017-14246 + CVE-2019-3832 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202008-01.xml b/metadata/glsa/glsa-202008-01.xml new file mode 100644 index 000000000000..3027067a0ec7 --- /dev/null +++ b/metadata/glsa/glsa-202008-01.xml @@ -0,0 +1,77 @@ + + + + Python: Multiple vulnerabilities + Multiple vulnerabilities have been found in Python, the worst of + which could result in a Denial of Service condition. + + python + 2020-08-02 + 2020-08-02 + 728668 + 732498 + remote + + + 2.7.18-r1 + 3.6.11-r2 + 3.7.8-r2 + 3.8.4-r1 + 2.7.18-r1 + 3.6.11-r2 + 3.7.8-r2 + 3.8.4-r1 + + + +

Python is an interpreted, interactive, object-oriented programming + language. +

+
+ +

Multiple vulnerabilities have been discovered in Python. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Python 2.7 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.18-r1" + + +

All Python 3.6 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-3.6.11-r2" + + +

All Python 3.7 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-3.7.8-r2" + + +

All Python 3.8 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/python-3.8.4-r1" + +
+ + CVE-2019-20907 + CVE-2020-14422 + + sam_c + b-man +
diff --git a/metadata/glsa/glsa-202008-02.xml b/metadata/glsa/glsa-202008-02.xml new file mode 100644 index 000000000000..fb25e051732c --- /dev/null +++ b/metadata/glsa/glsa-202008-02.xml @@ -0,0 +1,50 @@ + + + + GNU GLOBAL: Arbitrary code execution + A vulnerability in GNU GLOBAL was discovered, possibly allowing + remote attackers to execute arbitrary code. + + global + 2020-08-08 + 2020-08-08 + 646348 + remote + + + 6.6.4 + 6.6.4 + + + +

GNU GLOBAL is a source code tagging system that works the same way + across diverse environments, such as Emacs editor, Vi editor, Less + viewer, Bash shell, various web browsers, etc. +

+
+ +

A vulnerability was found in an undocumented function of gozilla.

+
+ +

A remote attacker could entice a user to open a specially crafted URL + using GNU GLOBAL, possibly resulting in execution of arbitrary code with + the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All GNU GLOBAL users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-util/global-6.6.4" + +
+ + CVE-2017-17531 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202008-03.xml b/metadata/glsa/glsa-202008-03.xml new file mode 100644 index 000000000000..3aac543e24c9 --- /dev/null +++ b/metadata/glsa/glsa-202008-03.xml @@ -0,0 +1,51 @@ + + + + Ark: Arbitrary code execution + Ark was found to allow arbitrary file overwrite, possibly allowing + arbitrary code execution. + + ark + 2020-08-08 + 2020-08-08 + 734622 + remote + + + 20.04.3-r1 + 20.04.3-r1 + + + +

Ark is a graphical file compression/decompression utility with support + for multiple formats. +

+
+ +

A maliciously crafted archive with “../” in the file path(s) could + install files anywhere in the user’s home directory upon extraction. +

+
+ +

A remote attacker could entice a user to open a specially crafted + archive using Ark, possibly resulting in execution of arbitrary code with + the privileges of the process or a Denial of Service condition. +

+
+ +

Avoid opening untrusted archives.

+
+ +

All Ark users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=kde-apps/ark-20.04.3-r1" + +
+ + CVE-2020-16116 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202008-04.xml b/metadata/glsa/glsa-202008-04.xml new file mode 100644 index 000000000000..cfae51c02fa5 --- /dev/null +++ b/metadata/glsa/glsa-202008-04.xml @@ -0,0 +1,51 @@ + + + + Apache: Multiple vulnerabilities + Multiple vulnerabilities have been found in Apache, the worst of + which could result in the arbitrary execution of code. + + apache + 2020-08-08 + 2020-08-08 + 736282 + remote + + + 2.4.46 + 2.4.46 + + + +

The Apache HTTP server is one of the most popular web servers on the + Internet. +

+
+ +

Multiple vulnerabilities have been discovered in Apache. Please review + the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Apache users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.46" + +
+ + CVE-2020-11984 + CVE-2020-11985 + CVE-2020-11993 + CVE-2020-9490 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202008-05.xml b/metadata/glsa/glsa-202008-05.xml new file mode 100644 index 000000000000..bf2114ea11b5 --- /dev/null +++ b/metadata/glsa/glsa-202008-05.xml @@ -0,0 +1,50 @@ + + + + gThumb: Arbitrary code execution + A buffer overflow in gThumb might allow remote attacker(s) to + execute arbitrary code. + + gthumb + 2020-08-08 + 2020-08-08 + 712932 + remote + + + 3.10.0 + 3.10.0 + + + +

gThumb is an image viewer and browser for GNOME.

+
+ +

A heap-based buffer overflow in gThumb’s + _cairo_image_surface_create_from_jpeg() function, located in + extensions/cairo_io/cairo-image-surface-jpeg.c was discovered. +

+
+ +

A remote attacker could entice a user to open a specially crafted image + file using gThumb, possibly resulting in execution of arbitrary code with + the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All gThumb users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/gthumb-3.10.0" + +
+ + CVE-2019-20326 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202008-06.xml b/metadata/glsa/glsa-202008-06.xml new file mode 100644 index 000000000000..56806d91c751 --- /dev/null +++ b/metadata/glsa/glsa-202008-06.xml @@ -0,0 +1,50 @@ + + + + iproute2: Denial of service + A use-after-free was found in iproute2, possibly allowing a Denial + of Service condition. + + iproute2 + 2020-08-08 + 2020-08-08 + 722144 + remote + + + 5.1.0 + 5.1.0 + + + +

iproute2 is a set of tools for managing Linux network routing and + advanced features. +

+
+ +

iproute2 was found to contain a use-after-free in get_netnsid_from_name + in ip/ipnetns.c. +

+
+ +

A remote attacker, able to feed iproute2 crafted data, may be able to + cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All iproute2 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/iproute2-5.1.0" + +
+ + CVE-2019-20795 + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202008-07.xml b/metadata/glsa/glsa-202008-07.xml new file mode 100644 index 000000000000..9105017da983 --- /dev/null +++ b/metadata/glsa/glsa-202008-07.xml @@ -0,0 +1,80 @@ + + + + Chromium, Google Chrome: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which could result in the arbitrary execution of code. + + chromium,google-chrome + 2020-08-12 + 2020-08-12 + 736659 + remote + + + 84.0.4147.125 + 84.0.4147.125 + + + 84.0.4147.125 + 84.0.4147.125 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+ +

Google Chrome is one fast, simple, and secure browser for all your + devices. +

+
+ +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the CVE identifiers referenced below for details. +

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-84.0.4147.125" + + +

All Google Chrome users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/google-chrome-84.0.4147.125" + +
+ + CVE-2020-6542 + CVE-2020-6543 + CVE-2020-6544 + CVE-2020-6545 + CVE-2020-6547 + CVE-2020-6548 + CVE-2020-6549 + CVE-2020-6550 + CVE-2020-6551 + CVE-2020-6552 + CVE-2020-6553 + CVE-2020-6554 + CVE-2020-6555 + + Upstream advisory + + + sam_c + sam_c +
diff --git a/metadata/glsa/glsa-202008-08.xml b/metadata/glsa/glsa-202008-08.xml new file mode 100644 index 000000000000..52d74e694184 --- /dev/null +++ b/metadata/glsa/glsa-202008-08.xml @@ -0,0 +1,51 @@ + + + + Mozilla Network Security Service (NSS): Multiple vulnerabilities + NSS has multiple information disclosure vulnerabilities when + handling secret key material. + + nss + 2020-08-19 + 2020-08-19 + 734986 + local, remote + + + 3.55 + 3.55 + + + +

The Mozilla Network Security Service (NSS) is a library implementing + security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS + #12, S/MIME and X.509 certificates. +

+
+ +

Multiple vulnerabilities have been discovered in NSS. Please review the + CVE identifiers referenced below for details. +

+
+ +

An attacker may be able to obtain information about secret key material.

+
+ +

There is no known workaround at this time.

+
+ +

All NSS users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.55" + +
+ + CVE-2020-12400 + CVE-2020-12401 + CVE-2020-12403 + + sam_c + sam_c +
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index fc19913358c1..2a502486c9de 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Sat, 04 Jul 2020 12:38:23 +0000 +Tue, 25 Aug 2020 08:08:40 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 5b35d35831c1..f48ce2bd341f 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -09c33520f8549f6a3210280c21940e14768be95d 1593200484 2020-06-26T19:41:24+00:00 +46214b1b461f1f9ad005b644d885569d46e4e959 1597835404 2020-08-19T11:10:04+00:00 -- cgit v1.2.3