From a25cc082a26782e5d39ded4559c91ff11bc3c299 Mon Sep 17 00:00:00 2001
From: V3n3RiX <venerix@koprulu.sector>
Date: Mon, 13 May 2024 00:01:18 +0100
Subject: gentoo auto-resync : 13:05:2024 - 00:01:18

---
 metadata/glsa/Manifest           |  30 ++++++++---------
 metadata/glsa/Manifest.files.gz  | Bin 574093 -> 574732 bytes
 metadata/glsa/glsa-202405-30.xml |  41 +++++++++++++++++++++++
 metadata/glsa/glsa-202405-31.xml |  42 +++++++++++++++++++++++
 metadata/glsa/glsa-202405-32.xml |  70 +++++++++++++++++++++++++++++++++++++++
 metadata/glsa/glsa-202405-33.xml |  43 ++++++++++++++++++++++++
 metadata/glsa/timestamp.chk      |   2 +-
 metadata/glsa/timestamp.commit   |   2 +-
 8 files changed, 213 insertions(+), 17 deletions(-)
 create mode 100644 metadata/glsa/glsa-202405-30.xml
 create mode 100644 metadata/glsa/glsa-202405-31.xml
 create mode 100644 metadata/glsa/glsa-202405-32.xml
 create mode 100644 metadata/glsa/glsa-202405-33.xml

(limited to 'metadata/glsa')

diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 521fd5137495..adbff233571f 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 574093 BLAKE2B 318df115096d845985002a8b8e0f637d274e4e65edb2b9281542fee47cc506c5721051233f56472e2abd4118c170378e212be985d9a5f0ecbe6cb563bc0ee4b4 SHA512 091fa28c9a2e9dbf89c9f0d5538945e5b8fb4d2c99dd9e17cbb56c9703372becd5bb5b92c85c33997f22b700a438afb6954c2601cb7bf26223a2de8b571cca02
-TIMESTAMP 2024-05-11T22:10:25Z
+MANIFEST Manifest.files.gz 574732 BLAKE2B a9af568292017c04921c94b0421560fe7456a5d38c31f88c289c55cbf154a7f32d7194e92bc4452cfce078c6b4b96bdd84c71c75026bcd85d4c04b0e07c3843c SHA512 fd203e50e5e1207e6138c4a3c7cd9f2a98a93e63a79a365e3c1f7b27118ab820f748267ce6723c39fb2b2b8421c30bbb4801558a32b92c9c5b6aeefdce2d561c
+TIMESTAMP 2024-05-12T22:10:24Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmY/7NFfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmZBPlBfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klAeTxAAoJpaBSQWTGbR945p44PUxVJagheTgIMb0wVwCvXwV290yttIDhTZpNtb
-E5/4/lLz1RtJ3Prj44BeMYoQz5RRjZTuTnATAl0fjXlIkVwrg1vnANLuSZnsapxi
-vYwmdhMsOuYyusFTpryjZOdhxVeNQq7tkssJezAjxqJSLAwSXrsXaRsPRyO2l4kg
-oYLu2crpyWXh0TPh2tcoffSD1Oe/zhvQHxaBkCgdf8QqZFizlV6FLNfzjftN/KxM
-es0Q/XKnFuKWEk8BJh6b3tBXZ8YCSHSw225DCKwwewHv0+OH3w/ctIPFXRDmb42N
-fvctEuDoUEJ4CDIlkMOL48eAdiDxBn9/fUvpEiNj/bbYLkM9gbuFThcpQYTLhixk
-I2EcjQRYqND5G+lFl3rckxGAkEFYqbYunZt1qRgLQ86nAgYvFUm90RLTDSQG8DXu
-JusYJbwcOJFhKuDHQkhyZqQcjJUIx6TXprtkSrodIf3GYhmbYfwkOtNnZUKmQPn3
-JqUHcqFT+v7ppv4xH5JStBV9Qu5UH8CJddfP3u3B9OarG+4L0sBE4hu9HDNrPiD/
-5zg3iM0FcEkUopbcQ2/Yjgt8NOPWyWtLFX2znFFDOYG5wHfPJHhIS2klYJA85jRU
-09bKE+7eFtGEomNFtd5JUQvDYQ2QEvHslnwNcbVbX1AkwbbbB9Y=
-=NI1I
+klB34xAAne8z5dqfi3LSq93aUcdAELKzpVhSIvaTXFt4zHb1eMzbPtllPnap6oWM
+PxbFQLOPw0k2BMpl4mbNp8J5NFSsc8B8tnEkYoudh+OGW2XBo+wsuQq+Wr4U2oYC
+jfC3iK1fQxiD++KZjNgwhtyco6EJ53y8/J4e16+stjMbxOlVYtFs0pv+aEkxWSST
+Lay9n/Og9zBbTz5Y5aujOXoIC/9RGwB35cWlDaD2layW4f7PXyQ323W/L+eG6Msn
+1J7ATY9gnN6YhtS3FTW9C1+GfHZGIan4J1oGKL/TL/cG12rp+WkKcF0YZemg26jC
+WM7udjYqsshewiVwctyriQyYywg8wyJBF3okBmza7UW53qoYlELrVxTFF86KYHnH
+REQGe1pR810SQTBgGpDPqDeLDB5tB9xXpDWjuRFWGqfEIYhexfAx6dVCNy0ugWeY
+XJHuZ7hBpzvGGc7qcmq3bYhTlknRcT1h9UFnykSyWNdqx0W2mZM4eiV7obWesPzz
+2n0p1ssiNLtZjlV08T228GCndMLP8/EO84EjmfnJCXL9QNjrzKOVhmfgTExVwDnv
+omt2rjK69sXeTV+6n9q/un8vtllxKbOxwv7u0XPasDWwUYS8yBVYsWZ9qCyJ3Nl+
+12/mE5VuoWDXlJs4qLJZPzSRzdILPZ7krGyerRg+NZk5ClsWM9I=
+=Dqja
 -----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index cf8e319c001b..20178e449e06 100644
Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ
diff --git a/metadata/glsa/glsa-202405-30.xml b/metadata/glsa/glsa-202405-30.xml
new file mode 100644
index 000000000000..f0b94267f965
--- /dev/null
+++ b/metadata/glsa/glsa-202405-30.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-30">
+    <title>Rebar3: Command Injection</title>
+    <synopsis>A vulnerability has been discovered in Rebar3, which can lead to command injection.</synopsis>
+    <product type="ebuild">rebar-bin</product>
+    <announced>2024-05-12</announced>
+    <revised count="1">2024-05-12</revised>
+    <bug>749363</bug>
+    <access>local</access>
+    <affected>
+        <package name="dev-util/rebar-bin" auto="yes" arch="*">
+            <unaffected range="ge">3.14.4</unaffected>
+            <vulnerable range="lt">3.14.4</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>A sophisticated build-tool for Erlang projects that follows OTP principles.</p>
+    </background>
+    <description>
+        <p>Rebar3 is vulnerable to OS command injection via the URL parameter of a dependency specification.</p>
+    </description>
+    <impact type="normal">
+        <p>A vulnerability has been discovered in Rebar3. Please review the CVE identifier referenced below for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>Gentoo has discontinued support for Rebar3 binary package. We recommend that users unmerge it:</p>
+        
+        <code>
+          # emerge --ask --depclean "dev-util/rebar-bin"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13802">CVE-2020-13802</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-05-12T05:10:21.260403Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-05-12T05:10:21.264061Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202405-31.xml b/metadata/glsa/glsa-202405-31.xml
new file mode 100644
index 000000000000..d2997188de7d
--- /dev/null
+++ b/metadata/glsa/glsa-202405-31.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-31">
+    <title>Kubelet: Privilege Escalation</title>
+    <synopsis>A vulnerability has been discovered in Kubelet, which can lead to privilege escalation.</synopsis>
+    <product type="ebuild">kubelet</product>
+    <announced>2024-05-12</announced>
+    <revised count="1">2024-05-12</revised>
+    <bug>918665</bug>
+    <access>remote</access>
+    <affected>
+        <package name="sys-cluster/kubelet" auto="yes" arch="*">
+            <unaffected range="ge">1.28.5</unaffected>
+            <vulnerable range="lt">1.28.5</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Kubelet is a Kubernetes Node Agent.</p>
+    </background>
+    <description>
+        <p>A vulnerability has been discovered in Kubelet. Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Kubelet users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=sys-cluster/kubelet-1.28.5"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5528">CVE-2023-5528</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-05-12T05:13:03.608382Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-05-12T05:13:03.612681Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202405-32.xml b/metadata/glsa/glsa-202405-32.xml
new file mode 100644
index 000000000000..18738749ec53
--- /dev/null
+++ b/metadata/glsa/glsa-202405-32.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-32">
+    <title>Mozilla Thunderbird: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution.</synopsis>
+    <product type="ebuild">thunderbird,thunderbird-bin</product>
+    <announced>2024-05-12</announced>
+    <revised count="1">2024-05-12</revised>
+    <bug>925123</bug>
+    <bug>926533</bug>
+    <bug>930381</bug>
+    <access>local and remote</access>
+    <affected>
+        <package name="mail-client/thunderbird" auto="yes" arch="*">
+            <unaffected range="ge">115.10.0</unaffected>
+            <vulnerable range="lt">115.10.0</vulnerable>
+        </package>
+        <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+            <unaffected range="ge">115.10.0</unaffected>
+            <vulnerable range="lt">115.10.0</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.10.0"
+        </code>
+        
+        <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.10.0"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1546">CVE-2024-1546</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1547">CVE-2024-1547</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1548">CVE-2024-1548</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1549">CVE-2024-1549</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1550">CVE-2024-1550</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1551">CVE-2024-1551</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1552">CVE-2024-1552</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1553">CVE-2024-1553</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1936">CVE-2024-1936</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2609">CVE-2024-2609</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3302">CVE-2024-3302</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3854">CVE-2024-3854</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3857">CVE-2024-3857</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3859">CVE-2024-3859</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3861">CVE-2024-3861</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3864">CVE-2024-3864</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-05-12T05:22:33.946434Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-05-12T05:22:33.951011Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202405-33.xml b/metadata/glsa/glsa-202405-33.xml
new file mode 100644
index 000000000000..daa04af5cf0e
--- /dev/null
+++ b/metadata/glsa/glsa-202405-33.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-33">
+    <title>PoDoFo: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in PoDoFo, the worst of which could lead to code execution.</synopsis>
+    <product type="ebuild">podofo</product>
+    <announced>2024-05-12</announced>
+    <revised count="1">2024-05-12</revised>
+    <bug>906105</bug>
+    <access>remote</access>
+    <affected>
+        <package name="app-text/podofo" auto="yes" arch="*">
+            <unaffected range="ge">0.10.1</unaffected>
+            <vulnerable range="lt">0.10.1</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>PoDoFo is a free portable C++ library to work with the PDF file format.</p>
+    </background>
+    <description>
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All PoDoFo users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=app-text/podofo-0.10.1"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31566">CVE-2023-31566</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31567">CVE-2023-31567</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-05-12T05:25:34.545530Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-05-12T05:25:34.548474Z">graaff</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 01d539bc2f1c..4fe00c2cbcc9 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 11 May 2024 22:10:21 +0000
+Sun, 12 May 2024 22:10:17 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 9fd299452b65..717eb7ab54a1 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-88bffd0cf8491b108b57ac229b72f8b472c31ed1 1715166997 2024-05-08T11:16:37Z
+7ec9123210ab90f66e0a193a5064f3f36a58faac 1715491587 2024-05-12T05:26:27Z
-- 
cgit v1.2.3