From de49812990871e1705b64051c35161d5e6400269 Mon Sep 17 00:00:00 2001 
From: V3n3RiX Date: Mon, 24 Dec 2018 14:11:38 +0000 Subject: gentoo resync : 24.12.2018 --- metadata/glsa/Manifest | 30 +++++------ metadata/glsa/Manifest.files.gz | Bin 431078 -> 434883 bytes metadata/glsa/glsa-201805-14.xml | 1 - metadata/glsa/glsa-201811-10.xml | 96 +++++++++++++++++++++++++++++++++ metadata/glsa/glsa-201811-11.xml | 54 +++++++++++++++++++ metadata/glsa/glsa-201811-12.xml | 85 +++++++++++++++++++++++++++++ metadata/glsa/glsa-201811-13.xml | 113 +++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-201811-14.xml | 76 ++++++++++++++++++++++++++ metadata/glsa/glsa-201811-15.xml | 75 ++++++++++++++++++++++++++ metadata/glsa/glsa-201811-16.xml | 56 +++++++++++++++++++ metadata/glsa/glsa-201811-17.xml | 81 ++++++++++++++++++++++++++++ metadata/glsa/glsa-201811-18.xml | 52 ++++++++++++++++++ metadata/glsa/glsa-201811-19.xml | 51 ++++++++++++++++++ metadata/glsa/glsa-201811-20.xml | 50 +++++++++++++++++ metadata/glsa/glsa-201811-21.xml | 53 ++++++++++++++++++ metadata/glsa/glsa-201811-22.xml | 55 +++++++++++++++++++ metadata/glsa/glsa-201811-23.xml | 63 ++++++++++++++++++++++ metadata/glsa/glsa-201811-24.xml | 94 ++++++++++++++++++++++++++++++++ metadata/glsa/glsa-201812-01.xml | 82 ++++++++++++++++++++++++++++ metadata/glsa/glsa-201812-02.xml | 50 +++++++++++++++++ metadata/glsa/glsa-201812-03.xml | 48 +++++++++++++++++ metadata/glsa/glsa-201812-04.xml | 74 +++++++++++++++++++++++++ metadata/glsa/glsa-201812-05.xml | 48 +++++++++++++++++ metadata/glsa/glsa-201812-06.xml | 51 ++++++++++++++++++ metadata/glsa/glsa-201812-07.xml | 52 ++++++++++++++++++ metadata/glsa/glsa-201812-08.xml | 46 ++++++++++++++++ metadata/glsa/glsa-201812-09.xml | 56 +++++++++++++++++++ metadata/glsa/timestamp.chk | 2 +- metadata/glsa/timestamp.commit | 2 +- 29 files changed, 1578 insertions(+), 18 deletions(-) create mode 100644 metadata/glsa/glsa-201811-10.xml create mode 100644 metadata/glsa/glsa-201811-11.xml create mode 100644 metadata/glsa/glsa-201811-12.xml create 
mode 100644 metadata/glsa/glsa-201811-13.xml create mode 100644 metadata/glsa/glsa-201811-14.xml create mode 100644 metadata/glsa/glsa-201811-15.xml create mode 100644 metadata/glsa/glsa-201811-16.xml create mode 100644 metadata/glsa/glsa-201811-17.xml create mode 100644 metadata/glsa/glsa-201811-18.xml create mode 100644 metadata/glsa/glsa-201811-19.xml create mode 100644 metadata/glsa/glsa-201811-20.xml create mode 100644 metadata/glsa/glsa-201811-21.xml create mode 100644 metadata/glsa/glsa-201811-22.xml create mode 100644 metadata/glsa/glsa-201811-23.xml create mode 100644 metadata/glsa/glsa-201811-24.xml create mode 100644 metadata/glsa/glsa-201812-01.xml create mode 100644 metadata/glsa/glsa-201812-02.xml create mode 100644 metadata/glsa/glsa-201812-03.xml create mode 100644 metadata/glsa/glsa-201812-04.xml create mode 100644 metadata/glsa/glsa-201812-05.xml create mode 100644 metadata/glsa/glsa-201812-06.xml create mode 100644 metadata/glsa/glsa-201812-07.xml create mode 100644 metadata/glsa/glsa-201812-08.xml create mode 100644 metadata/glsa/glsa-201812-09.xml (limited to 'metadata/glsa')
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 66be81562320..4ad4dd7fd115 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 431078 BLAKE2B a37fcfee71256f9d40f60594c0e23daa5c659172c73db4acde25cfdd707e9c953c72c601225f03add857a3a4cd00dd0e4d133ce2a5780bc2e304faaa458a4319 SHA512 34e61d1ae19c99e2490f0ce5a8c731b8cbbf25f056f7432c3433599c2ba70347a4dc032b240a0b1d37227f95691c4c78e3d496bae3d66dff4167de8de8693f5d -TIMESTAMP 2018-11-18T08:38:36Z +MANIFEST Manifest.files.gz 434883 BLAKE2B 437fd719358cb224888b8071f01d60b1548cd1a82f20093903aa74e9fe63671e56f03a20ed426aae11e7d6fdd7027beb57804429044781bc9dc3557ccbbcb5a8 SHA512 16828091dc592888ea79b76c0a3e0ec358317e4c345386d11d12983b85a84ed74ba2d650d8af4f0f90a313afdad1a7fd1808666df2dca69ee70f2802b663b733 +TIMESTAMP 2018-12-24T12:38:37Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlvxJQxfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlwg001fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klAQNA/+LYW4R8jPLBp08Reh78sEkHJSZMNLmPt6DYCqB6ao31iMkwo+5nZj/TxI -VJ+n56iXlY7hm2EvU/SOnta0rONG6QMxFPrOgDMsYsT9o1Qk/ybodPJifB+HW+M9 -pDmuMIyr+hJgYsc/udiEI0t6lT6V83f4DZIbVzt4kHk9VYPYXrj4VpcvQVI3uy1H -yy3Akdb3zSOeR7gOam0WvWDfFnGD2oeNmR1wp+qpYuHsSvfrSlx0hJtrFUS21teL -WFso2irh0whV8FqvpHFgA8E7/OX/qNmoEy/6gzWWMhz5McoO6/NX9+FS65lP+PFw -Ee/DGREMtG0rv0RdwuncsSpRscF/myzo//d394VWFQSVUCS+una6OrGyPOmkYAUh -Dk7cF/skISpOGqbts9aPlJrNwxH1fmEXpBZoeqvlm2VXjaKGYTkQNCcjYuGEuouz -RvPbIB5dSEdYM+EWDBHbamixdYscx/RtL8vi1Y2nLnR50M82lKy5zG65VEh21RSl -r00r7eHJBS7la9XcNqH4Wj6UAF2aUVI8knYRWfK5tg8yzJYbDSVXIYjmUYHfBkBo -JdZX2xTnkxm7FqgM7SjojFMWyfgwBp5lGWjzaR40+zXoLnN3fxFjAxE8rxaCdO7h -gsiteLC0/G3AtxTqEXh/3HtmWktyQDv3Uq6QGAeTRZ7Pjsqcm7s= -=KWRB +klD2fA/+Mt4p7KROekLVq9HOgIgdDD+/hFUAs5tYJr23IPJ+6LYiP4J3UyN4D13V +lzK9GLnnuyWJDAAPZNsFCPltdO0z90YBrMegKUP1WnZe+Px0oXyPQNIlK4ccesfv +Tr/6k31JZ18fULHCH21Zr+U1TS0Gx6J7V+P+WV6qr7OchkRAoENcnW2gJuAtbmmm 
+9RCHsICYRL2lFRaGGJq2KlVHlMosLetqF6ATeQIjHWHpZDQaxXpMdYo+9JDqp7dM +w9THEXHeiJFG6QKqaDMNvduac8zm/wTqk35Q+F4ueE7zndo4wx45tz6CJZt0eqEx +EJ4J5GTdzqQ0LOD0dJHjbBcg93eF+dCpQQHhAQ4nqiZre196ZirDMEBka1JDeX9W +rkeCzxKrVKfi3l3udbRxVEM88fi3DB9Mf3u4cwvR2q586KZkZRblGjSII/NMtJJW +dLPklyjA/O1b7w1mNO3de/yiDlTz5S27/ovB/WzbBPTsCyxAUKu6Xii5Y69iqLV4 +qyx4SvGNztlf2bOs3G6o6cGfkH5C3BeIqL0GVfahqF8eti/UvAgNIDlR/uzWBwVl +s6HmzaKioaz/Oh4vzR9WOKxtPDfnbfkNrAqA8x/AJXS3gLk5cbWmM1RKRnDq7JjU +XlZUdy627zUiqHQ5ROz0FuvGf0ddKJTO2DNRmy0Eu4tagv+XYAk= +=YM9t -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index f7610bd56006..5d40da810995 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-201805-14.xml b/metadata/glsa/glsa-201805-14.xml index 3199c6204d0b..31c73fc72867 100644 --- a/metadata/glsa/glsa-201805-14.xml +++ b/metadata/glsa/glsa-201805-14.xml @@ -44,7 +44,6 @@ CVE-2018-1120 - CVE-2018-1121 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 diff --git a/metadata/glsa/glsa-201811-10.xml b/metadata/glsa/glsa-201811-10.xml new file mode 100644 index 000000000000..6a170b56f670 --- /dev/null +++ b/metadata/glsa/glsa-201811-10.xml @@ -0,0 +1,96 @@ + + + + Chromium: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chromium and Google + Chrome, the worst of which allows remote attackers to execute arbitrary + code. + + chromium + 2018-11-23 + 2018-11-23 + 665340 + 666502 + 668986 + remote + + + 70.0.3538.67 + 70.0.3538.67 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+
+ +

Multiple vulnerabilities have been discovered in Chromium and Google + Chrome. Please review the referenced CVE identifiers and Google Chrome + Releases for details. +

+
+ +

A remote attacker could execute arbitrary code, escalate privileges, + cause a heap buffer overflow, obtain sensitive information, or spoof a + URL. +

+
+ +

There is no known workaround at this time.

+
+ +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-70.0.3538.67" + +
+ + CVE-2018-16065 + CVE-2018-16066 + CVE-2018-16067 + CVE-2018-16068 + CVE-2018-16069 + CVE-2018-16070 + CVE-2018-16071 + CVE-2018-16072 + CVE-2018-16073 + CVE-2018-16074 + CVE-2018-16075 + CVE-2018-16076 + CVE-2018-16077 + CVE-2018-16078 + CVE-2018-16079 + CVE-2018-16080 + CVE-2018-16081 + CVE-2018-16082 + CVE-2018-16083 + CVE-2018-16084 + CVE-2018-16085 + CVE-2018-16086 + CVE-2018-16087 + CVE-2018-16088 + CVE-2018-17462 + CVE-2018-17463 + CVE-2018-17464 + CVE-2018-17465 + CVE-2018-17466 + CVE-2018-17467 + CVE-2018-17468 + CVE-2018-17469 + CVE-2018-17470 + CVE-2018-17471 + CVE-2018-17472 + CVE-2018-17473 + CVE-2018-17474 + CVE-2018-17475 + CVE-2018-17476 + CVE-2018-17477 + CVE-2018-5179 + + BlueKnight + b-man +
diff --git a/metadata/glsa/glsa-201811-11.xml b/metadata/glsa/glsa-201811-11.xml new file mode 100644 index 000000000000..8412907a0271 --- /dev/null +++ b/metadata/glsa/glsa-201811-11.xml @@ -0,0 +1,54 @@ + + + + Asterisk: Multiple vulnerabilities + Multiple vulnerabilities have been found in Asterisk, the worst of + which could result in a Denial of Service condition. + + asterisk + 2018-11-24 + 2018-11-24 + 636972 + 645710 + 668848 + remote + + + 13.23.1 + 13.23.1 + + + +

A Modular Open Source PBX System.

+
+ +

Multiple vulnerabilities have been discovered in Asterisk. Please review + the referenced CVE identifiers for details. +

+
+ +

A remote attacker could cause a Denial of Service condition or conduct + information gathering. +

+
+ +

There is no known workaround at this time.

+
+ +

All Asterisk users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/asterisk-13.23.1" + +
+ + CVE-2017-16671 + CVE-2017-16672 + CVE-2017-17850 + CVE-2018-12227 + CVE-2018-17281 + + BlueKnight + b-man +
diff --git a/metadata/glsa/glsa-201811-12.xml b/metadata/glsa/glsa-201811-12.xml new file mode 100644 index 000000000000..884021ffa325 --- /dev/null +++ b/metadata/glsa/glsa-201811-12.xml @@ -0,0 +1,85 @@ + + + + GPL Ghostscript: Multiple vulnerabilities + Multiple vulnerabilities have been found in GPL Ghostscript, the + worst of which could result in the execution of arbitrary code. + + ghostscript + 2018-11-24 + 2018-11-24 + 618820 + 626418 + 635426 + 655404 + 668846 + 671732 + remote + + + 9.26 + 9.26 + + + +

Ghostscript is an interpreter for the PostScript language and for PDF.

+
+ +

Multiple vulnerabilities have been discovered in GPL Ghostscript. Please + review the CVE identifiers referenced below for additional information. +

+
+ +

A context-dependent attacker could entice a user to open a specially + crafted PostScript file or PDF document using GPL Ghostscript possibly + resulting in the execution of arbitrary code with the privileges of the + process, a Denial of Service condition, or other unspecified impacts, +

+
+ +

There is no known workaround at this time.

+
+ +

All GPL Ghostscript users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-9.26" + +
+ + CVE-2017-11714 + CVE-2017-7948 + CVE-2017-9610 + CVE-2017-9611 + CVE-2017-9612 + CVE-2017-9618 + CVE-2017-9619 + CVE-2017-9620 + CVE-2017-9726 + CVE-2017-9727 + CVE-2017-9739 + CVE-2017-9740 + CVE-2017-9835 + CVE-2018-10194 + CVE-2018-15908 + CVE-2018-15909 + CVE-2018-15910 + CVE-2018-15911 + CVE-2018-16509 + CVE-2018-16510 + CVE-2018-16511 + CVE-2018-16513 + CVE-2018-16539 + CVE-2018-16540 + CVE-2018-16541 + CVE-2018-16542 + CVE-2018-16543 + CVE-2018-16585 + CVE-2018-16802 + CVE-2018-18284 + CVE-2018-19409 + + b-man + b-man +
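Review bot: The impact paragraph of the new glsa-201811-12.xml ends with a comma instead of a full stop, so the sentence `... a Denial of Service condition, or other unspecified impacts,` is left unterminated in the rendered advisory. It should read `... a Denial of Service condition, or other unspecified impacts.`, matching the impact sections of the other advisories in this batch. Because this file is mirrored from the upstream GLSA repository by the resync, the correction belongs in the upstream advisory rather than in this commit.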
diff --git a/metadata/glsa/glsa-201811-13.xml b/metadata/glsa/glsa-201811-13.xml new file mode 100644 index 000000000000..8878b70ffa3d --- /dev/null +++ b/metadata/glsa/glsa-201811-13.xml @@ -0,0 +1,113 @@ + + + + Mozilla Thunderbird: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mozilla Thunderbird, + the worst of which could lead to the execution of arbitrary code. + + mozilla,thunderbird + 2018-11-24 + 2018-11-24 + 651862 + 656092 + 660342 + 669960 + 670102 + remote + + + 60.3.0 + 60.3.0 + + + 60.3.0 + 60.3.0 + + + +

Mozilla Thunderbird is a popular open-source email client from the + Mozilla project. +

+
+ +

Multiple vulnerabilities have been discovered in Mozilla Thunderbird. + Please review the referenced Mozilla Foundation Security Advisories and + CVE identifiers below for details. +

+
+ +

A remote attacker may be able to execute arbitrary code, cause a Denial + of Service condition, obtain sensitive information, or conduct Cross-Site + Request Forgery (CSRF). +

+
+ +

There is no known workaround at this time.

+
+ +

All Thunderbird users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-60.3.0" + + +

All Thunderbird binary users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=mail-client/thunderbird-bin-60.3.0" + +
+ + CVE-2017-16541 + CVE-2018-12359 + CVE-2018-12360 + CVE-2018-12361 + CVE-2018-12362 + CVE-2018-12363 + CVE-2018-12364 + CVE-2018-12365 + CVE-2018-12366 + CVE-2018-12367 + CVE-2018-12371 + CVE-2018-12372 + CVE-2018-12373 + CVE-2018-12374 + CVE-2018-12376 + CVE-2018-12377 + CVE-2018-12378 + CVE-2018-12379 + CVE-2018-12383 + CVE-2018-12385 + CVE-2018-12389 + CVE-2018-12390 + CVE-2018-12391 + CVE-2018-12392 + CVE-2018-12393 + CVE-2018-5125 + CVE-2018-5127 + CVE-2018-5129 + CVE-2018-5144 + CVE-2018-5145 + CVE-2018-5146 + CVE-2018-5150 + CVE-2018-5154 + CVE-2018-5155 + CVE-2018-5156 + CVE-2018-5159 + CVE-2018-5161 + CVE-2018-5162 + CVE-2018-5168 + CVE-2018-5170 + CVE-2018-5178 + CVE-2018-5183 + CVE-2018-5184 + CVE-2018-5185 + CVE-2018-5187 + CVE-2018-5188 + + whissi + b-man +
diff --git a/metadata/glsa/glsa-201811-14.xml b/metadata/glsa/glsa-201811-14.xml new file mode 100644 index 000000000000..ed1a2af2cfcf --- /dev/null +++ b/metadata/glsa/glsa-201811-14.xml @@ -0,0 +1,76 @@ + + + + Exiv2: Multiple vulnerabilities + Multiple vulnerabilities have been found in Exiv2, the worst of + which could result in a Denial of Service condition. + + exiv2 + 2018-11-24 + 2018-11-24 + 647810 + 647812 + 647816 + 652822 + 655842 + 655958 + 658236 + remote + + + 0.26_p20180811-r3 + 0.26_p20180811-r3 + + + +

Exiv2 is a C++ library and a command line utility to manage image + metadata. +

+
+ +

Multiple vulnerabilities have been discovered in Exiv2. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could cause a Denial of Service condition or obtain + sensitive information via a specially crafted file. +

+
+ +

There is no known workaround at this time.

+
+ +

All Exiv2 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=media-gfx/exiv2-0.26_p20180811-r3" + +
+ + CVE-2017-17723 + CVE-2017-17724 + CVE-2018-10780 + CVE-2018-10958 + CVE-2018-10998 + CVE-2018-10999 + CVE-2018-11037 + CVE-2018-11531 + CVE-2018-12264 + CVE-2018-12265 + CVE-2018-5772 + CVE-2018-8976 + CVE-2018-8977 + CVE-2018-9144 + CVE-2018-9145 + CVE-2018-9146 + CVE-2018-9303 + CVE-2018-9304 + CVE-2018-9305 + CVE-2018-9306 + + BlueKnight + b-man +
diff --git a/metadata/glsa/glsa-201811-15.xml b/metadata/glsa/glsa-201811-15.xml new file mode 100644 index 000000000000..9bc3a33123f6 --- /dev/null +++ b/metadata/glsa/glsa-201811-15.xml @@ -0,0 +1,75 @@ + + + + MuPDF: Multiple vulnerabilities + Multiple vulnerabilities have been found in MuPDF, the worst of + which could allow the remote execution of arbitrary code. + + mupdf + 2018-11-26 + 2018-11-26 + 634678 + 646010 + 651828 + 658618 + remote + + + 1.13.0 + 1.13.0 + + + +

A lightweight PDF, XPS, and E-book viewer.

+
+ +

Multiple vulnerabilities have been discovered in MuPDF. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker, by enticing a user to process a specially crafted + file, could possibly execute arbitrary code, cause a Denial of Service + condition, or have other unspecified impacts. +

+
+ +

There is no known workaround at this time.

+
+ +

All MuPDF users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/mupdf-1.13.0" + +
+ + CVE-2017-15587 + CVE-2017-17858 + + CVE-2018-1000036 + + + CVE-2018-1000037 + + + CVE-2018-1000038 + + + CVE-2018-1000039 + + + CVE-2018-1000040 + + + CVE-2018-1000051 + + CVE-2018-5686 + CVE-2018-6187 + CVE-2018-6192 + CVE-2018-6544 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201811-16.xml b/metadata/glsa/glsa-201811-16.xml new file mode 100644 index 000000000000..84dd194857e5 --- /dev/null +++ b/metadata/glsa/glsa-201811-16.xml @@ -0,0 +1,56 @@ + + + + strongSwan: Multiple vulnerabilities + Multiple vulnerabilities have been found in strongSwan, the worst + of which could lead to a Denial of Service condition. + + strongswan + 2018-11-26 + 2018-11-26 + 648610 + 656338 + 658230 + 668862 + remote + + + 5.7.1 + 5.7.1 + + + +

strongSwan is an IPSec implementation for Linux.

+
+ +

Multiple vulnerabilities have been discovered in strongSwan. Please + review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could cause a Denial of Service condition or + impersonate a user. +

+
+ +

There is no known workaround at this time.

+
+ +

All strongSwan users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-vpn/strongswan-5.7.1" + +
+ + CVE-2018-10811 + CVE-2018-16151 + CVE-2018-16152 + CVE-2018-17540 + CVE-2018-5388 + CVE-2018-6459 + + whissi + b-man +
diff --git a/metadata/glsa/glsa-201811-17.xml b/metadata/glsa/glsa-201811-17.xml new file mode 100644 index 000000000000..252a12c83dba --- /dev/null +++ b/metadata/glsa/glsa-201811-17.xml @@ -0,0 +1,81 @@ + + + + Binutils: Multiple vulnerabilities + Multiple vulnerabilities have been found in Binutils, the worst of + which may allow remote attackers to cause a Denial of Service condition. + + binutils + 2018-11-27 + 2018-11-27 + 634196 + 637642 + 639692 + 639768 + 647798 + 649690 + remote + + + 2.30-r2 + 2.30-r2 + + + +

The GNU Binutils are a collection of tools to create, modify and analyse + binary files. Many of the files use BFD, the Binary File Descriptor + library, to do low-level manipulation. +

+
+ +

Multiple vulnerabilities have been discovered in Binutils. Please review + the referenced CVE identifiers for details. +

+
+ +

A remote attacker, by enticing a user to compile/execute a specially + crafted ELF, object, PE, or binary file, could possibly cause a Denial of + Service condition or have other unspecified impacts. +

+
+ +

There is no known workaround at this time.

+
+ +

All Binutils users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.30-r2" + +
+ + CVE-2017-14933 + CVE-2017-16826 + CVE-2017-16827 + CVE-2017-16828 + CVE-2017-16829 + CVE-2017-16830 + CVE-2017-16831 + CVE-2017-16832 + CVE-2017-17080 + CVE-2017-17121 + CVE-2017-17122 + CVE-2017-17123 + CVE-2017-17124 + CVE-2017-17125 + CVE-2017-17126 + CVE-2018-6543 + CVE-2018-6759 + CVE-2018-6872 + CVE-2018-7208 + CVE-2018-7568 + CVE-2018-7569 + CVE-2018-7570 + CVE-2018-7642 + CVE-2018-7643 + CVE-2018-8945 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201811-18.xml b/metadata/glsa/glsa-201811-18.xml new file mode 100644 index 000000000000..b69d0f0ebc34 --- /dev/null +++ b/metadata/glsa/glsa-201811-18.xml @@ -0,0 +1,52 @@ + + + + Tablib: Arbitrary command execution + A vulnerability in Tablib might allow remote attackers to execute + arbitrary python commands. + + tablib + 2018-11-27 + 2018-11-27 + 621884 + remote + + + 0.12.1 + 0.12.1 + + + +

Tablib is an MIT Licensed format-agnostic tabular dataset library, + written in Python. It allows you to import, export, and manipulate + tabular data sets. +

+
+ +

A vulnerability was discovered in Tablib’s Databook loading + functionality, due to improper input validation. +

+
+ +

A remote attacker, by enticing the user to process a specially crafted + Databook via YAML, could possibly execute arbitrary python commands with + the privilege of the process. +

+
+ +

There is no known workaround at this time.

+
+ +

All Tablib users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/tablib-0.12.1" + +
+ + CVE-2017-2810 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201811-19.xml b/metadata/glsa/glsa-201811-19.xml new file mode 100644 index 000000000000..d4a6a1ca3efb --- /dev/null +++ b/metadata/glsa/glsa-201811-19.xml @@ -0,0 +1,51 @@ + + + + Libav: Multiple vulnerabilities + Multiple vulnerabilities have been found in Libav, the worst of + which may allow a Denial of Service condition. + + libav + 2018-11-27 + 2018-11-27 + 637458 + remote + + + 12.3 + 12.3 + + + +

Libav is a complete solution to record, convert and stream audio and + video. +

+
+ +

Multiple vulnerabilities have been discovered in Libav. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker, via a crafted Smacker stream, could cause a Denial of + Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Libav users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-video/libav-12.3" + +
+ + CVE-2017-16803 + CVE-2017-7862 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201811-20.xml b/metadata/glsa/glsa-201811-20.xml new file mode 100644 index 000000000000..ac3e7b0d2894 --- /dev/null +++ b/metadata/glsa/glsa-201811-20.xml @@ -0,0 +1,50 @@ + + + + spice-gtk: Remote code execution + A vulnerability in spice-gtk could allow an attacker to remotely + execute arbitrary code. + + spice-gtk + 2018-11-27 + 2018-11-27 + 650878 + local, remote + + + 0.34 + 0.34 + + + +

spice-gtk is a set of GObject and Gtk objects for connecting to Spice + servers and a client GUI. +

+
+ +

A vulnerability was found in spice-gtk client due to the incorrect use + of integer types and missing overflow checks. +

+
+ +

An attacker, by enticing the user to join a malicious server, could + remotely execute arbitrary code or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All spice-gtk users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/spice-gtk-0.34" + +
+ + CVE-2017-12194 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201811-21.xml b/metadata/glsa/glsa-201811-21.xml new file mode 100644 index 000000000000..043d61a724ff --- /dev/null +++ b/metadata/glsa/glsa-201811-21.xml @@ -0,0 +1,53 @@ + + + + OpenSSL: Multiple vulnerabilities + Multiple vulnerabilities have been found in OpenSSL, the worst of + which may lead to a Denial of Service condition. + + openssl + 2018-11-28 + 2018-11-28 + 651730 + 653434 + remote + + + 1.0.2o + 1.0.2o + + + +

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the + Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. +

+
+ +

Multiple vulnerabilities have been discovered in OpenSSL. Please review + the referenced CVE identifiers for details. +

+
+ +

A remote attacker could cause a Denial of Service condition, obtain + private keying material, or gain access to sensitive information. +

+
+ +

There is no known workaround at this time.

+
+ +

All OpenSSL users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2o" + +
+ + CVE-2018-0733 + CVE-2018-0737 + CVE-2018-0739 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201811-22.xml b/metadata/glsa/glsa-201811-22.xml new file mode 100644 index 000000000000..9095c67e0ca8 --- /dev/null +++ b/metadata/glsa/glsa-201811-22.xml @@ -0,0 +1,55 @@ + + + + RPM: Multiple vulnerabilities + Multiple vulnerabilities have been found in RPM, the worst of which + could allow a remote attacker to escalate privileges. + + rpm + 2018-11-28 + 2018-11-28 + 533740 + 638636 + remote + + + 4.14.1 + 4.14.1 + + + +

The Red Hat Package Manager (RPM) is a command line driven package + management system capable of installing, uninstalling, verifying, + querying, and updating computer software packages. +

+
+ +

Multiple vulnerabilities have been discovered in RPM. Please review the + CVE identifiers referenced below for details. +

+
+ +

A remote attacker, by enticing the user to process a specially crafted + RPM file, could escalate privileges, execute arbitrary code, or cause a + Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All RPM users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/rpm-4.14.1" + +
+ + CVE-2013-6435 + CVE-2014-8118 + CVE-2017-7501 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201811-23.xml b/metadata/glsa/glsa-201811-23.xml new file mode 100644 index 000000000000..0d34b1b9a6c4 --- /dev/null +++ b/metadata/glsa/glsa-201811-23.xml @@ -0,0 +1,63 @@ + + + + libsndfile: Multiple vulnerabilities + Multiple vulnerabilities have been found in libsndfile, the worst + of which might allow remote attackers to cause a Denial of Service + condition. + + libsndfile + 2018-11-30 + 2018-11-30 + 618016 + 624814 + 627152 + 631634 + 660452 + remote + + + 1.0.28-r4 + 1.0.28-r4 + + + +

libsndfile is a C library for reading and writing files containing + sampled sound. +

+
+ +

Multiple vulnerabilities have been discovered in libsndfile. Please + review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker, by enticing a user to open a specially crafted file, + could cause a Denial of Service condition or have other unspecified + impacts. +

+
+ +

There is no known workaround at this time.

+
+ +

All libsndfile users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libsndfile-1.0.28-r4" + +
+ + CVE-2017-12562 + CVE-2017-14634 + CVE-2017-6892 + CVE-2017-8361 + CVE-2017-8362 + CVE-2017-8363 + CVE-2017-8365 + CVE-2018-13139 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201811-24.xml b/metadata/glsa/glsa-201811-24.xml new file mode 100644 index 000000000000..212d0afcbe45 --- /dev/null +++ b/metadata/glsa/glsa-201811-24.xml @@ -0,0 +1,94 @@ + + + + PostgreSQL: SQL injection + A SQL injection in PostgreSQL may allow attackers to execute + arbitrary SQL statements. + + postgresql + 2018-11-30 + 2018-12-03 + 670724 + remote + + + 9.3.25 + 9.4.20 + 9.5.15 + 9.6.11 + 10.6 + 11.1 + 9.3.25 + 9.4.20 + 9.5.15 + 9.6.11 + 10.6 + 11.1 + + + +

PostgreSQL is an open source object-relational database management + system. +

+
+ +

A vulnerability was discovered in PostgreSQL’s pg_upgrade and pg_dump.

+
+ +

An attacker, by enticing a user to process a specially crafted trigger + definition, can execute arbitrary SQL statements with superuser + privileges. +

+
+ +

There is no known workaround at this time.

+
+ +

All PostgreSQL 9.3.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.25" + + +

All PostgreSQL 9.4.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.20" + + +

All PostgreSQL 9.5.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.15" + + +

All PostgreSQL 9.6.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.11" + + +

All PostgreSQL 10.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.6" + + +

All PostgreSQL 11.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.1" + +
+ + CVE-2018-16850 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201812-01.xml b/metadata/glsa/glsa-201812-01.xml new file mode 100644 index 000000000000..7ad1abf85e77 --- /dev/null +++ b/metadata/glsa/glsa-201812-01.xml @@ -0,0 +1,82 @@ + + + + PHP: Multiple vulnerabilities + Multiple vulnerabilities have been found in PHP, the worst of which + could result in a Denial of Service condition. + + php + 2018-12-02 + 2018-12-03 + 658092 + 666256 + local, remote + + + 5.6.38 + 7.0.32 + 7.1.22 + 7.2.10 + 5.6.38 + 7.0.32 + 7.1.22 + 7.2.10 + + + +

PHP is an open source general-purpose scripting language that is + especially suited for web development. +

+
+ +

Multiple vulnerabilities have been discovered in PHP. Please review the + referenced CVE identifiers for details. +

+
+ +

An attacker could cause a Denial of Service condition or obtain + sensitive information. +

+
+ +

There is no known workaround at this time.

+
+ +

All PHP 5.6.X users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.38" + + +

All PHP 7.0.X users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.0.32" + + +

All PHP 7.1.X users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.1.22" + + +

All PHP 7.2.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.2.10" + +
+ + CVE-2018-10545 + CVE-2018-10546 + CVE-2018-10548 + CVE-2018-10549 + CVE-2018-17082 + + b-man + b-man +
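Review bot: The resolution steps of the new glsa-201812-01.xml spell the version wildcard inconsistently: the first three headings use `All PHP 5.6.X users`, `All PHP 7.0.X users` and `All PHP 7.1.X users` while the last uses `All PHP 7.2.x users`. Lower-case `x` is the form used elsewhere in this batch (for example the PostgreSQL advisory's `All PostgreSQL 9.3.x users`), so the three upper-case headings should be changed to `5.6.x`, `7.0.x` and `7.1.x`. As this is a resync of upstream GLSA data, the fix belongs upstream.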
diff --git a/metadata/glsa/glsa-201812-02.xml b/metadata/glsa/glsa-201812-02.xml new file mode 100644 index 000000000000..b4cd500b400d --- /dev/null +++ b/metadata/glsa/glsa-201812-02.xml @@ -0,0 +1,50 @@ + + + + ConnMan: Multiple vulnerabilities + Multiple vulnerabilities have been found in ConnMan, the worst of + which could result in the remote execution of code. + + connman + 2018-12-02 + 2018-12-02 + 628566 + 630028 + remote + + + 1.35-r1 + 1.35-r1 + + + +

ConnMan provides a daemon for managing Internet connections.

+
+ +

Multiple vulnerabilities have been discovered in ConnMan. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker, via a crafted DNS packet, could remotely execute code + or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All ConnMan users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/connman-1.35-r1" + +
+ + CVE-2017-12865 + CVE-2017-5716 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201812-03.xml b/metadata/glsa/glsa-201812-03.xml new file mode 100644 index 000000000000..859d27b0cf4a --- /dev/null +++ b/metadata/glsa/glsa-201812-03.xml @@ -0,0 +1,48 @@ + + + + Nagios: Privilege escalation + A vulnerability in Nagios allows local users to escalate + privileges. + + nagios + 2018-12-02 + 2018-12-02 + 629380 + local + + + 4.3.4 + 4.3.4 + + + +

Nagios is an open source host, service and network monitoring program.

+
+ +

A vulnerability in Nagios was discovered due to the improper handling of + configuration files which can be owned by a non-root user. +

+
+ +

A local attacker can escalate privileges to root by leveraging access to + a non-root owned configuration file. +

+
+ +

There is no known workaround at this time.

+
+ +

All Nagios users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-4.3.4" + +
+ + CVE-2017-14312 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201812-04.xml b/metadata/glsa/glsa-201812-04.xml new file mode 100644 index 000000000000..11749f2722a8 --- /dev/null +++ b/metadata/glsa/glsa-201812-04.xml @@ -0,0 +1,74 @@ + + + + WebkitGTK+: Multiple vulnerabilities + Multiple vulnerabilities have been found in WebKitGTK+, the worst + of which may lead to arbitrary code execution. + + webkitgtk + 2018-12-02 + 2018-12-02 + 667892 + remote + + + 2.22.0 + 2.22.0 + + + +

WebKitGTK+ is a full-featured port of the WebKit rendering engine, + suitable for projects requiring any kind of web integration, from hybrid + HTML/CSS applications to full-fledged web browsers. +

+
+ +

Multiple vulnerabilities have been discovered in WebKitGTK+. Please + review the referenced CVE identifiers for details. +

+
+ +

A remote attacker could execute arbitrary commands or cause a Denial of + Service condition via maliciously crafted web content. +

+
+ +

There is no known workaround at this time.

+
+ +

All WebkitGTK+ users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.22.0" + +
+ + CVE-2018-4191 + CVE-2018-4197 + CVE-2018-4207 + CVE-2018-4208 + CVE-2018-4209 + CVE-2018-4210 + CVE-2018-4212 + CVE-2018-4213 + CVE-2018-4299 + CVE-2018-4306 + CVE-2018-4309 + CVE-2018-4311 + CVE-2018-4312 + CVE-2018-4314 + CVE-2018-4315 + CVE-2018-4316 + CVE-2018-4317 + CVE-2018-4318 + CVE-2018-4319 + CVE-2018-4323 + CVE-2018-4328 + CVE-2018-4358 + CVE-2018-4359 + CVE-2018-4361 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201812-05.xml b/metadata/glsa/glsa-201812-05.xml
new file mode 100644
index 000000000000..a40c55455c52
--- /dev/null
+++ b/metadata/glsa/glsa-201812-05.xml
@@ -0,0 +1,48 @@
+ + + + EDE: Privilege escalation + A vulnerability in EDE could result in privilege escalation. + ede, emacs + 2018-12-06 + 2018-12-06 + 398241 + local + + + 1.07 + 1.07 + + + +

A package that simplifies the task of creating, building, and debugging + large programs with Emacs. It provides some of the features of an IDE, or + Integrated Development Environment, in Emacs. +

+
+ +

An untrusted search path vulnerability was discovered in EDE.

+
+ +

A local attacker could escalate his privileges via a specially crafted + Lisp expression in a Project.ede file in the directory or a parent + directory of an opened file. +

+
+ +

There is no known workaround at this time.

+
+ +

All EDE users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-xemacs/ede-1.07" + +
+ + CVE-2012-0035 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201812-06.xml b/metadata/glsa/glsa-201812-06.xml
new file mode 100644
index 000000000000..6cae9b0ffc5e
--- /dev/null
+++ b/metadata/glsa/glsa-201812-06.xml
@@ -0,0 +1,51 @@
+ + + + CouchDB: Multiple vulnerabilities + Multiple vulnerabilities have been found in CouchDB, the worst of + which could lead to the remote execution of code. + + couchdb + 2018-12-15 + 2018-12-15 + 630796 + 660908 + 663164 + remote + + + 2.1.2 + + + +

Apache CouchDB is a distributed, fault-tolerant and schema-free + document-oriented database. +

+
+ +

Multiple vulnerabilities have been discovered in CouchDB. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could execute arbitrary code or escalate privileges.

+
+ +

There is no known workaround at this time.

+
+ +

Gentoo has discontinued support for CouchDB and recommends that users + unmerge the package: +

+ + + # emerge --unmerge "dev-db/couchdb" + +
+ + CVE-2018-11769 + CVE-2018-8007 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201812-07.xml b/metadata/glsa/glsa-201812-07.xml
new file mode 100644
index 000000000000..85756596a16c
--- /dev/null
+++ b/metadata/glsa/glsa-201812-07.xml
@@ -0,0 +1,52 @@
+ + + + SpamAssassin: Multiple vulnerabilities + Multiple vulnerabilities have been found in SpamAssassin, the worst + of which may lead to remote code execution. + + spamassassin + 2018-12-15 + 2018-12-15 + 666348 + remote + + + 3.4.2-r2 + 3.4.2-r2 + + + +

SpamAssassin is an extensible email filter used to identify junk email.

+
+ +

Multiple vulnerabilities have been discovered in SpamAssassin. Please + review the referenced CVE identifiers for details. +

+
+ +

A remote attacker could execute arbitrary code, escalate privileges, or + cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All SpamAssassin users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=mail-filter/spamassassin-3.4.2-r2" + +
+ + CVE-2016-1238 + CVE-2017-15705 + CVE-2018-11780 + CVE-2018-11781 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201812-08.xml b/metadata/glsa/glsa-201812-08.xml
new file mode 100644
index 000000000000..b7bbb1f774aa
--- /dev/null
+++ b/metadata/glsa/glsa-201812-08.xml
@@ -0,0 +1,46 @@
+ + + + Scala: Privilege escalation + A vulnerability in Scala could result in privilege escalation. + scala + 2018-12-15 + 2018-12-15 + 637940 + local + + + 2.12.4 + 2.12.4 + + + +

Scala combines object-oriented and functional programming in one + concise, high-level language. +

+
+ +

It was discovered that Scala’s compilation daemon does not properly + manage permissions for private files. +

+
+ +

A local attacker could escalate privileges.

+
+ +

There is no known workaround at this time.

+
+ +

All Scala users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/scala-2.12.4" + +
+ + CVE-2017-15288 + + b-man + b-man +
diff --git a/metadata/glsa/glsa-201812-09.xml b/metadata/glsa/glsa-201812-09.xml
new file mode 100644
index 000000000000..e8bfec595a2f
--- /dev/null
+++ b/metadata/glsa/glsa-201812-09.xml
@@ -0,0 +1,56 @@
+ + + + Go: Multiple vulnerabilities + Multiple vulnerabilities have been found in Go, the worst which + could lead to the execution of arbitrary code. + + go + 2018-12-21 + 2018-12-21 + 673234 + remote + + + 1.10.7 + 1.10.7 + + + +

Go is an open source programming language that makes it easy to build + simple, reliable, and efficient software. +

+
+ +

Multiple vulnerabilities have been discovered in Go. Please review the + CVE identifiers referenced below for details. +

+
+ +

A remote attacker could cause arbitrary code execution by passing + specially crafted Go packages the ‘go get -u’ command. +

+ +

The remote attacker could also craft pathological inputs causing a CPU + based Denial of Service condition via the crypto/x509 package. +

+
+ +

There is no known workaround at this time.

+
+ +

All Go users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/go-1.10.7" + +
+ + CVE-2018-16873 + CVE-2018-16874 + CVE-2018-16875 + + Zlogene + Zlogene +
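Review bot: The synopsis and the impact paragraph of this new advisory each drop a word, which makes the text read awkwardly for users who consume GLSAs as their primary notification: `the worst which could lead to the execution of arbitrary code` should read `the worst of which could lead to the execution of arbitrary code`, and `by passing specially crafted Go packages the ‘go get -u’ command` should read `by passing specially crafted Go packages to the ‘go get -u’ command`. The rest of the advisory (bug reference, affected range, CVE list and resolution) is consistent with the header and needs no change.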
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 78275940bcba..c1d7f511533e 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sun, 18 Nov 2018 08:38:33 +0000
+Mon, 24 Dec 2018 12:38:34 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 222bb03a9e88..15938ec9fb67 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-d0ed5c4d9d5a03355ab534b5784906e0956ea022 1541809004 2018-11-10T00:16:44+00:00
+50b59faac05c76419ff9b3a69d1e89f8a5c99678 1545393597 2018-12-21T11:59:57+00:00
-- 
cgit v1.2.3