From f65628136faa35d0c4d3b5e7332275c7b35fcd96 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Sat, 3 Nov 2018 08:36:22 +0000 Subject: gentoo resync : 03.11.2018 --- metadata/glsa/Manifest | 30 ++++++------ metadata/glsa/Manifest.files.gz | Bin 428694 -> 429647 bytes metadata/glsa/glsa-201810-05.xml | 61 ++++++++++++++++++++++++ metadata/glsa/glsa-201810-06.xml | 83 +++++++++++++++++++++++++++++++++ metadata/glsa/glsa-201810-07.xml | 77 ++++++++++++++++++++++++++++++ metadata/glsa/glsa-201810-08.xml | 98 +++++++++++++++++++++++++++++++++++++++ metadata/glsa/glsa-201810-09.xml | 53 +++++++++++++++++++++ metadata/glsa/glsa-201810-10.xml | 52 +++++++++++++++++++++ metadata/glsa/timestamp.chk | 2 +- metadata/glsa/timestamp.commit | 2 +- 10 files changed, 441 insertions(+), 17 deletions(-) create mode 100644 metadata/glsa/glsa-201810-05.xml create mode 100644 metadata/glsa/glsa-201810-06.xml create mode 100644 metadata/glsa/glsa-201810-07.xml create mode 100644 metadata/glsa/glsa-201810-08.xml create mode 100644 metadata/glsa/glsa-201810-09.xml create mode 100644 metadata/glsa/glsa-201810-10.xml (limited to 'metadata/glsa')
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 77eff0246fb7..272b5617c473 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 428694 BLAKE2B dabc73e7c83c08ff4414f8dfe425db9d08d60f1de16c53a7c98425dd351f75aef67c86f4f46fa49d9af0f986df502dbf33d34aadd4caf3fe51750483097dd276 SHA512 b2b7dd8ffb3bb5a6c89e9fdde743f3194735a002d556d9fb28adce939bf73e893fe8f97076dafbaf7704e3774b68ba08d842b8b20bfd7e9173e3cbc864b40bae -TIMESTAMP 2018-10-27T11:08:41Z +MANIFEST Manifest.files.gz 429647 BLAKE2B a411cce710ab8dd39a655bd0e0cc190fbcae6f53119ffd89cae0be474bd52b18b9f669c37dc08ddc9e6dc2a29bf677b9015df98cc57c2d30284d663c0b745fe0 SHA512 727e13fbfd98dfc90a62c0a63c29d8331a6b94e4b42d913790e4a78f814e95d07a616b3b426612b6bfed54ee01f6b9889ca7c2f42345120b9b84f4679ebf482d +TIMESTAMP 2018-11-03T07:38:39Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlvURzlfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlvdUH9fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klCHbQ/+LC0FkJAKahTXNb6BooRWLWHt/XunLq9LjLJTYRUEC2niBy3DE9u0oCr0 -h44PzynpU/W5u145TszqOehMEf6bxF8JQmZUumJZGWAdJBAUuvP1ChoLEHdJfKnz -YMVh434plGc+6FFEc6IedjC6hgY3MBXer8gZqMcglQmBkMi2KiHt0gguRR/cMr9H -mR1A5EUJlw+2HYZK6KnnUSew1PgiXYxQvtzL22ikpNtM2sqCx8X6h0aCEuH4rDHN -j1cnuqTijbkzZ8sqsv511EgBPzBXP384HiYPhPa+IJpWbUPhobaHLCKsl5BrlVZc -+qFF/UNUoB3r1ffcVc29KuLm3JQZUH6IJQvhh8IO/IT7U6olHM0t3NBA69i/LNqq -ehOSASp80WsCGW/bRFg4Ev5xUMqNUJi6ETqNZOiI4sRpNxoGzed3Emj01IORGUTq -q9PS2gZVjWBODLYzRvPg51t3RcxF7d569BK5uzxICbMh/4zE5bCo/RgcNngjl7aC -lzkUt3ht/FStSfVg9d2JpE1Q433MFqIWYsUBMXLsTGmpzCrOhBEq9JeejwAlO8VU -jDdTvobn0P+u67iia+170LONrNeNiCf39ZTnVvKbjCnqlQPZnuyD3Eodab3oVTDQ -O5lLnSX19vmZqwYckdmWL0fi7fZeT+MvIDv2lvTmB0PqdZ6/w9E= -=TRHh +klB9HhAAloTGT9BfjtX6lE1xv7+YdKOjU8YbkFR4rbjKI2zGnYqQAc8ZM1zss3+q +pRDBwW1Bgp3LavCqFdTDVAqVQ2CiGjzAvWAyjYqjQnWyi+2mlgbgB1WpJLufd32P +647NlKJcpIzGBW2CrL/fkQiqYkeYKx1fr9nr+BJoLYK7hPZbewKNITU2OsiV+TtM 
+wgJ7uFECAbluJbdDnJPrY+8mYNpAaHrxmvzPx61hHq3rbMP3V8IC0753QUPhgKbr +NzIKDX+HbQXN5eydTyUHvPIe2n/F/Xj6r3gYa+NwbynnI5ggjBChkaLrKLHzjpVE +oUUox9auS/AsN5gxHOaCGZUZ0sDnx/QKAhOKSF20b7MVU8pIPpBtM/C/JASprKSo +QN2YywpdSioqLf6wcTxxsn0bRu4QlNter8fpe38ai76V2n7GSxxZ0bJrVjzaw18b +uEkuA+ZWaRE6bkokhUSkTTfQImlOKcH18TXUtivPcjFqichlNacys+ErunG0Z97V +A5wpJW343ERkqNOwYvrmfNK3DYUQ/KcAuEq/pu5SxpSCbZdfh9gwSkXZv5zVKjpL +QbAAOyTOhx0vTmc+9fBtNRfUkiepJHYOlt1SiyljYOrhdp28WBzPgvrFoeOcGXeM +WSuPl143uqYvamOWXXIY5fOy4gUGoJLxlCnScLQ8i3JbqAud8z0= +=YiFX -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index a7c025fba987..d0b2412ba016 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-201810-05.xml b/metadata/glsa/glsa-201810-05.xml new file mode 100644 index 000000000000..d88bef878a13 --- /dev/null +++ b/metadata/glsa/glsa-201810-05.xml @@ -0,0 +1,61 @@ + + + + xkbcommon: Multiple vulnerabilities + Multiple vulnerabilities have been found in xkbcommon, the worst of + which may lead to a Denial of Service condition. + + libxkbcommon + 2018-10-30 + 2018-10-30 + 665702 + local + + + 0.8.2 + 0.8.2 + + + +

xkbcommon is a library to handle keyboard descriptions, including + loading them from disk, parsing them and handling their state. +

+
+ +

Multiple vulnerabilities have been discovered in libxkbcommon. Please + review the CVE identifiers referenced below for details. +

+
+ +

A local attacker could supply a specially crafted keymap file possibly + resulting in a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All libxkbcommon users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/libxkbcommon-0.8.2" + + +
+ + CVE-2018-15853 + CVE-2018-15854 + CVE-2018-15855 + CVE-2018-15856 + CVE-2018-15857 + CVE-2018-15858 + CVE-2018-15859 + CVE-2018-15861 + CVE-2018-15862 + CVE-2018-15863 + CVE-2018-15864 + + whissi + whissi +
diff --git a/metadata/glsa/glsa-201810-06.xml b/metadata/glsa/glsa-201810-06.xml new file mode 100644 index 000000000000..9481d47a7e3d --- /dev/null +++ b/metadata/glsa/glsa-201810-06.xml @@ -0,0 +1,83 @@ + + + + Xen: Multiple vulnerabilities + Multiple vulnerabilities have been found in Xen, the worst of which + could cause a Denial of Service condition. + + xen + 2018-10-30 + 2018-10-30 + 643350 + 655188 + 655544 + 659442 + local + + + 4.10.1-r2 + 4.10.1-r2 + + + 4.10.1-r2 + 4.10.1-r2 + + + +

Xen is a bare-metal hypervisor.

+ +
+ +

Multiple vulnerabilities have been discovered in Xen. Please review the + referenced CVE identifiers for details. +

+
+ +

A local attacker could cause a Denial of Service condition or disclose + sensitive information. +

+
+ +

There is no known workaround at this time.

+
+ +

All Xen users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.10.1-r2" + + +

All Xen tools users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/xen-tools-4.10.1-r2" + + +
+ + CVE-2017-5715 + CVE-2017-5753 + CVE-2017-5754 + CVE-2018-10471 + CVE-2018-10472 + CVE-2018-10981 + CVE-2018-10982 + CVE-2018-12891 + CVE-2018-12892 + CVE-2018-12893 + CVE-2018-15468 + CVE-2018-15469 + CVE-2018-15470 + CVE-2018-3620 + CVE-2018-3646 + CVE-2018-5244 + CVE-2018-7540 + CVE-2018-7541 + CVE-2018-7542 + + whissi + irishluck83 +
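Review bot: The resolution section only tells users to upgrade `app-emulation/xen` and `app-emulation/xen-tools`, yet the reference list includes CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2018-3620 and CVE-2018-3646, which are CPU speculative-execution issues. For that class of flaw a hypervisor upgrade is usually only part of the fix, since some mitigations also depend on current CPU microcode and on guest kernels carrying their own mitigations. A sentence in the resolution such as `Some of the referenced issues additionally require up-to-date CPU microcode and patched guest kernels.` would keep readers from assuming the emerge alone closes them. The advisory text does not say which mitigations 4.10.1-r2 enables by default, so that part should be confirmed against the Xen release notes before wording it more strongly.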
diff --git a/metadata/glsa/glsa-201810-07.xml b/metadata/glsa/glsa-201810-07.xml new file mode 100644 index 000000000000..a261c2f224d1 --- /dev/null +++ b/metadata/glsa/glsa-201810-07.xml @@ -0,0 +1,77 @@ + + + + Mutt, NeoMutt: Multiple vulnerabilities + Multiple vulnerabilities have been found in Mutt and NeoMutt, the + worst of which allows for arbitrary code execution. + + mutt, neomutt + 2018-10-30 + 2018-10-30 + 661436 + remote + + + 1.10.1 + 1.10.1 + + + 20180716 + 20180716 + + + +

Mutt is a small but very powerful text-based mail client.

+ +

NeoMutt is a command line mail reader (or MUA). It’s a fork of Mutt + with added features. +

+
+ +

Multiple vulnerabilities have been discovered in Mutt, and NeoMutt. + Please review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to open a specially crafted mail + message or connect to malicious mail server using Mutt or NeoMutt, + possibly resulting in execution of arbitrary code or directory traversal + with the privileges of the process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Mutt users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-client/mutt-1.10.1" + + +

All NeoMuutt users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/neomutt-20180716" + + +
+ + CVE-2018-14349 + CVE-2018-14350 + CVE-2018-14351 + CVE-2018-14352 + CVE-2018-14353 + CVE-2018-14354 + CVE-2018-14355 + CVE-2018-14356 + CVE-2018-14357 + CVE-2018-14358 + CVE-2018-14359 + CVE-2018-14362 + + whissi + irishluck83 +
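Review bot: The Mutt upgrade command in the resolution section uses the atom `>=net-client/mutt-1.10.1`, while the NeoMutt command just below it uses `mail-client/neomutt`. As far as I know Mutt sits in the same `mail-client` category in the Gentoo tree, so the command as printed would not resolve and a user following the advisory would stay on a vulnerable Mutt. It should read `# emerge --ask --oneshot --verbose ">=mail-client/mutt-1.10.1"`. The sentence introducing the second command also misspells the product as "NeoMuutt". The markup of the affected-package entries is not visible on this page, so it is worth checking that the package names there use `mail-client/` too. Because the file arrives through a tree resync, the correction belongs upstream.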
diff --git a/metadata/glsa/glsa-201810-08.xml b/metadata/glsa/glsa-201810-08.xml new file mode 100644 index 000000000000..bcb0c46bb2bd --- /dev/null +++ b/metadata/glsa/glsa-201810-08.xml @@ -0,0 +1,98 @@ + + + + PostgreSQL: Multiple vulnerabilities + Multiple vulnerabilities have been found in PostgreSQL, the worst + which could lead to privilege escalation. + + postgresql + 2018-10-30 + 2018-10-30 + 603716 + 603720 + 664332 + local, remote + + + 9.3.24 + 9.4.19 + 9.5.14 + 9.6.10 + 10.5 + 10.5 + + + +

PostgreSQL is an open source object-relational database management + system. +

+
+ +

Multiple vulnerabilities have been discovered in PostgreSQL. Please + review the referenced CVE identifiers for details. +

+ +

In addition it was discovered that Gentoo’s PostgreSQL installation + suffered from a privilege escalation vulnerability due to a runscript + which called OpenRC’s checkpath() on a user controlled path and allowed + user running PostgreSQL to kill arbitrary processes via PID file + manipulation. +

+
+ +

A remote attacker could bypass certain client-side connection security + features, read arbitrary server memory or alter certain data. +

+ +

In addition, a local attacker could gain privileges or cause a Denial of + Service condition by killing arbitrary processes. +

+
+ +

There is no known workaround at this time.

+
+ +

All PostgreSQL users up to 9.3 should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.24:9.3" + + +

All PostgreSQL 9.4 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.19:9.4" + + +

All PostgreSQL 9.5 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.14:9.5" + + +

All PostgreSQL 9.6 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.10:9.6" + + +

All PostgreSQL 10 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.5:10" + + +
+ + CVE-2018-10915 + CVE-2018-10925 + CVE-2018-1115 + + irishluck83 + irishluck83 +
diff --git a/metadata/glsa/glsa-201810-09.xml b/metadata/glsa/glsa-201810-09.xml new file mode 100644 index 000000000000..8931f25127fc --- /dev/null +++ b/metadata/glsa/glsa-201810-09.xml @@ -0,0 +1,53 @@ + + + + X.Org X Server: Privilege escalation + A vulnerability in X.Org X Server allows local users to escalate + privileges. + + xorg x server + 2018-10-30 + 2018-10-30 + 669588 + local + + + 1.20.3 + 1.20.3 + + + +

The X Window System is a graphical windowing system based on a + client/server model. +

+
+ +

An incorrect permission check for -modulepath and -logfile options when + starting Xorg. X server allows unprivileged users with the ability to log + in to the system via physical console to escalate their privileges and + run arbitrary code under root privileges. +

+
+ +

A local attacker can escalate privileges to root by passing crafted + parameters to the X.org X server. +

+
+ +

There is no known workaround at this time.

+
+ +

All X.Org X Server users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.20.3" + + +
+ + CVE-2018-14665 + + whissi + whissi +
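Review bot: The workaround section states that none is known, although the description ties the flaw to unprivileged users starting a privileged Xorg with `-modulepath` or `-logfile`. As I recall it, the upstream X.Org advisory for CVE-2018-14665 recommended removing the setuid bit from the installed Xorg binary where a patched server cannot be installed straight away. The workaround text could say so, for example `Until xorg-server 1.20.3 or later is installed, remove the setuid bit from the Xorg binary.`, with the caveat that setups relying on a setuid X server may stop starting. Whether the Gentoo package installs Xorg setuid depends on build options not shown here, so the wording should be checked against the ebuild.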
diff --git a/metadata/glsa/glsa-201810-10.xml b/metadata/glsa/glsa-201810-10.xml new file mode 100644 index 000000000000..017ec0c1e539 --- /dev/null +++ b/metadata/glsa/glsa-201810-10.xml @@ -0,0 +1,52 @@ + + + + systemd: Multiple vulnerabilities + Multiple vulnerabilities have been found in systemd, the worst of + which may allow execution of arbitrary code. + + systemd + 2018-10-30 + 2018-10-30 + 669664 + 669716 + local, remote + + + 239-r2 + 239-r2 + + + +

A system and service manager.

+
+ +

Multiple vulnerabilities have been discovered in systemd. Please review + the CVE identifiers referenced below for details. +

+
+ +

An attacker could possibly execute arbitrary code, cause a Denial of + Service condition, or gain escalated privileges. +

+
+ +

There is no known workaround at this time.

+
+ +

All systemd users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/systemd-239-r2" + + +
+ + CVE-2018-15686 + CVE-2018-15687 + CVE-2018-15688 + + whissi + whissi +
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 77cae2d1b813..00851f29a882 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Sat, 27 Oct 2018 11:08:37 +0000
+Sat, 03 Nov 2018 07:38:35 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index 99c3f6f2fa78..41fb03066c8c 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-5788e60d7bd138f44ae3b948a0da0c8ddfc7359a 1539817877 2018-10-17T23:11:17+00:00
+3fe134c9c609fe0fa952396df0dd91b901ef64de 1540938926 2018-10-30T22:35:26+00:00
-- cgit v1.2.3