| author | Liguros - Gitlab CI/CD [master] <gitlab@liguros.net> | 2021-01-27 18:53:03 +0000 |
|---|---|---|
| committer | Liguros - Gitlab CI/CD [master] <gitlab@liguros.net> | 2021-01-27 18:53:03 +0000 |
| commit | 3482ddf943eff7b8848f1fb31350b99ce349e86a (patch) | |
| tree | 9c9bb6ec6679e9dc44a84d87ba611989409b12ca /metadata | |
| parent | 8e8120eabdd28020aa69c7a60505cce2edd20adc (diff) | |
| download | baldeagleos-repo-21.1.3.tar.gz baldeagleos-repo-21.1.3.tar.xz baldeagleos-repo-21.1.3.zip | |
Updating liguros repo v21.1.3
Diffstat (limited to 'metadata')
25 files changed, 1537 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202101-11.xml b/metadata/glsa/glsa-202101-11.xml
new file mode 100644
index 000000000000..317df24d34d7
--- /dev/null
+++ b/metadata/glsa/glsa-202101-11.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-11">
+ <title>Zabbix: Root privilege escalation</title>
+ <synopsis>Multiple vulnerabilities were discovered in Gentoo's ebuild for
+ Zabbix which could lead to root privilege escalation.
+ </synopsis>
+ <product type="ebuild">zabbix</product>
+ <announced>2021-01-21</announced>
+ <revised count="1">2021-01-21</revised>
+ <bug>629882</bug>
+ <bug>629884</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-analyzer/zabbix" auto="yes" arch="*">
+ <unaffected range="ge" slot="0/3.0">3.0.30</unaffected>
+ <unaffected range="ge" slot="0/4.0">4.0.18</unaffected>
+ <vulnerable range="lt">4.4.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Zabbix is software for monitoring applications, networks, and servers.</p>
+ </background>
+ <description>
+ <p>It was discovered that Gentoo’s Zabbix ebuild did not properly set
+ permissions or placed the pid file in an unsafe directory.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker could escalate privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Zabbix 3.0.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=net-analyzer/zabbix-3.0.30:0/3.0"
+ </code>
+
+ <p>All Zabbix 4.0.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=net-analyzer/zabbix-4.0.18:0/4.0"
+ </code>
+
+ <p>All other Zabbix users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/zabbix-4.4.6"
+ </code>
+ </resolution>
+ <references>
+ </references>
+ <metadata tag="requester" timestamp="2020-04-16T06:25:12Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2021-01-21T19:18:35Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-12.xml b/metadata/glsa/glsa-202101-12.xml
new file mode 100644
index 000000000000..10de65bdd4a6
--- /dev/null
+++ b/metadata/glsa/glsa-202101-12.xml
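Review bot: `<references>` in glsa-202101-11.xml is empty, so this advisory carries no CVE or advisory URI at all — only the two `<bug>` numbers above it — and any consumer that correlates GLSAs with a vulnerability feed by `<uri>` entries will see no identifiers for it; worth checking against the upstream copy whether that is intentional before syncing it as-is. Separately, every file in this commit opens with `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, an external DTD reference over plain http; tooling in this repository that parses these files should resolve that DTD from a local copy or parse with external DTD and entity loading disabled rather than fetching it at parse time. The same applies to the glsa-202101-12 through glsa-202101-24 hunks below.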
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-12">
+ <title>Wireshark: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Wireshark, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">wireshark</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>759541</bug>
+ <bug>760800</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-analyzer/wireshark" auto="yes" arch="*">
+ <unaffected range="ge">3.4.2</unaffected>
+ <vulnerable range="lt">3.4.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Wireshark is a network protocol analyzer formerly known as ethereal.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Wireshark. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Wireshark users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-3.4.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26418">CVE-2020-26418</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26419">CVE-2020-26419</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26420">CVE-2020-26420</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26421">CVE-2020-26421</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26422">CVE-2020-26422</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-22T00:09:25Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T16:10:45Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-13.xml b/metadata/glsa/glsa-202101-13.xml
new file mode 100644
index 000000000000..e5c9507b0d3a
--- /dev/null
+++ b/metadata/glsa/glsa-202101-13.xml
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-13">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">google-chrome,chromium</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>766207</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">88.0.4324.96</unaffected>
+ <vulnerable range="lt">88.0.4324.96</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">88.0.4324.96</unaffected>
+ <vulnerable range="lt">88.0.4324.96</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/chromium-88.0.4324.96"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-client/google-chrome-88.0.4324.96"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16044">CVE-2020-16044</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21117">CVE-2021-21117</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21118">CVE-2021-21118</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21119">CVE-2021-21119</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21120">CVE-2021-21120</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21121">CVE-2021-21121</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21122">CVE-2021-21122</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21123">CVE-2021-21123</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21124">CVE-2021-21124</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21125">CVE-2021-21125</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21126">CVE-2021-21126</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21127">CVE-2021-21127</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21128">CVE-2021-21128</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21129">CVE-2021-21129</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21130">CVE-2021-21130</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21131">CVE-2021-21131</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21132">CVE-2021-21132</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21133">CVE-2021-21133</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21134">CVE-2021-21134</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21135">CVE-2021-21135</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21136">CVE-2021-21136</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21137">CVE-2021-21137</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21138">CVE-2021-21138</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21139">CVE-2021-21139</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21140">CVE-2021-21140</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21141">CVE-2021-21141</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-22T00:15:06Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T16:11:56Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-14.xml b/metadata/glsa/glsa-202101-14.xml
new file mode 100644
index 000000000000..f8ce93e509b1
--- /dev/null
+++ b/metadata/glsa/glsa-202101-14.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-14">
+ <title>Mozilla Thunderbird: Remote code execution</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird,
+ the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">thunderbird</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>765088</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">78.6.1</unaffected>
+ <vulnerable range="lt">78.6.1</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">78.6.1</unaffected>
+ <vulnerable range="lt">78.6.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the
+ Mozilla project.
+ </p>
+ </background>
+ <description>
+ <p>A use-after-free bug was discovered in Mozilla Thunderbird handling of
+ SCTP.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-78.6.1"
+ </code>
+
+ <p>All Mozilla Thunderbird binary users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=mail-client/thunderbird-bin-78.6.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16044">CVE-2020-16044</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2021-02/">
+ MFSA-2021-02
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-22T00:15:52Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T16:13:18Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-15.xml b/metadata/glsa/glsa-202101-15.xml
new file mode 100644
index 000000000000..3762d3444f79
--- /dev/null
+++ b/metadata/glsa/glsa-202101-15.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-15">
+ <title>VirtualBox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in VirtualBox, the worst
+ of which could result in privilege escalation.
+ </synopsis>
+ <product type="ebuild">virtualbox</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>750782</bug>
+ <bug>766348</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-emulation/virtualbox" auto="yes" arch="*">
+ <unaffected range="ge">6.1.18</unaffected>
+ <vulnerable range="lt">6.1.18</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>VirtualBox is a powerful virtualization product from Oracle.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in VirtualBox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All VirtualBox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.18"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14872">CVE-2020-14872</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14881">CVE-2020-14881</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14884">CVE-2020-14884</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14885">CVE-2020-14885</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14886">CVE-2020-14886</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14889">CVE-2020-14889</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14892">CVE-2020-14892</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2073">CVE-2021-2073</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2074">CVE-2021-2074</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2086">CVE-2021-2086</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2111">CVE-2021-2111</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2112">CVE-2021-2112</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2119">CVE-2021-2119</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2120">CVE-2021-2120</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2121">CVE-2021-2121</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2123">CVE-2021-2123</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2124">CVE-2021-2124</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2125">CVE-2021-2125</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2126">CVE-2021-2126</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2127">CVE-2021-2127</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2128">CVE-2021-2128</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2129">CVE-2021-2129</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2130">CVE-2021-2130</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2131">CVE-2021-2131</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-18T03:00:34Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T16:14:33Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-16.xml b/metadata/glsa/glsa-202101-16.xml
new file mode 100644
index 000000000000..2f7ed9ee6712
--- /dev/null
+++ b/metadata/glsa/glsa-202101-16.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-16">
+ <title>KDE Connect: Denial of service</title>
+ <synopsis>A vulnerability in KDE Connect could lead to a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">kde-connect</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>746401</bug>
+ <access>remote</access>
+ <affected>
+ <package name="kde-misc/kdeconnect" auto="yes" arch="*">
+ <unaffected range="ge">20.04.3-r1</unaffected>
+ <vulnerable range="lt">20.04.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>KDE Connect is a project that enables all your devices to communicate
+ with each other.
+ </p>
+ </background>
+ <description>
+ <p>Multiple issues causing excessive resource consumption were found in KDE
+ Connect.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a possible Denial of Service condition.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All KDE Connect users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=kde-misc/kdeconnect-20.04.3-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26164">CVE-2020-26164</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-22T00:28:04Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T16:16:11Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-17.xml b/metadata/glsa/glsa-202101-17.xml
new file mode 100644
index 000000000000..9fd515383c4c
--- /dev/null
+++ b/metadata/glsa/glsa-202101-17.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-17">
+ <title>Dnsmasq: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Dnsmasq, the worst of
+ which may allow remote attackers to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">dnsmasq</product>
+ <announced>2021-01-22</announced>
+ <revised count="1">2021-01-22</revised>
+ <bug>766126</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="net-dns/dnsmasq" auto="yes" arch="*">
+ <unaffected range="ge">2.83</unaffected>
+ <vulnerable range="lt">2.83</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Dnsmasq is a lightweight and easily-configurable DNS forwarder and DHCP
+ server.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Dnsmasq. Please review
+ the references below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker, by sending specially crafted DNS replies, could possibly
+ execute arbitrary code with the privileges of the process, perform a
+ cache poisoning attack or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Dnsmasq users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.83"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25681">CVE-2020-25681</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25682">CVE-2020-25682</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25683">CVE-2020-25683</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25684">CVE-2020-25684</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25685">CVE-2020-25685</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25686">CVE-2020-25686</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25687">CVE-2020-25687</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-21T20:58:48Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-01-22T17:55:39Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-18.xml b/metadata/glsa/glsa-202101-18.xml
new file mode 100644
index 000000000000..03d6e27b19ce
--- /dev/null
+++ b/metadata/glsa/glsa-202101-18.xml
@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-18">
+ <title>Python: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Python, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">python</product>
+ <announced>2021-01-24</announced>
+ <revised count="1">2021-01-24</revised>
+ <bug>749339</bug>
+ <bug>759928</bug>
+ <bug>766189</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/python" auto="yes" arch="*">
+ <unaffected range="ge" slot="2.7">2.7.18-r6</unaffected>
+ <unaffected range="ge" slot="3.6">3.6.12-r2</unaffected>
+ <unaffected range="ge" slot="3.7">3.7.9-r2</unaffected>
+ <unaffected range="ge" slot="3.8">3.8.7-r1</unaffected>
+ <unaffected range="ge" slot="3.9">3.9.1-r1</unaffected>
+ <vulnerable range="lt" slot="2.7">2.7.18-r6</vulnerable>
+ <vulnerable range="lt" slot="3.6">3.6.12-r2</vulnerable>
+ <vulnerable range="lt" slot="3.7">3.7.9-r2</vulnerable>
+ <vulnerable range="lt" slot="3.8">3.8.7-r1</vulnerable>
+ <vulnerable range="lt" slot="3.9">3.9.1-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Python is an interpreted, interactive, object-oriented programming
+ language.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Python. Please review
+ the bugs referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Python 2.7 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.18-r5"
+ </code>
+
+ <p>All Python 3.6 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.6.12-r1"
+ </code>
+
+ <p>All Python 3.7 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.7.9-r1"
+ </code>
+
+ <p>All Python 3.8 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.8.6-r1"
+ </code>
+
+ <p>All Python 3.9 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.9.0-r1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26116">CVE-2020-26116</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3177">CVE-2021-3177</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-04T03:36:56Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-24T23:58:22Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-19.xml b/metadata/glsa/glsa-202101-19.xml
new file mode 100644
index 000000000000..866c37dcdf8a
--- /dev/null
+++ b/metadata/glsa/glsa-202101-19.xml
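Review bot: The five `emerge` atoms in `<resolution>` of glsa-202101-18.xml each name a version below the matching `<unaffected>` entry in `<affected>` — `2.7.18-r5` vs `2.7.18-r6`, `3.6.12-r1` vs `3.6.12-r2`, `3.7.9-r1` vs `3.7.9-r2`, `3.8.6-r1` vs `3.8.7-r1`, `3.9.0-r1` vs `3.9.1-r1` — so a user who follows the printed commands can end up on a version the same file still lists under `<vulnerable>`. `<affected>` is the machine-readable part of the advisory and is presumably authoritative, so the atoms should be raised to match it. If this file is a verbatim mirror of the upstream GLSA, the correction belongs upstream and this is a reminder to re-sync once it lands.
```xml
<!-- … unchanged: header, <affected>, <background>, <description>, <impact>, <workaround> … -->
 # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.18-r6"
<!-- … unchanged: enclosing <code>/<p> for 3.6 … -->
 # emerge --ask --oneshot --verbose ">=dev-lang/python-3.6.12-r2"
<!-- … unchanged: enclosing <code>/<p> for 3.7 … -->
 # emerge --ask --oneshot --verbose ">=dev-lang/python-3.7.9-r2"
<!-- … unchanged: enclosing <code>/<p> for 3.8 … -->
 # emerge --ask --oneshot --verbose ">=dev-lang/python-3.8.7-r1"
<!-- … unchanged: enclosing <code>/<p> for 3.9 … -->
 # emerge --ask --oneshot --verbose ">=dev-lang/python-3.9.1-r1"
<!-- … unchanged: <references>, <metadata> … -->
```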
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-19">
+ <title>OpenJDK: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in OpenJDK, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">openjdk</product>
+ <announced>2021-01-25</announced>
+ <revised count="1">2021-01-25</revised>
+ <bug>705992</bug>
+ <bug>750833</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/openjdk" auto="yes" arch="*">
+ <unaffected range="ge">8.272_p10</unaffected>
+ <vulnerable range="lt">8.272_p10</vulnerable>
+ </package>
+ <package name="dev-java/openjdk-bin" auto="yes" arch="*">
+ <unaffected range="ge">8.272_p10</unaffected>
+ <vulnerable range="lt">8.272_p10</vulnerable>
+ </package>
+ <package name="dev-java/openjdk-jre-bin" auto="yes" arch="*">
+ <unaffected range="ge">8.272_p10</unaffected>
+ <vulnerable range="lt">8.272_p10</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenJDK is a free and open-source implementation of the Java Platform,
+ Standard Edition.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in OpenJDK. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenJDK users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/openjdk-8.272_p10"
+ </code>
+
+ <p>All OpenJDK (binary) users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-8.272_p10"
+ </code>
+
+ <p>All OpenJDK JRE (binary) users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=dev-java/openjdk-jre-bin-8.272_p10"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14779">CVE-2020-14779</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14781">CVE-2020-14781</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14782">CVE-2020-14782</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14792">CVE-2020-14792</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14796">CVE-2020-14796</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14797">CVE-2020-14797</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14798">CVE-2020-14798</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14803">CVE-2020-14803</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2583">CVE-2020-2583</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2590">CVE-2020-2590</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2593">CVE-2020-2593</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2601">CVE-2020-2601</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2604">CVE-2020-2604</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2654">CVE-2020-2654</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2659">CVE-2020-2659</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-01T10:46:07Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-25T00:02:23Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-20.xml b/metadata/glsa/glsa-202101-20.xml
new file mode 100644
index 000000000000..c4fc0f6dd37c
--- /dev/null
+++ b/metadata/glsa/glsa-202101-20.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-20">
+ <title>glibc: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in glibc, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">glibc</product>
+ <announced>2021-01-25</announced>
+ <revised count="1">2021-01-25</revised>
+ <bug>611344</bug>
+ <bug>717058</bug>
+ <bug>720730</bug>
+ <bug>758359</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="sys-libs/glibc" auto="yes" arch="*">
+ <unaffected range="ge">2.32-r5</unaffected>
+ <vulnerable range="lt">2.32-r5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>glibc is a package that contains the GNU C library.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in glibc. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All glibc users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.32-r5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-10228">CVE-2016-10228</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1752">CVE-2020-1752</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-29562">CVE-2020-29562</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-29573">CVE-2020-29573</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6096">CVE-2020-6096</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-12-27T17:59:30Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-25T00:05:08Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-21.xml b/metadata/glsa/glsa-202101-21.xml
new file mode 100644
index 000000000000..38c63fc9f4d1
--- /dev/null
+++ b/metadata/glsa/glsa-202101-21.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-21">
+ <title>Flatpak: Sandbox escape</title>
+ <synopsis>A vulnerability was discovered in Flatpak which could allow a
+ remote attacker to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">flatpak</product>
+ <announced>2021-01-25</announced>
+ <revised count="1">2021-01-25</revised>
+ <bug>765457</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/flatpak" auto="yes" arch="*">
+ <unaffected range="ge">1.10.0</unaffected>
+ <vulnerable range="lt">1.10.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Flatpak is a Linux application sandboxing and distribution framework.</p>
+ </background>
+ <description>
+ <p>A bug was discovered in the flatpak-portal service that can allow
+ sandboxed applications to execute arbitrary code on the host system (a
+ sandbox escape).
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted
+ Flatpak app possibly resulting in execution of arbitrary code with the
+ privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>As a workaround, this vulnerability can be mitigated by preventing the
+ flatpak-portal service from starting, but that mitigation will prevent
+ many Flatpak apps from working correctly. It is highly recommended to
+ upgrade.
+ </p>
+ </workaround>
+ <resolution>
+ <p>All Flatpak users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.10.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21261">CVE-2021-21261</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-22T00:26:55Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-25T00:07:24Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-22.xml b/metadata/glsa/glsa-202101-22.xml
new file mode 100644
index 000000000000..36a94ff168ac
--- /dev/null
+++ b/metadata/glsa/glsa-202101-22.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-22">
+ <title>libvirt: Unintended access to /dev/mapper/control</title>
+ <synopsis>A vulnerability in libvirt may allow root privilege escalation.</synopsis>
+ <product type="ebuild">libvirt</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>739948</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-emulation/libvirt" auto="yes" arch="*">
+ <unaffected range="ge">6.7.0</unaffected>
+ <vulnerable range="lt">6.7.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libvirt is a C toolkit for manipulating virtual machines.</p>
+ </background>
+ <description>
+ <p>A file descriptor for /dev/mapper/control was insufficiently protected.</p>
+ </description>
+ <impact type="high">
+ <p>A local attacker may be able to escalate to root privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libvirt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/libvirt-6.7.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14339">CVE-2020-14339</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-10-05T23:25:12Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T00:10:19Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-23.xml b/metadata/glsa/glsa-202101-23.xml
new file mode 100644
index 000000000000..d3ba7f305498
--- /dev/null
+++ b/metadata/glsa/glsa-202101-23.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-23">
+ <title>PEAR Archive_Tar: Directory traversal</title>
+ <synopsis>Multiple vulnerabilities have been found in PEAR Archive_Tar, the
+ worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">PEAR-Archive_Tar</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>755653</bug>
+ <bug>766036</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-php/PEAR-Archive_Tar" auto="yes" arch="*">
+ <unaffected range="ge">1.4.12</unaffected>
+ <vulnerable range="lt">1.4.12</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>This class provides handling of tar files in PHP.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PEAR Archive_Tar.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PEAR-Archive_Tar users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Archive_Tar-1.4.12"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28948">CVE-2020-28948</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28949">CVE-2020-28949</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36193">CVE-2020-36193</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-25T23:43:27Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T00:10:53Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-24.xml b/metadata/glsa/glsa-202101-24.xml
new file mode 100644
index 000000000000..3e9fb3f77765
--- /dev/null
+++ b/metadata/glsa/glsa-202101-24.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-24">
+ <title>cfitsio: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in cfitsio, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">cfitsio</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>673944</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sci-libs/cfitsio" auto="yes" arch="*">
+ <unaffected range="ge">3.490</unaffected>
+ <vulnerable range="lt">3.490</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A C and Fortran library for manipulating FITS files.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in cfitsio. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All cfitsio users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sci-libs/cfitsio-3.490"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3846">CVE-2018-3846</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3847">CVE-2018-3847</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3848">CVE-2018-3848</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3849">CVE-2018-3849</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-25T23:40:35Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T00:12:33Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-25.xml b/metadata/glsa/glsa-202101-25.xml
new file mode 100644
index 000000000000..6914662437b5
--- /dev/null
+++ b/metadata/glsa/glsa-202101-25.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-25">
+ <title>Mutt: Denial of service</title>
+ <synopsis>A vulnerability in Mutt could lead to a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">mutt</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>765790</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/mutt" auto="yes" arch="*">
+ <unaffected range="ge">2.0.4-r1</unaffected>
+ <vulnerable range="lt">2.0.4-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mutt is a small but very powerful text-based mail client.</p>
+ </background>
+ <description>
+ <p>A memory leak could occur when a crafted email message is received.</p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could cause a possible Denial of Service condition.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mutt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/mutt-2.0.4-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3181">CVE-2021-3181</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-25T23:33:22Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T00:13:00Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-26.xml b/metadata/glsa/glsa-202101-26.xml
new file mode 100644
index 000000000000..64fbf2c1b631
--- /dev/null
+++ b/metadata/glsa/glsa-202101-26.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-26">
+ <title>f2fs-tools: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in f2fs-tools, the worst
+ of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">f2fs-tools</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>749318</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-fs/f2fs-tools" auto="yes" arch="*">
+ <unaffected range="ge">1.14.0</unaffected>
+ <vulnerable range="lt">1.14.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Tools for Flash-Friendly File System (F2FS).</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in f2fs-tools. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All f2fs-tools users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-fs/f2fs-tools-1.14.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6104">CVE-2020-6104</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6105">CVE-2020-6105</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6106">CVE-2020-6106</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6107">CVE-2020-6107</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6108">CVE-2020-6108</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-01T10:45:37Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T00:13:26Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-27.xml b/metadata/glsa/glsa-202101-27.xml
new file mode 100644
index 000000000000..776a91822460
--- /dev/null
+++ b/metadata/glsa/glsa-202101-27.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-27">
+ <title>FreeRADIUS: Root privilege escalation</title>
+ <synopsis>Multiple vulnerabilities were discovered in Gentoo's systemd unit
+ for FreeRADIUS which could lead to root privilege escalation.
+ </synopsis>
+ <product type="ebuild">freeradius</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>630910</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-dialup/freeradius" auto="yes" arch="*">
+ <unaffected range="ge">3.0.20-r1</unaffected>
+ <vulnerable range="lt">3.0.20-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>FreeRADIUS is a modular, high performance free RADIUS suite.</p>
+ </background>
+ <description>
+ <p>It was discovered that Gentoo’s FreeRADIUS systemd unit set
+ permissions on an unsafe directory on start.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker could escalate privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All FreeRADIUS users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dialup/freeradius-3.0.20-r1"
+ </code>
+ </resolution>
+ <references>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-25T21:55:08Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T00:13:46Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-28.xml b/metadata/glsa/glsa-202101-28.xml
new file mode 100644
index 000000000000..8ba014862bfd
--- /dev/null
+++ b/metadata/glsa/glsa-202101-28.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-28">
+ <title>ncurses: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in ncurses, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">ncurses</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>698210</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-apps/ncurses" auto="yes" arch="*">
+ <unaffected range="ge">6.2</unaffected>
+ <vulnerable range="lt">6.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A console display library.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in ncurses. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ncurses users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/ncurses-6.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17594">CVE-2019-17594</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17595">CVE-2019-17595</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-25T17:12:09Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T00:14:57Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-29.xml b/metadata/glsa/glsa-202101-29.xml
new file mode 100644
index 000000000000..5f2c0b02b104
--- /dev/null
+++ b/metadata/glsa/glsa-202101-29.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-29">
+ <title>OpenJPEG: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in OpenJPEG, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">openjpeg</product>
+ <announced>2021-01-26</announced>
+ <revised count="2">2021-01-26</revised>
+ <bug>711260</bug>
+ <bug>718918</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/openjpeg" auto="yes" arch="*">
+ <unaffected range="ge" slot="2">2.4.0</unaffected>
+ <vulnerable range="lt" slot="2">2.4.0</vulnerable>
+ <vulnerable range="lt" slot="1">1.5.2-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenJPEG is an open-source JPEG 2000 library.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in OpenJPEG. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenJPEG 2 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/openjpeg-2.4.0:2"
+ </code>
+
+ <p>Gentoo has discontinued support OpenJPEG 1.x and any dependent packages
+ should now be using OpenJPEG 2 or have dropped support for the library.
+ We recommend that users unmerge OpenJPEG 1.x:
+ </p>
+
+ <code>
+ # emerge --unmerge "media-libs/openjpeg:1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-21010">CVE-2018-21010</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12973">CVE-2019-12973</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15389">CVE-2020-15389</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27814">CVE-2020-27814</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27841">CVE-2020-27841</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27842">CVE-2020-27842</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27843">CVE-2020-27843</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27844">CVE-2020-27844</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27845">CVE-2020-27845</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-25T20:17:39Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T02:54:20Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-30.xml b/metadata/glsa/glsa-202101-30.xml
new file mode 100644
index 000000000000..0c4e07eeaaa7
--- /dev/null
+++ b/metadata/glsa/glsa-202101-30.xml
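Review bot: The second resolution paragraph of glsa-202101-29 reads `Gentoo has discontinued support OpenJPEG 1.x and any dependent packages`, which is missing a word; it should read `Gentoo has discontinued support for OpenJPEG 1.x and any dependent packages`. The paragraph is the only user-facing guidance for the slot-1 `<vulnerable>` entry that has no `<unaffected>` counterpart, so it is worth reading cleanly. Since this tree appears to be synced from the upstream Gentoo GLSA repository, the wording fix presumably belongs upstream rather than as a local patch.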
@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-30">
+ <title>Qt WebEngine: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Qt WebEngine, the worst
+ of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">qtwebengine</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>734600</bug>
+ <bug>754852</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-qt/qtwebengine" auto="yes" arch="*">
+ <unaffected range="ge">5.15.2</unaffected>
+ <vulnerable range="lt">5.15.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Library for rendering dynamic web content in Qt5 C++ and QML
+ applications.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Qt WebEngine. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Qt WebEngine users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15959">CVE-2020-15959</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15959">CVE-2020-15959</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15960">CVE-2020-15960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15960">CVE-2020-15960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15961">CVE-2020-15961</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15961">CVE-2020-15961</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2020-15962">CVE-2020-15962</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15962">CVE-2020-15962</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15963">CVE-2020-15963</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15963">CVE-2020-15963</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15964">CVE-2020-15964</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15964">CVE-2020-15964</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15965">CVE-2020-15965</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15965">CVE-2020-15965</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15966">CVE-2020-15966</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15966">CVE-2020-15966</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15968">CVE-2020-15968</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15968">CVE-2020-15968</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15969">CVE-2020-15969</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15969">CVE-2020-15969</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15972">CVE-2020-15972</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15972">CVE-2020-15972</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15974">CVE-2020-15974</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15974">CVE-2020-15974</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15976">CVE-2020-15976</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15976">CVE-2020-15976</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15977">CVE-2020-15977</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15977">CVE-2020-15977</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15978">CVE-2020-15978</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15978">CVE-2020-15978</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2020-15979">CVE-2020-15979</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15979">CVE-2020-15979</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15985">CVE-2020-15985</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15985">CVE-2020-15985</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15987">CVE-2020-15987</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15987">CVE-2020-15987</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15989">CVE-2020-15989</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15989">CVE-2020-15989</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15992">CVE-2020-15992</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15992">CVE-2020-15992</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16001">CVE-2020-16001</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16001">CVE-2020-16001</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16002">CVE-2020-16002</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16002">CVE-2020-16002</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16003">CVE-2020-16003</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16003">CVE-2020-16003</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6467">CVE-2020-6467</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6467">CVE-2020-6467</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6470">CVE-2020-6470</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6470">CVE-2020-6470</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6471">CVE-2020-6471</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6471">CVE-2020-6471</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6472">CVE-2020-6472</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6473">CVE-2020-6473</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2020-6474">CVE-2020-6474</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6475">CVE-2020-6475</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6476">CVE-2020-6476</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6480">CVE-2020-6480</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6481">CVE-2020-6481</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6482">CVE-2020-6482</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6483">CVE-2020-6483</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6486">CVE-2020-6486</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6487">CVE-2020-6487</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6489">CVE-2020-6489</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6490">CVE-2020-6490</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6506">CVE-2020-6506</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6510">CVE-2020-6510</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6511">CVE-2020-6511</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6512">CVE-2020-6512</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6513">CVE-2020-6513</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6514">CVE-2020-6514</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6518">CVE-2020-6518</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6523">CVE-2020-6523</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6524">CVE-2020-6524</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6526">CVE-2020-6526</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6529">CVE-2020-6529</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6530">CVE-2020-6530</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6531">CVE-2020-6531</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2020-6532">CVE-2020-6532</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6533">CVE-2020-6533</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6534">CVE-2020-6534</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6535">CVE-2020-6535</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6540">CVE-2020-6540</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6541">CVE-2020-6541</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6542">CVE-2020-6542</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6543">CVE-2020-6543</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6544">CVE-2020-6544</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6545">CVE-2020-6545</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6548">CVE-2020-6548</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6549">CVE-2020-6549</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6550">CVE-2020-6550</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6551">CVE-2020-6551</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6555">CVE-2020-6555</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6557">CVE-2020-6557</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6559">CVE-2020-6559</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6561">CVE-2020-6561</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6562">CVE-2020-6562</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6569">CVE-2020-6569</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6570">CVE-2020-6570</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6571">CVE-2020-6571</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6573">CVE-2020-6573</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6575">CVE-2020-6575</uri>
+ <uri
link="https://nvd.nist.gov/vuln/detail/CVE-2020-6576">CVE-2020-6576</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-25T23:03:36Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T00:15:52Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-31.xml b/metadata/glsa/glsa-202101-31.xml
new file mode 100644
index 000000000000..3d7dcd82f908
--- /dev/null
+++ b/metadata/glsa/glsa-202101-31.xml
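Review bot: The `<references>` block of glsa-202101-30 lists many identifiers twice: from CVE-2020-15959 through CVE-2020-6471 each CVE appears as two byte-identical `<uri>` entries, after which the list continues with single entries. The duplicates carry no information and skew any tooling or reader that counts distinct CVEs covered by the advisory; each pair should collapse to one `<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15959">CVE-2020-15959</uri>` line and so on. This looks like an artefact of how the reference list was generated, so the deduplication presumably belongs in the upstream Gentoo GLSA source from which this tree is synced.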
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-31">
+ <title>Cacti: Remote code execution</title>
+ <synopsis>A vulnerability in Cacti could lead to remote code execution.</synopsis>
+ <product type="ebuild">cacti</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>765019</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-analyzer/cacti" auto="yes" arch="*">
+ <unaffected range="ge">1.2.16-r1</unaffected>
+ <vulnerable range="lt">1.2.16-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Cacti is a complete frontend to rrdtool.</p>
+ </background>
+ <description>
+ <p>The side_id parameter in data_debug.php does not properly verify input
+ allowing SQL injection.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Cacti users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-1.2.16-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35701">CVE-2020-35701</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-26T00:34:29Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T23:38:21Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-32.xml b/metadata/glsa/glsa-202101-32.xml
new file mode 100644
index 000000000000..2c1a6dd3ef52
--- /dev/null
+++ b/metadata/glsa/glsa-202101-32.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-32">
+ <title>Mutt, NeoMutt: Information disclosure</title>
+ <synopsis>A weakness was discovered in Mutt and NeoMutt's TLS handshake
+ handling
+ </synopsis>
+ <product type="ebuild">NeoMutt</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>755833</bug>
+ <bug>755866</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/mutt" auto="yes" arch="*">
+ <unaffected range="ge">2.0.2</unaffected>
+ <vulnerable range="lt">2.0.2</vulnerable>
+ </package>
+ <package name="mail-client/neomutt" auto="yes" arch="*">
+ <unaffected range="ge">20201120</unaffected>
+ <vulnerable range="lt">20201120</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mutt is a small but very powerful text-based mail client.</p>
+
+ <p>NeoMutt is a command line mail reader (or MUA). It’s a fork of Mutt
+ with added features.
+ </p>
+ </background>
+ <description>
+ <p>A weakness in TLS handshake handling was found which may allow
+ information disclosure.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker may be able to cause information disclosure.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mutt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/mutt-2.0.2"
+ </code>
+
+ <p>All NeoMutt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/neomutt-20201120"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28896">CVE-2020-28896</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-26T00:28:06Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T23:39:28Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-33.xml b/metadata/glsa/glsa-202101-33.xml
new file mode 100644
index 000000000000..a53bfabd5cd9
--- /dev/null
+++ b/metadata/glsa/glsa-202101-33.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-33">
+ <title>sudo: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in sudo, the worst of
+ which could result in privilege escalation.
+ </synopsis>
+ <product type="ebuild">sudo</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>764986</bug>
+ <bug>767364</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-admin/sudo" auto="yes" arch="*">
+ <unaffected range="ge">1.9.5_p2</unaffected>
+ <vulnerable range="lt">1.9.5_p2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>sudo (su “do”) allows a system administrator to delegate authority
+ to give certain users (or groups of users) the ability to run some (or
+ all) commands as root or another user while providing an audit trail of
+ the commands and their arguments.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in sudo. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>Local users are able to gain unauthorized privileges on the system or
+ determine the existence of files.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All sudo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.5_p2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23239">CVE-2021-23239</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23240">CVE-2021-23240</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3156">CVE-2021-3156</uri>
+ <uri link="https://www.sudo.ws/alerts/sudoedit_selinux.html">Upstream
+ advisory (CVE-2020-23240)
+ </uri>
+ <uri link="https://www.sudo.ws/alerts/unescape_overflow.html">Upstream
+ advisory (CVE-2021-3156)
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-26T22:52:21Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T23:40:46Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-34.xml b/metadata/glsa/glsa-202101-34.xml
new file mode 100644
index 000000000000..bedeea759a1d
--- /dev/null
+++ b/metadata/glsa/glsa-202101-34.xml
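Review bot: The link text for the sudoedit_selinux upstream advisory in glsa-202101-33 reads `Upstream advisory (CVE-2020-23240)`, but the NVD `<uri>` three lines above it and the advisory it points to concern CVE-2021-23240; the year in the text looks like a typo and should read `Upstream advisory (CVE-2021-23240)`. Anyone cross-referencing identifiers from this file (for example when triaging the sudo 1.9.5_p2 update) would otherwise look up a non-matching CVE. Since this tree is synced from upstream Gentoo, the correction presumably belongs there rather than as a local edit.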
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-34">
+ <title>Telegram Desktop: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Telegram, the worst of
+ which could result in information disclosure.
+ </synopsis>
+ <product type="ebuild">telegram</product>
+ <announced>2021-01-27</announced>
+ <revised count="1">2021-01-27</revised>
+ <bug>736774</bug>
+ <bug>749288</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-im/telegram-desktop" auto="yes" arch="*">
+ <unaffected range="ge">2.4.4</unaffected>
+ <vulnerable range="lt">2.4.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Telegram is a messaging app with a focus on speed and security.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Telegram Desktop.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Telegram Desktop users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-im/telegram-desktop-2.4.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-17448">CVE-2020-17448</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25824">CVE-2020-25824</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-27T04:40:13Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-27T16:13:13Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-35.xml b/metadata/glsa/glsa-202101-35.xml
new file mode 100644
index 000000000000..974a6a240ef5
--- /dev/null
+++ b/metadata/glsa/glsa-202101-35.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-35">
+ <title>phpMyAdmin: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in phpMyAdmin, allowing
+ remote attackers to conduct XSS.
+ </synopsis>
+ <product type="ebuild">phpmyadmin</product>
+ <announced>2021-01-27</announced>
+ <revised count="1">2021-01-27</revised>
+ <bug>747805</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-db/phpmyadmin" auto="yes" arch="*">
+ <unaffected range="ge" slot="4.9.6">4.9.6</unaffected>
+ <vulnerable range="lt" slot="4.9.6">4.9.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>phpMyAdmin is a web-based management tool for MySQL databases.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in phpMyAdmin. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All phpMyAdmin users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-4.9.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26934">CVE-2020-26934</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26935">CVE-2020-26935</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-19T19:31:06Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-01-27T16:14:41Z">b-man</metadata>
+</glsa> |
