diff options
| author |   Repository mirror & CI <repomirrorci@gentoo.org> | 2020-09-14 00:10:07 +0000 |
|---|---|---|
| committer | Repository mirror & CI <repomirrorci@gentoo.org> | 2020-09-14 00:10:07 +0000 |
| commit | 9f8fa4eb848cb2ae8d721dcfc1bf3ad690c4c440 (patch) | |
| tree | 0fee7faa1943ee764e04d1db734f5e85e75be661 /metadata/glsa | |
| parent | Merge updates from master (diff) | |
| parent | [ GLSA 202009-12 ] ZeroMQ: Denial of service (diff) | |
| download | gentoo-9f8fa4eb848cb2ae8d721dcfc1bf3ad690c4c440.tar.gz gentoo-9f8fa4eb848cb2ae8d721dcfc1bf3ad690c4c440.tar.bz2 gentoo-9f8fa4eb848cb2ae8d721dcfc1bf3ad690c4c440.zip | |
Merge commit '7204454a89cbf14c4905c5fdedcd66553a95e8aa' into master
Diffstat (limited to 'metadata/glsa')
| -rw-r--r-- | metadata/glsa/glsa-202009-04.xml | 44 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-05.xml | 50 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-06.xml | 44 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-07.xml | 47 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-08.xml | 49 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-09.xml | 53 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-10.xml | 67 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-11.xml | 48 | ||||
| -rw-r--r-- | metadata/glsa/glsa-202009-12.xml | 51 |
9 files changed, 453 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202009-04.xml b/metadata/glsa/glsa-202009-04.xml new file mode 100644 index 000000000000..c3a3e40d2dba --- /dev/null +++ b/metadata/glsa/glsa-202009-04.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-04"> + <title>Qt GUI: Buffer overflow</title> + <synopsis>Qt GUI has a buffer overflow with unspecified impact.</synopsis> + <product type="ebuild">qtgui</product> + <announced>2020-09-13</announced> + <revised count="1">2020-09-13</revised> + <bug>736924</bug> + <access>local, remote</access> + <affected> + <package name="dev-qt/qtgui" auto="yes" arch="*"> + <unaffected range="ge">5.14.2-r1</unaffected> + <vulnerable range="lt">5.14.2-r1</vulnerable> + </package> + </affected> + <background> + <p>The GUI module and platform plugins for the Qt5 framework.</p> + </background> + <description> + <p>It was discovered that Qt GUI’s XBM parser did not properly handle X + BitMap files. + </p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Qt GUI users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtgui-5.14.2-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-17507">CVE-2020-17507</uri> + </references> + <metadata tag="requester" timestamp="2020-09-13T22:36:51Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-09-13T23:24:26Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-05.xml b/metadata/glsa/glsa-202009-05.xml new file mode 100644 index 000000000000..6ae334f3e7dd --- /dev/null +++ b/metadata/glsa/glsa-202009-05.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-05"> + <title>GStreamer RTSP Server: Denial of service</title> + <synopsis>A vulnerability in GStreamer RTSP Server could lead to a Denial of + Service condition. + </synopsis> + <product type="ebuild">gst-rtsp-server</product> + <announced>2020-09-13</announced> + <revised count="1">2020-09-13</revised> + <bug>715100</bug> + <access>local, remote</access> + <affected> + <package name="media-libs/gst-rtsp-server" auto="yes" arch="*"> + <unaffected range="ge">1.16.2</unaffected> + <vulnerable range="lt">1.16.2</vulnerable> + </package> + </affected> + <background> + <p>RTSP server library based on GStreamer.</p> + </background> + <description> + <p>It was discovered that GStreamer RTSP Server did not properly handle + authentication. + </p> + </description> + <impact type="normal"> + <p>A remote attacker, by sending specially crafted authentication requests, + could possibly cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GStreamer RTSP Server users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=media-libs/gst-rtsp-server-1.16.2" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6095">CVE-2020-6095</uri> + </references> + <metadata tag="requester" timestamp="2020-09-13T22:27:11Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-09-13T23:24:44Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-06.xml b/metadata/glsa/glsa-202009-06.xml new file mode 100644 index 000000000000..4b5a2bdb6342 --- /dev/null +++ b/metadata/glsa/glsa-202009-06.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-06"> + <title>GNOME File Roller: Directory traversal</title> + <synopsis>A vulnerability in GNOME File Roller could lead to a directory + traversal attack. + </synopsis> + <product type="ebuild">file-roller</product> + <announced>2020-09-13</announced> + <revised count="1">2020-09-13</revised> + <bug>717362</bug> + <access>local, remote</access> + <affected> + <package name="app-arch/file-roller" auto="yes" arch="*"> + <unaffected range="ge">3.36.3</unaffected> + <vulnerable range="lt">3.36.3</vulnerable> + </package> + </affected> + <background> + <p>File Roller is an archive manager for the GNOME desktop environment.</p> + </background> + <description> + <p>It was discovered that GNOME File Roller incorrectly handled symlinks.</p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GNOME File Roller users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/file-roller-3.36.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11736">CVE-2020-11736</uri> + </references> + <metadata tag="requester" timestamp="2020-09-13T22:21:19Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-09-13T23:25:31Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-07.xml b/metadata/glsa/glsa-202009-07.xml new file mode 100644 index 000000000000..7722f7890932 --- /dev/null +++ b/metadata/glsa/glsa-202009-07.xml @@ -0,0 +1,47 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-07"> + <title>Perl DBI: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in the Perl module DBI, + the worst of which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">dbi</product> + <announced>2020-09-13</announced> + <revised count="1">2020-09-13</revised> + <bug>732636</bug> + <access>local</access> + <affected> + <package name="dev-perl/DBI" auto="yes" arch="*"> + <unaffected range="ge">1.643.0</unaffected> + <vulnerable range="lt">1.643.0</vulnerable> + </package> + </affected> + <background> + <p>A database access module for the Perl programming language.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in the Perl module DBI. + Please review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Perl DBI module users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-perl/DBI-1.643.0" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14392">CVE-2020-14392</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14393">CVE-2020-14393</uri> + </references> + <metadata tag="requester" timestamp="2020-09-13T21:54:26Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-09-13T23:26:05Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-08.xml b/metadata/glsa/glsa-202009-08.xml new file mode 100644 index 000000000000..f95557751113 --- /dev/null +++ b/metadata/glsa/glsa-202009-08.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-08"> + <title>GNOME Shell: Information disclosure</title> + <synopsis>An information disclosure vulnerability in GNOME Shell might allow + local attackers to obtain sensitive information. + </synopsis> + <product type="ebuild">gnome-shell</product> + <announced>2020-09-13</announced> + <revised count="1">2020-09-13</revised> + <bug>736802</bug> + <access>local</access> + <affected> + <package name="gnome-base/gnome-shell" auto="yes" arch="*"> + <unaffected range="ge">3.34.5-r1</unaffected> + <vulnerable range="lt">3.34.5-r1</vulnerable> + </package> + </affected> + <background> + <p>GNOME Shell provides core user interface functions for the GNOME 3 + desktop, like switching to windows and launching applications. + </p> + </background> + <description> + <p>It was discovered that GNOME Shell incorrectly handled the login screen + password dialog. + </p> + </description> + <impact type="low"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All GNOME Shell users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=gnome-base/gnome-shell-3.34.5-r1" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-17489">CVE-2020-17489</uri> + </references> + <metadata tag="requester" timestamp="2020-09-13T22:02:20Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-09-13T23:26:21Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-09.xml b/metadata/glsa/glsa-202009-09.xml new file mode 100644 index 000000000000..4716f54af843 --- /dev/null +++ b/metadata/glsa/glsa-202009-09.xml @@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-09"> + <title>Nextcloud Desktop Sync client: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Nextcloud Desktop Sync + client, the worst of which may allow execution of arbitrary code. + </synopsis> + <product type="ebuild">nextcloud-client</product> + <announced>2020-09-13</announced> + <revised count="1">2020-09-13</revised> + <bug>736649</bug> + <access>remote</access> + <affected> + <package name="net-misc/nextcloud-client" auto="yes" arch="*"> + <unaffected range="ge">2.6.5</unaffected> + <vulnerable range="lt">2.6.5</vulnerable> + </package> + </affected> + <background> + <p>Nextcloud Desktop Sync client can synchronize one or more directories to + Nextcloud server. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Nextcloud Desktop Sync + client. Please review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Nextcloud Desktop Sync client users should upgrade to the latest + version: + </p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/nextcloud-client-2.6.5" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8189">CVE-2020-8189</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8224">CVE-2020-8224</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8227">CVE-2020-8227</uri> + </references> + <metadata tag="requester" timestamp="2020-09-12T20:28:32Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-09-13T23:26:38Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-10.xml b/metadata/glsa/glsa-202009-10.xml new file mode 100644 index 000000000000..3ff0e04b3374 --- /dev/null +++ b/metadata/glsa/glsa-202009-10.xml @@ -0,0 +1,67 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-10"> + <title>PHP: Denial of service</title> + <synopsis>A vulnerabilities in PHP could lead to a Denial of Service + condition. + </synopsis> + <product type="ebuild">PHP</product> + <announced>2020-09-13</announced> + <revised count="1">2020-09-13</revised> + <bug>736158</bug> + <access>local, remote</access> + <affected> + <package name="dev-lang/php" auto="yes" arch="*"> + <unaffected range="ge" slot="7.2">7.2.33</unaffected> + <unaffected range="ge" slot="7.3">7.3.21</unaffected> + <unaffected range="ge" slot="7.4">7.4.9</unaffected> + <vulnerable range="lt" slot="7.2">7.2.33</vulnerable> + <vulnerable range="lt" slot="7.3">7.3.21</vulnerable> + <vulnerable range="lt" slot="7.4">7.4.9</vulnerable> + </package> + </affected> + <background> + <p>PHP is an open source general-purpose scripting language that is + especially suited for web development. + </p> + </background> + <description> + <p>It was discovered that PHP did not properly handle PHAR files.</p> + </description> + <impact type="low"> + <p>A remote attacker could entice a user to open a specially crafted PHAR + file using PHP, possibly allowing attacker to obtain sensitive + information or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PHP 7.2 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.2.33" + </code> + + <p>All PHP 7.3 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.3.21" + </code> + + <p>All PHP 7.4 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.9" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7068">CVE-2020-7068</uri> + </references> + <metadata tag="requester" timestamp="2020-09-12T20:12:49Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-09-13T23:26:59Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-11.xml b/metadata/glsa/glsa-202009-11.xml new file mode 100644 index 000000000000..0db2968196ad --- /dev/null +++ b/metadata/glsa/glsa-202009-11.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-11"> + <title>ProFTPD: Denial of service</title> + <synopsis>A vulnerability in ProFTPD could lead to a Denial of Service + condition. + </synopsis> + <product type="ebuild">proftpd</product> + <announced>2020-09-13</announced> + <revised count="1">2020-09-13</revised> + <bug>733376</bug> + <access>local, remote</access> + <affected> + <package name="net-ftp/proftpd" auto="yes" arch="*"> + <unaffected range="ge">1.3.7a</unaffected> + <vulnerable range="lt">1.3.7a</vulnerable> + </package> + </affected> + <background> + <p>ProFTPD is an advanced and very configurable FTP server.</p> + </background> + <description> + <p>It was found that ProFTPD did not properly handle invalid SCP commands.</p> + </description> + <impact type="low"> + <p>An authenticated remote attacker could issue invalid SCP commands, + possibly resulting in a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ProFTPD users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.7a" + </code> + </resolution> + <references> + <uri link="https://github.com/proftpd/proftpd/issues/1043">Invalid SCP + command leads to null pointer dereference + </uri> + </references> + <metadata tag="requester" timestamp="2020-09-12T20:04:18Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-09-13T23:27:17Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202009-12.xml b/metadata/glsa/glsa-202009-12.xml new file mode 100644 index 000000000000..a29860260437 --- /dev/null +++ b/metadata/glsa/glsa-202009-12.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202009-12"> + <title>ZeroMQ: Denial of service</title> + <synopsis>A vulnerability in ZeroMQ could lead to a Denial of Service + condition. + </synopsis> + <product type="ebuild">zeromq</product> + <announced>2020-09-13</announced> + <revised count="1">2020-09-13</revised> + <bug>740574</bug> + <access>local, remote</access> + <affected> + <package name="net-libs/zeromq" auto="yes" arch="*"> + <unaffected range="ge">4.3.3</unaffected> + <vulnerable range="lt">4.3.3</vulnerable> + </package> + </affected> + <background> + <p>Looks like an embeddable networking library but acts like a concurrency + framework. + </p> + </background> + <description> + <p>It was discovered that ZeroMQ does not properly handle connecting peers + before a handshake is completed. + </p> + </description> + <impact type="normal"> + <p>An unauthenticated remote attacker able to connect to a ZeroMQ endpoint, + even with CURVE encryption/authentication enabled, can cause a Denial of + Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All ZeroMQ users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/zeromq-4.3.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15166">CVE-2020-15166</uri> + </references> + <metadata tag="requester" timestamp="2020-09-12T19:44:05Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-09-13T23:27:38Z">whissi</metadata> +</glsa> |