authorRepository mirror & CI <repomirrorci@gentoo.org>2020-11-11 04:05:33 +0000
committerRepository mirror & CI <repomirrorci@gentoo.org>2020-11-11 04:05:33 +0000
commit8b1cb1f832a0847b50b7e1cd11cad66cc449a435 (patch)
tree624670446392a7fab79367b78c19e32abc34cf38 /metadata/glsa
parent2020-11-11 01:35:28 UTC (diff)
parent[ GLSA 202011-14 ] MariaDB: Remote code execution (diff)
Merge commit '85d2754949c49070bea44df8f904e9e985c57532' into master
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/glsa-202011-06.xml78
-rw-r--r--metadata/glsa/glsa-202011-07.xml84
-rw-r--r--metadata/glsa/glsa-202011-08.xml52
-rw-r--r--metadata/glsa/glsa-202011-09.xml57
-rw-r--r--metadata/glsa/glsa-202011-10.xml48
-rw-r--r--metadata/glsa/glsa-202011-11.xml46
-rw-r--r--metadata/glsa/glsa-202011-12.xml73
-rw-r--r--metadata/glsa/glsa-202011-13.xml51
-rw-r--r--metadata/glsa/glsa-202011-14.xml74
9 files changed, 563 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202011-06.xml b/metadata/glsa/glsa-202011-06.xml
new file mode 100644
index 000000000000..f3f187929c41
--- /dev/null
+++ b/metadata/glsa/glsa-202011-06.xml
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202011-06">
+ <title>Xen: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
+ could result in privilege escalation.
+ </synopsis>
+ <product type="ebuild">xen</product>
+ <announced>2020-11-11</announced>
+ <revised count="3">2020-11-11</revised>
+ <bug>744202</bug>
+ <bug>750779</bug>
+ <bug>753692</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-emulation/xen" auto="yes" arch="*">
+ <unaffected range="ge">4.13.2</unaffected>
+ <vulnerable range="lt">4.13.2</vulnerable>
+ </package>
+ <package name="app-emulation/xen-tools" auto="yes" arch="*">
+ <unaffected range="ge">4.13.2</unaffected>
+ <vulnerable range="lt">4.13.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Xen is a bare-metal hypervisor.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Xen. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Xen users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.13.1-r5"
+ </code>
+
+ <p>All Xen Tools users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=app-emulation/xen-tools-4.13.1-r5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25595">CVE-2020-25595</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25596">CVE-2020-25596</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25597">CVE-2020-25597</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25598">CVE-2020-25598</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25599">CVE-2020-25599</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25600">CVE-2020-25600</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25601">CVE-2020-25601</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25602">CVE-2020-25602</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25603">CVE-2020-25603</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25604">CVE-2020-25604</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27670">CVE-2020-27670</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27671">CVE-2020-27671</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27672">CVE-2020-27672</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27673">CVE-2020-27673</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27674">CVE-2020-27674</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27675">CVE-2020-27675</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-345.html">XSA-345</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-346.html">XSA-346</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-347.html">XSA-347</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-10-23T04:14:51Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-11-11T03:40:50Z">sam_c</metadata>
+</glsa>
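Review bot: The two emerge atoms in the resolution, `">=app-emulation/xen-4.13.1-r5"` and `">=app-emulation/xen-tools-4.13.1-r5"`, disagree with the affected block, which marks everything below 4.13.2 as vulnerable (`<vulnerable range="lt">4.13.2</vulnerable>` for both packages), so a user who follows the advisory literally can end up on a revision the same advisory still classifies as vulnerable. Either the bounds or the atoms need to change: if 4.13.1-r5 is the patched revision, both packages should declare `<unaffected range="ge">4.13.1-r5</unaffected>` and `<vulnerable range="lt">4.13.1-r5</vulnerable>`; otherwise the commands should install `">=app-emulation/xen-4.13.2"` and `">=app-emulation/xen-tools-4.13.2"`. The `revised count="3"` on an advisory whose announced and revised dates are identical also looks worth confirming against what the GLSA tooling expects for a first publication.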
diff --git a/metadata/glsa/glsa-202011-07.xml b/metadata/glsa/glsa-202011-07.xml
new file mode 100644
index 000000000000..19e8efe6d69a
--- /dev/null
+++ b/metadata/glsa/glsa-202011-07.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202011-07">
+ <title>Mozilla Firefox: Remote code execution</title>
+ <synopsis>A use-after-free in Mozilla Firefox might allow remote attacker(s)
+ to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">firefox</product>
+ <announced>2020-11-11</announced>
+ <revised count="1">2020-11-11</revised>
+ <bug>753773</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge">82.0.3</unaffected>
+ <unaffected range="ge" slot="0/esr78">78.4.1</unaffected>
+ <vulnerable range="lt">82.0.3</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge">82.0.3</unaffected>
+ <unaffected range="ge" slot="0/esr78">78.4.1</unaffected>
+ <vulnerable range="lt">78.4.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla
+ project.
+ </p>
+ </background>
+ <description>
+ <p>Invalid assumptions when emitting the the MCallGetProperty opcode in the
+ JavaScript JIT may result in a use-after-free condition.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-client/firefox-82.0.3"
+ </code>
+
+ <p>All Mozilla Firefox (bin) users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/firefox-bin-78.4.1:0/esr78"
+ </code>
+
+ <p>All Mozilla Firefox (ESR) users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-client/firefox-82.0.3"
+ </code>
+
+ <p>All Mozilla Firefox (ESR) bin users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/firefox-bin-78.4.1:0/esr78"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26950">CVE-2020-26950</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/">
+ MFSA-2020-49
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-09T20:03:19Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-11-11T03:36:43Z">sam_c</metadata>
+</glsa>
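Review bot: The four emerge commands in the resolution do not line up with the affected block: the "Mozilla Firefox (ESR)" command repeats the non-ESR atom `">=www-client/firefox-82.0.3"` although the ESR fix is declared as 78.4.1 in slot `0/esr78`, and both firefox-bin commands give `">=www-client/firefox-bin-78.4.1:0/esr78"`, so no command covers the 82.0.3 firefox-bin release that the affected block lists as unaffected. Presumably the ESR command should read `">=www-client/firefox-78.4.1:0/esr78"` and the plain bin command `">=www-client/firefox-bin-82.0.3"`. The www-client/firefox-bin entry also declares only `<vulnerable range="lt">78.4.1</vulnerable>` while www-client/firefox uses `lt 82.0.3`, so a default-slot firefox-bin between 78.4.1 and 82.0.3 would not be flagged by this advisory; matching the firefox entry looks intended. The description also contains a doubled word (`emitting the the MCallGetProperty opcode`).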
diff --git a/metadata/glsa/glsa-202011-08.xml b/metadata/glsa/glsa-202011-08.xml
new file mode 100644
index 000000000000..c91c014dc588
--- /dev/null
+++ b/metadata/glsa/glsa-202011-08.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202011-08">
+ <title>Wireshark: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Wireshark, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">wireshark</product>
+ <announced>2020-11-11</announced>
+ <revised count="1">2020-11-11</revised>
+ <bug>750692</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-analyzer/wireshark" auto="yes" arch="*">
+ <unaffected range="ge">3.4.0</unaffected>
+ <vulnerable range="lt">3.4.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Wireshark is a network protocol analyzer formerly known as ethereal.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Wireshark. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Wireshark users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-analyzer/wireshark-3.4.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26575">CVE-2020-26575</uri>
+ <uri link="https://www.wireshark.org/security/wnpa-sec-2020-14">
+ wnpa-sec-2020-14
+ </uri>
+ <uri link="https://www.wireshark.org/security/wnpa-sec-2020-15">
+ wnpa-sec-2020-15
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-08T10:31:07Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-11-11T03:36:48Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202011-09.xml b/metadata/glsa/glsa-202011-09.xml
new file mode 100644
index 000000000000..fba58488bdff
--- /dev/null
+++ b/metadata/glsa/glsa-202011-09.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202011-09">
+ <title>QEMU: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in QEMU, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">qemu</product>
+ <announced>2020-11-11</announced>
+ <revised count="1">2020-11-11</revised>
+ <bug>720896</bug>
+ <bug>725634</bug>
+ <bug>743649</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-emulation/qemu" auto="yes" arch="*">
+ <unaffected range="ge">5.1.0-r1</unaffected>
+ <vulnerable range="lt">5.1.0-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>QEMU is a generic and open source machine emulator and virtualizer.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in QEMU. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All QEMU users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-emulation/qemu-5.1.0-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10717">CVE-2020-10717</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10761">CVE-2020-10761</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13253">CVE-2020-13253</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13361">CVE-2020-13361</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13362">CVE-2020-13362</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13659">CVE-2020-13659</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13754">CVE-2020-13754</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13791">CVE-2020-13791</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13800">CVE-2020-13800</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14364">CVE-2020-14364</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-07T02:00:43Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-11-11T03:36:56Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202011-10.xml b/metadata/glsa/glsa-202011-10.xml
new file mode 100644
index 000000000000..3126f1b174d5
--- /dev/null
+++ b/metadata/glsa/glsa-202011-10.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202011-10">
+ <title>tmux: Buffer overflow</title>
+ <synopsis>A buffer overflow in tmux might allow remote attacker(s) to execute
+ arbitrary code.
+ </synopsis>
+ <product type="ebuild">tmux</product>
+ <announced>2020-11-11</announced>
+ <revised count="1">2020-11-11</revised>
+ <bug>753206</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-misc/tmux" auto="yes" arch="*">
+ <unaffected range="ge">3.1c</unaffected>
+ <vulnerable range="lt">3.1c</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>tmux is a terminal multiplexer.</p>
+ </background>
+ <description>
+ <p>A flaw in tmux’s handling of escape characters was discovered which
+ may allow a buffer overflow.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All tmux users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-misc/tmux-3.1c"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27347">CVE-2020-27347</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-09T23:15:04Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-11-11T03:36:59Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202011-11.xml b/metadata/glsa/glsa-202011-11.xml
new file mode 100644
index 000000000000..ee062a506924
--- /dev/null
+++ b/metadata/glsa/glsa-202011-11.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202011-11">
+ <title>Blueman: Local privilege escalation</title>
+ <synopsis>A privilege escalation vulnerability has been discovered in
+ Blueman.
+ </synopsis>
+ <product type="ebuild">blueman</product>
+ <announced>2020-11-11</announced>
+ <revised count="2">2020-11-11</revised>
+ <bug>751556</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-wireless/blueman" auto="yes" arch="*">
+ <unaffected range="ge">2.1.4</unaffected>
+ <vulnerable range="lt">2.1.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Blueman is a simple and intuitive GTK+ Bluetooth Manager.</p>
+ </background>
+ <description>
+ <p>Where Polkit is not used and the default permissions have been changed
+ on a specific rule file, control of a local DHCP daemon may be possible.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A local attacker may be able to achieve root privilege escalation.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Blueman users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-wireless/blueman-2.1.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15238">CVE-2020-15238</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-01T02:23:14Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-11-11T03:43:42Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202011-12.xml b/metadata/glsa/glsa-202011-12.xml
new file mode 100644
index 000000000000..03f1f501dfbc
--- /dev/null
+++ b/metadata/glsa/glsa-202011-12.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202011-12">
+ <title>Chromium, Google Chrome: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+ Chrome, the worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">chromium,google-chrome</product>
+ <announced>2020-11-11</announced>
+ <revised count="1">2020-11-11</revised>
+ <bug>750854</bug>
+ <bug>752375</bug>
+ <bug>753848</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">86.0.4240.193</unaffected>
+ <vulnerable range="lt">86.0.4240.193</vulnerable>
+ </package>
+ <package name="www-client/google-chrome" auto="yes" arch="*">
+ <unaffected range="ge">86.0.4240.193</unaffected>
+ <vulnerable range="lt">86.0.4240.193</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+
+ <p>Google Chrome is one fast, simple, and secure browser for all your
+ devices.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/chromium-86.0.4240.193"
+ </code>
+
+ <p>All Google Chrome users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/google-chrome-86.0.4240.193"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15999">CVE-2020-15999</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16004">CVE-2020-16004</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16005">CVE-2020-16005</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16006">CVE-2020-16006</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16008">CVE-2020-16008</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16009">CVE-2020-16009</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16016">CVE-2020-16016</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-10T22:00:45Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-11-11T03:37:14Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202011-13.xml b/metadata/glsa/glsa-202011-13.xml
new file mode 100644
index 000000000000..b5f28160775e
--- /dev/null
+++ b/metadata/glsa/glsa-202011-13.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202011-13">
+ <title>Salt: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Salt, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">salt</product>
+ <announced>2020-11-11</announced>
+ <revised count="1">2020-11-11</revised>
+ <bug>753266</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-admin/salt" auto="yes" arch="*">
+ <unaffected range="ge">3000.5</unaffected>
+ <vulnerable range="lt">3000.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Salt is a remote execution and configuration manager.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Salt. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Salt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-admin/salt-3000.5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16846">CVE-2020-16846</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-17490">CVE-2020-17490</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25592">CVE-2020-25592</uri>
+ <uri link="https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/">
+ Upstream advisory
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-09T23:14:31Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2020-11-11T03:38:41Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202011-14.xml b/metadata/glsa/glsa-202011-14.xml
new file mode 100644
index 000000000000..2ae7a8c2ec92
--- /dev/null
+++ b/metadata/glsa/glsa-202011-14.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202011-14">
+ <title>MariaDB: Remote code execution</title>
+ <synopsis>A vulnerability has been discovered in MariaDB which could result
+ in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">mariadb</product>
+ <announced>2020-11-11</announced>
+ <revised count="1">2020-11-11</revised>
+ <bug>747166</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-db/mariadb" auto="yes" arch="*">
+ <unaffected range="ge" slot="10.5">10.5.6</unaffected>
+ <unaffected range="ge" slot="10.4">10.4.13-r3</unaffected>
+ <unaffected range="ge" slot="10.3">10.3.23-r3</unaffected>
+ <unaffected range="ge" slot="10.2">10.2.22-r3</unaffected>
+ <vulnerable range="lt">10.5.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>MariaDB is an enhanced, drop-in replacement for MySQL.</p>
+ </background>
+ <description>
+ <p>It was discovered that MariaDB did not properly validate the content of
+ a packet received from a server.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker could send a specially crafted packet to WSREP
+ service, possibly resulting in execution of arbitrary code with the
+ privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All MariaDB 10.5.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-db/mariadb-10.5.6:10.5"
+ </code>
+
+ <p>All MariaDB 10.4.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-db/mariadb-10.4.13-r3:10.4"
+ </code>
+
+ <p>All MariaDB 10.3.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-db/mariadb-10.3.23-r3:10.3"
+ </code>
+
+ <p>All MariaDB 10.2.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-db/mariadb-10.2.22-r3:10.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15180">CVE-2020-15180</uri>
+ </references>
+ <metadata tag="requester" timestamp="2020-11-08T21:17:21Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2020-11-11T03:38:51Z">whissi</metadata>
+</glsa>