author:    Repository mirror & CI <repomirrorci@gentoo.org>  2019-03-14 02:04:23 +0000
committer: Repository mirror & CI <repomirrorci@gentoo.org>  2019-03-14 02:04:23 +0000
commit:    3a815004fe937903d5f5e6a050a9ba70f8921051
tree:      6a3c71d3a1b5ef84b2ecd827b23d8c0866e3b7ca /metadata/glsa
parent:    2019-03-14 01:04:26 UTC
parent:    [ GLSA 201903-14 ] Oracle JDK/JRE: Multiple vulnerabilities
Merge commit '17152e28d973dd918d88b38fdcc6e83f34c921f2'
Diffstat (limited to 'metadata/glsa')
-rw-r--r--  metadata/glsa/glsa-201903-09.xml  50
-rw-r--r--  metadata/glsa/glsa-201903-10.xml  59
-rw-r--r--  metadata/glsa/glsa-201903-11.xml  49
-rw-r--r--  metadata/glsa/glsa-201903-12.xml  61
-rw-r--r--  metadata/glsa/glsa-201903-13.xml  52
-rw-r--r--  metadata/glsa/glsa-201903-14.xml  82
6 files changed, 353 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201903-09.xml b/metadata/glsa/glsa-201903-09.xml
new file mode 100644
index 000000000000..036d610ff7a3
--- /dev/null
+++ b/metadata/glsa/glsa-201903-09.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-09">
+ <title>GNU C Library: Arbitrary descriptor allocation</title>
+ <synopsis>A vulnerability in the GNU C Library could result in a Denial of
+ Service condition.
+ </synopsis>
+ <product type="ebuild">glibc</product>
+ <announced>2019-03-14</announced>
+ <revised count="1">2019-03-14</revised>
+ <bug>617938</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-libs/glibc" auto="yes" arch="*">
+ <unaffected range="ge">2.26.0</unaffected>
+ <vulnerable range="lt">2.26.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The GNU C library is the standard C library used by Gentoo Linux
+ systems.
+ </p>
+ </background>
+ <description>
+ <p>A vulnerability was discovered in the GNU C Library functions xdr_bytes
+ and xdr_string.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by sending a crafted UDP packet, could cause a Denial
+ of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GNU C Library users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=sys-libs/glibc-2.26.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19591">CVE-2018-19591</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-12-30T15:32:10Z">Zlogene</metadata>
+ <metadata tag="submitter" timestamp="2019-03-14T01:31:55Z">Zlogene</metadata>
+</glsa>
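Review bot: the title, description and reference in this file read as three different things and should be reconciled before the advisory is published: the title says "Arbitrary descriptor allocation", the description names the xdr_bytes and xdr_string functions with a crafted UDP packet as the trigger, and the only reference is CVE-2018-19591. Confirm that the referenced CVE is the flaw the description talks about; if it is not, add the CVE or bug reference for the xdr_bytes/xdr_string issue and align the title with the description, otherwise anyone matching advisories to CVE identifiers will classify the fixed flaw incorrectly. A sentence in the description saying what the crafted packet causes (the synopsis only says "Denial of Service condition") would also make the impact paragraph self-explanatory.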
diff --git a/metadata/glsa/glsa-201903-10.xml b/metadata/glsa/glsa-201903-10.xml
new file mode 100644
index 000000000000..afb36ae60d5c
--- /dev/null
+++ b/metadata/glsa/glsa-201903-10.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-10">
+ <title>OpenSSL: Multiple vulnerabilities</title>
+ <synopsis>Multiple Information Disclosure vulnerabilities in OpenSSL allow
+ attackers to obtain sensitive information.
+ </synopsis>
+ <product type="ebuild">openssl</product>
+ <announced>2019-03-14</announced>
+ <revised count="1">2019-03-14</revised>
+ <bug>673056</bug>
+ <bug>678564</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-libs/openssl" auto="yes" arch="*">
+ <unaffected range="ge">1.0.2r</unaffected>
+ <vulnerable range="lt">1.0.2r</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
+ (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
+ purpose cryptography library.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in OpenSSL. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker to obtain sensitive information, caused by the failure
+ to immediately close the TCP connection after the hosts encounter a
+ zero-length record with valid padding.
+ </p>
+
+ <p>A local attacker could run a malicious process next to legitimate
+ processes using the architecture’s parallel thread running capabilities
+ to leak encrypted data from the CPU’s internal processes.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenSSL users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-libs/openssl-1.0.2r"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5407">CVE-2018-5407</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1559">CVE-2019-1559</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-01-07T18:47:40Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2019-03-14T01:34:24Z">Zlogene</metadata>
+</glsa>
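Review bot: the first impact paragraph is missing its verb and does not parse: "A remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding." should read along the lines of "A remote attacker could obtain sensitive information due to the failure to immediately close the TCP connection after a zero-length record with valid padding is encountered." Since the two impact paragraphs describe two separate issues (one remote, one local, matching the access element "local, remote") and two CVEs are referenced, naming the CVE identifier in each paragraph would let readers see which impact belongs to which fix. The second paragraph's "leak encrypted data from the CPU’s internal processes" is also imprecise; "leak data from a process running on the same physical core" would describe the side channel without overstating it.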
diff --git a/metadata/glsa/glsa-201903-11.xml b/metadata/glsa/glsa-201903-11.xml
new file mode 100644
index 000000000000..7eea14bf14fa
--- /dev/null
+++ b/metadata/glsa/glsa-201903-11.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-11">
+ <title>XRootD: Remote code execution</title>
+ <synopsis>A vulnerability was discovered in XRootD which could lead to the
+ remote execution of code.
+ </synopsis>
+ <product type="ebuild">xrootd</product>
+ <announced>2019-03-14</announced>
+ <revised count="1">2019-03-14</revised>
+ <bug>638420</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/xrootd" auto="yes" arch="*">
+ <unaffected range="ge">4.8.3</unaffected>
+ <vulnerable range="lt">4.8.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A project that aims at giving high performance, scalable, and fault
+ tolerant access to data repositories of many kinds.
+ </p>
+ </background>
+ <description>
+ <p>A shell command injection was discovered in XRootD.</p>
+
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could execute arbitrary code.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All XRootD users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-libs/xrootd-4.8.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-1000215">
+ CVE-2017-1000215
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-03-10T02:02:16Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2019-03-14T01:35:58Z">b-man</metadata>
+</glsa>
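Review bot: the background paragraph has no subject ("A project that aims at giving high performance, scalable, and fault tolerant access to data repositories of many kinds.") and should name the product, e.g. "XRootD is a project that aims at giving high performance, scalable, and fault tolerant access to data repositories of many kinds." Two formatting points in the same file: the stray blank "+" line between the description's closing </p> and </description> does not appear in the other five files, and the CVE-2017-1000215 <uri> element has its text split over three lines, so the element text carries leading and trailing newlines and indentation; the other advisories keep the identifier on the same line as its tags. The description "A shell command injection was discovered in XRootD." is also very thin for a remote code execution advisory; if the referenced bug says which component or interface is affected, add that sentence.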
diff --git a/metadata/glsa/glsa-201903-12.xml b/metadata/glsa/glsa-201903-12.xml
new file mode 100644
index 000000000000..ddbe0d19b08a
--- /dev/null
+++ b/metadata/glsa/glsa-201903-12.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-12">
+ <title>WebkitGTK+: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in WebkitGTK+, the worst
+ of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">webkit-gtk</product>
+ <announced>2019-03-14</announced>
+ <revised count="1">2019-03-14</revised>
+ <bug>672108</bug>
+ <bug>674702</bug>
+ <bug>678334</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/webkit-gtk" auto="yes" arch="*">
+ <unaffected range="ge">2.22.6</unaffected>
+ <vulnerable range="lt">2.22.6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine,
+ suitable for projects requiring any kind of web integration, from hybrid
+ HTML/CSS applications to full-fledged web browsers.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please
+ review the referenced CVE identifiers for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could execute arbitrary code or conduct cross-site
+ scripting.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All WebkitGTK+ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-libs/webkit-gtk-2.22.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6212">CVE-2019-6212</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6215">CVE-2019-6215</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6216">CVE-2019-6216</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6217">CVE-2019-6217</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6226">CVE-2019-6226</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6227">CVE-2019-6227</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6229">CVE-2019-6229</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6233">CVE-2019-6233</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6234">CVE-2019-6234</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-03-07T21:59:07Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2019-03-14T01:37:23Z">b-man</metadata>
+</glsa>
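Review bot: the product name is spelled two ways in one file: title, synopsis and resolution write "WebkitGTK+" while background and description write "WebKitGTK+"; use the upstream spelling (WebKitGTK+) throughout, including in the title that becomes the advisory subject line. Also, the impact paragraph says "An attacker could execute arbitrary code or conduct cross-site scripting" without the qualifier that the access element "remote" implies; the other advisories in this batch write "A remote attacker", and matching that wording here avoids any reading that local access is required.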
diff --git a/metadata/glsa/glsa-201903-13.xml b/metadata/glsa/glsa-201903-13.xml
new file mode 100644
index 000000000000..11e3fcfdcde5
--- /dev/null
+++ b/metadata/glsa/glsa-201903-13.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-13">
+ <title>BIND: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in BIND, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">bind</product>
+ <announced>2019-03-14</announced>
+ <revised count="1">2019-03-14</revised>
+ <bug>657654</bug>
+ <bug>666946</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-dns/bind" auto="yes" arch="*">
+ <unaffected range="ge">9.12.1_p2-r1</unaffected>
+ <vulnerable range="lt">9.12.1_p2-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>BIND (Berkeley Internet Name Domain) is a Name Server.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in BIND. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>BIND can improperly permit recursive query service to unauthorized
+ clients possibly resulting in a Denial of Service condition or to be used
+ in DNS reflection attacks.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All bind users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-dns/bind-9.12.1_p2-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5738">CVE-2018-5738</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5740">CVE-2018-5740</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5741">CVE-2018-5741</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-03-10T00:30:31Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2019-03-14T01:41:21Z">BlueKnight</metadata>
+</glsa>
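Review bot: the impact paragraph lacks parallel structure and covers only one of the three referenced issues. "BIND can improperly permit recursive query service to unauthorized clients possibly resulting in a Denial of Service condition or to be used in DNS reflection attacks." reads better as "BIND can improperly permit recursive query service to unauthorized clients, which could result in a Denial of Service condition or allow the server to be used in DNS reflection attacks." Three CVE identifiers are listed under references but the impact text describes a single flaw (unauthorized recursion); either add a sentence for each remaining CVE or, as the other files do, point readers to the referenced identifiers for the remaining details. Minor: the resolution says "All bind users" while the title and background write "BIND".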
diff --git a/metadata/glsa/glsa-201903-14.xml b/metadata/glsa/glsa-201903-14.xml
new file mode 100644
index 000000000000..88f56cdca5e3
--- /dev/null
+++ b/metadata/glsa/glsa-201903-14.xml
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-14">
+ <title>Oracle JDK/JRE: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Oracle’s JDK and JRE
+ software suites.
+ </synopsis>
+ <product type="ebuild">oracle-jdk-bin,oracle-jre-bin</product>
+ <announced>2019-03-14</announced>
+ <revised count="1">2019-03-14</revised>
+ <bug>653560</bug>
+ <bug>661456</bug>
+ <bug>676134</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/oracle-jdk-bin" auto="yes" arch="*">
+ <unaffected range="ge">1.8.0.202</unaffected>
+ <vulnerable range="lt">1.8.0.202</vulnerable>
+ </package>
+ <package name="dev-java/oracle-jre-bin" auto="yes" arch="*">
+ <unaffected range="ge">1.8.0.202</unaffected>
+ <vulnerable range="lt">1.8.0.202</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Java Platform, Standard Edition (Java SE) lets you develop and deploy
+ Java applications on desktops and servers, as well as in today’s
+ demanding embedded environments. Java offers the rich user interface,
+ performance, versatility, portability, and security that today’s
+ applications require.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Oracle’s JDK and JRE
+ software suites. Please review the CVE identifiers referenced below for
+ details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, gain access to information, or cause a Denial
+ of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Oracle JDK bin users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=dev-java/oracle-jdk-bin-1.8.0.202"
+ </code>
+
+ <p>All Oracle JRE bin users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=dev-java/oracle-jre-bin-1.8.0.202"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2790">CVE-2018-2790</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2794">CVE-2018-2794</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2795">CVE-2018-2795</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2796">CVE-2018-2796</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2797">CVE-2018-2797</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2798">CVE-2018-2798</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2799">CVE-2018-2799</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2800">CVE-2018-2800</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2811">CVE-2018-2811</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2814">CVE-2018-2814</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-2815">CVE-2018-2815</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2422">CVE-2019-2422</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2426">CVE-2019-2426</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-03-10T05:01:22Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2019-03-14T01:44:42Z">BlueKnight</metadata>
+</glsa>
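Review bot: in both resolution blocks the emerge command is wrapped onto two lines ("# emerge --ask --oneshot --verbose" followed by the quoted atom "&gt;=dev-java/oracle-jdk-bin-1.8.0.202" on the next line), so a reader who copies the block line by line runs emerge with no package atom and then executes a bare quoted string; keep each command on one line as the other five advisories do, or end the first line with a backslash continuation. The background paragraph is product marketing copy ("Java offers the rich user interface, performance, versatility, portability, and security that today’s applications require") and sits oddly in an advisory listing thirteen vulnerabilities; a one-sentence statement of what the JDK and JRE are would serve readers better. The synopsis also omits the worst-case impact that the other synopses in this batch state; appending "the worst of which could result in the arbitrary execution of code" would match the impact paragraph.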