author | Repository mirror & CI <repomirrorci@gentoo.org> | 2021-05-26 10:35:05 +0000
committer | Repository mirror & CI <repomirrorci@gentoo.org> | 2021-05-26 10:35:05 +0000
commit | e4acd4690b0ce070067f1019e99ee565758f4915
tree | 90477b147c240f1b6de73e6f9a5506fd91196d8d /metadata/glsa
parent | Merge updates from master
parent | [ GLSA 202105-34 ] Bash: Privilege escalation
Merge commit '126e2ff3be2ddb15585b97888222fc70b6eaebd5'
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/glsa-202105-29.xml | 49
-rw-r--r-- | metadata/glsa/glsa-202105-30.xml | 52
-rw-r--r-- | metadata/glsa/glsa-202105-31.xml | 54
-rw-r--r-- | metadata/glsa/glsa-202105-32.xml | 92
-rw-r--r-- | metadata/glsa/glsa-202105-33.xml | 55
-rw-r--r-- | metadata/glsa/glsa-202105-34.xml | 45
6 files changed, 347 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202105-29.xml b/metadata/glsa/glsa-202105-29.xml new file mode 100644 index 000000000000..e2507b22b90b --- /dev/null +++ b/metadata/glsa/glsa-202105-29.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202105-29"> + <title>Tar: Denial of service</title> + <synopsis>A vulnerability in Tar could lead to a Denial of Service condition.</synopsis> + <product type="ebuild">tar</product> + <announced>2021-05-26</announced> + <revised count="1">2021-05-26</revised> + <bug>778548</bug> + <access>local, remote</access> + <affected> + <package name="app-arch/tar" auto="yes" arch="*"> + <unaffected range="ge">1.34</unaffected> + <vulnerable range="lt">1.34</vulnerable> + </package> + </affected> + <background> + <p>The Tar program provides the ability to create and manipulate tar + archives. + </p> + </background> + <description> + <p>It was discovered that GNU Tar had a memory leak when processing archive + headers. + </p> + </description> + <impact type="low"> + <p>A remote attacker could entice a user to open a specially crafted + archive using Tar, possibly resulting in a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Tar users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/tar-1.34" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20193">CVE-2021-20193</uri> + </references> + <metadata tag="requester" timestamp="2021-05-24T01:03:25Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-05-26T10:11:52Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202105-30.xml b/metadata/glsa/glsa-202105-30.xml new file mode 100644 index 000000000000..4cbf0070e7eb --- /dev/null +++ b/metadata/glsa/glsa-202105-30.xml 
@@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202105-30"> + <title>MuPDF: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in MuPDF, the worst of + which could result in a Denial of Service condition. + </synopsis> + <product type="ebuild">mupdf</product> + <announced>2021-05-26</announced> + <revised count="1">2021-05-26</revised> + <bug>747151</bug> + <bug>772311</bug> + <access>local, remote</access> + <affected> + <package name="app-text/mupdf" auto="yes" arch="*"> + <unaffected range="ge">1.18.0-r3</unaffected> + <vulnerable range="lt">1.18.0-r3</vulnerable> + </package> + </affected> + <background> + <p>MuPDF is a lightweight PDF viewer and toolkit written in portable C.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in MuPDF. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="low"> + <p>A remote attacker could entice a user to open a specially crafted PDF + document using MuPDF, possibly resulting in a Denial of Service condition + or have other unspecified impact. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All MuPDF users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/mupdf-1.18.0-r3" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26519">CVE-2020-26519</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3407">CVE-2021-3407</uri> + </references> + <metadata tag="requester" timestamp="2021-05-25T21:00:36Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-05-26T10:12:11Z">whissi</metadata> +</glsa> 
diff --git a/metadata/glsa/glsa-202105-31.xml b/metadata/glsa/glsa-202105-31.xml new file mode 100644 index 000000000000..05d9ce89b585 --- /dev/null +++ b/metadata/glsa/glsa-202105-31.xml 
@@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202105-31"> + <title>Nettle: Denial of service</title> + <synopsis>A vulnerability in Nettle could lead to a Denial of Service + condition. + </synopsis> + <product type="ebuild">nettle</product> + <announced>2021-05-26</announced> + <revised count="1">2021-05-26</revised> + <bug>780483</bug> + <access>local, remote</access> + <affected> + <package name="dev-libs/nettle" auto="yes" arch="*"> + <unaffected range="ge">3.7.2</unaffected> + <vulnerable range="lt">3.7.2</vulnerable> + </package> + </affected> + <background> + <p>Nettle is a cryptographic library that is designed to fit easily in + almost any context: In cryptographic toolkits for object-oriented + languages, such as C++, Python, or Pike, in applications like lsh or + GnuPG, or even in kernel space. + </p> + </background> + <description> + <p>It was discovered that Nettle incorrectly handled signature + verification. + </p> + </description> + <impact type="low"> + <p>A remote attacker could send a specially crafted valid-looking input + signature, possibly resulting in a Denial of Service condition or force + an invalid signature. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Nettle users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/nettle-3.7.2" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20305">CVE-2021-20305</uri> + </references> + <metadata tag="requester" timestamp="2021-05-25T20:00:54Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-05-26T10:12:28Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202105-32.xml b/metadata/glsa/glsa-202105-32.xml new file mode 100644 index 000000000000..44edeaa40bfd --- /dev/null 
+++ b/metadata/glsa/glsa-202105-32.xml 
@@ -0,0 +1,92 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202105-32"> + <title>PostgreSQL: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in PostgreSQL, the worst + of which could result in information disclosure. + </synopsis> + <product type="ebuild">postgresql</product> + <announced>2021-05-26</announced> + <revised count="1">2021-05-26</revised> + <bug>771942</bug> + <access>local, remote</access> + <affected> + <package name="dev-db/postgresql" auto="yes" arch="*"> + <unaffected range="ge" slot="9.5">9.5.25</unaffected> + <unaffected range="ge" slot="9.6">9.6.21</unaffected> + <unaffected range="ge" slot="10">10.16</unaffected> + <unaffected range="ge" slot="11">11.11</unaffected> + <unaffected range="ge" slot="12">12.6</unaffected> + <unaffected range="ge" slot="13">13.2</unaffected> + <vulnerable range="lt">13.2</vulnerable> + </package> + </affected> + <background> + <p>PostgreSQL is an open source object-relational database management + system. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in PostgreSQL. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="low"> + <p>An authenticated remote attacker, by executing malicious crafted + queries, could possibly disclose sensitive information. 
+ </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PostgreSQL 9.5.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.25:9.5" + </code> + + <p>All PostgreSQL 9.6.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.21:9.6" + </code> + + <p>All PostgreSQL 10.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.16:10" + </code> + + <p>All PostgreSQL 11.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.11:11" + </code> + + <p>All PostgreSQL 12.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.6:12" + </code> + + <p>All PostgreSQL 13.x users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.2:13" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20229">CVE-2021-20229</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3393">CVE-2021-3393</uri> + </references> + <metadata tag="requester" timestamp="2021-05-25T18:56:02Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-05-26T10:12:52Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202105-33.xml b/metadata/glsa/glsa-202105-33.xml new file mode 100644 index 000000000000..dddf99d66910 --- /dev/null +++ b/metadata/glsa/glsa-202105-33.xml 
@@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202105-33"> + <title>containerd: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in containerd, the worst + of which could result in privilege escalation. + </synopsis> + <product type="ebuild">containerd</product> + <announced>2021-05-26</announced> + <revised count="1">2021-05-26</revised> + <bug>758137</bug> + <bug>775329</bug> + <access>local</access> + <affected> + <package name="app-emulation/containerd" auto="yes" arch="*"> + <unaffected range="ge">1.4.4</unaffected> + <vulnerable range="lt">1.4.4</vulnerable> + </package> + </affected> + <background> + <p>Containerd is a daemon with an API and a command line client, to manage + containers on one machine. It uses runC to run containers according to + the OCI specification. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in containerd. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>A local attacker, able to run a malicious container in the same network + namespace as the shim, could possibly escalate privileges. Furthermore, + an attacker could disclose sensitive information. 
+ </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All containerd users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/containerd-1.4.4" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15257">CVE-2020-15257</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21334">CVE-2021-21334</uri> + </references> + <metadata tag="requester" timestamp="2021-05-25T19:40:34Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-05-26T10:13:09Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202105-34.xml b/metadata/glsa/glsa-202105-34.xml new file mode 100644 index 000000000000..31c7e3ef7065 --- /dev/null +++ b/metadata/glsa/glsa-202105-34.xml 
@@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202105-34"> + <title>Bash: Privilege escalation</title> + <synopsis>A vulnerability in Bash may allow users to escalate privileges.</synopsis> + <product type="ebuild">bash</product> + <announced>2021-05-26</announced> + <revised count="1">2021-05-26</revised> + <bug>702488</bug> + <access>local</access> + <affected> + <package name="app-shells/bash" auto="yes" arch="*"> + <unaffected range="ge">5.0_p11-r1</unaffected> + <vulnerable range="lt">5.0_p11-r1</vulnerable> + </package> + </affected> + <background> + <p>Bash is the standard GNU Bourne Again SHell.</p> + </background> + <description> + <p>It was discovered that Bash incorrectly dropped privileges by setting + its effective UID to its real UID. + </p> + </description> + <impact type="normal"> + <p>A local attacker could possibly escalate privileges.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Bash users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-shells/bash-5.0_p11-r1" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18276">CVE-2019-18276</uri> + </references> + <metadata tag="requester" timestamp="2021-05-25T19:22:45Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-05-26T10:13:27Z">whissi</metadata> +</glsa> |
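Review bot: In glsa-202105-30.xml the `<impact>` sentence does not parse: "possibly resulting in a Denial of Service condition or have other unspecified impact" joins a participle to a bare verb; suggest "possibly resulting in a Denial of Service condition or other unspecified impact". The `<synopsis>` also states that the worst outcome is a Denial of Service while the `<impact>` admits "other unspecified impact", so either qualify the synopsis or drop that clause once the outcomes of the two referenced CVEs have been confirmed.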
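Review bot: In glsa-202105-31.xml the `<impact>` text says a remote attacker could "force an invalid signature", which is a stronger outcome than the Denial of Service named in the `<title>`, the `<synopsis>` and the `type="low"` attribute; if a crafted input can cause an invalid signature to be produced or accepted, the title and impact level should be raised to match, and if it cannot, the clause should go. The sentence is also ungrammatical ("resulting in ... or force ..."); suggest "possibly resulting in a Denial of Service condition or in an invalid signature being forced".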
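Review bot: In glsa-202105-32.xml the `<impact>` wording "by executing malicious crafted queries" should read "by executing maliciously crafted queries". The `<description>` only defers to the CVE list; a one-sentence summary of the two issues would let a reader judge exposure without following the links, as the Tar and Bash advisories in this same series already do.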
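Review bot: In glsa-202105-33.xml the `<background>` capitalizes "Containerd" while the `<title>`, `<product>` and `<description>` use the project's lowercase name; keep it lowercase or rephrase so the name is not sentence-initial. The second `<impact>` sentence ("Furthermore, an attacker could disclose sensitive information") drops the precondition stated in the first sentence, so it is unclear whether the same local attacker in the shim's network namespace is meant; state the precondition explicitly for each outcome.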
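Review bot: In glsa-202105-34.xml the `<description>` says Bash "incorrectly dropped privileges by setting its effective UID to its real UID", but setting the effective UID to the real UID is the expected way to drop privileges, so the sentence never says what was incorrect about it; it should name the part of the privilege drop that was incomplete so the advisory is understandable without opening CVE-2019-18276.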