| author | Repository mirror & CI <repomirrorci@gentoo.org> | 2020-03-14 16:43:44 +0000 |
|---|---|---|
| committer | Repository mirror & CI <repomirrorci@gentoo.org> | 2020-03-14 16:43:44 +0000 |
| commit | 3e4f0914d4e9c6d473b522168c6fe982006ee452 | |
| tree | 9ae3c5c4662ff4e3c20f6e0205df627667656f58 (/metadata) | |
| parent | Merge updates from master | |
| parent | [ GLSA 202003-13 ] musl: Stack-based buffer overflow | |
| download | gentoo-3e4f0914d4e9c6d473b522168c6fe982006ee452.tar.gz, gentoo-3e4f0914d4e9c6d473b522168c6fe982006ee452.tar.bz2, gentoo-3e4f0914d4e9c6d473b522168c6fe982006ee452.zip | |
Merge commit '2a2b13faa4a2d504cef8b70d2154bcdde7e12e57'
Diffstat (limited to 'metadata')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | metadata/glsa/glsa-202003-09.xml | 6 |
| -rw-r--r-- | metadata/glsa/glsa-202003-11.xml | 42 |
| -rw-r--r-- | metadata/glsa/glsa-202003-12.xml | 55 |
| -rw-r--r-- | metadata/glsa/glsa-202003-13.xml | 53 |
4 files changed, 153 insertions, 3 deletions
diff --git a/metadata/glsa/glsa-202003-09.xml b/metadata/glsa/glsa-202003-09.xml index a1ace12511cd..60427a9d7ac9 100644 --- a/metadata/glsa/glsa-202003-09.xml +++ b/metadata/glsa/glsa-202003-09.xml @@ -1,13 +1,13 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="202003-09"> - <title>OpenID library for Ruby: Server Side Request Forgery</title> + <title>OpenID library for Ruby: Server-Side Request Forgery</title> <synopsis>A vulnerability in OpenID library for Ruby at worst might allow an attacker to bypass authentication. </synopsis> <product type="ebuild">ruby-openid</product> <announced>2020-03-14</announced> - <revised count="1">2020-03-14</revised> + <revised count="2">2020-03-14</revised> <bug>698464</bug> <access>remote</access> <affected> @@ -52,5 +52,5 @@ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11027">CVE-2019-11027</uri> </references> <metadata tag="requester" timestamp="2020-03-13T02:03:43Z">whissi</metadata> - <metadata tag="submitter" timestamp="2020-03-14T14:58:38Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-14T16:10:29Z">whissi</metadata> </glsa> diff --git a/metadata/glsa/glsa-202003-11.xml b/metadata/glsa/glsa-202003-11.xml new file mode 100644 index 000000000000..d8f1f2bd9813 --- /dev/null +++ b/metadata/glsa/glsa-202003-11.xml 
@@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-11"> + <title>SVG Salamander: Server-Side Request Forgery</title> + <synopsis>A SSRF may allow remote attackers to forge illegitimate requests.</synopsis> + <product type="ebuild">svgsalamander</product> + <announced>2020-03-14</announced> + <revised count="1">2020-03-14</revised> + <bug>607720</bug> + <access>remote</access> + <affected> + <package name="dev-java/svgsalamander" auto="yes" arch="*"> + <vulnerable range="le">0.0-r2</vulnerable> + </package> + </affected> + <background> + <p>SVG Salamander is a light weight SVG renderer and animator for Java.</p> + </background> + <description> + <p>A Server-Side Request Forgery was discovered in SVG Salamander.</p> + </description> + <impact type="normal"> + <p>An attacker, by sending a specially crafted SVG file, can conduct SSRF.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>Gentoo has discontinued support for SVG Salamander. We recommend that + users unmerge SVG Salamander: + </p> + + <code> + # emerge --unmerge "dev-java/svgsalamander" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-5617">CVE-2017-5617</uri> + </references> + <metadata tag="requester" timestamp="2019-09-15T02:33:02Z">b-man</metadata> + <metadata tag="submitter" timestamp="2020-03-14T16:07:50Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202003-12.xml b/metadata/glsa/glsa-202003-12.xml new file mode 100644 index 000000000000..4232a5655da1 --- /dev/null +++ b/metadata/glsa/glsa-202003-12.xml 
@@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-12"> + <title>sudo: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in sudo, the worst of + which could result in privilege escalation. + </synopsis> + <product type="ebuild">sudo</product> + <announced>2020-03-14</announced> + <revised count="1">2020-03-14</revised> + <bug>697462</bug> + <bug>707574</bug> + <access>local</access> + <affected> + <package name="app-admin/sudo" auto="yes" arch="*"> + <unaffected range="ge">1.8.31</unaffected> + <vulnerable range="lt">1.8.31</vulnerable> + </package> + </affected> + <background> + <p>sudo (su “do”) allows a system administrator to delegate authority + to give certain users (or groups of users) the ability to run some (or + all) commands as root or another user while providing an audit trail of + the commands and their arguments. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in sudo. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>A local attacker could expose or corrupt memory information, inject code + to be run as a root user or cause a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All sudo users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.31" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14287">CVE-2019-14287</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18634">CVE-2019-18634</uri> + </references> + <metadata tag="requester" timestamp="2020-02-29T15:42:31Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-14T16:20:57Z">whissi</metadata> +</glsa> 
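Review bot: the `<impact>` paragraph of glsa-202003-12 ("A local attacker could expose or corrupt memory information, inject code to be run as a root user or cause a Denial of Service condition") is generic wording that does not line up with the `<synopsis>`, which names privilege escalation as the worst case. Since the `<description>` gives no detail beyond the two CVE identifiers, `<impact>` is the only place a reader learns what these bugs actually do; name the concrete outcome ("inject code to be run as a root user" is privilege escalation to root and should be called that), drop "expose or corrupt memory information" unless one of the referenced CVEs is being described as an information leak, and write "denial of service" without capitals. Something like "A local attacker could escalate privileges to root or cause a denial of service." would match the synopsis and the `type="high"` rating.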
diff --git a/metadata/glsa/glsa-202003-13.xml b/metadata/glsa/glsa-202003-13.xml new file mode 100644 index 000000000000..c6295d56b2fc --- /dev/null +++ b/metadata/glsa/glsa-202003-13.xml 
@@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202003-13"> + <title>musl: Stack-based buffer overflow</title> + <synopsis>A stack-based buffer overflow in musl might allow an attacker to + have an application dependent impact. + </synopsis> + <product type="ebuild">musl</product> + <announced>2020-03-14</announced> + <revised count="1">2020-03-14</revised> + <bug>711276</bug> + <access>local, remote</access> + <affected> + <package name="sys-libs/musl" auto="yes" arch="*"> + <unaffected range="ge">1.1.24</unaffected> + <vulnerable range="lt">1.1.24</vulnerable> + </package> + </affected> + <background> + <p>musl is an implementation of the C standard library built on top of the + Linux system call API, including interfaces defined in the base language + standard, POSIX, and widely agreed-upon extensions. + </p> + </background> + <description> + <p>A flaw in musl libc’s arch-specific math assembly code for i386 was + found which can lead to x87 stack overflow in the execution of subsequent + math code. + </p> + </description> + <impact type="normal"> + <p>Impact depends on how the application built against musl libc handles + the ABI-violating x87 state. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All musl users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/musl-1.1.24" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14697">CVE-2019-14697</uri> + </references> + <metadata tag="requester" timestamp="2020-03-03T20:43:59Z">whissi</metadata> + <metadata tag="submitter" timestamp="2020-03-14T16:36:31Z">whissi</metadata> +</glsa> |
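Review bot: the `<synopsis>` of glsa-202003-09 still reads "A vulnerability in OpenID library for Ruby at worst might allow an attacker to bypass authentication.", which is awkward, and since this hunk already bumps `<revised count="2">` to fix the hyphenation in the title, this is the moment to tidy it as well: "A vulnerability in the OpenID library for Ruby might, at worst, allow an attacker to bypass authentication." Leaving the revised date at 2020-03-14 is correct, as the announcement and both revisions fall on the same day.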
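Review bot: in glsa-202003-11, "A SSRF" in the `<synopsis>` should be "An SSRF", and "light weight" in `<background>` is one word. More substantively, `<description>` ("A Server-Side Request Forgery was discovered in SVG Salamander.") and `<impact>` ("An attacker, by sending a specially crafted SVG file, can conduct SSRF.") add nothing beyond the title; at minimum the description should say where the forged request originates (the renderer fetching resources referenced from the SVG, if that is what the referenced CVE describes) and that no fixed version exists in the tree, which is why `<affected>` carries only `<vulnerable range="le">0.0-r2</vulnerable>` and why `<resolution>` tells users to unmerge rather than upgrade.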
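Review bot: the `<title>` of glsa-202003-13 says "Stack-based buffer overflow", but the `<description>` says the flaw "can lead to x87 stack overflow in the execution of subsequent math code" and the `<impact>` speaks of "ABI-violating x87 state". An overflow of the x87 floating-point register stack is a register-state error, not an overflow of a buffer on the call stack, so the title and the body disagree about what the bug is. Either retitle to match the body (e.g. "musl: x87 floating-point stack imbalance") or, if the title is kept to follow the CVE's classification, add a sentence to `<description>` explaining how the corrupted x87 state can turn into memory-unsafe behaviour in the calling application. Also "application dependent impact" in `<synopsis>` wants a hyphen ("application-dependent"), and `<access>local, remote</access>` should be justified in the text, since nothing in the description says which inputs reach the affected i386 math routines.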