authorRepository mirror & CI <repomirrorci@gentoo.org>2022-09-25 14:03:13 +0000
committerRepository mirror & CI <repomirrorci@gentoo.org>2022-09-25 14:03:13 +0000
commit5a216dcddcd3938f1bc8077bb5fb152dc5c0cf43 (patch)
tree559771edecb462d3861a8cc6392a90f591bead53 /metadata/glsa
parentMerge updates from master (diff)
parent[ GLSA 202209-08 ] fix bug reference typo (diff)
Merge commit '2570332a2b988e5bec8319e9b7bcfceb39048f5d'
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/glsa-202209-06.xml49
-rw-r--r--metadata/glsa/glsa-202209-07.xml40
-rw-r--r--metadata/glsa/glsa-202209-08.xml41
-rw-r--r--metadata/glsa/glsa-202209-09.xml47
-rw-r--r--metadata/glsa/glsa-202209-10.xml40
-rw-r--r--metadata/glsa/glsa-202209-11.xml44
-rw-r--r--metadata/glsa/glsa-202209-12.xml53
-rw-r--r--metadata/glsa/glsa-202209-13.xml42
-rw-r--r--metadata/glsa/glsa-202209-14.xml44
-rw-r--r--metadata/glsa/glsa-202209-15.xml64
10 files changed, 464 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202209-06.xml b/metadata/glsa/glsa-202209-06.xml
new file mode 100644
index 000000000000..717b6c92accc
--- /dev/null
+++ b/metadata/glsa/glsa-202209-06.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-06">
+ <title>Rizin: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Rizin, the worst of which could lead to arbitrary code execution.</synopsis>
+ <product type="ebuild">rizin</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>861524</bug>
+ <bug>868999</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="dev-util/rizin" auto="yes" arch="*">
+ <unaffected range="ge">0.4.1</unaffected>
+ <vulnerable range="lt">0.4.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Rizin is a reverse engineering framework for binary analysis.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Rizin. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Rizin users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-util/rizin-0.4.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34612">CVE-2022-34612</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36039">CVE-2022-36039</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36040">CVE-2022-36040</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36041">CVE-2022-36041</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36042">CVE-2022-36042</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36043">CVE-2022-36043</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36044">CVE-2022-36044</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:33:58.550630Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:33:58.562441Z">ajak</metadata>
+</glsa> \ No newline at end of file
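Review bot: The advisory is written without a trailing newline (`\ No newline at end of file` on the closing `</glsa>`), unlike glsa-202209-08.xml in the same commit; the same applies to glsa-202209-07, -09, -10, -11, -12, -13, -14 and -15. Ending each file with a newline keeps git and line-oriented tooling quiet and matches the one advisory here that already does. Separately, the `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line follows the existing GLSA convention, but any tooling that validates these files should do so with external DTD and entity loading disabled, resolving the DTD from a local copy rather than fetching it over the network.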
diff --git a/metadata/glsa/glsa-202209-07.xml b/metadata/glsa/glsa-202209-07.xml
new file mode 100644
index 000000000000..556fa69ed9a8
--- /dev/null
+++ b/metadata/glsa/glsa-202209-07.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-07">
+ <title>Mrxvt: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Mrxvt which could allow for arbitrary code execution</synopsis>
+ <product type="ebuild">mrxvt</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>791004</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="x11-terms/mrxvt" auto="yes" arch="*">
+ <vulnerable range="le">0.5.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mrxvt is a multi-tabbed rxvt clone with XFT, transparent background and CJK support.</p>
+ </background>
+ <description>
+ <p>Mrxvt mishandles certain escape sequences, some of which allow for shell command execution.</p>
+ </description>
+ <impact type="normal">
+ <p>An attacker with sufficient access to write arbitrary text to the Mrxvt terminal could execute arbitrary code.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Mrxvt. We recommend that users remove it:</p>
+
+ <code>
+ # emerge --ask --depclean "x11-terms/mrxvt"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33477">CVE-2021-33477</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:34:13.204482Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:34:13.210077Z">ajak</metadata>
+</glsa> \ No newline at end of file
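Review bot: The synopsis on the fifth line of the hunk ends without a period (`...which could allow for arbitrary code execution</synopsis>`), while the background and impact text in the same file and the synopses of the other advisories in this commit are full sentences; glsa-202209-09.xml has the same omission. Suggested: `<synopsis>A vulnerability has been discovered in Mrxvt which could allow for arbitrary code execution.</synopsis>`.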
diff --git a/metadata/glsa/glsa-202209-08.xml b/metadata/glsa/glsa-202209-08.xml
new file mode 100644
index 000000000000..9687477405a8
--- /dev/null
+++ b/metadata/glsa/glsa-202209-08.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-08">
+ <title>Smokeping: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Smokeping, the worst of which could result in root privilege escalation.</synopsis>
+ <product type="ebuild">smokeping</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>631140</bug>
+ <bug>602652</bug>
+ <access>local</access>
+ <affected>
+ <package name="net-analyzer/smokeping" auto="yes" arch="*">
+ <vulnerable range="le">2.7.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Smokeping is a powerful latency measurement tool</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Smokeping. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker which gains access to the smokeping user could gain root privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Smokeping. We recommend that users remove it:</p>
+
+ <code>
+ # emerge --ask --depclean "net-analyzer/smokeping"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-20147">CVE-2017-20147</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:34:27.263575Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:34:27.268533Z">ajak</metadata>
+</glsa>
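Review bot: The background paragraph `<p>Smokeping is a powerful latency measurement tool</p>` is missing its terminating period, unlike the background text of every other advisory in this commit. Suggested: `<p>Smokeping is a powerful latency measurement tool.</p>`.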
diff --git a/metadata/glsa/glsa-202209-09.xml b/metadata/glsa/glsa-202209-09.xml
new file mode 100644
index 000000000000..83bd6e71ede3
--- /dev/null
+++ b/metadata/glsa/glsa-202209-09.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-09">
+ <title>Smarty: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution</synopsis>
+ <product type="ebuild">smarty</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>830980</bug>
+ <bug>845180</bug>
+ <bug>870100</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-php/smarty" auto="yes" arch="*">
+ <unaffected range="ge">4.2.1</unaffected>
+ <vulnerable range="lt">4.2.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Smarty is a template engine for PHP. The &#34;template security&#34; feature of Smarty is designed to help reduce the risk of a system compromise when you have untrusted parties editing templates.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Smarty. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Smarty users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-php/smarty-4.2.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-25047">CVE-2018-25047</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21408">CVE-2021-21408</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-29454">CVE-2021-29454</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29221">CVE-2022-29221</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:34:41.298611Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:34:41.303400Z">ajak</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-10.xml b/metadata/glsa/glsa-202209-10.xml
new file mode 100644
index 000000000000..9e9ae3a3bb95
--- /dev/null
+++ b/metadata/glsa/glsa-202209-10.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-10">
+ <title>Logcheck: Root privilege escalation</title>
+ <synopsis>A vulnerability has been discovered in Logcheck&#39;s ebuilds which could allow for root privilege escalation.</synopsis>
+ <product type="ebuild">logcheck</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>630752</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-admin/logcheck" auto="yes" arch="*">
+ <vulnerable range="le">1.3.23</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Logcheck mails anomalies in the system logfiles to the administrator.</p>
+ </background>
+ <description>
+ <p>The pkg_postinst phase of the Logcheck ebuilds recursively chown the /etc/logcheck and /var/lib/logcheck directories. If the logcheck adds hardlinks to other files in these directories, the chown call will follow the link and transfer ownership of any file to the logcheck user.</p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker with access to the logcheck user could escalate to root privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Logcheck. We recommend that users remove it:</p>
+
+ <code>
+ # emerge --ask --depclean "app-admin/logcheck"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-20148">CVE-2017-20148</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:34:57.482832Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:34:57.487714Z">ajak</metadata>
+</glsa> \ No newline at end of file
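Review bot: `<access>remote</access>` contradicts the rest of this advisory: the description attributes the issue to the ebuild's pkg_postinst chown following hardlinks, and the impact paragraph names "A local attacker with access to the logcheck user", so the access vector should read `<access>local</access>`, as glsa-202209-08.xml does for a comparable local privilege escalation. Consumers that filter or prioritise advisories by access vector would otherwise misclassify this one. The description also drops a word in `If the logcheck adds hardlinks to other files in these directories`; presumably `If the logcheck user adds hardlinks to other files in these directories` is intended.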
diff --git a/metadata/glsa/glsa-202209-11.xml b/metadata/glsa/glsa-202209-11.xml
new file mode 100644
index 000000000000..d1599df5c764
--- /dev/null
+++ b/metadata/glsa/glsa-202209-11.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-11">
+ <title>HarfBuzz: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in HarfBuzz, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">harfbuzz</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>830372</bug>
+ <bug>856049</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/harfbuzz" auto="yes" arch="*">
+ <unaffected range="ge">4.4.0</unaffected>
+ <vulnerable range="lt">4.4.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>HarfBuzz is an OpenType text shaping engine.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in HarfBuzz. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All HarfBuzz users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/harfbuzz-4.4.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45931">CVE-2021-45931</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-33068">CVE-2022-33068</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:35:18.213772Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:35:18.218222Z">ajak</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-12.xml b/metadata/glsa/glsa-202209-12.xml
new file mode 100644
index 000000000000..f7b8e7ebc453
--- /dev/null
+++ b/metadata/glsa/glsa-202209-12.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-12">
+ <title>GRUB: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in GRUB, the worst of which may allow for secureboot bypass.</synopsis>
+ <product type="ebuild">grub</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>850535</bug>
+ <bug>835082</bug>
+ <access>local</access>
+ <affected>
+ <package name="sys-boot/grub" auto="yes" arch="*">
+ <unaffected range="ge">2.06</unaffected>
+ <vulnerable range="lt">2.06</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GNU GRUB is a multiboot boot loader used by most Linux systems.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GRUB. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GRUB users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-boot/grub-2.06-r3"
+ </code>
+
+ <p>After upgrading, make sure to run the grub-install command with options appropriate for your system. See the GRUB2 Gentoo Wiki page for directions. Your system will be vulnerable until this action is performed.</p>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3695">CVE-2021-3695</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3696">CVE-2021-3696</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3697">CVE-2021-3697</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3981">CVE-2021-3981</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28733">CVE-2022-28733</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28734">CVE-2022-28734</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28735">CVE-2022-28735</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28736">CVE-2022-28736</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28737">CVE-2022-28737</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:35:30.406656Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:35:30.411250Z">ajak</metadata>
+</glsa> \ No newline at end of file
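Review bot: The affected-package ranges mark 2.06 as unaffected (`<unaffected range="ge">2.06</unaffected>` / `<vulnerable range="lt">2.06</vulnerable>`), but the resolution tells users to install `>=sys-boot/grub-2.06-r3`, so grub-2.06, -r1 and -r2 are declared fixed while the advisory's own resolution implies they are not. If the fix landed in the -r3 revision, as the resolution suggests, the ranges should be `<unaffected range="ge">2.06-r3</unaffected>` and `<vulnerable range="lt">2.06-r3</vulnerable>`; otherwise the resolution text is misleading and should name 2.06. This matters because automated tooling evaluates the ranges, not the resolution text, when deciding whether a system is affected.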
diff --git a/metadata/glsa/glsa-202209-13.xml b/metadata/glsa/glsa-202209-13.xml
new file mode 100644
index 000000000000..507d8dd2000e
--- /dev/null
+++ b/metadata/glsa/glsa-202209-13.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-13">
+ <title>libaacplus: Denial of Service</title>
+ <synopsis>Multiple vulnerabilities have been discovered in libaacplus, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">libaacplus</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>618000</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="media-libs/libaacplus" auto="yes" arch="*">
+ <vulnerable range="le">2.0.2-r3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libaacplus is an HE-AAC+ v2 library, based on the reference implementation.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libaacplus. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued suport for libaacplus. We recommend that users remove it:</p>
+
+ <code>
+ # emerge --ask --depclean "media-libs/libaacplus"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-7603">CVE-2017-7603</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-7604">CVE-2017-7604</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-7605">CVE-2017-7605</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:35:43.192701Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:35:43.197563Z">ajak</metadata>
+</glsa> \ No newline at end of file
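Review bot: `suport` in the resolution paragraph is a typo; the line should read `<p>Gentoo has discontinued support for libaacplus. We recommend that users remove it:</p>`. The same sentence is spelled correctly in glsa-202209-07, -08, -10 and -15 in this commit.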
diff --git a/metadata/glsa/glsa-202209-14.xml b/metadata/glsa/glsa-202209-14.xml
new file mode 100644
index 000000000000..eebe11b4cc67
--- /dev/null
+++ b/metadata/glsa/glsa-202209-14.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-14">
+ <title>Fetchmail: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Fetchmail, the worst of which could result in email disclosure to third parties.</synopsis>
+ <product type="ebuild">fetchmail</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>810676</bug>
+ <bug>804921</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-mail/fetchmail" auto="yes" arch="*">
+ <unaffected range="ge">6.4.22</unaffected>
+ <vulnerable range="lt">6.4.22</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Fetchmail is a remote mail retrieval and forwarding utility.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Fetchmail. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Fetchmail users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.4.22"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36386">CVE-2021-36386</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39272">CVE-2021-39272</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:35:56.538201Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:35:56.542922Z">ajak</metadata>
+</glsa> \ No newline at end of file
diff --git a/metadata/glsa/glsa-202209-15.xml b/metadata/glsa/glsa-202209-15.xml
new file mode 100644
index 000000000000..17ecb3f121ef
--- /dev/null
+++ b/metadata/glsa/glsa-202209-15.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202209-15">
+ <title>Oracle JDK/JRE: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Oracle JDK and JRE, the worst of which could result in the arbitrary execution of code.</synopsis>
+ <product type="ebuild">oracle-jdk-bin,oracle-jre-bin</product>
+ <announced>2022-09-25</announced>
+ <revised count="1">2022-09-25</revised>
+ <bug>732630</bug>
+ <bug>717638</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/oracle-jdk-bin" auto="yes" arch="*">
+ <vulnerable range="le">11.0.2</vulnerable>
+ </package>
+ <package name="dev-java/oracle-jre-bin" auto="yes" arch="*">
+ <vulnerable range="le">1.8.0.202</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in today&#39;s demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that today&#39;s applications require.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Oracle&#39;s JDK and JRE software suites. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Certain uses of untrusted data by Oracle JDK and JRE could result in arbitrary code execution.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for the Oracle JDK and JRE. We recommend that users remove it, and use dev-java/openjdk, dev-java/openjdk-bin, or dev-java/openjdk-jre-bin instead:</p>
+
+ <code>
+ # emerge --ask --depclean "dev-java/oracle-jre-bin"
+ # emerge --ask --depclean "dev-java/oracle-jdk-bin"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2585">CVE-2020-2585</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2755">CVE-2020-2755</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2756">CVE-2020-2756</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2757">CVE-2020-2757</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2773">CVE-2020-2773</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2781">CVE-2020-2781</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2800">CVE-2020-2800</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2803">CVE-2020-2803</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2805">CVE-2020-2805</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14556">CVE-2020-14556</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14562">CVE-2020-14562</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14573">CVE-2020-14573</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14577">CVE-2020-14577</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14578">CVE-2020-14578</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14579">CVE-2020-14579</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14581">CVE-2020-14581</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14583">CVE-2020-14583</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14593">CVE-2020-14593</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14621">CVE-2020-14621</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14664">CVE-2020-14664</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-09-25T13:36:11.652902Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-09-25T13:36:11.657278Z">ajak</metadata>
+</glsa> \ No newline at end of file
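Review bot: The resolution paragraph covers two packages but says `We recommend that users remove it`; since both dev-java/oracle-jdk-bin and dev-java/oracle-jre-bin are listed under `<affected>` and the code block removes both, `We recommend that users remove them, and use dev-java/openjdk, dev-java/openjdk-bin, or dev-java/openjdk-jre-bin instead:` reads correctly. The `<product type="ebuild">oracle-jdk-bin,oracle-jre-bin</product>` element packs two names into a single comma-separated value; if the GLSA DTD permits that it is fine, but it is the only advisory in this commit that does so, so it is worth confirming against the DTD and against whatever consumes `<product>`.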