Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/metadata/glsa
diff options
context:
space:
mode:
authorRepository mirror & CI <repomirrorci@gentoo.org>2019-03-28 03:04:27 +0000
committerRepository mirror & CI <repomirrorci@gentoo.org>2019-03-28 03:04:27 +0000
commitc2448ed3491b6667bc34a3f249e84b8deb789c86 (patch)
tree66576d56d79ae3d9db8215322dd1f1d9be7c5c45 /metadata/glsa
parentMerge updates from master (diff)
parent[ GLSA 201903-23 ] Chromium: Multiple vulnerabilities (diff)
downloadgentoo-c2448ed3491b6667bc34a3f249e84b8deb789c86.tar.gz
gentoo-c2448ed3491b6667bc34a3f249e84b8deb789c86.tar.bz2
gentoo-c2448ed3491b6667bc34a3f249e84b8deb789c86.zip
Merge commit '821df578dd1e4239ed7205c587587491907ef45c'
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/glsa-201903-17.xml65
-rw-r--r--metadata/glsa/glsa-201903-18.xml55
-rw-r--r--metadata/glsa/glsa-201903-19.xml56
-rw-r--r--metadata/glsa/glsa-201903-20.xml69
-rw-r--r--metadata/glsa/glsa-201903-21.xml54
-rw-r--r--metadata/glsa/glsa-201903-22.xml46
-rw-r--r--metadata/glsa/glsa-201903-23.xml76
7 files changed, 421 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201903-17.xml b/metadata/glsa/glsa-201903-17.xml
new file mode 100644
index 000000000000..f561605e8c58
--- /dev/null
+++ b/metadata/glsa/glsa-201903-17.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-17">
+ <title>SDL2_Image: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in the image loading
+ library
+ for Simple DirectMedia Layer, the worst of which could result in the remote
+ execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">sdl_image</product>
+ <announced>2019-03-28</announced>
+ <revised count="1">2019-03-28</revised>
+ <bug>655226</bug>
+ <bug>674132</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="media-libs/sdl2-image" auto="yes" arch="*">
+ <unaffected range="ge">2.0.4</unaffected>
+ <vulnerable range="lt">2.0.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>SDL_image is an image file library that loads images as SDL surfaces,
+ and supports various formats like BMP, GIF, JPEG, LBM, PCX, PNG, PNM,
+ TGA, TIFF, XCF, XPM, and XV.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in SDL2_Image. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker, by enticing a user to process a specially crafted
+ image file, could execute arbitrary code, cause a Denial of Service
+ condition, or obtain sensitive information.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SDL2_Image users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=media-libs/sdl2-image-2.0.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12122">CVE-2017-12122</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14440">CVE-2017-14440</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14441">CVE-2017-14441</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14442">CVE-2017-14442</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14448">CVE-2017-14448</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14449">CVE-2017-14449</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14450">CVE-2017-14450</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3837">CVE-2018-3837</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3838">CVE-2018-3838</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3839">CVE-2018-3839</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-3977">CVE-2018-3977</uri>
+ </references>
+ <metadata tag="requester" timestamp="2018-12-02T21:13:59Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2019-03-28T02:06:35Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201903-18.xml b/metadata/glsa/glsa-201903-18.xml
new file mode 100644
index 000000000000..8a568d6c284b
--- /dev/null
+++ b/metadata/glsa/glsa-201903-18.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-18">
+ <title>GD: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in GD, the worst of which
+ could result in the remote execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">gd</product>
+ <announced>2019-03-28</announced>
+ <revised count="1">2019-03-28</revised>
+ <bug>664732</bug>
+ <bug>679702</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="media-libs/gd" auto="yes" arch="*">
+ <unaffected range="ge">2.2.5-r2</unaffected>
+ <vulnerable range="lt">2.2.5-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GD is a graphic library for fast image creation.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GD. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to process a specially crafted
+ image, possibly resulting in execution of arbitrary code or a Denial of
+ Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GD users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=media-libs/gd-2.2.5-r2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000222">
+ CVE-2018-1000222
+ </uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5711">CVE-2018-5711</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6977">CVE-2019-6977</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6978">CVE-2019-6978</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-03-10T05:25:03Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2019-03-28T02:09:10Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201903-19.xml b/metadata/glsa/glsa-201903-19.xml
new file mode 100644
index 000000000000..1594fdca63ff
--- /dev/null
+++ b/metadata/glsa/glsa-201903-19.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-19">
+ <title>NASM: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in NASM, the worst of
+ which could result in the remote execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">nasm</product>
+ <announced>2019-03-28</announced>
+ <revised count="1">2019-03-28</revised>
+ <bug>635358</bug>
+ <bug>659550</bug>
+ <bug>670884</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/nasm" auto="yes" arch="*">
+ <unaffected range="ge">2.14.02</unaffected>
+ <vulnerable range="lt">2.14.02</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>NASM is a 80x86 assembler that has been created for portability and
+ modularity. NASM supports Pentium, P6, SSE MMX, and 3DNow extensions. It
+ also supports a wide range of objects formats (ELF, a.out, COFF, etc),
+ and has its own disassembler.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in NASM. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A remote attacker could cause a Denial of Service condition or execute
+ arbitrary code.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All NASM users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-lang/nasm-2.14.02"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-10686">CVE-2017-10686</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11111">CVE-2017-11111</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14228">CVE-2017-14228</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-03-10T04:10:57Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2019-03-28T02:11:39Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201903-20.xml b/metadata/glsa/glsa-201903-20.xml
new file mode 100644
index 000000000000..87cc4d4c6744
--- /dev/null
+++ b/metadata/glsa/glsa-201903-20.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-20">
+ <title>cabextract, libmspack: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in cabextract and
+ libmspack, the worst of which could result in a Denial of Service.
+ </synopsis>
+ <product type="ebuild">cabextract, libmspack</product>
+ <announced>2019-03-28</announced>
+ <revised count="1">2019-03-28</revised>
+ <bug>662874</bug>
+ <bug>669280</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-arch/cabextract" auto="yes" arch="*">
+ <unaffected range="ge">1.8</unaffected>
+ <vulnerable range="lt">1.8</vulnerable>
+ </package>
+ <package name="dev-libs/libmspack" auto="yes" arch="*">
+ <unaffected range="ge">0.8_alpha</unaffected>
+ <vulnerable range="lt">0.8_alpha</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>cabextract is free software for extracting Microsoft cabinet files.</p>
+
+ <p>libmspack is a portable library for some loosely related Microsoft
+ compression formats
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in cabextract and
+ libmspack. Please review the CVE identifiers referenced below for
+ details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE’s for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All cabextract users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-arch/cabextract-1.8"
+ </code>
+
+ <p>All libmspack users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-libs/libmspack-0.8_alpha"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14679">CVE-2018-14679</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14680">CVE-2018-14680</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14681">CVE-2018-14681</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14682">CVE-2018-14682</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18584">CVE-2018-18584</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18585">CVE-2018-18585</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18586">CVE-2018-18586</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-03-24T19:20:01Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2019-03-28T02:14:01Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201903-21.xml b/metadata/glsa/glsa-201903-21.xml
new file mode 100644
index 000000000000..bfbf093933d1
--- /dev/null
+++ b/metadata/glsa/glsa-201903-21.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-21">
+ <title>Apache: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Apache Web Server, the
+ worst of which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">apache</product>
+ <announced>2019-03-28</announced>
+ <revised count="1">2019-03-28</revised>
+ <bug>676064</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-servers/apache" auto="yes" arch="*">
+ <unaffected range="ge">2.4.38-r1</unaffected>
+ <vulnerable range="lt">2.4.38-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Apache HTTP server is one of the most popular web servers on the
+ Internet.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Apache. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker can possibly cause a Denial of Service condition or
+ could bypass mod_session_cookie expiration time.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Apache users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-servers/apache-2.4.38-r1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17189">CVE-2018-17189</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17190">CVE-2018-17190</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17199">CVE-2018-17199</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-0190">CVE-2019-0190</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-03-24T13:34:22Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2019-03-28T02:17:53Z">Zlogene</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201903-22.xml b/metadata/glsa/glsa-201903-22.xml
new file mode 100644
index 000000000000..a4ca5781ef35
--- /dev/null
+++ b/metadata/glsa/glsa-201903-22.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-22">
+ <title>ZeroMQ: Code execution</title>
+ <synopsis>An overflow was discovered in ZeroMQ which could lead to arbitrary
+ code execution.
+ </synopsis>
+ <product type="ebuild">zeromq</product>
+ <announced>2019-03-28</announced>
+ <revised count="1">2019-03-28</revised>
+ <bug>675376</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="net-libs/zeromq" auto="yes" arch="*">
+ <unaffected range="ge">4.3.1</unaffected>
+ <vulnerable range="lt">4.3.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Looks like an embeddable networking library but acts like a concurrency
+ framework
+ </p>
+ </background>
+ <description>
+ <p>Please reference the CVE for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please reference the CVE for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ZeroMQ users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-libs/zeromq-4.3.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6250">CVE-2019-6250</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-03-24T14:21:11Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2019-03-28T02:20:04Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201903-23.xml b/metadata/glsa/glsa-201903-23.xml
new file mode 100644
index 000000000000..cd7a6ab5f4c2
--- /dev/null
+++ b/metadata/glsa/glsa-201903-23.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201903-23">
+ <title>Chromium: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Chromium, the worst of
+ which could result in the remote execution of code.
+ </synopsis>
+ <product type="ebuild">chromium</product>
+ <announced>2019-03-28</announced>
+ <revised count="1">2019-03-28</revised>
+ <bug>671550</bug>
+ <bug>677066</bug>
+ <bug>679530</bug>
+ <bug>680242</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/chromium" auto="yes" arch="*">
+ <unaffected range="ge">73.0.3683.75</unaffected>
+ <vulnerable range="lt">73.0.3683.75</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Chromium is an open-source browser project that aims to build a safer,
+ faster, and more stable way for all users to experience the web.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Chromium and Google
+ Chrome. Please review the referenced CVE identifiers and Google Chrome
+ Releases for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers and Google Chrome Releases
+ for details.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Chromium users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-client/chromium-73.0.3683.75"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17479">CVE-2018-17479</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5786">CVE-2019-5786</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5786">CVE-2019-5786</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5787">CVE-2019-5787</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5788">CVE-2019-5788</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5789">CVE-2019-5789</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5790">CVE-2019-5790</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5791">CVE-2019-5791</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5792">CVE-2019-5792</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5793">CVE-2019-5793</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5794">CVE-2019-5794</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5795">CVE-2019-5795</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5796">CVE-2019-5796</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5797">CVE-2019-5797</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5798">CVE-2019-5798</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5799">CVE-2019-5799</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5800">CVE-2019-5800</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5801">CVE-2019-5801</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5802">CVE-2019-5802</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5803">CVE-2019-5803</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5804">CVE-2019-5804</uri>
+ </references>
+ <metadata tag="requester" timestamp="2019-03-24T22:13:31Z">BlueKnight</metadata>
+ <metadata tag="submitter" timestamp="2019-03-28T02:22:18Z">b-man</metadata>
+</glsa>