Merge commit 'ea9671c73a3b7457c7e4487c1c538557855dfa44' into master

4 files changed, 215 insertions, 0 deletions

diff --git a/metadata/glsa/glsa-202008-21.xml b/metadata/glsa/glsa-202008-21.xml
new file mode 100644
index 000000000000..95b86052c097
--- /dev/null
+++ b/metadata/glsa/glsa-202008-21.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-21">
+  <title>Kleopatra: Remote code execution</title>
+  <synopsis>A vulnerability in Kleopatra allows arbitrary execution of code.</synopsis>
+  <product type="ebuild">kleopatra</product>
+  <announced>2020-08-30</announced>
+  <revised count="1">2020-08-30</revised>
+  <bug>739556</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="kde-apps/kleopatra" auto="yes" arch="*">
+      <unaffected range="ge">20.04.3-r1</unaffected>
+      <vulnerable range="lt">20.04.3-r1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Kleopatra is a certificate manager and a universal crypto GUI. It
+      supports managing X.509 and OpenPGP certificates in the GpgSM keybox and
+      retrieving certificates from LDAP servers.
+    </p>
+  </background>
+  <description>
+    <p>Kleopatra did not safely escape command line parameters provided by
+      URLs, which it configures itself to handle.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user to process a specially crafted URL
+      via openpgp4fpr handler, possibly resulting in execution of arbitrary
+      code with the privileges of the process, or cause a Denial of Service
+      condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Kleopatra users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=kde-apps/kleopatra-20.04.3-r1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-24972">CVE-2020-24972</uri>
+  </references>
+  <metadata tag="requester" timestamp="2020-08-30T18:54:35Z">sam_c</metadata>
+  <metadata tag="submitter" timestamp="2020-08-30T21:04:03Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-22.xml b/metadata/glsa/glsa-202008-22.xml
new file mode 100644
index 000000000000..acef962fdfde
--- /dev/null
+++ b/metadata/glsa/glsa-202008-22.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-22">
+  <title>targetcli-fb: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in targetcli-fb, the worst
+    of which could result in privilege escalation.
+  </synopsis>
+  <product type="ebuild">targetcli-fb</product>
+  <announced>2020-08-30</announced>
+  <revised count="1">2020-08-30</revised>
+  <bug>736086</bug>
+  <access>local</access>
+  <affected>
+    <package name="sys-block/targetcli-fb" auto="yes" arch="*">
+      <unaffected range="ge">2.1.53</unaffected>
+      <vulnerable range="lt">2.1.53</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Tool for managing the Linux LIO kernel target.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in targetcli-fb. Please
+      review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Please review the referenced CVE identifiers for details.</p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All targetcli-fb users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-block/targetcli-fb-2.1.53"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10699">CVE-2020-10699</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13867">CVE-2020-13867</uri>
+  </references>
+  <metadata tag="requester" timestamp="2020-08-29T02:17:40Z">sam_c</metadata>
+  <metadata tag="submitter" timestamp="2020-08-30T21:08:50Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-23.xml b/metadata/glsa/glsa-202008-23.xml
new file mode 100644
index 000000000000..c4ea9bb57133
--- /dev/null
+++ b/metadata/glsa/glsa-202008-23.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-23">
+  <title>chrony: Symlink vulnerability</title>
+  <synopsis>A vulnerability in chrony may allow a privileged attacker to cause
+    data loss via a symlink.
+  </synopsis>
+  <product type="ebuild">chrony</product>
+  <announced>2020-08-30</announced>
+  <revised count="1">2020-08-30</revised>
+  <bug>738154</bug>
+  <access>local</access>
+  <affected>
+    <package name="net-misc/chrony" auto="yes" arch="*">
+      <unaffected range="ge">3.5.1</unaffected>
+      <vulnerable range="lt">3.5.1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>chrony is a versatile implementation of the Network Time Protocol (NTP).</p>
+  </background>
+  <description>
+    <p>It was found that chrony did not check whether its PID file was a
+      symlink.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A local attacker could perform symlink attack(s) to overwrite arbitrary
+      files with root privileges.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All chrony users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-misc/chrony-3.5.1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14367">CVE-2020-14367</uri>
+    <uri link="https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2020/08/msg00000.html">
+      chrony-3.5.1 release announcement
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2020-08-25T23:32:37Z">sam_c</metadata>
+  <metadata tag="submitter" timestamp="2020-08-30T21:09:20Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202008-24.xml b/metadata/glsa/glsa-202008-24.xml
new file mode 100644
index 000000000000..a8c11cd49f78
--- /dev/null
+++ b/metadata/glsa/glsa-202008-24.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202008-24">
+  <title>OpenJDK: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in OpenJDK, the worst of
+    which could result in the arbitrary execution of code.
+  </synopsis>
+  <product type="ebuild">openjdk</product>
+  <announced>2020-08-30</announced>
+  <revised count="1">2020-08-30</revised>
+  <bug>732624</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-java/openjdk" auto="yes" arch="*">
+      <unaffected range="ge" slot="8">8.262_p01</unaffected>
+      <vulnerable range="lt" slot="8">8.262_p01</vulnerable>
+    </package>
+    <package name="dev-java/openjdk-bin" auto="yes" arch="*">
+      <unaffected range="ge" slot="8">8.262_p01</unaffected>
+      <vulnerable range="lt" slot="8">8.262_p01</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>OpenJDK is a free and open-source implementation of the Java Platform,
+      Standard Edition.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in OpenJDK. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Please review the referenced CVE identifiers for details.</p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All OpenJDK users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-java/openjdk-8.262_p01"
+    </code>
+    
+    <p>All OpenJDK binary users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-java/openjdk-bin-8.262_p01"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14556">CVE-2020-14556</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14562">CVE-2020-14562</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14573">CVE-2020-14573</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14578">CVE-2020-14578</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14579">CVE-2020-14579</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14583">CVE-2020-14583</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14593">CVE-2020-14593</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14621">CVE-2020-14621</uri>
+  </references>
+  <metadata tag="requester" timestamp="2020-08-26T14:46:09Z">sam_c</metadata>
+  <metadata tag="submitter" timestamp="2020-08-30T21:12:11Z">sam_c</metadata>
+</glsa>