Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/metadata/glsa
diff options
context:
space:
mode:
authorRepository mirror & CI <repomirrorci@gentoo.org>2021-07-07 08:06:42 +0000
committerRepository mirror & CI <repomirrorci@gentoo.org>2021-07-07 08:06:42 +0000
commitd357434a51ca9ee8d30fcb865bcdf9789d25d037 (patch)
tree65d4c6913b03a5ed12a9a64c7652e02be736551b /metadata/glsa
parentMerge updates from master (diff)
parent[ GLSA 202107-13 ] GLib: Multiple vulnerabilities (diff)
downloadgentoo-d357434a51ca9ee8d30fcb865bcdf9789d25d037.tar.gz
gentoo-d357434a51ca9ee8d30fcb865bcdf9789d25d037.tar.bz2
gentoo-d357434a51ca9ee8d30fcb865bcdf9789d25d037.zip
Merge commit 'c1efa66777eb5882c671c8ee704a208989dab1fc'
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/glsa-202107-09.xml80
-rw-r--r--metadata/glsa/glsa-202107-10.xml51
-rw-r--r--metadata/glsa/glsa-202107-11.xml47
-rw-r--r--metadata/glsa/glsa-202107-12.xml51
-rw-r--r--metadata/glsa/glsa-202107-13.xml52
5 files changed, 281 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202107-09.xml b/metadata/glsa/glsa-202107-09.xml
new file mode 100644
index 000000000000..355d53f8722a
--- /dev/null
+++ b/metadata/glsa/glsa-202107-09.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-09">
+ <title>Mozilla Firefox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
+ worst of which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">firefox</product>
+ <announced>2021-07-07</announced>
+ <revised count="1">2021-07-07</revised>
+ <bug>794082</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge" slot="0/esr78">78.11.0</unaffected>
+ <unaffected range="ge">89.0</unaffected>
+ <vulnerable range="lt">89.0</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge" slot="0/esr78">78.11.0</unaffected>
+ <unaffected range="ge">89.0</unaffected>
+ <vulnerable range="lt">89.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla
+ project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox ESR users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-client/firefox-78.11.0"
+ </code>
+
+ <p>All Mozilla Firefox ESR binary users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-client/firefox-bin-78.11.0"
+ </code>
+
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-client/firefox-89.0"
+ </code>
+
+ <p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-client/firefox-bin-89.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-29959">CVE-2021-29959</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-29960">CVE-2021-29960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-29961">CVE-2021-29961</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-29966">CVE-2021-29966</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-07-06T03:15:54Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-07-07T07:46:37Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-10.xml b/metadata/glsa/glsa-202107-10.xml
new file mode 100644
index 000000000000..b271ec42cba4
--- /dev/null
+++ b/metadata/glsa/glsa-202107-10.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-10">
+ <title>TCG TPM2 Software Stack: Information disclosure</title>
+ <synopsis>A bug in TCG TPM2 Software Stack may result in information
+ disclosure to a local attacker.
+ </synopsis>
+ <product type="ebuild">tpm2-tss</product>
+ <announced>2021-07-07</announced>
+ <revised count="1">2021-07-07</revised>
+ <bug>746563</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-crypt/tpm2-tss" auto="yes" arch="*">
+ <unaffected range="ge">2.4.3</unaffected>
+ <vulnerable range="lt">2.4.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>TCG TPM2 Software Stack is a library to interface with trusted platform
+ modules.
+ </p>
+ </background>
+ <description>
+ <p>TCG TPM2 Software Stack did not appropriately apply FAPI policies to
+ protect data encrypted with the trusted platform module.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Data encrypted using TCG TPM2 Software Stack (tpm2-tss) may not be
+ protected from an attacker.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All tpm2-tss users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-crypt/tpm2-tss-2.4.3"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-24455">CVE-2020-24455</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-05-24T14:04:16Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-07-07T07:58:39Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-11.xml b/metadata/glsa/glsa-202107-11.xml
new file mode 100644
index 000000000000..33c7a57948fd
--- /dev/null
+++ b/metadata/glsa/glsa-202107-11.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-11">
+ <title>OpenDoas: Insufficient environment filtering</title>
+ <synopsis>A vulnerability in OpenDoas could lead to privilege escalation.</synopsis>
+ <product type="ebuild">doas</product>
+ <announced>2021-07-07</announced>
+ <revised count="1">2021-07-07</revised>
+ <bug>767781</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-admin/doas" auto="yes" arch="*">
+ <unaffected range="ge">6.8.1</unaffected>
+ <vulnerable range="lt">6.8.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenDoas allows users to run commands as other users.</p>
+ </background>
+ <description>
+ <p>OpenDoas does not properly filter the PATH variable from the resulting
+ shell after escalating privileges.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker with control of a user’s PATH variable could escalate
+ privileges if that user uses OpenDoas with a poisoned PATH variable.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenDoas users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-admin/doas-6.8.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-25016">CVE-2019-25016</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-05-30T16:48:56Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2021-07-07T07:59:33Z">ajak</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-12.xml b/metadata/glsa/glsa-202107-12.xml
new file mode 100644
index 000000000000..3dc6bc469258
--- /dev/null
+++ b/metadata/glsa/glsa-202107-12.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-12">
+ <title>Schism Tracker: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Schism Tracker, the
+ worst of which could result in denial of service.
+ </synopsis>
+ <product type="ebuild">schismtracker</product>
+ <announced>2021-07-07</announced>
+ <revised count="1">2021-07-07</revised>
+ <bug>711210</bug>
+ <access>local</access>
+ <affected>
+ <package name="media-sound/schismtracker" auto="yes" arch="*">
+ <unaffected range="ge">20190805</unaffected>
+ <vulnerable range="lt">20190805</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Schism Tracker is a free implementation of Impulse Tracker, a tool used
+ to create high quality music.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Schism Tracker. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Schism Tracker users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=media-sound/schismtracker-20190805"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14465">CVE-2019-14465</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14523">CVE-2019-14523</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-06-02T11:30:32Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-07-07T08:00:28Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202107-13.xml b/metadata/glsa/glsa-202107-13.xml
new file mode 100644
index 000000000000..bb98e4f0139c
--- /dev/null
+++ b/metadata/glsa/glsa-202107-13.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202107-13">
+ <title>GLib: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in GLib, the worst of
+ which could result in the arbitrary execution of code.
+ </synopsis>
+ <product type="ebuild">glib</product>
+ <announced>2021-07-07</announced>
+ <revised count="1">2021-07-07</revised>
+ <bug>768753</bug>
+ <bug>775632</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-libs/glib" auto="yes" arch="*">
+ <unaffected range="ge">2.66.8</unaffected>
+ <vulnerable range="lt">2.66.8</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GLib is a library providing a number of GNOME’s core objects and
+ functions.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GLib. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GLib users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-libs/glib-2.66.8"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-27218">CVE-2021-27218</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-27219">CVE-2021-27219</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28153">CVE-2021-28153</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-05-24T01:51:26Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-07-07T08:01:06Z">whissi</metadata>
+</glsa>