bump(metadata/glsa): sync with upstream

David Michael 2017-11-10 10:21:50 -05:00
parent 20690f0a4f
commit ba24d4a071
8 changed files with 445 additions and 2 deletions


@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-28">
<title>Jython: Arbitrary code execution</title>
<synopsis>A vulnerability in Jython may lead to arbitrary code execution.
</synopsis>
<product type="ebuild">Jython</product>
<announced>2017-10-29</announced>
<revised>2017-10-29: 1</revised>
<bug>621876</bug>
<access>remote</access>
<affected>
<package name="dev-java/jython" auto="yes" arch="*">
<unaffected range="ge">2.7.0-r2</unaffected>
<vulnerable range="lt">2.7.0-r2</vulnerable>
</package>
</affected>
<background>
<p>An implementation of Python written in Java.</p>
</background>
<description>
<p>It was found that Jython is vulnerable to arbitrary code execution by
sending a serialized function to the deserializer.
</p>
</description>
<impact type="normal">
<p>Remote execution of arbitrary code by enticing a user to execute
malicious code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Jython users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-java/jython-2.7.0-r2"
</code>
</resolution>
<references>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000">
CVE-2016-4000
</uri>
</references>
<metadata tag="requester" timestamp="2017-10-26T13:31:13Z">jmbailey</metadata>
<metadata tag="submitter" timestamp="2017-10-29T17:17:48Z">jmbailey</metadata>
</glsa>
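Review bot: The DOCTYPE at the top of this section references an external DTD over plain http, and the same line appears in each of the other five advisory sections in this commit, so any tool that validates these files should resolve `http://www.gentoo.org/dtd/glsa.dtd` from a local XML catalog and parse with external entity loading disabled rather than fetching it at parse time. That is a consumer-side caveat rather than a change to the synced files, since the DOCTYPE is part of the upstream GLSA format. Separately, the `<uri>` references across the sections mix three link styles (cve.mitre.org `cvename.cgi?name=`, nvd.nist.gov `nvd.cfm?cvename=` and nvd.nist.gov `vuln/detail/`), which is harmless for readers but worth normalising upstream so downstream scrapers see one form.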


@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-29">
<title>Asterisk: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Asterisk, the worst of
which allows remote execution of arbitrary shell commands.
</synopsis>
<product type="ebuild">asterisk</product>
<announced>2017-10-29</announced>
<revised>2017-10-29: 1</revised>
<bug>629682</bug>
<bug>629692</bug>
<bug>633856</bug>
<access>remote</access>
<affected>
<package name="net-misc/asterisk" auto="yes" arch="*">
<unaffected range="ge">11.25.3</unaffected>
<vulnerable range="lt">11.25.3</vulnerable>
</package>
</affected>
<background>
<p>A Modular Open Source PBX System.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Asterisk. Please review
the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could execute arbitrary code, cause a denial of
service condition, or cause an unauthorized data disclosure by enticing a
user to run malicious code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Asterisk users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/asterisk-13.17.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14098">CVE-2017-14098</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14099">
CVE-2017-14099
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14100">
CVE-2017-14100
</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14603">CVE-2017-14603</uri>
</references>
<metadata tag="requester" timestamp="2017-10-26T14:19:30Z">jmbailey</metadata>
<metadata tag="submitter" timestamp="2017-10-29T19:14:13Z">jmbailey</metadata>
</glsa>
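Review bot: The `<resolution>` in this section points users at `>=net-misc/asterisk-13.17.2`, but the `<affected>` block only declares `<unaffected range="ge">11.25.3</unaffected>` and `<vulnerable range="lt">11.25.3</vulnerable>`, so the machine-readable part and the human-readable part disagree on the fixed version. A checker that reads `<affected>` will treat 11.25.3 as clean while a user following the text is sent to a different release line; either the 13.x line needs its own `<unaffected>`/`<vulnerable>` pair under the same `<package>`, or the emerge command should name the version `<affected>` actually vouches for. Because this commit is an upstream sync, the correction belongs in the upstream GLSA, but it is worth reporting rather than carrying forward silently.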


@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-30">
<title>X.Org Server: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in X.Org Server the worst
of which could allow a local attacker to replace shared memory segments.
</synopsis>
<product type="ebuild">X.Org Server</product>
<announced>2017-10-29</announced>
<revised>2017-10-29: 1</revised>
<bug>493294</bug>
<bug>611350</bug>
<bug>633910</bug>
<access>local</access>
<affected>
<package name="x11-base/xorg-server" auto="yes" arch="*">
<unaffected range="ge">1.19.4</unaffected>
<vulnerable range="lt">1.19.4</vulnerable>
</package>
</affected>
<background>
<p>The X.Org project provides an open source implementation of the X Window
System.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in X.Org Server. Please
review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A local attacker could cause a global buffer overflow or a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time</p>
</workaround>
<resolution>
<p>All X.Org Server users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=x11-base/xorg-server-1.19.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6424">
CVE-2013-6424
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13721">
CVE-2017-13721
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13723">
CVE-2017-13723
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2624">
CVE-2017-2624
</uri>
</references>
<metadata tag="requester" timestamp="2017-10-25T07:28:16Z">jmbailey</metadata>
<metadata tag="submitter" timestamp="2017-10-29T19:44:06Z">jmbailey</metadata>
</glsa>


@ -0,0 +1,114 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-31">
<title>Oracle JDK/JRE: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Oracle's JDK and JRE
software suites, the worst of which can be remotely exploited without
authentication.
</synopsis>
<product type="ebuild">oracle,jdk,jre</product>
<announced>2017-10-29</announced>
<revised>2017-10-29: 1</revised>
<bug>635030</bug>
<access>remote</access>
<affected>
<package name="dev-java/oracle-jdk-bin" auto="yes" arch="*">
<unaffected range="ge">1.8.0.152-r1</unaffected>
<vulnerable range="lt">1.8.0.152-r1</vulnerable>
</package>
<package name="dev-java/oracle-jre-bin" auto="yes" arch="*">
<unaffected range="ge">1.8.0.152-r1</unaffected>
<vulnerable range="lt">1.8.0.152-r1</vulnerable>
</package>
</affected>
<background>
<p>Java Platform, Standard Edition (Java SE) lets you develop and deploy
Java applications on desktops and servers, as well as in todays
demanding embedded environments. Java offers the rich user interface,
performance, versatility, portability, and security that todays
applications require.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Oracles Java SE.
Please review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could cause a Denial of Service condition, modify
arbitrary data, or have numerous other impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Oracle JDK users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=dev-java/oracle-jdk-bin-1.8.0.152-r1"
</code>
<p>All Oracle JRE users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=dev-java/oracle-jre-bin-1.8.0.152-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10274">
CVE-2017-10274
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10281">
CVE-2017-10281
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10285">
CVE-2017-10285
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10293">
CVE-2017-10293
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10295">
CVE-2017-10295
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10309">
CVE-2017-10309
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10345">
CVE-2017-10345
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10346">
CVE-2017-10346
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10347">
CVE-2017-10347
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10348">
CVE-2017-10348
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10349">
CVE-2017-10349
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10350">
CVE-2017-10350
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10355">
CVE-2017-10355
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10356">
CVE-2017-10356
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10357">
CVE-2017-10357
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10388">
CVE-2017-10388
</uri>
</references>
<metadata tag="requester" timestamp="2017-10-24T17:32:20Z">jmbailey</metadata>
<metadata tag="submitter" timestamp="2017-10-29T22:47:00Z">jmbailey</metadata>
</glsa>
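Review bot: The `<product type="ebuild">oracle,jdk,jre</product>` line in this section packs three comma-separated tokens into one value, whereas every other section in this commit gives a single product name (`Jython`, `asterisk`, `Apache`, `libxml2`); a consumer that compares `<product>` against a package name will not match any of the three. The two `<package>` entries under `<affected>` already carry the real identifiers, so a single descriptive value such as `Oracle JDK/JRE` would be consistent with the sibling advisories without losing information. As with the rest of this sync, the change would need to land upstream.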


@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-32">
<title>Apache: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Apache, the worst of
which may result in the loss of secrets.
</synopsis>
<product type="ebuild">Apache</product>
<announced>2017-10-29</announced>
<revised>2017-10-29: 1</revised>
<bug>622240</bug>
<bug>624868</bug>
<bug>631308</bug>
<access>remote</access>
<affected>
<package name="www-servers/apache" auto="yes" arch="*">
<unaffected range="ge">2.4.27-r1</unaffected>
<vulnerable range="lt">2.4.27-r1</vulnerable>
</package>
</affected>
<background>
<p>The Apache HTTP server is one of the most popular web servers on the
Internet.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Apache. Please review
the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>The Optionsbleed vulnerability can leak arbitrary memory from the server
process that may contain secrets. Additionally attackers may cause a
Denial of Service condition, bypass authentication, or cause information
loss.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Apache users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-servers/apache-2.4.27-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3167">
CVE-2017-3167
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3169">
CVE-2017-3169
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7659">
CVE-2017-7659
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7668">
CVE-2017-7668
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7679">
CVE-2017-7679
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9788">
CVE-2017-9788
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9789">
CVE-2017-9789
</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798">
CVE-2017-9798
</uri>
</references>
<metadata tag="requester" timestamp="2017-10-23T01:26:58Z">jmbailey</metadata>
<metadata tag="submitter" timestamp="2017-10-29T23:04:17Z">jmbailey</metadata>
</glsa>


@ -0,0 +1,82 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201711-01">
<title>libxml2: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libxml2, the worst of
which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">libxml2</product>
<announced>2017-11-10</announced>
<revised>2017-11-10: 2</revised>
<bug>599192</bug>
<bug>605208</bug>
<bug>618604</bug>
<bug>622914</bug>
<bug>623206</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libxml2" auto="yes" arch="*">
<unaffected range="ge">2.9.4-r3</unaffected>
<vulnerable range="lt">2.9.4-r3</vulnerable>
</package>
</affected>
<background>
<p>libxml2 is the XML (eXtended Markup Language) C parser and toolkit
initially developed for the Gnome project.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libxml2. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to process a specially crafted XML
document, could remotely execute arbitrary code, conduct XML External
Entity (XXE) attacks, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libxml2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/libxml2-2.9.4-r3"
</code>
<p>Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these packages.
</p>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9318">
CVE-2016-9318
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0663">
CVE-2017-0663
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5969">
CVE-2017-5969
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7375">
CVE-2017-7375
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9047">
CVE-2017-9047
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9048">
CVE-2017-9048
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9049">
CVE-2017-9049
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9050">
CVE-2017-9050
</uri>
</references>
<metadata tag="requester" timestamp="2017-10-15T04:17:50Z">chrisadr</metadata>
<metadata tag="submitter" timestamp="2017-11-10T02:24:16Z">b-man</metadata>
</glsa>


@ -1 +1 @@
Mon, 23 Oct 2017 17:39:28 +0000
Fri, 10 Nov 2017 14:38:58 +0000


@ -1 +1 @@
3c64211d24fa5a633310d841c0bd5cddc991cc02 1508723227 2017-10-23T01:47:07+00:00
4ad72e046fa706e5fe66f5299894eb730f6b5bba 1510281582 2017-11-10T02:39:42+00:00