author | Repository QA checks <repo-qa-checks@gentoo.org> | 2016-12-12 00:04:56 +0000 |
---|---|---|
committer | Repository QA checks <repo-qa-checks@gentoo.org> | 2016-12-12 00:04:56 +0000 |
commit | 7e3f29dc5c3bb0052adf5516e59691b5cdbcbfbe (patch) | |
tree | 635c7d4782c08a0d269714af628b32b9c0df64f6 | |
parent | Merge updates from master (diff) | |
parent | Add GLSA 201612-30 (diff) | |
Merge commit '5027814af02f2d5fc522f96980478fdc9b080407'
-rw-r--r-- | metadata/glsa/glsa-201612-27.xml | 6 | ||||
-rw-r--r-- | metadata/glsa/glsa-201612-28.xml | 46 | ||||
-rw-r--r-- | metadata/glsa/glsa-201612-29.xml | 51 | ||||
-rw-r--r-- | metadata/glsa/glsa-201612-30.xml | 54 |
4 files changed, 154 insertions, 3 deletions
diff --git a/metadata/glsa/glsa-201612-27.xml b/metadata/glsa/glsa-201612-27.xml index e7441e5ede77..f4fd7f646d61 100644 --- a/metadata/glsa/glsa-201612-27.xml +++ b/metadata/glsa/glsa-201612-27.xml @@ -1,13 +1,13 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="201612-27"> - <title>VirtualBox: Multiple vulnerabilities [REVIEW]</title> + <title>VirtualBox: Multiple vulnerabilities</title> <synopsis>Multiple vulnerabilities have been found in VirtualBox, the worst of which allows local users to escalate privileges. </synopsis> <product type="ebuild">virtualbox</product> <announced>December 11, 2016</announced> - <revised>December 11, 2016: 1</revised> + <revised>December 11, 2016: 2</revised> <bug>505274</bug> <bug>537218</bug> <bug>550964</bug> @@ -71,5 +71,5 @@ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5613">CVE-2016-5613</uri> </references> <metadata tag="requester" timestamp="Wed, 23 Nov 2016 00:13:06 +0000">whissi</metadata> - <metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:37:27 +0000">b-man</metadata> + <metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:42:01 +0000">b-man</metadata> </glsa> diff --git a/metadata/glsa/glsa-201612-28.xml b/metadata/glsa/glsa-201612-28.xml new file mode 100644 index 000000000000..6b944e4c3006 --- /dev/null +++ b/metadata/glsa/glsa-201612-28.xml 
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-28">
+ <title>Docker: Privilege escalation</title>
+ <synopsis>A vulnerability in Docker could lead to the escalation of
+ privileges.
+ </synopsis>
+ <product type="ebuild"></product>
+ <announced>December 11, 2016</announced>
+ <revised>December 11, 2016: 1</revised>
+ <bug>581236</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-emulation/docker" auto="yes" arch="*">
+ <unaffected range="ge">1.11.0</unaffected>
+ <vulnerable range="lt">1.11.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Docker is the world’s leading software containerization platform.</p>
+ </background>
+ <description>
+ <p>Docker does not properly distinguish between numeric UIDs and string
+ usernames.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>Local attackers could possibly escalate their privileges.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Docker users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/docker-1.11.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3697">CVE-2016-3697</uri>
+ </references>
+ <metadata tag="requester" timestamp="Sat, 26 Nov 2016 00:31:47 +0000">b-man</metadata>
+ <metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:40:37 +0000">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201612-29.xml b/metadata/glsa/glsa-201612-29.xml
new file mode 100644
index 000000000000..a5f95961fbeb
--- /dev/null
+++ b/metadata/glsa/glsa-201612-29.xml 
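Review bot: `<access>remote</access>` in glsa-201612-28.xml contradicts the impact text a few lines below it, which says "Local attackers could possibly escalate their privileges", so anyone triaging advisories by attack vector will rank this one wrongly. If the impact paragraph is the accurate one, the element should read `<access>local</access>`; if remote is intended, the impact wording needs to change instead. The `<product type="ebuild"></product>` element is also left empty, while the other advisories added in this commit fill it (`libmms`, `sox`); `<product type="ebuild">docker</product>` would match them.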
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-29">
+ <title>libmms: Remote execution of arbitrary code</title>
+ <synopsis>A heap-based buffer overflow vulnerability in libmms might allow
+ remote attackers to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">libmms</product>
+ <announced>December 11, 2016</announced>
+ <revised>December 11, 2016: 1</revised>
+ <bug>507822</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libmms" auto="yes" arch="*">
+ <unaffected range="ge">0.6.4</unaffected>
+ <vulnerable range="lt">0.6.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libmms is a library for downloading (streaming) media files using the
+ mmst and mmsh protocols.
+ </p>
+ </background>
+ <description>
+ <p>A heap-based buffer overflow was discovered in the get_answer function
+ within mmsh.c of libmms.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker might send a specially crafted MMS over HTTP (MMSH)
+ response, possibly resulting in the remote execution of arbitrary code
+ with the privileges of the process.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libmms users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libmms-0.6.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2892">CVE-2014-2892</uri>
+ </references>
+ <metadata tag="requester" timestamp="Sun, 27 Nov 2016 10:19:34 +0000">b-man</metadata>
+ <metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:47:07 +0000">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201612-30.xml b/metadata/glsa/glsa-201612-30.xml
new file mode 100644
index 000000000000..f64bf35d55ee
--- /dev/null
+++ b/metadata/glsa/glsa-201612-30.xml 
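Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line names an external DTD over plain HTTP, here in glsa-201612-29.xml and equally in the new glsa-201612-28.xml and glsa-201612-30.xml. The same line appears as context in glsa-201612-27.xml, so this looks like the repository's convention rather than something this commit should change, but any tool that parses these advisories with DTD loading enabled would fetch parser input over an unauthenticated channel. Consumers should validate against a locally shipped copy of glsa.dtd with network access and external-entity resolution switched off. If the system identifier is free to change, `https://` would be the safer scheme, though that should be confirmed against the tools that match on the current string.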
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-30">
+ <title>SoX: User-assisted execution of arbitrary code</title>
+ <synopsis>Multiple heap overflows in SoX may allow remote attackers to
+ execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">sox</product>
+ <announced>December 11, 2016</announced>
+ <revised>December 11, 2016: 1</revised>
+ <bug>533296</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-sound/sox" auto="yes" arch="*">
+ <unaffected range="ge">14.4.2</unaffected>
+ <vulnerable range="lt">14.4.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>SoX is a command line utility that can convert various formats of
+ computer audio files in to other formats.
+ </p>
+ </background>
+ <description>
+ <p>A heap-based buffer overflow can be triggered when processing a
+ malicious NIST Sphere or WAV audio file.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could coerce the victim to run SoX against their
+ malicious file. This may be leveraged by an attacker to gain control of
+ program execution with the privileges of the user.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All SoX users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-sound/sox-14.4.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8145">
+ CVE-2014-8145
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="Wed, 23 Nov 2016 00:47:17 +0000">whissi</metadata>
+ <metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:50:03 +0000">b-man</metadata>
+</glsa> |
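Review bot: The `<uri>` element under `<references>` in glsa-201612-30.xml wraps its text across three lines, so the reference label reaches consumers as `CVE-2014-8145` padded with newlines and indentation, unlike the single-line form used in the other advisories in this commit. Writing it as `<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8145">CVE-2014-8145</uri>` keeps the identifier exact for tools that match on the element text without trimming. The synopsis also speaks of "Multiple heap overflows" while the description mentions a single heap-based buffer overflow; aligning the two would remove doubt about whether the one reference covers everything. There is a stray blank line before `</resolution>` as well.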