diff options
author | Repository mirror & CI <repomirrorci@gentoo.org> | 2021-07-08 04:23:22 +0000 |
---|---|---|
committer | Repository mirror & CI <repomirrorci@gentoo.org> | 2021-07-08 04:23:22 +0000 |
commit | ddb858df50a682f5315d4e9ec1c36c883c30a3ef (patch) | |
tree | 7301876f152df829198cba504c9818a8c8570eac | |
parent | 2021-07-08 04:06:54 UTC (diff) | |
parent | [ GLSA 202107-19 ] Jinja: Denial of service (diff) | |
download | gentoo-ddb858df50a682f5315d4e9ec1c36c883c30a3ef.tar.gz gentoo-ddb858df50a682f5315d4e9ec1c36c883c30a3ef.tar.bz2 gentoo-ddb858df50a682f5315d4e9ec1c36c883c30a3ef.zip |
Merge commit '87db1c532ba9e64836890a3c105fac77e62cbc0e'
-rw-r--r-- | metadata/glsa/glsa-202107-14.xml | 51 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-15.xml | 50 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-16.xml | 65 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-17.xml | 48 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-18.xml | 53 | ||||
-rw-r--r-- | metadata/glsa/glsa-202107-19.xml | 48 |
6 files changed, 315 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202107-14.xml b/metadata/glsa/glsa-202107-14.xml new file mode 100644 index 000000000000..5a10a179d0c8 --- /dev/null +++ b/metadata/glsa/glsa-202107-14.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202107-14"> + <title>rclone: Weak random number generation</title> + <synopsis>rclone uses weak random number generation such that generated + passwords can be easily cracked. + </synopsis> + <product type="ebuild">rclone</product> + <announced>2021-07-08</announced> + <revised count="1">2021-07-08</revised> + <bug>755638</bug> + <access>local</access> + <affected> + <package name="net-misc/rclone" auto="yes" arch="*"> + <unaffected range="ge">1.53.3</unaffected> + <vulnerable range="lt">1.53.3</vulnerable> + </package> + </affected> + <background> + <p>rclone is a problem to sync files to and from various cloud storage + providers. + </p> + </background> + <description> + <p>Passwords generated with rclone were insecurely generated and are + vulnerable to brute force attacks. + </p> + </description> + <impact type="normal"> + <p>Data kept secret with a password generated by rclone may be disclosed to + a local attacker. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All rclone users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/rclone-1.53.3" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28924">CVE-2020-28924</uri> + </references> + <metadata tag="requester" timestamp="2021-05-31T20:48:28Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-07-08T03:19:54Z">ajak</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202107-15.xml b/metadata/glsa/glsa-202107-15.xml new file mode 100644 index 000000000000..79b937641f54 --- /dev/null +++ b/metadata/glsa/glsa-202107-15.xml @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202107-15"> + <title>blktrace: Buffer overflow</title> + <synopsis>A buffer overflow in blktrace might allow arbitrary code execution.</synopsis> + <product type="ebuild">blktrace</product> + <announced>2021-07-08</announced> + <revised count="1">2021-07-08</revised> + <bug>655146</bug> + <access>local, remote</access> + <affected> + <package name="sys-block/blktrace" auto="yes" arch="*"> + <unaffected range="ge">1.2.0_p20210419122502</unaffected> + <vulnerable range="lt">1.2.0_p20210419122502</vulnerable> + </package> + </affected> + <background> + <p>blktrace shows detailed information about what is happening on a block + device IO queue. + </p> + </background> + <description> + <p>A crafted file could cause a buffer overflow in the ‘dev_map_read’ + function because the device and devno arrays are too small. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to open a specially crafted file + using blktrace, possibly resulting in execution of arbitrary code with + the privileges of the process or a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All blktrace users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=sys-block/blktrace-1.2.0_p20210419122502" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10689">CVE-2018-10689</uri> + </references> + <metadata tag="requester" timestamp="2021-07-06T00:11:19Z">ajak</metadata> + <metadata tag="submitter" timestamp="2021-07-08T03:29:36Z">ajak</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202107-16.xml b/metadata/glsa/glsa-202107-16.xml new file mode 100644 index 000000000000..389a5b9374de --- /dev/null +++ b/metadata/glsa/glsa-202107-16.xml @@ -0,0 +1,65 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202107-16"> + <title>Privoxy: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Privoxy, the worst of + which could result in Denial of Service. + </synopsis> + <product type="ebuild">privoxy</product> + <announced>2021-07-08</announced> + <revised count="1">2021-07-08</revised> + <bug>758428</bug> + <bug>768096</bug> + <bug>771960</bug> + <access>remote</access> + <affected> + <package name="net-proxy/privoxy" auto="yes" arch="*"> + <unaffected range="ge">3.0.32</unaffected> + <vulnerable range="lt">3.0.32</vulnerable> + </package> + </affected> + <background> + <p>Privoxy is a web proxy with advanced filtering capabilities for + enhancing privacy. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in privoxy. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>An attacker could cause a possible Denial of Service condition.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Privoxy users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-proxy/privoxy-3.0.32" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35502">CVE-2020-35502</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20209">CVE-2021-20209</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20210">CVE-2021-20210</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20211">CVE-2021-20211</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20212">CVE-2021-20212</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20213">CVE-2021-20213</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20214">CVE-2021-20214</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20215">CVE-2021-20215</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20216">CVE-2021-20216</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20217">CVE-2021-20217</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20272">CVE-2021-20272</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20273">CVE-2021-20273</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20274">CVE-2021-20274</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20275">CVE-2021-20275</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20276">CVE-2021-20276</uri> + </references> + <metadata tag="requester" timestamp="2021-05-31T21:51:37Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-07-08T03:36:21Z">ajak</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202107-17.xml b/metadata/glsa/glsa-202107-17.xml new file mode 100644 index 000000000000..4646661b6380 --- /dev/null +++ b/metadata/glsa/glsa-202107-17.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202107-17"> + <title>Mechanize: Command injection</title> + <synopsis>A file named by an attacker being utilized by Mechanize could + result in arbitrary code execution. + </synopsis> + <product type="ebuild">mechanize</product> + <announced>2021-07-08</announced> + <revised count="1">2021-07-08</revised> + <bug>768609</bug> + <access>local, remote</access> + <affected> + <package name="dev-ruby/mechanize" auto="yes" arch="*"> + <unaffected range="ge">2.7.7</unaffected> + <vulnerable range="lt">2.7.7</vulnerable> + </package> + </affected> + <background> + <p>Mechanize is a Ruby library used for automating interaction with + websites. + </p> + </background> + <description> + <p>Mechanize does not neutralize filename input and could allow arbitrary + code execution if an attacker can control filenames used by Mechanize. + </p> + </description> + <impact type="high"> + <p>Please review the referenced CVE identifiers for details.</p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mechanize users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/mechanize-2.7.7" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21289">CVE-2021-21289</uri> + </references> + <metadata tag="requester" timestamp="2021-05-31T21:54:48Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-07-08T03:38:36Z">ajak</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202107-18.xml b/metadata/glsa/glsa-202107-18.xml new file mode 100644 index 000000000000..f05d598c50b4 --- /dev/null +++ b/metadata/glsa/glsa-202107-18.xml @@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202107-18"> + <title>BladeEnc: Buffer overflow</title> + <synopsis>A buffer overflow in BladeEnc might allow arbitrary code execution.</synopsis> + <product type="ebuild">bladeenc</product> + <announced>2021-07-08</announced> + <revised count="1">2021-07-08</revised> + <bug>631394</bug> + <access>remote</access> + <affected> + <package name="media-sound/bladeenc" auto="yes" arch="*"> + <vulnerable range="lt">0.94.2-r1</vulnerable> + </package> + </affected> + <background> + <p>BladeEnc is an mp3 encoder.</p> + </background> + <description> + <p>A crafted file could cause a buffer overflow in the iteration_loop + function in BladeEnc. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to open a specially crafted using + BladeEnc, possibly resulting in execution of arbitrary code with the + privileges of the process or a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>Gentoo has discontinued support for BladeEnc. We recommend that users + unmerge ssvnc: + </p> + + <code> + # emerge --ask --depclean "media-sound/bladeenc" + </code> + + <p>NOTE: The Gentoo developer(s) maintaining BladeEnc have discontinued + support at this time. It may be possible that a new Gentoo developer will + update BladeEnc at a later date. We do not have a suggestion for a + replacement at this time. + </p> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14648">CVE-2017-14648</uri> + </references> + <metadata tag="requester" timestamp="2021-07-05T23:50:22Z">ajak</metadata> + <metadata tag="submitter" timestamp="2021-07-08T03:44:12Z">ajak</metadata> +</glsa> diff --git a/metadata/glsa/glsa-202107-19.xml b/metadata/glsa/glsa-202107-19.xml new file mode 100644 index 000000000000..75efc2f17de5 --- /dev/null +++ b/metadata/glsa/glsa-202107-19.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="202107-19"> + <title>Jinja: Denial of service</title> + <synopsis>An inefficient regular expression could be exploited to cause a + Denial of Service condition. + </synopsis> + <product type="ebuild">jinja2</product> + <announced>2021-07-08</announced> + <revised count="1">2021-07-08</revised> + <bug>768300</bug> + <access>remote</access> + <affected> + <package name="dev-python/jinja" auto="yes" arch="*"> + <unaffected range="ge">2.11.3</unaffected> + <vulnerable range="lt">2.11.3</vulnerable> + </package> + </affected> + <background> + <p>Jinja is a template engine written in pure Python.</p> + </background> + <description> + <p>The ‘urlize’ filter in Jinja utilized an inefficient regular + expression that could be exploited to consume excess CPU. + </p> + </description> + <impact type="low"> + <p>An attacker could cause a Denial of Service condition via crafted input + to the ‘urlize’ Jinja filter. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Jinja users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/jinja-2.11.3" + </code> + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28493">CVE-2020-28493</uri> + </references> + <metadata tag="requester" timestamp="2021-05-31T21:46:47Z">whissi</metadata> + <metadata tag="submitter" timestamp="2021-07-08T04:02:25Z">ajak</metadata> +</glsa> |