author | Repository mirror & CI <repomirrorci@gentoo.org> | 2023-01-11 05:32:20 +0000 |
---|---|---|
committer | Repository mirror & CI <repomirrorci@gentoo.org> | 2023-01-11 05:32:20 +0000 |
commit | 2a3cf2fe07454caf7bca94982256c24e88d1420b (patch) | |
tree | 2e2c13570101836a4e3664dfb881c5ec2ca6b791 /metadata/glsa | |
parent | Merge updates from master (diff) | |
parent | [ GLSA 202301-09 ] protobuf-java: Denial of Service (diff) | |
Merge commit 'da9b5483883fcc611753d44d34c0ede9188ce21c'
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/glsa-202301-01.xml | 72 | ||||
-rw-r--r-- | metadata/glsa/glsa-202301-02.xml | 46 | ||||
-rw-r--r-- | metadata/glsa/glsa-202301-03.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202301-04.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202301-05.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202301-06.xml | 43 | ||||
-rw-r--r-- | metadata/glsa/glsa-202301-07.xml | 43 | ||||
-rw-r--r-- | metadata/glsa/glsa-202301-08.xml | 62 | ||||
-rw-r--r-- | metadata/glsa/glsa-202301-09.xml | 44 |
9 files changed, 436 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202301-01.xml b/metadata/glsa/glsa-202301-01.xml
new file mode 100644
index 000000000000..70ca0247214c
--- /dev/null
+++ b/metadata/glsa/glsa-202301-01.xml
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202301-01">
+ <title>NTFS-3G: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in NTFS-3G, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">ntfs3g</product>
+ <announced>2023-01-11</announced>
+ <revised count="1">2023-01-11</revised>
+ <bug>878885</bug>
+ <bug>847598</bug>
+ <bug>811156</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-fs/ntfs3g" auto="yes" arch="*">
+ <unaffected range="ge">2022.10.3</unaffected>
+ <vulnerable range="lt">2022.10.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>NTFS-3G is a stable, full-featured, read-write NTFS driver for various operating systems.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in NTFS-3G. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All NTFS-3G users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-fs/ntfs3g-2022.10.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33285">CVE-2021-33285</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33286">CVE-2021-33286</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33287">CVE-2021-33287</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33289">CVE-2021-33289</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35266">CVE-2021-35266</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35267">CVE-2021-35267</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35268">CVE-2021-35268</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35269">CVE-2021-35269</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39251">CVE-2021-39251</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39252">CVE-2021-39252</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39253">CVE-2021-39253</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39254">CVE-2021-39254</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39255">CVE-2021-39255</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39256">CVE-2021-39256</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39257">CVE-2021-39257</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39258">CVE-2021-39258</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39259">CVE-2021-39259</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39260">CVE-2021-39260</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39261">CVE-2021-39261</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39262">CVE-2021-39262</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39263">CVE-2021-39263</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30783">CVE-2022-30783</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30784">CVE-2022-30784</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30785">CVE-2022-30785</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30786">CVE-2022-30786</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30787">CVE-2022-30787</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30788">CVE-2022-30788</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30789">CVE-2022-30789</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40284">CVE-2022-40284</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-01-11T05:15:14.346677Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-01-11T05:15:14.351130Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202301-02.xml b/metadata/glsa/glsa-202301-02.xml
new file mode 100644
index 000000000000..c0474688c143
--- /dev/null
+++ b/metadata/glsa/glsa-202301-02.xml
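Review bot: `<access>remote</access>` is asserted without support anywhere in the advisory, since both the description and the impact paragraph are "review the CVEs" placeholders; the referenced CVE-2021-33285 through CVE-2022-40284 set is, as far as I recall, the crafted-NTFS-image class of bugs, which needs the image mounted locally, so `<access>local</access>` may be the right value. A one-sentence impact such as `<p>Mounting a crafted NTFS image could result in arbitrary code execution or denial of service.</p>` would let glsa-check users prioritise without opening 29 NVD entries. Please confirm the attack vector against the CVEs before changing the access field.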
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202301-02">
+ <title>Twisted: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Twisted, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">twisted</product>
+ <announced>2023-01-11</announced>
+ <revised count="1">2023-01-11</revised>
+ <bug>878499</bug>
+ <bug>834542</bug>
+ <bug>832875</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/twisted" auto="yes" arch="*">
+ <unaffected range="ge">22.10.0</unaffected>
+ <vulnerable range="lt">22.10.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Twisted is an asynchronous networking framework written in Python.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Twisted. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Twisted users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/twisted-22.10.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21712">CVE-2022-21712</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21716">CVE-2022-21716</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39348">CVE-2022-39348</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-01-11T05:16:16.479507Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-01-11T05:16:16.483411Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202301-03.xml b/metadata/glsa/glsa-202301-03.xml
new file mode 100644
index 000000000000..638c1289373c
--- /dev/null
+++ b/metadata/glsa/glsa-202301-03.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202301-03">
+ <title>scikit-learn: Denial of Service</title>
+ <synopsis>A vulnerability was found in scikit-learn which could result in denial of service.</synopsis>
+ <product type="ebuild">scikit-learn</product>
+ <announced>2023-01-11</announced>
+ <revised count="1">2023-01-11</revised>
+ <bug>758323</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sci-libs/scikit-learn" auto="yes" arch="*">
+ <unaffected range="ge">1.1.1</unaffected>
+ <vulnerable range="lt">1.1.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>scikit-learn is a machine learning library for Python.</p>
+ </background>
+ <description>
+ <p>When supplied with a crafted model SVM, predict() can result in a null pointer dereference.</p>
+ </description>
+ <impact type="low">
+ <p>An attcker capable of providing a crafted model to scikit-learn can result in denial of service.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All scikit-learn users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sci-libs/scikit-learn-1.1.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28975">CVE-2020-28975</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-01-11T05:16:33.475780Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-01-11T05:16:33.478230Z">ajak</metadata>
+</glsa>
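Review bot: The synopsis's "the worst of which could result in denial of service" and `<impact type="low">` in glsa-202301-02 read as too mild for this CVE set: CVE-2022-21712, if I recall it correctly, is the case where Twisted's HTTP client forwards cookies and Authorization headers on cross-origin redirects, which is credential disclosure rather than DoS. Please re-check the three references and, if that holds, reword to `the worst of which could result in disclosure of credentials` and raise the impact type to match. The `<description>` placeholder could carry the same one-line summary so readers do not have to open NVD to learn the vector.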
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202301-04.xml b/metadata/glsa/glsa-202301-04.xml
new file mode 100644
index 000000000000..fe8451696aa2
--- /dev/null
+++ b/metadata/glsa/glsa-202301-04.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202301-04">
+ <title>jupyter_core: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in jupyter_core which could allow for the execution of code as another user.</synopsis>
+ <product type="ebuild">jupyter_core</product>
+ <announced>2023-01-11</announced>
+ <revised count="1">2023-01-11</revised>
+ <bug>878497</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/jupyter_core" auto="yes" arch="*">
+ <unaffected range="ge">4.11.2</unaffected>
+ <vulnerable range="lt">4.11.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>jupyter_core contains core Jupyter functionality.</p>
+ </background>
+ <description>
+ <p>jupyter_core trusts files for execution in the current working directory without validating ownership of those files.</p>
+ </description>
+ <impact type="high">
+ <p>By writing to a directory that is used a the current working directory for jupyter_core by another user, users can elevate privileges to those of another user.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All jupyter_core users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/jupyter_core-4.11.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39286">CVE-2022-39286</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-01-11T05:17:05.951365Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-01-11T05:17:05.954259Z">ajak</metadata>
+</glsa>
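Review bot: Two wording defects in the new glsa-202301-03 text: the description's `crafted model SVM` should be `crafted SVM model`, and the impact paragraph misspells `attcker`. A cleaner impact line would be `<p>An attacker capable of providing a crafted SVM model to scikit-learn could cause a denial of service.</p>`. It is also worth saying in the description that the trigger is a model the victim loads (typically from an untrusted serialized file), since that is the realistic path that justifies `<access>remote</access>`.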
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202301-05.xml b/metadata/glsa/glsa-202301-05.xml
new file mode 100644
index 000000000000..2aa72064076d
--- /dev/null
+++ b/metadata/glsa/glsa-202301-05.xml
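Review bot: In glsa-202301-04, `<access>remote</access>` contradicts the impact paragraph, which describes a local user pre-seeding a directory that another user later runs jupyter_core from; that is local privilege escalation and should be `<access>local</access>`, unless the authors have a remote path in mind that the text does not mention. The same paragraph has a typo: `used a the current working directory` should be `used as the current working directory`. The description also implies a workaround the advisory does not state, namely not starting Jupyter from a directory other users can write to, which would be more useful than the "no known workaround" placeholder if the maintainers agree it is accurate.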
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202301-05">
+ <title>Apache Commons Text: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been discovered in Apache Commons Text which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">commons-text</product>
+ <announced>2023-01-11</announced>
+ <revised count="1">2023-01-11</revised>
+ <bug>877577</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/commons-text" auto="yes" arch="*">
+ <unaffected range="ge">1.10.0</unaffected>
+ <vulnerable range="lt">1.10.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Apache Commons Text is a library focused on algorithms working on strings.</p>
+ </background>
+ <description>
+ <p>Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. The set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.</p>
+ </description>
+ <impact type="high">
+ <p>Crafted input to Apache Commons Text could trigger remote code execution.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Apache Commons Text users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/commons-text-1.10.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42889">CVE-2022-42889</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-01-11T05:18:10.785619Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-01-11T05:18:10.790088Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202301-06.xml b/metadata/glsa/glsa-202301-06.xml
new file mode 100644
index 000000000000..3bc783307940
--- /dev/null
+++ b/metadata/glsa/glsa-202301-06.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202301-06">
+ <title>liblouis: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in liblouis, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">liblouis</product>
+ <announced>2023-01-11</announced>
+ <revised count="1">2023-01-11</revised>
+ <bug>835093</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/liblouis" auto="yes" arch="*">
+ <unaffected range="ge">3.22.0</unaffected>
+ <vulnerable range="lt">3.22.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>liblouis is an open-source braille translator and back-translator.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in liblouis. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All liblouis users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/liblouis-3.22.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26981">CVE-2022-26981</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31783">CVE-2022-31783</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-01-11T05:18:26.543131Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-01-11T05:18:26.546170Z">ajak</metadata>
+</glsa>
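Review bot: In glsa-202301-05 the `<workaround>` placeholder is inconsistent with the description, which itself conditions exposure on applications "using the interpolation defaults ... if untrusted configuration values are used"; if that is upstream's guidance, a workaround such as `<p>Do not pass untrusted input to the default StringSubstitutor interpolator, or configure an interpolator without the script, dns and url lookups.</p>` is more useful than "none known". The lookup list in the description was also flattened into one run of dashes (`These lookups are: - "script" - ... - "dns" - ... - "url" - ...`), which is hard to parse; sentence punctuation, or a list element if the GLSA DTD allows one, would help. The `<access>remote</access>` value is consistent with the "remote code execution" wording, so that part looks right.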
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202301-07.xml b/metadata/glsa/glsa-202301-07.xml
new file mode 100644
index 000000000000..432c14e7f6ff
--- /dev/null
+++ b/metadata/glsa/glsa-202301-07.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202301-07">
+ <title>Alpine: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Alpine, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">alpine</product>
+ <announced>2023-01-11</announced>
+ <revised count="1">2023-01-11</revised>
+ <bug>807613</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/alpine" auto="yes" arch="*">
+ <unaffected range="ge">2.25</unaffected>
+ <vulnerable range="lt">2.25</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Alpine is an easy to use text-based based mail and news client.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Alpine. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Alpine users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/alpine-2.25"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38370">CVE-2021-38370</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46853">CVE-2021-46853</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-01-11T05:18:50.361361Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-01-11T05:18:50.363738Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202301-08.xml b/metadata/glsa/glsa-202301-08.xml
new file mode 100644
index 000000000000..0eeadca35f79
--- /dev/null
+++ b/metadata/glsa/glsa-202301-08.xml
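Review bot: The glsa-202301-07 background paragraph has a duplicated word: `Alpine is an easy to use text-based based mail and news client.` should read `Alpine is an easy-to-use text-based mail and news client.`. Separately, CVE-2021-38370 is, if I recall correctly, the STARTTLS response-injection bug where a man-in-the-middle injects server responses before TLS is negotiated, which is more than the "denial of service" the synopsis and `<impact type="low">` describe; please check it against NVD and raise the wording if so.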
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202301-08">
+ <title>Mbed TLS: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">mbedtls</product>
+ <announced>2023-01-11</announced>
+ <revised count="1">2023-01-11</revised>
+ <bug>857813</bug>
+ <bug>829660</bug>
+ <bug>801376</bug>
+ <bug>778254</bug>
+ <bug>764317</bug>
+ <bug>740108</bug>
+ <bug>730752</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/mbedtls" auto="yes" arch="*">
+ <unaffected range="ge">2.28.1</unaffected>
+ <vulnerable range="lt">2.28.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mbed TLS (previously PolarSSL) is an “easy to understand, use, integrate and expand” implementation of the TLS and SSL protocols and the respective cryptographic algorithms and support code required.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mbed TLS. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mbed TLS users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/mbedtls-2.28.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16150">CVE-2020-16150</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36421">CVE-2020-36421</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36422">CVE-2020-36422</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36423">CVE-2020-36423</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36424">CVE-2020-36424</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36425">CVE-2020-36425</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36426">CVE-2020-36426</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36475">CVE-2020-36475</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36476">CVE-2020-36476</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36477">CVE-2020-36477</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36478">CVE-2020-36478</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-43666">CVE-2021-43666</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44732">CVE-2021-44732</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45450">CVE-2021-45450</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35409">CVE-2022-35409</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-01-11T05:19:06.415631Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-01-11T05:19:06.418706Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202301-09.xml b/metadata/glsa/glsa-202301-09.xml
new file mode 100644
index 000000000000..eb192eec70b8
--- /dev/null
+++ b/metadata/glsa/glsa-202301-09.xml
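Review bot: The glsa-202301-08 synopsis claims "the worst of which could result in arbitrary code execution" while the impact element is `<impact type="normal">`; the other advisories in this batch that claim code execution (202301-01, 202301-04, 202301-05) use `type="high"`, so one of the two statements here is wrong. Either soften the synopsis or change the element to `<impact type="high">`. The single `<unaffected range="ge">2.28.1</unaffected>` range also declares every 3.x version fixed; if any 3.x release below its own fix version for CVE-2022-35409 or CVE-2021-44732 was ever in the tree, a second range for that line would be needed, which is worth a check against the ebuild history.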
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202301-09">
+ <title>protobuf-java: Denial of Service</title>
+ <synopsis>A vulnerability has been discovered in protobuf-java which could result in denial of service.</synopsis>
+ <product type="ebuild">protobuf-java</product>
+ <announced>2023-01-11</announced>
+ <revised count="1">2023-01-11</revised>
+ <bug>876903</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/protobuf-java" auto="yes" arch="*">
+ <unaffected range="ge">3.20.3</unaffected>
+ <vulnerable range="lt">3.20.3</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>protobuf-java contains the Java bindings for Google's Protocol Buffers.</p>
+ </background>
+ <description>
+ <p>Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.</p>
+ </description>
+ <impact type="low">
+ <p>Crafted input can trigger a denial of service via long garbage collection pauses.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All protobuf-java users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/protobuf-java-3.20.3"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3171">CVE-2022-3171</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3509">CVE-2022-3509</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3510">CVE-2022-3510</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-01-11T05:19:53.039305Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-01-11T05:19:53.043563Z">ajak</metadata>
+</glsa>
\ No newline at end of file |
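Review bot: The single range `<unaffected range="ge">3.20.3</unaffected>` declares every 3.21.x release fixed, but upstream shipped fixes for these CVEs per release line (3.20.3 and a later 3.21.x, as far as I recall), so any 3.21.x below its own fix release that was ever in the tree would be reported clean by glsa-check. Worth confirming against the ebuild history and, if needed, adding a second `<unaffected>`/`<vulnerable>` pair for the 3.21 line. The description and impact text are otherwise good and, unlike most advisories in this batch, actually state the trigger.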