Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--glsa-202403-04.xml12
-rw-r--r--glsa-202405-29.xml121
-rw-r--r--glsa-202405-30.xml41
-rw-r--r--glsa-202405-31.xml42
-rw-r--r--glsa-202405-32.xml70
-rw-r--r--glsa-202405-33.xml43
6 files changed, 326 insertions, 3 deletions
diff --git a/glsa-202403-04.xml b/glsa-202403-04.xml
index abe20743..51f84120 100644
--- a/glsa-202403-04.xml
+++ b/glsa-202403-04.xml
@@ -5,13 +5,15 @@
<synopsis>A backdoor has been discovered in XZ utils that could lead to remote compromise of systems.</synopsis>
<product type="ebuild">xz-utils</product>
<announced>2024-03-29</announced>
- <revised count="1">2024-03-29</revised>
+ <revised count="2">2024-05-29</revised>
<bug>928134</bug>
<access>remote</access>
<affected>
<package name="app-arch/xz-utils" auto="yes" arch="*">
<unaffected range="lt">5.6.0</unaffected>
- <vulnerable range="ge">5.6.0</vulnerable>
+ <unaffected range="gt">5.6.1</unaffected>
+ <vulnerable range="eq">5.6.0</vulnerable>
+ <vulnerable range="eq">5.6.1</vulnerable>
</package>
</affected>
<background>
@@ -32,10 +34,14 @@ Analysis is still ongoing, however, and additional vectors may still be identifi
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
- <p>All XZ utils users should downgrade to the latest version before the backdoor was introduced:</p>
+ <p>All XZ utils users should upgrade to the latest fixed version, or downgrade to the latest version before the backdoor was introduced:</p>
<code>
# emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;app-arch/xz-utils-5.6.1"
+ </code>
+ <code>
+ # emerge --sync
# emerge --ask --oneshot --verbose "&lt;app-arch/xz-utils-5.6.0"
</code>
</resolution>
diff --git a/glsa-202405-29.xml b/glsa-202405-29.xml
new file mode 100644
index 00000000..fa25f946
--- /dev/null
+++ b/glsa-202405-29.xml
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-29">
+ <title>Node.js: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Node.js.</synopsis>
+ <product type="ebuild">nodejs</product>
+ <announced>2024-05-08</announced>
+ <revised count="1">2024-05-08</revised>
+ <bug>772422</bug>
+ <bug>781704</bug>
+ <bug>800986</bug>
+ <bug>805053</bug>
+ <bug>807775</bug>
+ <bug>811273</bug>
+ <bug>817938</bug>
+ <bug>831037</bug>
+ <bug>835615</bug>
+ <bug>857111</bug>
+ <bug>865627</bug>
+ <bug>872692</bug>
+ <bug>879617</bug>
+ <bug>918086</bug>
+ <bug>918614</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/nodejs" auto="yes" arch="*">
+ <unaffected range="ge">16.20.2</unaffected>
+ <unaffected range="ge">18.17.1</unaffected>
+ <unaffected range="ge">20.5.1</unaffected>
+ <vulnerable range="lt">16.20.2</vulnerable>
+ <vulnerable range="lt">18.17.1</vulnerable>
+ <vulnerable range="lt">20.5.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Node.js. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Node.js 20 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/nodejs-20.5.1"
+ </code>
+
+ <p>All Node.js 18 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/nodejs-18.17.1"
+ </code>
+
+ <p>All Node.js 16 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-libs/nodejs-16.20.2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7774">CVE-2020-7774</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3672">CVE-2021-3672</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22883">CVE-2021-22883</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22884">CVE-2021-22884</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22918">CVE-2021-22918</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22930">CVE-2021-22930</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22931">CVE-2021-22931</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22939">CVE-2021-22939</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22940">CVE-2021-22940</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22959">CVE-2021-22959</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22960">CVE-2021-22960</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37701">CVE-2021-37701</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37712">CVE-2021-37712</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39134">CVE-2021-39134</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39135">CVE-2021-39135</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44531">CVE-2021-44531</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44532">CVE-2021-44532</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44533">CVE-2021-44533</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0778">CVE-2022-0778</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3602">CVE-2022-3602</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3786">CVE-2022-3786</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21824">CVE-2022-21824</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32212">CVE-2022-32212</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32213">CVE-2022-32213</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32214">CVE-2022-32214</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32215">CVE-2022-32215</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32222">CVE-2022-32222</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35255">CVE-2022-35255</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35256">CVE-2022-35256</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35948">CVE-2022-35948</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35949">CVE-2022-35949</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43548">CVE-2022-43548</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30581">CVE-2023-30581</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30582">CVE-2023-30582</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30583">CVE-2023-30583</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30584">CVE-2023-30584</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30586">CVE-2023-30586</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30587">CVE-2023-30587</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30588">CVE-2023-30588</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30589">CVE-2023-30589</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30590">CVE-2023-30590</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32002">CVE-2023-32002</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32003">CVE-2023-32003</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32004">CVE-2023-32004</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32005">CVE-2023-32005</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32006">CVE-2023-32006</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32558">CVE-2023-32558</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32559">CVE-2023-32559</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-05-08T11:16:15.398000Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-05-08T11:16:15.402000Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/glsa-202405-30.xml b/glsa-202405-30.xml
new file mode 100644
index 00000000..f0b94267
--- /dev/null
+++ b/glsa-202405-30.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-30">
+ <title>Rebar3: Command Injection</title>
+ <synopsis>A vulnerability has been discovered in Rebar3, which can lead to command injection.</synopsis>
+ <product type="ebuild">rebar-bin</product>
+ <announced>2024-05-12</announced>
+ <revised count="1">2024-05-12</revised>
+ <bug>749363</bug>
+ <access>local</access>
+ <affected>
+ <package name="dev-util/rebar-bin" auto="yes" arch="*">
+ <unaffected range="ge">3.14.4</unaffected>
+ <vulnerable range="lt">3.14.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>A sophisticated build-tool for Erlang projects that follows OTP principles.</p>
+ </background>
+ <description>
+ <p>Rebar3 is vulnerable to OS command injection via the URL parameter of a dependency specification.</p>
+ </description>
+ <impact type="normal">
+ <p>A vulnerability has been discovered in Rebar3. Please review the CVE identifier referenced below for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>Gentoo has discontinued support for Rebar3 binary package. We recommend that users unmerge it:</p>
+
+ <code>
+ # emerge --ask --depclean "dev-util/rebar-bin"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13802">CVE-2020-13802</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-05-12T05:10:21.260403Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-05-12T05:10:21.264061Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/glsa-202405-31.xml b/glsa-202405-31.xml
new file mode 100644
index 00000000..d2997188
--- /dev/null
+++ b/glsa-202405-31.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-31">
+ <title>Kubelet: Privilege Escalation</title>
+ <synopsis>A vulnerability has been discovered in Kubelet, which can lead to privilege escalation.</synopsis>
+ <product type="ebuild">kubelet</product>
+ <announced>2024-05-12</announced>
+ <revised count="1">2024-05-12</revised>
+ <bug>918665</bug>
+ <access>remote</access>
+ <affected>
+ <package name="sys-cluster/kubelet" auto="yes" arch="*">
+ <unaffected range="ge">1.28.5</unaffected>
+ <vulnerable range="lt">1.28.5</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Kubelet is a Kubernetes Node Agent.</p>
+ </background>
+ <description>
+ <p>A vulnerability has been discovered in Kubelet. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Kubelet users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-cluster/kubelet-1.28.5"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5528">CVE-2023-5528</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-05-12T05:13:03.608382Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-05-12T05:13:03.612681Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/glsa-202405-32.xml b/glsa-202405-32.xml
new file mode 100644
index 00000000..18738749
--- /dev/null
+++ b/glsa-202405-32.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-32">
+ <title>Mozilla Thunderbird: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution.</synopsis>
+ <product type="ebuild">thunderbird,thunderbird-bin</product>
+ <announced>2024-05-12</announced>
+ <revised count="1">2024-05-12</revised>
+ <bug>925123</bug>
+ <bug>926533</bug>
+ <bug>930381</bug>
+ <access>local and remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">115.10.0</unaffected>
+ <vulnerable range="lt">115.10.0</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">115.10.0</unaffected>
+ <vulnerable range="lt">115.10.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.10.0"
+ </code>
+
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.10.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1546">CVE-2024-1546</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1547">CVE-2024-1547</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1548">CVE-2024-1548</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1549">CVE-2024-1549</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1550">CVE-2024-1550</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1551">CVE-2024-1551</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1552">CVE-2024-1552</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1553">CVE-2024-1553</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1936">CVE-2024-1936</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2609">CVE-2024-2609</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3302">CVE-2024-3302</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3854">CVE-2024-3854</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3857">CVE-2024-3857</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3859">CVE-2024-3859</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3861">CVE-2024-3861</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3864">CVE-2024-3864</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-05-12T05:22:33.946434Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-05-12T05:22:33.951011Z">graaff</metadata>
+</glsa> \ No newline at end of file
diff --git a/glsa-202405-33.xml b/glsa-202405-33.xml
new file mode 100644
index 00000000..daa04af5
--- /dev/null
+++ b/glsa-202405-33.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-33">
+ <title>PoDoFo: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in PoDoFo, the worst of which could lead to code execution.</synopsis>
+ <product type="ebuild">podofo</product>
+ <announced>2024-05-12</announced>
+ <revised count="1">2024-05-12</revised>
+ <bug>906105</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-text/podofo" auto="yes" arch="*">
+ <unaffected range="ge">0.10.1</unaffected>
+ <vulnerable range="lt">0.10.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PoDoFo is a free portable C++ library to work with the PDF file format.</p>
+ </background>
+ <description>
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PoDoFo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/podofo-0.10.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31566">CVE-2023-31566</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31567">CVE-2023-31567</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-05-12T05:25:34.545530Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-05-12T05:25:34.548474Z">graaff</metadata>
+</glsa> \ No newline at end of file