Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/metadata
diff options
context:
space:
mode:
authorRepository mirror & CI <repomirrorci@gentoo.org>2021-01-27 00:32:53 +0000
committerRepository mirror & CI <repomirrorci@gentoo.org>2021-01-27 00:32:53 +0000
commitf502500cd3f90996f90c87b28df89ffefa38050f (patch)
treee25ed75abdd5d0d571bb1076c89b4fd9c31c80bc /metadata
parentMerge updates from master (diff)
parent[ GLSA 202101-33 ] sudo: Multiple vulnerabilities (diff)
downloadgentoo-f502500cd3f90996f90c87b28df89ffefa38050f.tar.gz
gentoo-f502500cd3f90996f90c87b28df89ffefa38050f.tar.bz2
gentoo-f502500cd3f90996f90c87b28df89ffefa38050f.zip
Merge commit 'e05354f4a5975cee7f8a2b344c85fa45c401e17c' into master
Diffstat (limited to 'metadata')
-rw-r--r--metadata/glsa/glsa-202101-31.xml46
-rw-r--r--metadata/glsa/glsa-202101-32.xml62
-rw-r--r--metadata/glsa/glsa-202101-33.xml61
3 files changed, 169 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202101-31.xml b/metadata/glsa/glsa-202101-31.xml
new file mode 100644
index 000000000000..3d7dcd82f908
--- /dev/null
+++ b/metadata/glsa/glsa-202101-31.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-31">
+ <title>Cacti: Remote code execution</title>
+ <synopsis>A vulnerability in Cacti could lead to remote code execution.</synopsis>
+ <product type="ebuild">cacti</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>765019</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-analyzer/cacti" auto="yes" arch="*">
+ <unaffected range="ge">1.2.16-r1</unaffected>
+ <vulnerable range="lt">1.2.16-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Cacti is a complete frontend to rrdtool.</p>
+ </background>
+ <description>
+ <p>The side_id parameter in data_debug.php does not properly verify input
+ allowing SQL injection.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process or cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Cacti users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-analyzer/cacti-1.2.16-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35701">CVE-2020-35701</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-26T00:34:29Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T23:38:21Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-32.xml b/metadata/glsa/glsa-202101-32.xml
new file mode 100644
index 000000000000..2c1a6dd3ef52
--- /dev/null
+++ b/metadata/glsa/glsa-202101-32.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-32">
+ <title>Mutt, NeoMutt: Information disclosure</title>
+ <synopsis>A weakness was discovered in Mutt and NeoMutt's TLS handshake
+ handling
+ </synopsis>
+ <product type="ebuild">NeoMutt</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>755833</bug>
+ <bug>755866</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/mutt" auto="yes" arch="*">
+ <unaffected range="ge">2.0.2</unaffected>
+ <vulnerable range="lt">2.0.2</vulnerable>
+ </package>
+ <package name="mail-client/neomutt" auto="yes" arch="*">
+ <unaffected range="ge">20201120</unaffected>
+ <vulnerable range="lt">20201120</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mutt is a small but very powerful text-based mail client.</p>
+
+ <p>NeoMutt is a command line mail reader (or MUA). It’s a fork of Mutt
+ with added features.
+ </p>
+ </background>
+ <description>
+ <p>A weakness in TLS handshake handling was found which may allow
+ information disclosure.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker may be able to cause information disclosure.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mutt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=mail-client/mutt-2.0.2"
+ </code>
+
+ <p>All NeoMutt users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=mail-client/neomutt-20201120"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28896">CVE-2020-28896</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-26T00:28:06Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T23:39:28Z">sam_c</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202101-33.xml b/metadata/glsa/glsa-202101-33.xml
new file mode 100644
index 000000000000..a53bfabd5cd9
--- /dev/null
+++ b/metadata/glsa/glsa-202101-33.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202101-33">
+ <title>sudo: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in sudo, the worst of
+ which could result in privilege escalation.
+ </synopsis>
+ <product type="ebuild">sudo</product>
+ <announced>2021-01-26</announced>
+ <revised count="1">2021-01-26</revised>
+ <bug>764986</bug>
+ <bug>767364</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-admin/sudo" auto="yes" arch="*">
+ <unaffected range="ge">1.9.5_p2</unaffected>
+ <vulnerable range="lt">1.9.5_p2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>sudo (su “do”) allows a system administrator to delegate authority
+ to give certain users (or groups of users) the ability to run some (or
+ all) commands as root or another user while providing an audit trail of
+ the commands and their arguments.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in sudo. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>Local users are able to gain unauthorized privileges on the system or
+ determine the existence of files.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All sudo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-admin/sudo-1.9.5_p2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23239">CVE-2021-23239</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23240">CVE-2021-23240</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3156">CVE-2021-3156</uri>
+ <uri link="https://www.sudo.ws/alerts/sudoedit_selinux.html">Upstream
+ advisory (CVE-2020-23240)
+ </uri>
+ <uri link="https://www.sudo.ws/alerts/unescape_overflow.html">Upstream
+ advisory (CVE-2021-3156)
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-01-26T22:52:21Z">sam_c</metadata>
+ <metadata tag="submitter" timestamp="2021-01-26T23:40:46Z">sam_c</metadata>
+</glsa>