author | 2022-11-22 04:02:13 +0000 | |
---|---|---|
committer | 2022-11-22 04:02:13 +0000 | |
commit | 41fef069fec38148647ca2ae2a33a99fcba7e8f4 (patch) | |
tree | 8e018385de1531a6982f5573312a768e6bbc789d /metadata/glsa | |
parent | Merge updates from master (diff) | |
parent | [ GLSA 202211-11 ] GPL Ghostscript: Multiple Vulnerabilities (diff) | |
download | gentoo-41fef069fec38148647ca2ae2a33a99fcba7e8f4.tar.gz gentoo-41fef069fec38148647ca2ae2a33a99fcba7e8f4.tar.bz2 gentoo-41fef069fec38148647ca2ae2a33a99fcba7e8f4.zip |
Merge commit 'ae2df9a36eb30967fc9dd392f63bc7af60249272'
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/glsa-202211-03.xml | 65 | ||||
-rw-r--r-- | metadata/glsa/glsa-202211-04.xml | 87 | ||||
-rw-r--r-- | metadata/glsa/glsa-202211-05.xml | 65 | ||||
-rw-r--r-- | metadata/glsa/glsa-202211-06.xml | 89 | ||||
-rw-r--r-- | metadata/glsa/glsa-202211-07.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202211-08.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202211-09.xml | 44 | ||||
-rw-r--r-- | metadata/glsa/glsa-202211-10.xml | 54 | ||||
-rw-r--r-- | metadata/glsa/glsa-202211-11.xml | 44 |
9 files changed, 532 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202211-03.xml b/metadata/glsa/glsa-202211-03.xml
new file mode 100644
index 000000000000..237aa0d806c8
--- /dev/null
+++ b/metadata/glsa/glsa-202211-03.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202211-03">
+ <title>PHP: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in PHP, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">php</product>
+ <announced>2022-11-19</announced>
+ <revised count="1">2022-11-19</revised>
+ <bug>867913</bug>
+ <bug>873376</bug>
+ <bug>877853</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/php" auto="yes" arch="*">
+ <unaffected range="ge" slot="8.1">8.1.12</unaffected>
+ <unaffected range="ge" slot="8.0">8.0.25</unaffected>
+ <unaffected range="ge" slot="7.4">7.4.33</unaffected>
+ <vulnerable range="lt" slot="8.1">8.1.12</vulnerable>
+ <vulnerable range="lt" slot="8.0">8.0.25</vulnerable>
+ <vulnerable range="lt" slot="7.4">7.4.33</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PHP 7.4 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.33"
+ </code>
+
+ <p>All PHP 8.0 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-8.0.25"
+ </code>
+
+ <p>All PHP 8.1 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-8.1.12"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31628">CVE-2022-31628</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31629">CVE-2022-31629</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31630">CVE-2022-31630</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-37454">CVE-2022-37454</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-11-19T03:32:18.817744Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-11-19T03:32:18.825295Z">sam</metadata>
+</glsa>
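Review bot: The impact rating `<impact type="normal">` sits under a synopsis whose worst case is arbitrary code execution with `<access>remote</access>`, while the other advisories in this merge with the same worst case and access (Thunderbird, Firefox, Pillow, Ghostscript) use `<impact type="high">`; unless the lower rating is deliberate, `<impact type="high">` would keep the batch consistent. glsa-202211-07 (sysstat, local) and glsa-202211-09 (xterm, remote) carry the same combination of an arbitrary-code-execution synopsis and `type="normal"`. Separately, all nine files declare `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, an external subset whose identifier is a plain-HTTP URL; any tooling that validates these advisories should resolve it through a local catalog with network entity loading disabled rather than dereferencing the URL, since a DTD fetched over the network defines what the parser expands. The DOCTYPE itself follows the existing GLSA convention, so no change to the files is proposed for that part.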
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202211-04.xml b/metadata/glsa/glsa-202211-04.xml
new file mode 100644
index 000000000000..ba61adcd9ec4
--- /dev/null
+++ b/metadata/glsa/glsa-202211-04.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202211-04">
+ <title>PostgreSQL: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in PostgreSQL, the worst of which could result in remote code execution.</synopsis>
+ <product type="ebuild">postgresql</product>
+ <announced>2022-11-19</announced>
+ <revised count="1">2022-11-19</revised>
+ <bug>793734</bug>
+ <bug>808984</bug>
+ <bug>823125</bug>
+ <bug>865255</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-db/postgresql" auto="yes" arch="*">
+ <unaffected range="ge">14.5</unaffected>
+ <unaffected range="ge" slot="13">13.8</unaffected>
+ <unaffected range="ge" slot="12">12.12</unaffected>
+ <unaffected range="ge" slot="11">11.17</unaffected>
+ <unaffected range="ge" slot="10">10.22</unaffected>
+ <vulnerable range="lt" slot="14">14.5</vulnerable>
+ <vulnerable range="lt" slot="13">13.8</vulnerable>
+ <vulnerable range="lt" slot="12">12.12</vulnerable>
+ <vulnerable range="lt" slot="11">11.17</vulnerable>
+ <vulnerable range="lt">10.22</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PostgreSQL is an open source object-relational database management system.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PostgreSQL 10.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.22:10"
+ </code>
+
+ <p>All PostgreSQL 11.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.17:11"
+ </code>
+
+ <p>All PostgreSQL 12.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.12:12"
+ </code>
+
+ <p>All PostgreSQL 13.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.8:13"
+ </code>
+
+ <p>All PostgreSQL 14.x users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.5:14"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3677">CVE-2021-3677</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23214">CVE-2021-23214</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23222">CVE-2021-23222</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32027">CVE-2021-32027</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32028">CVE-2021-32028</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1552">CVE-2022-1552</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2625">CVE-2022-2625</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-11-19T03:33:10.915978Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-11-19T03:33:10.920639Z">sam</metadata>
+</glsa>
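Review bot: The slot attributes on the version ranges are asymmetric: `<unaffected range="ge">14.5</unaffected>` has no slot while its counterpart `<vulnerable range="lt" slot="14">14.5</vulnerable>` does, and `<vulnerable range="lt">10.22</vulnerable>` has no slot while `<unaffected range="ge" slot="10">10.22</unaffected>` does. Every other pair in the package element carries matching slots, so this looks like an omission rather than intent; if a slot-less range is evaluated against every installed slot, the bare `ge 14.5` would also declare any later slot unaffected regardless of that slot's own fix version. I would change the two lines to `<unaffected range="ge" slot="14">14.5</unaffected>` and `<vulnerable range="lt" slot="10">10.22</vulnerable>`.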
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202211-05.xml b/metadata/glsa/glsa-202211-05.xml
new file mode 100644
index 000000000000..b1b775bd9e81
--- /dev/null
+++ b/metadata/glsa/glsa-202211-05.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202211-05">
+ <title>Mozilla Thunderbird: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">thunderbird,thunderbird-bin</product>
+ <announced>2022-11-22</announced>
+ <revised count="1">2022-11-22</revised>
+ <bug>881407</bug>
+ <access>remote</access>
+ <affected>
+ <package name="mail-client/thunderbird" auto="yes" arch="*">
+ <unaffected range="ge">102.5.0</unaffected>
+ <vulnerable range="lt">102.5.0</vulnerable>
+ </package>
+ <package name="mail-client/thunderbird-bin" auto="yes" arch="*">
+ <unaffected range="ge">102.5.0</unaffected>
+ <vulnerable range="lt">102.5.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Thunderbird binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.5.0"
+ </code>
+
+ <p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.5.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45403">CVE-2022-45403</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45404">CVE-2022-45404</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45405">CVE-2022-45405</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45406">CVE-2022-45406</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45408">CVE-2022-45408</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45409">CVE-2022-45409</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45410">CVE-2022-45410</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45411">CVE-2022-45411</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45412">CVE-2022-45412</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45416">CVE-2022-45416</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45418">CVE-2022-45418</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45420">CVE-2022-45420</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45421">CVE-2022-45421</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-11-22T03:50:21.079709Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-11-22T03:50:21.087736Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202211-06.xml b/metadata/glsa/glsa-202211-06.xml
new file mode 100644
index 000000000000..1fbd73ac2901
--- /dev/null
+++ b/metadata/glsa/glsa-202211-06.xml
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202211-06">
+ <title>Mozilla Firefox: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">firefox,firefox-bin</product>
+ <announced>2022-11-22</announced>
+ <revised count="1">2022-11-22</revised>
+ <bug>881403</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge" slot="rapid">107.0</unaffected>
+ <unaffected range="ge" slot="esr">102.5.0</unaffected>
+ <vulnerable range="lt" slot="rapid">107.0</vulnerable>
+ <vulnerable range="lt" slot="esr">102.5.0</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge" slot="rapid">107.0</unaffected>
+ <unaffected range="ge" slot="esr">102.5.0</unaffected>
+ <vulnerable range="lt" slot="rapid">107.0</vulnerable>
+ <vulnerable range="lt" slot="esr">102.5.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox ESR binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.5.0"
+ </code>
+
+ <p>All Mozilla Firefox ESR users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-102.5.0"
+ </code>
+
+ <p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-107.0"
+ </code>
+
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-107.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40674">CVE-2022-40674</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45403">CVE-2022-45403</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45404">CVE-2022-45404</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45405">CVE-2022-45405</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45406">CVE-2022-45406</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45407">CVE-2022-45407</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45408">CVE-2022-45408</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45409">CVE-2022-45409</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45410">CVE-2022-45410</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45411">CVE-2022-45411</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45412">CVE-2022-45412</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45413">CVE-2022-45413</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45415">CVE-2022-45415</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45416">CVE-2022-45416</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45417">CVE-2022-45417</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45418">CVE-2022-45418</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45419">CVE-2022-45419</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45420">CVE-2022-45420</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45421">CVE-2022-45421</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-11-22T03:51:05.820873Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-11-22T03:51:05.825843Z">ajak</metadata>
+</glsa>
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202211-07.xml b/metadata/glsa/glsa-202211-07.xml
new file mode 100644
index 000000000000..045ffe019c9a
--- /dev/null
+++ b/metadata/glsa/glsa-202211-07.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202211-07">
+ <title>sysstat: Arbitrary Code Execution</title>
+ <synopsis>An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">sysstat</product>
+ <announced>2022-11-22</announced>
+ <revised count="1">2022-11-22</revised>
+ <bug>880543</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-admin/sysstat" auto="yes" arch="*">
+ <unaffected range="ge">12.7.1</unaffected>
+ <vulnerable range="lt">12.7.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>sysstat is a package containing a number of performance monitoring utilities for Linux, including sar, mpstat, iostat and sa tools.</p>
+ </background>
+ <description>
+ <p>On 32 bit systems, an integer overflow can be triggered when displaying activity data files.</p>
+ </description>
+ <impact type="normal">
+ <p>Arbitrary code execution can be achieved via sufficiently crafted malicious input.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All sysstat users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.7.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39377">CVE-2022-39377</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-11-22T03:51:28.943709Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-11-22T03:51:28.948154Z">ajak</metadata>
+</glsa>
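Review bot: The description limits the overflow to 32-bit systems (`On 32 bit systems, an integer overflow can be triggered…`), but neither the synopsis nor the impact paragraph repeats that qualifier, so a reader of the summary alone will take the advisory as applying to every architecture. I would write the impact as `<p>On 32-bit systems, arbitrary code execution can be achieved via sufficiently crafted malicious input.</p>` and hyphenate "32-bit" in the description to match. Keeping `arch="*"` on the package is fine, since the fixed version should be installed everywhere regardless.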
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202211-08.xml b/metadata/glsa/glsa-202211-08.xml
new file mode 100644
index 000000000000..ef6062360272
--- /dev/null
+++ b/metadata/glsa/glsa-202211-08.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202211-08">
+ <title>sudo: Heap-Based Buffer Overread</title>
+ <synopsis>A vulnerability has been discovered in sudo which could result in denial of service.</synopsis>
+ <product type="ebuild">sudo</product>
+ <announced>2022-11-22</announced>
+ <revised count="1">2022-11-22</revised>
+ <bug>879209</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-admin/sudo" auto="yes" arch="*">
+ <unaffected range="ge">1.9.12-r1</unaffected>
+ <vulnerable range="lt">1.9.12-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>sudo allows a system administrator to give users the ability to run commands as other users.</p>
+ </background>
+ <description>
+ <p>In certain password input handling, sudo incorrectly assumes the password input is at least nine bytes in size, leading to a heap buffer overread.</p>
+ </description>
+ <impact type="normal">
+ <p>In the worst case, the heap buffer overread can result in the denial of service of the sudo process.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All sudo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43995">CVE-2022-43995</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-11-22T03:52:48.652373Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-11-22T03:52:48.657000Z">ajak</metadata>
+</glsa>
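Review bot: `<access>remote</access>` sits oddly with the description, which places the heap over-read in sudo's handling of the password typed at its own prompt, a path reached only by someone already able to invoke sudo on the host; that reads as `<access>local</access>`. The upstream advisory is not on this page, so confirm the vector there before changing the field, and if the remote rating is intended, a sentence in the description explaining how the password path is reached remotely would make the rating defensible.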
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202211-09.xml b/metadata/glsa/glsa-202211-09.xml
new file mode 100644
index 000000000000..d17ced80428d
--- /dev/null
+++ b/metadata/glsa/glsa-202211-09.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202211-09">
+ <title>xterm: Arbitrary Code Execution</title>
+ <synopsis>A vulnerability has been found in xterm which could allow for arbitrary code execution.</synopsis>
+ <product type="ebuild">xterm</product>
+ <announced>2022-11-22</announced>
+ <revised count="1">2022-11-22</revised>
+ <bug>880747</bug>
+ <access>remote</access>
+ <affected>
+ <package name="x11-terms/xterm" auto="yes" arch="*">
+ <unaffected range="ge">375</unaffected>
+ <vulnerable range="lt">375</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>xterm is a terminal emulator for the X Window system.</p>
+ </background>
+ <description>
+ <p>xterm does not correctly handle control characters related to OSC 50 font ops sequence handling.</p>
+ </description>
+ <impact type="normal">
+ <p>The vulnerability allows text written to the terminal to write text to the terminal's command line. If the terminal's shell is zsh running with vi line editing mode, text written to the terminal can also trigger the execution of arbitrary commands via writing ^G to the terminal.</p>
+ </impact>
+ <workaround>
+ <p>As a workaround, users can disable xterm's usage of OSC 50 sequences by adding the following to the XResources configuration:
+
+XTerm*allowFontOps: false</p>
+ </workaround>
+ <resolution>
+ <p>All xterm users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=x11-terms/xterm-375"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45063">CVE-2022-45063</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-11-22T03:53:08.351235Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-11-22T03:53:08.356875Z">ajak</metadata>
+</glsa>
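Review bot: The workaround embeds raw line breaks inside `<p>` so that the X resource line `XTerm*allowFontOps: false` is carried as paragraph text, while every other advisory in this merge puts literal commands or configuration in a `<code>` element; a renderer that collapses whitespace in `<p>` will run the resource onto the end of the sentence and a user may paste the sentence along with it. I would close the paragraph after the colon and put the resource in its own `<code>` block, mirroring the resolution sections. The rest of the file is unchanged.
```xml
  <workaround>
    <p>As a workaround, users can disable xterm's usage of OSC 50 sequences by adding the following to the XResources configuration:</p>

    <code>
    XTerm*allowFontOps: false
    </code>
  </workaround>
  <!-- … unchanged: resolution, references, metadata … -->
```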
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202211-10.xml b/metadata/glsa/glsa-202211-10.xml
new file mode 100644
index 000000000000..2f53a15436f9
--- /dev/null
+++ b/metadata/glsa/glsa-202211-10.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202211-10">
+ <title>Pillow: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Pillow, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">pillow</product>
+ <announced>2022-11-22</announced>
+ <revised count="1">2022-11-22</revised>
+ <bug>855683</bug>
+ <bug>878769</bug>
+ <bug>832598</bug>
+ <bug>830934</bug>
+ <bug>811450</bug>
+ <bug>802090</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-python/pillow" auto="yes" arch="*">
+ <unaffected range="ge">9.3.0</unaffected>
+ <vulnerable range="lt">9.3.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The friendly PIL fork.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Pillow. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Pillow users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-python/pillow-9.3.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23437">CVE-2021-23437</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-34552">CVE-2021-34552</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22815">CVE-2022-22815</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22816">CVE-2022-22816</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22817">CVE-2022-22817</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24303">CVE-2022-24303</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45198">CVE-2022-45198</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45199">CVE-2022-45199</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-11-22T03:53:25.971741Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-11-22T03:53:25.978803Z">ajak</metadata>
+</glsa>
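Review bot: The background paragraph `<p>The friendly PIL fork.</p>` is a tagline fragment rather than the one-sentence product description the other advisories give, so a reader who does not already know PIL learns nothing from it. I would write `<p>Pillow is a Python imaging library, a friendly fork of the original PIL.</p>`. The bug list is also not in ascending order (855683, 878769, 832598, 830934, 811450, 802090), unlike glsa-202211-03 and glsa-202211-04 in this merge; sorting it helps anyone cross-checking against Bugzilla, and glsa-202211-11 has the same ordering issue (852944, 812509).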
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202211-11.xml b/metadata/glsa/glsa-202211-11.xml
new file mode 100644
index 000000000000..4c3adcd09665
--- /dev/null
+++ b/metadata/glsa/glsa-202211-11.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202211-11">
+ <title>GPL Ghostscript: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in GPL Ghostscript, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">ghostscript-gpl</product>
+ <announced>2022-11-22</announced>
+ <revised count="1">2022-11-22</revised>
+ <bug>852944</bug>
+ <bug>812509</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-text/ghostscript-gpl" auto="yes" arch="*">
+ <unaffected range="ge">9.56.1</unaffected>
+ <vulnerable range="lt">9.56.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GPL Ghostscript users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-9.56.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3781">CVE-2021-3781</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2085">CVE-2022-2085</uri>
+ </references>
+ <metadata tag="requester" timestamp="2022-11-22T03:53:57.184664Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2022-11-22T03:53:57.190013Z">ajak</metadata>
+</glsa>
\ No newline at end of file |