authorRepository mirror & CI <repomirrorci@gentoo.org>2021-05-26 08:35:08 +0000
committerRepository mirror & CI <repomirrorci@gentoo.org>2021-05-26 08:35:08 +0000
commit7766ae1802dd91c0e4747a103fff0ee95e566771 (patch)
tree5239fed5d142a7726513cf51fd43bb4ee42096ef /metadata/glsa
parentMerge updates from master (diff)
parent[ GLSA 202105-12 ] OpenSMTPD: Multiple vulnerabilities (diff)
Merge commit '8be70da072097589e0c5e9d0f931b10da789ee37'
Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/glsa-202105-07.xml59
-rw-r--r--metadata/glsa/glsa-202105-08.xml55
-rw-r--r--metadata/glsa/glsa-202105-09.xml51
-rw-r--r--metadata/glsa/glsa-202105-10.xml55
-rw-r--r--metadata/glsa/glsa-202105-11.xml55
-rw-r--r--metadata/glsa/glsa-202105-12.xml50
6 files changed, 325 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-202105-07.xml b/metadata/glsa/glsa-202105-07.xml
new file mode 100644
index 000000000000..500983dbb936
--- /dev/null
+++ b/metadata/glsa/glsa-202105-07.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202105-07">
+ <title>Telegram: Security bypass</title>
+ <synopsis>An insufficient session expiration has been reported in Telegram.</synopsis>
+ <product type="ebuild">telegram</product>
+ <announced>2021-05-26</announced>
+ <revised count="1">2021-05-26</revised>
+ <bug>771684</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-im/telegram-desktop" auto="yes" arch="*">
+ <unaffected range="ge">2.4.11</unaffected>
+ <vulnerable range="lt">2.4.11</vulnerable>
+ </package>
+ <package name="net-im/telegram-desktop-bin" auto="yes" arch="*">
+ <unaffected range="ge">2.4.11</unaffected>
+ <vulnerable range="lt">2.4.11</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Telegram is a cloud-based mobile and desktop messaging app with a focus
+ on security and speed.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that Telegram failed to invalidate a recently active
+ session.
+ </p>
+ </description>
+ <impact type="low">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Telegram users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-im/telegram-desktop-2.4.11"
+ </code>
+
+ <p>All Telegram binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=net-im/telegram-desktop-bin-2.4.11"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-27351">CVE-2021-27351</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-05-25T20:11:43Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-05-26T08:12:28Z">whissi</metadata>
+</glsa>
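Review bot: The second emerge command in the resolution block (the telegram-desktop-bin one) is split across two lines inside `<code>`, and line breaks in element text are data, so the quoted atom most likely renders on a line of its own; a reader pasting the block into a shell would then run `">=net-im/telegram-desktop-bin-2.4.11"` as a separate command. The other five hunks keep each emerge invocation on one line; doing the same here, `# emerge --ask --oneshot --verbose "&gt;=net-im/telegram-desktop-bin-2.4.11"`, keeps the advisory copy-paste safe. Separately, all six new files declare `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`; that follows the existing GLSA convention, but anyone validating these files should resolve the DTD from a local catalog rather than let the parser fetch it over plain HTTP.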
diff --git a/metadata/glsa/glsa-202105-08.xml b/metadata/glsa/glsa-202105-08.xml
new file mode 100644
index 000000000000..72e5c500070c
--- /dev/null
+++ b/metadata/glsa/glsa-202105-08.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202105-08">
+ <title>ICU: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in ICU, the worst of which
+ could cause a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">icu</product>
+ <announced>2021-05-26</announced>
+ <revised count="1">2021-05-26</revised>
+ <bug>755704</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="dev-libs/icu" auto="yes" arch="*">
+ <unaffected range="ge">68.2</unaffected>
+ <vulnerable range="lt">68.2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>ICU is a mature, widely used set of C/C++ and Java libraries providing
+ Unicode and Globalization support for software applications.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in ICU. Please review the
+ upstream bugs referenced below for details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>Remote attackers could cause a Denial of Service condition or possibly
+ have other unspecified impacts via unspecified vectors.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All ICU users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-libs/icu-68.2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://chromium-review.googlesource.com/q/Iad839ac77d487d5e1b396bcdbc29bc7cd58a7ef8">
+ Chromium Change-Id Iad839ac77d487d5e1b396bcdbc29bc7cd58a7ef8
+ </uri>
+ <uri link="https://unicode-org.atlassian.net/browse/ICU-21383">ICU-21383</uri>
+ <uri link="https://unicode-org.atlassian.net/browse/ICU-21385">ICU-21385</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-05-25T16:34:40Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-05-26T08:13:14Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202105-09.xml b/metadata/glsa/glsa-202105-09.xml
new file mode 100644
index 000000000000..404c19997660
--- /dev/null
+++ b/metadata/glsa/glsa-202105-09.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202105-09">
+ <title>BusyBox: Denial of service</title>
+ <synopsis>A vulnerability in BusyBox might allow remote attackers to cause a
+ Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">busybox</product>
+ <announced>2021-05-26</announced>
+ <revised count="1">2021-05-26</revised>
+ <bug>777255</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="sys-apps/busybox" auto="yes" arch="*">
+ <unaffected range="ge">1.32.1</unaffected>
+ <vulnerable range="lt">1.32.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>BusyBox is a set of tools for embedded systems and is a replacement for
+ GNU Coreutils.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that BusyBox mishandled the error bit on the
+ huft_build result pointer when decompressing GZIP compressed data.
+ </p>
+ </description>
+ <impact type="low">
+ <p>A remote attacker could entice a user to open a specially crafted GZIP
+ file using BusyBox, possibly resulting in a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All BusyBox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=sys-apps/busybox-1.32.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28831">CVE-2021-28831</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-05-24T01:11:14Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-05-26T08:14:24Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202105-10.xml b/metadata/glsa/glsa-202105-10.xml
new file mode 100644
index 000000000000..aa151c4e9f25
--- /dev/null
+++ b/metadata/glsa/glsa-202105-10.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202105-10">
+ <title>GNOME Autoar: User-assisted execution of arbitrary code</title>
+ <synopsis>A vulnerability has been found in GNOME Autoar that could allow a
+ remote attacker to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">gnome-autoar</product>
+ <announced>2021-05-26</announced>
+ <revised count="1">2021-05-26</revised>
+ <bug>768828</bug>
+ <bug>777126</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-arch/gnome-autoar" auto="yes" arch="*">
+ <unaffected range="ge">0.3.1</unaffected>
+ <vulnerable range="lt">0.3.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GNOME Autoar provides functions and widgets for GNOME applications which
+ want to use archives as a method to transfer directories over the
+ internet.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that GNOME Autoar could extract files outside of the
+ intended directory.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted
+ archive using GNOME Autoar, possibly resulting in execution of arbitrary
+ code with the privileges of the process or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All GNOME Autoar users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-arch/gnome-autoar-0.3.1"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36241">CVE-2020-36241</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28650">CVE-2021-28650</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-05-25T21:19:21Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-05-26T08:14:43Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-202105-11.xml b/metadata/glsa/glsa-202105-11.xml
new file mode 100644
index 000000000000..548f498d4d3a
--- /dev/null
+++ b/metadata/glsa/glsa-202105-11.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202105-11">
+ <title>GNU Screen: User-assisted execution of arbitrary code</title>
+ <synopsis>A vulnerability in GNU screen may allow a remote attacker to
+ execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">screen</product>
+ <announced>2021-05-26</announced>
+ <revised count="1">2021-05-26</revised>
+ <bug>769770</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="app-misc/screen" auto="yes" arch="*">
+ <unaffected range="ge">4.8.0-r2</unaffected>
+ <vulnerable range="lt">4.8.0-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>GNU Screen is a full-screen window manager that multiplexes a physical
+ terminal between several processes, typically interactive shells.
+ </p>
+ </background>
+ <description>
+ <p>It was discovered that GNU screen did not properly handle certain UTF-8
+ character sequences.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to run a program where attacker
+ controls the output inside a GNU screen session, possibly resulting in
+ execution of arbitrary code with the privileges of the process or a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>This vulnerability can be mitigated by disabling UTF-8 processing in
+ .screenrc.
+ </p>
+ </workaround>
+ <resolution>
+ <p>All GNU screen users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-misc/screen-4.8.0-r2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-26937">CVE-2021-26937</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-05-25T21:07:51Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-05-26T08:14:58Z">whissi</metadata>
+</glsa>
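Review bot: The workaround paragraph says UTF-8 processing can be disabled in .screenrc but does not name the setting, so a reader cannot apply the mitigation without consulting the screen manual; naming the directive would make the workaround actionable. The impact sentence `entice a user to run a program where attacker controls the output` is also missing an article and should read `where an attacker controls the output`. Finally, the product name appears as `GNU Screen` in the title and background but `GNU screen` in the synopsis, description and resolution; one spelling throughout would be cleaner.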
diff --git a/metadata/glsa/glsa-202105-12.xml b/metadata/glsa/glsa-202105-12.xml
new file mode 100644
index 000000000000..ad904d7afd3b
--- /dev/null
+++ b/metadata/glsa/glsa-202105-12.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202105-12">
+ <title>OpenSMTPD: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in OpenSMTPD, the worst of
+ which could result in a Denial of Service condition.
+ </synopsis>
+ <product type="ebuild">opensmtpd</product>
+ <announced>2021-05-26</announced>
+ <revised count="1">2021-05-26</revised>
+ <bug>761945</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="mail-mta/opensmtpd" auto="yes" arch="*">
+ <unaffected range="ge">6.8.0_p2</unaffected>
+ <vulnerable range="lt">6.8.0_p2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>OpenSMTPD is a lightweight but featured SMTP daemon from OpenBSD.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in OpenSMTPD. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="low">
+ <p>A remote attacker, by connecting to the SMTP listener daemon, could
+ possibly cause a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All OpenSMTPD users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=mail-mta/opensmtpd-6.8.0_p2"
+ </code>
+
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35679">CVE-2020-35679</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35680">CVE-2020-35680</uri>
+ </references>
+ <metadata tag="requester" timestamp="2021-05-25T20:46:15Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2021-05-26T08:15:16Z">whissi</metadata>
+</glsa>