The first GLSA in glsa.git is GLSA-200310-03, the third GLSA of
October 2003. It used roughly the same format as the GLSAs we release
today, in 2022, making that format almost as old as me.

Somewhere along the way, it started to become necessary to target
multiple version ranges within the same package. The GLSA format
isn't capable of expressing this. Thus, I propose a new format (an
example of which I've attached inline below), with the following
changes from the old format:

- Rework affected to use XML-ified logical operators to specify the
  affected versions, and *don't* use different fields to specify
  vulnerable and unaffected versions. Instead, only list vulnerable
  versions; unaffected versions are implicit.

- Drop synopsis and description fields. These fields contain the same
  information and will be superseded by the existing impact field.

- Drop background field. This is usually just the package's
  description, or some similar text. No reason to reproduce it in
  GLSAs.

What does everyone think?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa-2.dtd">
<glsa id="202213-00">
    <title>Nvidia Drivers: Multiple Vulnerabilities</title>
    <announced>2022-13-00</announced>
    <revised count="1">2022-13-00</revised>
    <bug>764512</bug>
    <bug>784596</bug>
    <bug>803389</bug>
    <bug>832867</bug>
    <bug>845063</bug>
    <bug>866527</bug>
    <affected>
        <any>
            <and>
                <constraint op="ge" atom="x11-drivers/nvidia-drivers-390"/>
                <constraint op="lt" atom="x11-drivers/nvidia-drivers-390.154"/>
            </and>
            <and>
                <constraint op="ge" atom="x11-drivers/nvidia-drivers-470"/>
                <constraint op="lt" atom="x11-drivers/nvidia-drivers-470.141.03"/>
            </and>
            <and>
                <constraint op="ge" atom="x11-drivers/nvidia-drivers-510.85"/>
                <constraint op="lt" atom="x11-drivers/nvidia-drivers-510.85.02"/>
            </and>
            <and>
                <constraint op="ge" atom="x11-drivers/nvidia-drivers-515.65"/>
                <constraint op="lt" atom="x11-drivers/nvidia-drivers-515.65.01"/>
            </and>
        </any>
    </affected>
    <impact type="high">
        <p>These vulnerabilities could allow a local user with low privileges to gain root privileges.</p>
    </impact>
    <workaround>
        <p>There is no known workaround at this time.</p>
    </workaround>
    <resolution>
        <p>All Nvidia drivers 390 users should upgrade to the latest version:</p>

        <code>
          # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-390.154"
        </code>

        <p>All Nvidia drivers 470 users should upgrade to the latest version:</p>

        <code>
          # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-470.141.03"
        </code>

        <p>All Nvidia drivers 510 users should upgrade to the latest version:</p>

        <code>
          # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-510.85.02"
        </code>

        <p>All Nvidia drivers 515.65.01 users should upgrade to the latest version:</p>

        <code>
          # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-515.65.01"
        </code>
    </resolution>
    <references>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1052">CVE-2021-1052</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1053">CVE-2021-1053</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1056">CVE-2021-1056</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1076">CVE-2021-1076</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1077">CVE-2021-1077</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1090">CVE-2021-1090</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1093">CVE-2021-1093</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1094">CVE-2021-1094</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1095">CVE-2021-1095</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21813">CVE-2022-21813</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21814">CVE-2022-21814</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28181">CVE-2022-28181</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28183">CVE-2022-28183</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28184">CVE-2022-28184</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28185">CVE-2022-28185</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31607">CVE-2022-31607</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31608">CVE-2022-31608</uri>
        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31615">CVE-2022-31615</uri>
    </references>
    <metadata tag="requester" timestamp="2022-09-28T14:25:19.979184Z">larry</metadata>
    <metadata tag="reviewer" timestamp="2022-09-29T14:25:19.979184Z">notlarry</metadata>
    <metadata tag="submitter" timestamp="2022-09-30T14:25:19.985055Z">larry</metadata>
</glsa>
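
How a consumer could evaluate the proposed <affected> tree against one installed package, as an added example that is not part of the original message and not code from Gentoo's tooling. Assumptions: the function names are hypothetical, the operator names other than "ge" and "lt" are guesses, and versions are compared as plain dotted integers rather than with Portage's full ordering (no suffixes, revisions or leading-zero rules).

```python
import operator
import re
import xml.etree.ElementTree as ET

# First two ranges of the <affected> block from the proposal above.
AFFECTED = """<affected>
  <any>
    <and>
      <constraint op="ge" atom="x11-drivers/nvidia-drivers-390"/>
      <constraint op="lt" atom="x11-drivers/nvidia-drivers-390.154"/>
    </and>
    <and>
      <constraint op="ge" atom="x11-drivers/nvidia-drivers-470"/>
      <constraint op="lt" atom="x11-drivers/nvidia-drivers-470.141.03"/>
    </and>
  </any>
</affected>"""

# Only "ge" and "lt" appear in the proposal; "gt", "le" and "eq" are assumed.
OPS = {"ge": operator.ge, "gt": operator.gt, "le": operator.le,
       "lt": operator.lt, "eq": operator.eq}
ATOM = re.compile(r"^(?P<cp>.+?)-(?P<ver>\d+(?:\.\d+)*)$")

def split_atom(atom):
    """Split 'cat/pkg-1.2.3' into ('cat/pkg', (1, 2, 3)); numeric versions only."""
    m = ATOM.match(atom)
    if m is None:
        raise ValueError(f"unsupported atom: {atom!r}")
    return m["cp"], tuple(int(part) for part in m["ver"].split("."))

def matches(node, cp, version):
    """Recursively evaluate <affected>, <any>, <and> and <constraint>."""
    if node.tag == "constraint":
        compare = OPS[node.get("op")]          # unknown op raises KeyError
        want_cp, want_ver = split_atom(node.get("atom"))
        return want_cp == cp and compare(version, want_ver)
    # Fail closed: an unknown or empty operator element must raise an error
    # instead of silently evaluating to "unaffected" (or "everything affected").
    if node.tag not in ("affected", "any", "and") or len(node) == 0:
        raise ValueError(f"unsupported or empty element <{node.tag}>")
    results = [matches(child, cp, version) for child in node]
    return all(results) if node.tag == "and" else any(results)

def is_vulnerable(affected_xml, installed_atom):
    """True if the installed package falls inside any listed vulnerable range."""
    cp, version = split_atom(installed_atom)
    return matches(ET.fromstring(affected_xml), cp, version)
```

A version between two listed ranges, such as 450.80 here, evaluates as unaffected, which is the "unaffected versions are implicit" behaviour the proposal describes.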