[gentoo-announce] [ GLSA 202312-08 ] LibRaw: Heap Buffer Overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                GLSA 202312-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: LibRaw: Heap Buffer Overflow
      Date: December 22, 2023
      Bugs: #908041
        ID: 202312-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in LibRaw where a heap buffer overflow may
lead to an application crash.

Background
==========

LibRaw is a library for reading RAW files obtained from digital photo
cameras.

Affected packages
=================

Package             Vulnerable     Unaffected
------------------  -------------  -------------
media-libs/libraw   < 0.21.1-r1    >= 0.21.1-r1

Description
===========

A vulnerability has been discovered in LibRaw. Please review the CVE
identifier referenced below for details.

Impact
======

A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted
file may lead to an application crash.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LibRaw users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libraw-0.21.1-r1"

References
==========

[ 1 ] CVE-2023-1729
      https://nvd.nist.gov/vuln/detail/CVE-2023-1729

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202312-09 ] NASM: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                GLSA 202312-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: NASM: Multiple Vulnerabilities
      Date: December 22, 2023
      Bugs: #686720, #903755
        ID: 202312-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in NASM, the worst of
which could lead to arbitrary code execution.

Background
==========

NASM is an 80x86 assembler that has been created for portability and
modularity. NASM supports Pentium, P6, SSE, MMX, and 3DNow extensions.
It also supports a wide range of object formats (ELF, a.out, COFF, etc.),
and has its own disassembler.

Affected packages
=================

Package         Vulnerable   Unaffected
--------------  -----------  -----------
dev-lang/nasm   < 2.16.01    >= 2.16.01

Description
===========

Multiple vulnerabilities have been discovered in NASM. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NASM users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/nasm-2.16.01"

References
==========

[ 1 ] CVE-2019-8343
      https://nvd.nist.gov/vuln/detail/CVE-2019-8343
[ 2 ] CVE-2020-21528
      https://nvd.nist.gov/vuln/detail/CVE-2020-21528
[ 3 ] CVE-2022-44370
      https://nvd.nist.gov/vuln/detail/CVE-2022-44370

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202312-07 ] QtWebEngine: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                GLSA 202312-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: QtWebEngine: Multiple Vulnerabilities
      Date: December 22, 2023
      Bugs: #913050, #915465
        ID: 202312-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in QtWebEngine, the worst
of which could lead to remote code execution.

Background
==========

QtWebEngine is a library for rendering dynamic web content in Qt5 and
Qt6 C++ and QML applications.

Affected packages
=================

Package              Vulnerable             Unaffected
-------------------  ---------------------  ---------------------
dev-qt/qtwebengine   < 5.15.11_p20231120    >= 5.15.11_p20231120

Description
===========

Multiple vulnerabilities have been discovered in QtWebEngine. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QtWebEngine users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.11_p20231120"

References
==========

[ 1 ] CVE-2023-4068
      https://nvd.nist.gov/vuln/detail/CVE-2023-4068
[ 2 ] CVE-2023-4069
      https://nvd.nist.gov/vuln/detail/CVE-2023-4069
[ 3 ] CVE-2023-4070
      https://nvd.nist.gov/vuln/detail/CVE-2023-4070
[ 4 ] CVE-2023-4071
      https://nvd.nist.gov/vuln/detail/CVE-2023-4071
[ 5 ] CVE-2023-4072
      https://nvd.nist.gov/vuln/detail/CVE-2023-4072
[ 6 ] CVE-2023-4073
      https://nvd.nist.gov/vuln/detail/CVE-2023-4073
[ 7 ] CVE-2023-4074
      https://nvd.nist.gov/vuln/detail/CVE-2023-4074
[ 8 ] CVE-2023-4075
      https://nvd.nist.gov/vuln/detail/CVE-2023-4075
[ 9 ] CVE-2023-4076
      https://nvd.nist.gov/vuln/detail/CVE-2023-4076
[ 10 ] CVE-2023-4077
      https://nvd.nist.gov/vuln/detail/CVE-2023-4077
[ 11 ] CVE-2023-4078
      https://nvd.nist.gov/vuln/detail/CVE-2023-4078
[ 12 ] CVE-2023-4761
      https://nvd.nist.gov/vuln/detail/CVE-2023-4761
[ 13 ] CVE-2023-4762
      https://nvd.nist.gov/vuln/detail/CVE-2023-4762
[ 14 ] CVE-2023-4763
      https://nvd.nist.gov/vuln/detail/CVE-2023-4763
[ 15 ] CVE-2023-4764
      https://nvd.nist.gov/vuln/detail/CVE-2023-4764
[ 16 ] CVE-2023-5218
      https://nvd.nist.gov/vuln/detail/CVE-2023-5218
[ 17 ] CVE-2023-5473
      https://nvd.nist.gov/vuln/detail/CVE-2023-5473
[ 18 ] CVE-2023-5474
      https://nvd.nist.gov/vuln/detail/CVE-2023-5474
[ 19 ] CVE-2023-5475
      https://nvd.nist.gov/vuln/detail/CVE-2023-5475
[ 20 ] CVE-2023-5476
      https://nvd.nist.gov/vuln/detail/CVE-2023-5476
[ 21 ] CVE-2023-5477
      https://nvd.nist.gov/vuln/detail/CVE-2023-5477
[ 22 ] CVE-2023-5478
      https://nvd.nist.gov/vuln/detail/CVE-2023-5478
[ 23 ] CVE-2023-5479
      https://nvd.nist.gov/vuln/detail/CVE-2023-5479
[ 24 ] CVE-2023-5480
      https://nvd.nist.gov/vuln/detail/CVE-2023-5480
[ 25 ] CVE-2023-5481
      https://nvd.nist.gov/vuln/detail/CVE-2023-5481
[ 26 ] CVE-2023-5482
      https://nvd.nist.gov/vuln/detail/CVE-2023-5482
[ 27 ] CVE-2023-5483
      https://nvd.nist.gov/vuln/detail/CVE-2023-5483
[ 28 ] CVE-2023-5484
      https://nvd.nist.gov/vuln/detail/CVE-2023-5484
[ 29 ] CVE-2023-5485
      https://nvd.nist.gov/vuln/detail/CVE-2023-5485
[ 30 ] CVE-2023-5486
      https://nvd.nist.gov/vuln/detail/CVE-2023-5486
[ 31 ] CVE-2023-5487
      https://nvd.nist.gov/vuln/detail/CVE-2023-5487
[ 32 ] CVE-2023-5849
      https://nvd.nist.gov/vuln/detail/CVE-2023-5849
[ 33 ] CVE-2023-5850
      https://nvd.nist.gov/vuln/detail/CVE-2023-5850
[ 34 ] CVE-2023-5851
      https://nvd.nist.gov/vuln/detail/CVE-2023-5851
[ 35 ] CVE-2023-5852
      https://nvd.nist.gov/vuln/detail/CVE-2023-5852
[ 36 ] CVE-2023-5853
      https://nvd.nist.gov/vuln/detail/CVE-2023-5853
[ 37 ] CVE-2023-5854
      https://nvd.nist.gov/vuln/detail/CVE-2023-5854
[ 38 ] CVE-2023-5855
      https://nvd.nist.gov/vuln/detail/CVE-2023-5855
[ 39 ] CVE-2023-5856
      https://nvd.nist.gov/vuln/detail/CVE-2023-5856
[ 40 ] CVE-2023-5857
      https://nvd.nist.gov/vuln/detail/CVE-2023-5857
[ 41 ] CVE-2023-5858
      https://nvd.nist.gov/vuln/detail/CVE-2023-5858
[ 42 ] CVE-2023-5859
      https://nvd.nist.gov/vuln/detail/CVE-2023-5859
[ 43 ] CVE-2023-5996
      https://nvd.nist.gov/vuln/detail/CVE-2023-5996
[ 44 ] CVE-2023-5997
      https://nvd.nist.gov/vuln/detail/CVE-2023-5997
[ 45 ] CVE-2023-6112
      https://nvd.nist.gov/vuln/detail/CVE-2023-6112

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
[gentoo-announce] [ GLSA 202312-05 ] libssh: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                GLSA 202312-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: libssh: Multiple Vulnerabilities
      Date: December 22, 2023
      Bugs: #810517, #905746
        ID: 202312-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in libssh, the worst of
which could lead to remote code execution.

Background
==========

libssh is a multiplatform C library implementing the SSHv2 protocol on
client and server side.

Affected packages
=================

Package           Vulnerable   Unaffected
----------------  -----------  -----------
net-libs/libssh   < 0.10.5     >= 0.10.5

Description
===========

Multiple vulnerabilities have been discovered in libssh. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libssh users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.10.5"

References
==========

[ 1 ] CVE-2021-3634
      https://nvd.nist.gov/vuln/detail/CVE-2021-3634
[ 2 ] CVE-2023-1667
      https://nvd.nist.gov/vuln/detail/CVE-2023-1667
[ 3 ] CVE-2023-2283
      https://nvd.nist.gov/vuln/detail/CVE-2023-2283
[ 4 ] GHSL-2023-085

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202312-06 ] Exiv2: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                GLSA 202312-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Exiv2: Multiple Vulnerabilities
      Date: December 22, 2023
      Bugs: #785646, #807346, #917650
        ID: 202312-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Exiv2, the worst of
which can lead to remote code execution.

Background
==========

Exiv2 is a C++ library and set of tools for parsing, editing and saving
Exif and IPTC metadata from images. Exif, the Exchangeable image file
format, specifies the addition of metadata tags to JPEG, TIFF and RIFF
files.

Affected packages
=================

Package           Vulnerable   Unaffected
----------------  -----------  -----------
media-gfx/exiv2   < 0.28.1     >= 0.28.1

Description
===========

Multiple vulnerabilities have been discovered in Exiv2. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Exiv2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/exiv2-0.28.1"

References
==========

[ 1 ] CVE-2020-18771
      https://nvd.nist.gov/vuln/detail/CVE-2020-18771
[ 2 ] CVE-2020-18773
      https://nvd.nist.gov/vuln/detail/CVE-2020-18773
[ 3 ] CVE-2020-18774
      https://nvd.nist.gov/vuln/detail/CVE-2020-18774
[ 4 ] CVE-2020-18899
      https://nvd.nist.gov/vuln/detail/CVE-2020-18899
[ 5 ] CVE-2021-29457
      https://nvd.nist.gov/vuln/detail/CVE-2021-29457
[ 6 ] CVE-2021-29458
      https://nvd.nist.gov/vuln/detail/CVE-2021-29458
[ 7 ] CVE-2021-29463
      https://nvd.nist.gov/vuln/detail/CVE-2021-29463
[ 8 ] CVE-2021-29464
      https://nvd.nist.gov/vuln/detail/CVE-2021-29464
[ 9 ] CVE-2021-29470
      https://nvd.nist.gov/vuln/detail/CVE-2021-29470
[ 10 ] CVE-2021-29473
      https://nvd.nist.gov/vuln/detail/CVE-2021-29473
[ 11 ] CVE-2021-29623
      https://nvd.nist.gov/vuln/detail/CVE-2021-29623
[ 12 ] CVE-2021-31291
      https://nvd.nist.gov/vuln/detail/CVE-2021-31291
[ 13 ] CVE-2021-31292
      https://nvd.nist.gov/vuln/detail/CVE-2021-31292
[ 14 ] CVE-2021-32617
      https://nvd.nist.gov/vuln/detail/CVE-2021-32617
[ 15 ] CVE-2021-32815
      https://nvd.nist.gov/vuln/detail/CVE-2021-32815
[ 16 ] CVE-2021-34334
      https://nvd.nist.gov/vuln/detail/CVE-2021-34334
[ 17 ] CVE-2021-34335
      https://nvd.nist.gov/vuln/detail/CVE-2021-34335
[ 18 ] CVE-2021-37615
      https://nvd.nist.gov/vuln/detail/CVE-2021-37615
[ 19 ] CVE-2021-37616
      https://nvd.nist.gov/vuln/detail/CVE-2021-37616
[ 20 ] CVE-2021-37618
      https://nvd.nist.gov/vuln/detail/CVE-2021-37618
[ 21 ] CVE-2021-37619
      https://nvd.nist.gov/vuln/detail/CVE-2021-37619
[ 22 ] CVE-2021-37620
      https://nvd.nist.gov/vuln/detail/CVE-2021-37620
[ 23 ] CVE-2021-37621
      https://nvd.nist.gov/vuln/detail/CVE-2021-37621
[ 24 ] CVE-2021-37622
      https://nvd.nist.gov/vuln/detail/CVE-2021-37622
[ 25 ] CVE-2021-37623
      https://nvd.nist.gov/vuln/detail/CVE-2021-37623
[ 26 ] CVE-2023-44398
      https://nvd.nist.gov/vuln/detail/CVE-2023-44398

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202312-04 ] Arduino: Remote Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                GLSA 202312-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Arduino: Remote Code Execution
      Date: December 22, 2023
      Bugs: #830716
        ID: 202312-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in Arduino which bundled a vulnerable
version of log4j.

Background
==========

Arduino is an open-source AVR electronics prototyping platform.

Affected packages
=================

Package                Vulnerable   Unaffected
---------------------  -----------  -----------
dev-embedded/arduino   < 1.8.19     >= 1.8.19

Description
===========

A vulnerability has been discovered in Arduino. Please review the CVE
identifier referenced below for details.

Impact
======

Arduino bundles a vulnerable version of log4j that may lead to remote
code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Arduino users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-embedded/arduino-1.8.19"

References
==========

[ 1 ] CVE-2021-4104
      https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
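Every advisory above states its exposure the same way: an "Affected packages" row with a vulnerable range and an unaffected range, and a resolution that emerges a ">=category/package-version" atom. Deciding whether a host is exposed therefore comes down to comparing an installed version against those ranges under Gentoo's version ordering, where "0.21.1" is older than "0.21.1-r1", "5.15.11" is older than "5.15.11_p20231120", and a component with a leading zero such as the "01" in "2.16.01" compares as a string rather than a number. The script below is an added example, not part of any GLSA and not Gentoo's own glsa-check tool: it parses the six affected-package rows from these advisories (copied into a text block), evaluates a constructed, hypothetical inventory of installed versions against them with a version comparator that follows the Package Manager Specification ordering (numeric components, optional letter, _alpha/_beta/_pre/_rc/_p suffixes, -r revision), and prints the emerge atoms for whatever is still inside a vulnerable range. The package names and ranges are the ones printed in the advisories; the installed versions are invented for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# "Affected packages" rows from the six GLSAs above, copied into a constructed
# text block: package, vulnerable range, unaffected range.
AFFECTED = """
media-libs/libraw      < 0.21.1-r1          >= 0.21.1-r1
dev-lang/nasm          < 2.16.01            >= 2.16.01
dev-qt/qtwebengine     < 5.15.11_p20231120  >= 5.15.11_p20231120
net-libs/libssh        < 0.10.5             >= 0.10.5
media-gfx/exiv2        < 0.28.1             >= 0.28.1
dev-embedded/arduino   < 1.8.19             >= 1.8.19
"""

# Constructed inventory of a hypothetical host (not real data).
INSTALLED = {
    "media-libs/libraw": "0.21.1",              # revision 0, older than -r1
    "dev-lang/nasm": "2.16.01",
    "dev-qt/qtwebengine": "5.15.11_p20230810",  # earlier snapshot suffix
    "net-libs/libssh": "0.10.5",
    "media-gfx/exiv2": "0.27.5",
    "dev-embedded/arduino": "1.8.19-r1",
}

# Suffix ordering from the Gentoo Package Manager Specification:
# _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)
_ROW_RE = re.compile(r"^(\S+)\s+(<=|>=|<|>|=)\s*(\S+)\s+(<=|>=|<|>|=)\s*(\S+)$")
_OPS = {"<": (-1,), "<=": (-1, 0), "=": (0,), ">=": (0, 1), ">": (1,)}


def parse_version(v: str):
    """Split a Gentoo version into (numeric components, letter, suffixes, revision)."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {v!r}")
    suffixes = [(_SUFFIX_RANK[name], int(num or 0))
                for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    return m.group("nums").split("."), m.group("letter") or "", suffixes, int(m.group("rev") or 0)


def _cmp(a, b) -> int:
    return (a > b) - (a < b)


def _cmp_component(index: int, x: str, y: str) -> int:
    # After the first component, a component with a leading zero compares as a
    # string with trailing zeros dropped (2.16.01 < 2.16.1); otherwise as integers.
    if index > 0 and (x.startswith("0") or y.startswith("0")):
        return _cmp(x.rstrip("0"), y.rstrip("0"))
    return _cmp(int(x), int(y))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    for i, (x, y) in enumerate(zip(na, nb)):
        if (c := _cmp_component(i, x, y)):
            return c
    if len(na) != len(nb):
        return _cmp(len(na), len(nb))  # 1.0.0 is newer than 1.0
    if la != lb:
        return _cmp(la, lb)
    # Pad the shorter suffix list with "no suffix": an extra _p ranks newer,
    # an extra _alpha/_beta/_pre/_rc ranks older.
    pad, width = (_SUFFIX_RANK[""], 0), max(len(sa), len(sb))
    if (c := _cmp(sa + [pad] * (width - len(sa)), sb + [pad] * (width - len(sb)))):
        return c
    return _cmp(ra, rb)


def parse_affected(text: str) -> List[Tuple[str, Tuple[str, str], Tuple[str, str]]]:
    """Parse GLSA 'Affected packages' rows into (package, (op, ver), (op, ver))."""
    rows = []
    for line in text.strip().splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable affected-packages row: {line!r}")
        rows.append((m.group(1), (m.group(2), m.group(3)), (m.group(4), m.group(5))))
    return rows


def in_range(installed: str, rng: Tuple[str, str]) -> bool:
    op, ver = rng
    return compare_versions(installed, ver) in _OPS[op]


def check(installed: Dict[str, str], rows) -> Dict[str, str]:
    """Classify each installed package that an advisory row covers."""
    report = {}
    for pkg, vulnerable, unaffected in rows:
        if pkg not in installed:
            continue
        if in_range(installed[pkg], unaffected):
            report[pkg] = "unaffected"
        elif in_range(installed[pkg], vulnerable):
            report[pkg] = "vulnerable"
        else:
            report[pkg] = "unknown"  # outside both ranges: inspect by hand
    return report


def upgrade_atoms(report: Dict[str, str], rows) -> List[str]:
    """Build the >=category/package-version atoms used in the GLSA resolutions."""
    return [f">={pkg}-{unaffected[1]}" for pkg, _, unaffected in rows
            if report.get(pkg) == "vulnerable" and unaffected[0] == ">="]


if __name__ == "__main__":
    rows = parse_affected(AFFECTED)
    result = check(INSTALLED, rows)
    for pkg, status in result.items():
        print(f"{pkg:24} {INSTALLED[pkg]:20} {status}")
    atoms = upgrade_atoms(result, rows)
    if atoms:
        print("# emerge --ask --oneshot --verbose " + " ".join(f'"{a}"' for a in atoms))
```

On a real Gentoo host the installed versions would come from the package database rather than a dictionary, and the `glsa-check` tool already performs this comparison against the official GLSA feed; the value of the standalone comparator is that it makes the edge cases in the advisories' ranges explicit, in particular that a `-r1` revision bump and a `_p` snapshot suffix both count as newer than the bare version, so a host on `0.21.1` or `5.15.11` is still inside the vulnerable range.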