[gentoo-announce] [ GLSA 202312-08 ] LibRaw: Heap Buffer Overflow

2023-12-22 Thread glsamaker
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202312-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
   Title: LibRaw: Heap Buffer Overflow
    Date: December 22, 2023
    Bugs: #908041
      ID: 202312-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in LibRaw where a heap buffer overflow
may lead to an application crash.

Background
==========

LibRaw is a library for reading RAW files obtained from digital photo
cameras.

Affected packages
=================

Package            Vulnerable    Unaffected
-----------------  ------------  ------------
media-libs/libraw  < 0.21.1-r1   >= 0.21.1-r1

Description
===========

A vulnerability has been discovered in LibRaw. Please review the CVE
identifier referenced below for details.

Impact
======

A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted
file may lead to an application crash.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LibRaw users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libraw-0.21.1-r1"

References
==========

[ 1 ] CVE-2023-1729
  https://nvd.nist.gov/vuln/detail/CVE-2023-1729

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 202312-09 ] NASM: Multiple Vulnerabilities

2023-12-22 Thread glsamaker
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202312-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
   Title: NASM: Multiple Vulnerabilities
    Date: December 22, 2023
    Bugs: #686720, #903755
      ID: 202312-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in NASM, the worst of
which could lead to arbitrary code execution.

Background
==========

NASM is an 80x86 assembler that has been created for portability and
modularity. NASM supports Pentium, P6, SSE, MMX, and 3DNow extensions. It
also supports a wide range of object formats (ELF, a.out, COFF, etc.),
and has its own disassembler.

Affected packages
=================

Package        Vulnerable    Unaffected
-------------  ------------  ------------
dev-lang/nasm  < 2.16.01     >= 2.16.01

Description
===========

Multiple vulnerabilities have been discovered in NASM. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NASM users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/nasm-2.16.01"

References
==========

[ 1 ] CVE-2019-8343
  https://nvd.nist.gov/vuln/detail/CVE-2019-8343
[ 2 ] CVE-2020-21528
  https://nvd.nist.gov/vuln/detail/CVE-2020-21528
[ 3 ] CVE-2022-44370
  https://nvd.nist.gov/vuln/detail/CVE-2022-44370

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 202312-07 ] QtWebEngine: Multiple Vulnerabilities

2023-12-22 Thread glsamaker
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202312-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
   Title: QtWebEngine: Multiple Vulnerabilities
    Date: December 22, 2023
    Bugs: #913050, #915465
      ID: 202312-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in QtWebEngine, the worst
of which could lead to remote code execution.

Background
==========

QtWebEngine is a library for rendering dynamic web content in Qt5 and
Qt6 C++ and QML applications.

Affected packages
=================

Package             Vulnerable            Unaffected
------------------  --------------------  --------------------
dev-qt/qtwebengine  < 5.15.11_p20231120   >= 5.15.11_p20231120

Description
===========

Multiple vulnerabilities have been discovered in QtWebEngine. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QtWebEngine users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.11_p20231120"

References
==========

[ 1 ] CVE-2023-4068
  https://nvd.nist.gov/vuln/detail/CVE-2023-4068
[ 2 ] CVE-2023-4069
  https://nvd.nist.gov/vuln/detail/CVE-2023-4069
[ 3 ] CVE-2023-4070
  https://nvd.nist.gov/vuln/detail/CVE-2023-4070
[ 4 ] CVE-2023-4071
  https://nvd.nist.gov/vuln/detail/CVE-2023-4071
[ 5 ] CVE-2023-4072
  https://nvd.nist.gov/vuln/detail/CVE-2023-4072
[ 6 ] CVE-2023-4073
  https://nvd.nist.gov/vuln/detail/CVE-2023-4073
[ 7 ] CVE-2023-4074
  https://nvd.nist.gov/vuln/detail/CVE-2023-4074
[ 8 ] CVE-2023-4075
  https://nvd.nist.gov/vuln/detail/CVE-2023-4075
[ 9 ] CVE-2023-4076
  https://nvd.nist.gov/vuln/detail/CVE-2023-4076
[ 10 ] CVE-2023-4077
  https://nvd.nist.gov/vuln/detail/CVE-2023-4077
[ 11 ] CVE-2023-4078
  https://nvd.nist.gov/vuln/detail/CVE-2023-4078
[ 12 ] CVE-2023-4761
  https://nvd.nist.gov/vuln/detail/CVE-2023-4761
[ 13 ] CVE-2023-4762
  https://nvd.nist.gov/vuln/detail/CVE-2023-4762
[ 14 ] CVE-2023-4763
  https://nvd.nist.gov/vuln/detail/CVE-2023-4763
[ 15 ] CVE-2023-4764
  https://nvd.nist.gov/vuln/detail/CVE-2023-4764
[ 16 ] CVE-2023-5218
  https://nvd.nist.gov/vuln/detail/CVE-2023-5218
[ 17 ] CVE-2023-5473
  https://nvd.nist.gov/vuln/detail/CVE-2023-5473
[ 18 ] CVE-2023-5474
  https://nvd.nist.gov/vuln/detail/CVE-2023-5474
[ 19 ] CVE-2023-5475
  https://nvd.nist.gov/vuln/detail/CVE-2023-5475
[ 20 ] CVE-2023-5476
  https://nvd.nist.gov/vuln/detail/CVE-2023-5476
[ 21 ] CVE-2023-5477
  https://nvd.nist.gov/vuln/detail/CVE-2023-5477
[ 22 ] CVE-2023-5478
  https://nvd.nist.gov/vuln/detail/CVE-2023-5478
[ 23 ] CVE-2023-5479
  https://nvd.nist.gov/vuln/detail/CVE-2023-5479
[ 24 ] CVE-2023-5480
  https://nvd.nist.gov/vuln/detail/CVE-2023-5480
[ 25 ] CVE-2023-5481
  https://nvd.nist.gov/vuln/detail/CVE-2023-5481
[ 26 ] CVE-2023-5482
  https://nvd.nist.gov/vuln/detail/CVE-2023-5482
[ 27 ] CVE-2023-5483
  https://nvd.nist.gov/vuln/detail/CVE-2023-5483
[ 28 ] CVE-2023-5484
  https://nvd.nist.gov/vuln/detail/CVE-2023-5484
[ 29 ] CVE-2023-5485
  https://nvd.nist.gov/vuln/detail/CVE-2023-5485
[ 30 ] CVE-2023-5486
  https://nvd.nist.gov/vuln/detail/CVE-2023-5486
[ 31 ] CVE-2023-5487
  https://nvd.nist.gov/vuln/detail/CVE-2023-5487
[ 32 ] CVE-2023-5849
  https://nvd.nist.gov/vuln/detail/CVE-2023-5849
[ 33 ] CVE-2023-5850
  https://nvd.nist.gov/vuln/detail/CVE-2023-5850
[ 34 ] CVE-2023-5851
  https://nvd.nist.gov/vuln/detail/CVE-2023-5851
[ 35 ] CVE-2023-5852
  https://nvd.nist.gov/vuln/detail/CVE-2023-5852
[ 36 ] CVE-2023-5853
  https://nvd.nist.gov/vuln/detail/CVE-2023-5853
[ 37 ] CVE-2023-5854
  https://nvd.nist.gov/vuln/detail/CVE-2023-5854
[ 38 ] CVE-2023-5855
  https://nvd.nist.gov/vuln/detail/CVE-2023-5855
[ 39 ] CVE-2023-5856
  https://nvd.nist.gov/vuln/detail/CVE-2023-5856
[ 40 ] CVE-2023-5857
  https://nvd.nist.gov/vuln/detail/CVE-2023-5857
[ 41 ] CVE-2023-5858
  https://nvd.nist.gov/vuln/detail/CVE-2023-5858
[ 42 ] CVE-2023-5859
  https://nvd.nist.gov/vuln/detail/CVE-2023-5859
[ 43 ] CVE-2023-5996
  https://nvd.nist.gov/vuln/detail/CVE-2023-5996
[ 44 ] CVE-2023-5997
  https://nvd.nist.gov/vuln/detail/CVE-2023-5997
[ 45 ] CVE-2023-6112
  https://nvd.nist.gov/vuln/detail/CVE-2023-6112

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 

[gentoo-announce] [ GLSA 202312-05 ] libssh: Multiple Vulnerabilities

2023-12-22 Thread glsamaker
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202312-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
   Title: libssh: Multiple Vulnerabilities
    Date: December 22, 2023
    Bugs: #810517, #905746
      ID: 202312-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in libssh, the worst of
which could lead to remote code execution.

Background
==========

libssh is a multiplatform C library implementing the SSHv2 protocol on
the client and server side.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
net-libs/libssh  < 0.10.5      >= 0.10.5

Description
===========

Multiple vulnerabilities have been discovered in libssh. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libssh users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.10.5"

References
==========

[ 1 ] CVE-2021-3634
  https://nvd.nist.gov/vuln/detail/CVE-2021-3634
[ 2 ] CVE-2023-1667
  https://nvd.nist.gov/vuln/detail/CVE-2023-1667
[ 3 ] CVE-2023-2283
  https://nvd.nist.gov/vuln/detail/CVE-2023-2283
[ 4 ] GHSL-2023-085

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 202312-06 ] Exiv2: Multiple Vulnerabilities

2023-12-22 Thread glsamaker
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202312-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
   Title: Exiv2: Multiple Vulnerabilities
    Date: December 22, 2023
    Bugs: #785646, #807346, #917650
      ID: 202312-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Exiv2, the worst of
which can lead to remote code execution.

Background
==========

Exiv2 is a C++ library and set of tools for parsing, editing and saving
Exif and IPTC metadata from images. Exif, the Exchangeable image file
format, specifies the addition of metadata tags to JPEG, TIFF and RIFF
files.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
media-gfx/exiv2  < 0.28.1      >= 0.28.1

Description
===========

Multiple vulnerabilities have been discovered in Exiv2. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Exiv2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/exiv2-0.28.1"

References
==========

[ 1 ] CVE-2020-18771
  https://nvd.nist.gov/vuln/detail/CVE-2020-18771
[ 2 ] CVE-2020-18773
  https://nvd.nist.gov/vuln/detail/CVE-2020-18773
[ 3 ] CVE-2020-18774
  https://nvd.nist.gov/vuln/detail/CVE-2020-18774
[ 4 ] CVE-2020-18899
  https://nvd.nist.gov/vuln/detail/CVE-2020-18899
[ 5 ] CVE-2021-29457
  https://nvd.nist.gov/vuln/detail/CVE-2021-29457
[ 6 ] CVE-2021-29458
  https://nvd.nist.gov/vuln/detail/CVE-2021-29458
[ 7 ] CVE-2021-29463
  https://nvd.nist.gov/vuln/detail/CVE-2021-29463
[ 8 ] CVE-2021-29464
  https://nvd.nist.gov/vuln/detail/CVE-2021-29464
[ 9 ] CVE-2021-29470
  https://nvd.nist.gov/vuln/detail/CVE-2021-29470
[ 10 ] CVE-2021-29473
  https://nvd.nist.gov/vuln/detail/CVE-2021-29473
[ 11 ] CVE-2021-29623
  https://nvd.nist.gov/vuln/detail/CVE-2021-29623
[ 12 ] CVE-2021-31291
  https://nvd.nist.gov/vuln/detail/CVE-2021-31291
[ 13 ] CVE-2021-31292
  https://nvd.nist.gov/vuln/detail/CVE-2021-31292
[ 14 ] CVE-2021-32617
  https://nvd.nist.gov/vuln/detail/CVE-2021-32617
[ 15 ] CVE-2021-32815
  https://nvd.nist.gov/vuln/detail/CVE-2021-32815
[ 16 ] CVE-2021-34334
  https://nvd.nist.gov/vuln/detail/CVE-2021-34334
[ 17 ] CVE-2021-34335
  https://nvd.nist.gov/vuln/detail/CVE-2021-34335
[ 18 ] CVE-2021-37615
  https://nvd.nist.gov/vuln/detail/CVE-2021-37615
[ 19 ] CVE-2021-37616
  https://nvd.nist.gov/vuln/detail/CVE-2021-37616
[ 20 ] CVE-2021-37618
  https://nvd.nist.gov/vuln/detail/CVE-2021-37618
[ 21 ] CVE-2021-37619
  https://nvd.nist.gov/vuln/detail/CVE-2021-37619
[ 22 ] CVE-2021-37620
  https://nvd.nist.gov/vuln/detail/CVE-2021-37620
[ 23 ] CVE-2021-37621
  https://nvd.nist.gov/vuln/detail/CVE-2021-37621
[ 24 ] CVE-2021-37622
  https://nvd.nist.gov/vuln/detail/CVE-2021-37622
[ 25 ] CVE-2021-37623
  https://nvd.nist.gov/vuln/detail/CVE-2021-37623
[ 26 ] CVE-2023-44398
  https://nvd.nist.gov/vuln/detail/CVE-2023-44398

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 202312-04 ] Arduino: Remote Code Execution

2023-12-22 Thread glsamaker
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202312-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
   Title: Arduino: Remote Code Execution
    Date: December 22, 2023
    Bugs: #830716
      ID: 202312-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in Arduino, which bundled a vulnerable
version of log4j.

Background
==========

Arduino is an open-source AVR electronics prototyping platform.

Affected packages
=================

Package               Vulnerable    Unaffected
--------------------  ------------  ------------
dev-embedded/arduino  < 1.8.19      >= 1.8.19

Description
===========

A vulnerability has been discovered in Arduino. Please review the CVE
identifier referenced below for details.

Impact
======

Arduino bundles a vulnerable version of log4j that may lead to remote
code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Arduino users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-embedded/arduino-1.8.19"

References
==========

[ 1 ] CVE-2021-4104
  https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

signature.asc
Description: OpenPGP digital signature
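Each of the six advisories above ends its Resolution with a ">=category/package-version" atom, and deciding whether a host is still exposed means ordering the installed version against that atom using Gentoo's version rules, not plain string or float comparison (0.21.1 is below 0.21.1-r1, 5.15.11 is below 5.15.11_p20231120, and 2.16.01 is below 2.16.1). The following script is an added example, not part of any GLSA and not Gentoo's own tooling: it implements the version ordering from the Package Manager Specification for the version shapes seen on this page, parses the Resolution atoms copied from the advisories, and reports which GLSAs still apply. The installed versions in the sample at the bottom are constructed for the demonstration; on a real host they would come from the installed-package database (for example the output of qlist -Iv from portage-utils). It assumes the version starts at the first "-" followed by a digit, which holds for every atom on this page.

```python
"""Check installed Gentoo versions against the unaffected atoms of the GLSAs.

Added example (not from the advisories, not Gentoo's tooling). Implements the
PMS version ordering for the shapes used on this page; sample installed
versions are constructed for the demonstration.
"""
import re
from itertools import zip_longest

# Suffix ordering per PMS: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)
# Assumption: the version starts at the first "-" followed by a digit, which
# holds for every atom on this page (not for package names like "foo-2bar").
_ATOM_RE = re.compile(r"^(?P<op>>=|<=|<|>|=)?(?P<pkg>[^/]+/[^/]+?)-(?P<ver>\d[^/]*)$")

# Unaffected atoms copied from the Resolution sections of the GLSAs above.
GLSA_UNAFFECTED = {
    "202312-08": ">=media-libs/libraw-0.21.1-r1",
    "202312-09": ">=dev-lang/nasm-2.16.01",
    "202312-07": ">=dev-qt/qtwebengine-5.15.11_p20231120",
    "202312-05": ">=net-libs/libssh-0.10.5",
    "202312-06": ">=media-gfx/exiv2-0.28.1",
    "202312-04": ">=dev-embedded/arduino-1.8.19",
}


def _cmp(a, b):
    return (a > b) - (a < b)


def parse_version(ver):
    """Split a PMS version into (numeric parts, letter, suffixes, revision)."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {ver!r}")
    suffixes = []
    for s in m.group("suffixes").split("_"):
        if s:
            name = s.rstrip("0123456789")
            suffixes.append((name, int(s[len(name):] or 0)))
    return (m.group("nums").split("."), m.group("letter") or "",
            suffixes, int(m.group("rev") or 0))


def compare_versions(left, right):
    """Return -1, 0 or 1 ordering `left` against `right` per PMS."""
    ln, ll, ls, lr = parse_version(left)
    rn, rl, rs, rr = parse_version(right)
    c = _cmp(int(ln[0]), int(rn[0]))  # first component: always an integer
    if c:
        return c
    # Later components are integers unless either has a leading zero, in which
    # case both are compared as strings with trailing zeros removed (so
    # 2.16.01 sorts below 2.16.1). A version with more components is greater.
    for x, y in zip_longest(ln[1:], rn[1:]):
        if x is None or y is None:
            return -1 if x is None else 1
        if x.startswith("0") or y.startswith("0"):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    c = _cmp(ll, rl)  # optional trailing letter; "" sorts before "a"
    if c:
        return c
    # Suffixes are compared pairwise; a missing suffix ranks as "no suffix",
    # so an extra _p makes a version greater and an extra _rc makes it smaller.
    for (xn, xv), (yn, yv) in zip_longest(ls, rs, fillvalue=(None, 0)):
        c = _cmp(_SUFFIX_RANK[xn], _SUFFIX_RANK[yn]) or _cmp(xv, yv)
        if c:
            return c
    return _cmp(lr, rr)  # -rN revision, missing counts as 0


def parse_atom(atom):
    """Split ">=cat/pkg-ver" into (operator, "cat/pkg", "ver")."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"not a versioned atom: {atom!r}")
    return m.group("op") or "=", m.group("pkg"), m.group("ver")


def is_affected(installed, unaffected_atom):
    """True when `installed` does not satisfy the advisory's unaffected atom."""
    op, _pkg, ver = parse_atom(unaffected_atom)
    c = compare_versions(installed, ver)
    satisfied = {">=": c >= 0, ">": c > 0, "=": c == 0,
                 "<=": c <= 0, "<": c < 0}[op]
    return not satisfied


def check_installed(installed, advisories=GLSA_UNAFFECTED):
    """Map GLSA id -> affected flag for each advisory whose package is installed."""
    verdicts = {}
    for glsa, atom in advisories.items():
        _op, pkg, _ver = parse_atom(atom)
        if pkg in installed:
            verdicts[glsa] = is_affected(installed[pkg], atom)
    return verdicts


if __name__ == "__main__":
    # Constructed sample of installed versions; not taken from any real host.
    sample = {"media-libs/libraw": "0.21.1", "dev-lang/nasm": "2.16.01",
              "dev-qt/qtwebengine": "5.15.11", "media-gfx/exiv2": "0.27.5"}
    for glsa, affected in sorted(check_installed(sample).items()):
        print(f"GLSA {glsa}: {'AFFECTED' if affected else 'ok'}")
```

The point of carrying the full PMS ordering rather than comparing strings is the revision and snapshot cases these advisories depend on: a host at libraw 0.21.1 or qtwebengine 5.15.11 looks patched to a naive string prefix check yet is still vulnerable, and only the -r1 revision and the _p20231120 snapshot satisfy the atoms.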