[gentoo-announce] Gentoo Foundation 2024 Election: Recording Date, Nomination & Voting schedule
(Send replies to gentoo-...@lists.gentoo.org, please ensure you are subscribed before replying)

This email serves as the legally required notice of the Gentoo Foundation 2024 election.

The Gentoo Foundation board of trustees has five members. dilfridge, prometheanfire, and soap will retire by rotation this year. robbat2 and ulm remain seated until 2025.

The trustees have determined that the recording date for the 2024 Trustee election will be 2024-06-01 00:00 UTC (June 1st).

The 2024 Trustee election will tentatively use the following schedule, with 14 day periods for each of nominations and voting:

  Nominations open:  2024-06-01 00:00:00 UTC
  Nominations close: 2024-06-14 23:59:59 UTC
  (48 hour gap for election setup)
  Voting opens:      2024-06-17 00:00:00 UTC
  Voting closes:     2024-06-30 23:59:59 UTC

Trustees are selected by a ballot of Gentoo Foundation members. Only Gentoo Foundation members that are also active Gentoo Developers may stand for election [1].

Gentoo Foundation Membership is open to anyone supporting Gentoo. See Bylaws [2] "Section 4.3. Admission of Members" for further information.

To vote in this election, and take an active role in the affairs of the Gentoo Foundation in the next year, you need to apply for membership before 2024-06-01.

All members are encouraged to review their listing on the membership list [3]. This is especially important for those who were previously a member but did not vote in either of the last two elections (2021-08, 2023-06): they must reapply for membership. Gentoo developers who have retired are also encouraged to review their membership for email addresses to ensure their ballot is received.

Please submit applications for membership to trust...@gentoo.org.

[1] https://wiki.gentoo.org/wiki/Foundation:Bylaws#Section_5.2._Qualification
[2] https://wiki.gentoo.org/wiki/Foundation:Bylaws#Section_4.3._Admission_of_Members
[3] https://wiki.gentoo.org/wiki/Foundation:Member_List

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation President & Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
[gentoo-announce] [ GLSA 202405-16 ] Apache Commons BCEL: Remote Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202405-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Apache Commons BCEL: Remote Code Execution
      Date: May 05, 2024
      Bugs: #880447
        ID: 202405-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Apache Commons BCEL, which can lead to remote code execution.

Background
==========

The Byte Code Engineering Library (Apache Commons BCEL™) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).

Affected packages
=================

Package        Vulnerable    Unaffected
-------------  ------------  ------------
dev-java/bcel  < 6.6.0       >= 6.6.0

Description
===========

A vulnerability has been discovered in Apache Commons BCEL. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache Commons BCEL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/bcel-6.6.0"

References
==========

[ 1 ] CVE-2022-34169
      https://nvd.nist.gov/vuln/detail/CVE-2022-34169
[ 2 ] CVE-2022-42920
      https://nvd.nist.gov/vuln/detail/CVE-2022-42920

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202405-15 ] Mozilla Firefox: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202405-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Mozilla Firefox: Multiple Vulnerabilities
      Date: May 05, 2024
      Bugs: #925122
        ID: 202405-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to remote code execution.

Background
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla project.

Affected packages
=================

Package                 Vulnerable        Unaffected
----------------------  ----------------  ----------------
www-client/firefox      < 115.8.0:esr     >= 115.8.0:esr
                        < 123.0:rapid     >= 123.0:rapid
www-client/firefox-bin  < 115.8.0:esr     >= 115.8.0:esr
                        < 123.0:rapid     >= 123.0:rapid

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox binary rapid release users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-123.0"

All Mozilla Firefox rapid release users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-123.0"

All Mozilla Firefox binary ESR users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.8.0:esr"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.8.0:esr"

References
==========

[ 1 ] CVE-2024-1546
      https://nvd.nist.gov/vuln/detail/CVE-2024-1546
[ 2 ] CVE-2024-1547
      https://nvd.nist.gov/vuln/detail/CVE-2024-1547
[ 3 ] CVE-2024-1548
      https://nvd.nist.gov/vuln/detail/CVE-2024-1548
[ 4 ] CVE-2024-1549
      https://nvd.nist.gov/vuln/detail/CVE-2024-1549
[ 5 ] CVE-2024-1550
      https://nvd.nist.gov/vuln/detail/CVE-2024-1550
[ 6 ] CVE-2024-1551
      https://nvd.nist.gov/vuln/detail/CVE-2024-1551
[ 7 ] CVE-2024-1552
      https://nvd.nist.gov/vuln/detail/CVE-2024-1552
[ 8 ] CVE-2024-1553
      https://nvd.nist.gov/vuln/detail/CVE-2024-1553
[ 9 ] CVE-2024-1554
      https://nvd.nist.gov/vuln/detail/CVE-2024-1554
[ 10 ] CVE-2024-1555
      https://nvd.nist.gov/vuln/detail/CVE-2024-1555
[ 11 ] CVE-2024-1556
      https://nvd.nist.gov/vuln/detail/CVE-2024-1556
[ 12 ] CVE-2024-1557
      https://nvd.nist.gov/vuln/detail/CVE-2024-1557

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-15
[gentoo-announce] [ GLSA 202405-14 ] QtWebEngine: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202405-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: QtWebEngine: Multiple Vulnerabilities
      Date: May 05, 2024
      Bugs: #927746
        ID: 202405-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution.

Background
==========

QtWebEngine is a library for rendering dynamic web content in Qt5 and Qt6 C++ and QML applications.

Affected packages
=================

Package             Vulnerable             Unaffected
------------------  ---------------------  ---------------------
dev-qt/qtwebengine  < 5.15.13_p20240322    >= 5.15.13_p20240322

Description
===========

Multiple vulnerabilities have been discovered in QtWebEngine. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QtWebEngine users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.13_p20240322"

References
==========

[ 1 ] CVE-2024-0804
      https://nvd.nist.gov/vuln/detail/CVE-2024-0804
[ 2 ] CVE-2024-0805
      https://nvd.nist.gov/vuln/detail/CVE-2024-0805
[ 3 ] CVE-2024-0806
      https://nvd.nist.gov/vuln/detail/CVE-2024-0806
[ 4 ] CVE-2024-0807
      https://nvd.nist.gov/vuln/detail/CVE-2024-0807
[ 5 ] CVE-2024-0808
      https://nvd.nist.gov/vuln/detail/CVE-2024-0808
[ 6 ] CVE-2024-0809
      https://nvd.nist.gov/vuln/detail/CVE-2024-0809
[ 7 ] CVE-2024-0810
      https://nvd.nist.gov/vuln/detail/CVE-2024-0810
[ 8 ] CVE-2024-0811
      https://nvd.nist.gov/vuln/detail/CVE-2024-0811
[ 9 ] CVE-2024-0812
      https://nvd.nist.gov/vuln/detail/CVE-2024-0812
[ 10 ] CVE-2024-0813
      https://nvd.nist.gov/vuln/detail/CVE-2024-0813
[ 11 ] CVE-2024-0814
      https://nvd.nist.gov/vuln/detail/CVE-2024-0814
[ 12 ] CVE-2024-1059
      https://nvd.nist.gov/vuln/detail/CVE-2024-1059
[ 13 ] CVE-2024-1060
      https://nvd.nist.gov/vuln/detail/CVE-2024-1060
[ 14 ] CVE-2024-1077
      https://nvd.nist.gov/vuln/detail/CVE-2024-1077
[ 15 ] CVE-2024-1283
      https://nvd.nist.gov/vuln/detail/CVE-2024-1283
[ 16 ] CVE-2024-1284
      https://nvd.nist.gov/vuln/detail/CVE-2024-1284

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-14
[gentoo-announce] [ GLSA 202405-13 ] borgmatic: Shell Injection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202405-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: borgmatic: Shell Injection
      Date: May 05, 2024
      Bugs: #924892
        ID: 202405-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in borgmatic, which can lead to shell injection.

Background
==========

borgmatic is simple, configuration-driven backup software for servers and workstations.

Affected packages
=================

Package               Vulnerable    Unaffected
--------------------  ------------  ------------
app-backup/borgmatic  < 1.8.8       >= 1.8.8

Description
===========

Shell injection was possible within the PostgreSQL hook, the MongoDB hook, the SQLite hook, the "borgmatic borg" action, and command hook variable/constant interpolation. borgmatic 1.8.8 prevents these injections.

Impact
======

Shell injection in several borgmatic hooks may be used to execute arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All borgmatic users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-backup/borgmatic-1.8.8"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-13
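The bug class behind this advisory, shown as an added illustration (editor's example, not borgmatic's code): a database name taken from configuration is interpolated into one command string that a shell then re-parses, next to the two fixes, passing it as a discrete argv element, or quoting it with shlex.quote when a user-written command hook really must go through a shell. The hook shape, the function names and the sample database name are assumptions, and `echo` stands in for `pg_dump` so the script runs anywhere a POSIX shell exists.

```python
"""Editor's illustration of the shell-injection bug class behind GLSA 202405-13.
Not borgmatic's code: hook shape, function names and the sample database name
are assumptions, and `echo` stands in for `pg_dump`."""
from __future__ import annotations

import shlex
import subprocess

# Constructed attacker-controlled value: a "database name" that, if a shell
# ever parses it, runs a second command. It only echoes a marker here.
MALICIOUS_NAME = "prod; echo INJECTED"


def dump_command_vulnerable(database_name: str) -> str:
    """The bug class: interpolate an untrusted value into one command string."""
    return f"echo pg_dump --format=custom {database_name}"


def run_vulnerable(database_name: str) -> list[str]:
    """shell=True hands the string to /bin/sh, which honours the ';'."""
    proc = subprocess.run(dump_command_vulnerable(database_name),
                          shell=True, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def dump_command_safe(database_name: str) -> list[str]:
    """The fix: build argv; each element reaches execve() as one argument."""
    return ["echo", "pg_dump", "--format=custom", database_name]


def run_safe(database_name: str) -> list[str]:
    """No shell in the path: the name is data, whatever it contains."""
    proc = subprocess.run(dump_command_safe(database_name),
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def render_hook(template: str, **values: str) -> str:
    """For a user-written command hook that must go through a shell (the
    '{variable}' interpolation case), quote every interpolated value so it
    is exactly one shell word no matter what it contains."""
    return template.format(**{k: shlex.quote(v) for k, v in values.items()})


def run_hook(template: str, **values: str) -> list[str]:
    """Run a rendered hook through the shell; quoting keeps it to one word."""
    proc = subprocess.run(render_hook(template, **values),
                          shell=True, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("vulnerable: ", run_vulnerable(MALICIOUS_NAME))
    print("argv list:  ", run_safe(MALICIOUS_NAME))
    print("quoted hook:", run_hook("echo dumping {db}", db=MALICIOUS_NAME))
```

With the injected name, the vulnerable form prints two lines (the second is the attacker's `INJECTED` marker), while both hardened forms print a single line containing the name verbatim.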
[gentoo-announce] [ GLSA 202405-12 ] Pillow: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202405-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Pillow: Multiple Vulnerabilities
      Date: May 05, 2024
      Bugs: #889594, #903664, #916907, #922577
        ID: 202405-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Pillow, the worst of which can lead to arbitrary code execution.

Background
==========

The friendly PIL fork.

Affected packages
=================

Package            Vulnerable    Unaffected
-----------------  ------------  ------------
dev-python/pillow  < 10.2.0      >= 10.2.0

Description
===========

Multiple vulnerabilities have been discovered in Pillow. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pillow users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/pillow-10.2.0"

References
==========

[ 1 ] CVE-2023-44271
      https://nvd.nist.gov/vuln/detail/CVE-2023-44271
[ 2 ] CVE-2023-50447
      https://nvd.nist.gov/vuln/detail/CVE-2023-50447

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-12
[gentoo-announce] [ GLSA 202405-11 ] MIT krb5: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202405-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MIT krb5: Multiple Vulnerabilities
      Date: May 05, 2024
      Bugs: #803434, #809845, #879875, #917464
        ID: 202405-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in MIT krb5, the worst of which could lead to remote code execution.

Background
==========

MIT krb5 is the free implementation of the Kerberos network authentication protocol by the Massachusetts Institute of Technology.

Affected packages
=================

Package             Vulnerable    Unaffected
------------------  ------------  ------------
app-crypt/mit-krb5  < 1.21.2      >= 1.21.2

Description
===========

Multiple vulnerabilities have been discovered in MIT krb5. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MIT krb5 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.21.2"

References
==========

[ 1 ] CVE-2021-36222
      https://nvd.nist.gov/vuln/detail/CVE-2021-36222
[ 2 ] CVE-2021-37750
      https://nvd.nist.gov/vuln/detail/CVE-2021-37750
[ 3 ] CVE-2022-42898
      https://nvd.nist.gov/vuln/detail/CVE-2022-42898
[ 4 ] CVE-2023-36054
      https://nvd.nist.gov/vuln/detail/CVE-2023-36054
[ 5 ] CVE-2023-39975
      https://nvd.nist.gov/vuln/detail/CVE-2023-39975

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-11
[gentoo-announce] [ GLSA 202405-10 ] Setuptools: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202405-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Setuptools: Denial of Service
      Date: May 05, 2024
      Bugs: #879813
        ID: 202405-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Setuptools, which can lead to denial of service.

Background
==========

Setuptools is a manager for Python packages.

Affected packages
=================

Package                Vulnerable    Unaffected
---------------------  ------------  ------------
dev-python/setuptools  < 65.5.1      >= 65.5.1

Description
===========

A vulnerability has been discovered in Setuptools. See the impact field.

Impact
======

An inefficient regular expression may result in a denial of service when a user fetches malicious HTML from a package on PyPI or from a custom PackageIndex page.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Setuptools users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/setuptools-65.5.1"

References
==========

[ 1 ] CVE-2022-40897
      https://nvd.nist.gov/vuln/detail/CVE-2022-40897

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-10
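Every "Affected packages" table and `emerge` one-liner above reduces to one question: does an installed version fall inside the vulnerable range? Gentoo's own tool for that is glsa-check (app-portage/gentoolkit). As an added illustration that is not Gentoo's code, the script below implements the version ordering from the Package Manager Specification in simplified form (numeric components, optional trailing letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision), applies the slot-qualified ranges of the seven advisories on this page, and runs them over a constructed sample of installed packages. The sample, the function names and the `ver:slot` input form are assumptions.

```python
"""Editor's illustration: check installed Gentoo package versions against the
GLSA "Affected packages" rows on this page. Not glsa-check; the PMS version
ordering is implemented in simplified form and the installed set is constructed."""
from __future__ import annotations

import re
from itertools import zip_longest

# Suffix ranking from PMS: _alpha < _beta < _pre < _rc < (none) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)
_SPEC_RE = re.compile(r"^(<=|>=|<|>|=)\s*([^\s:]+)(?::(\S+))?$")


def _sign(a, b) -> int:
    return (a > b) - (a < b)


def parse_version(ver: str):
    """Split 'nums[letter][_suffixN...][-rN]' into comparable parts."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a PMS version: {ver!r}")
    suffixes = [(_SUFFIX_RANK[name], int(num or 0))  # bare '_rc' counts as '_rc0'
                for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m["suffixes"])]
    return m["nums"].split("."), m["letter"] or "", suffixes, int(m["rev"] or 0)


def _cmp_numeric(a: list[str], b: list[str]) -> int:
    if int(a[0]) != int(b[0]):            # first component: plain integer
        return _sign(int(a[0]), int(b[0]))
    for x, y in zip(a[1:], b[1:]):
        if x.startswith("0") or y.startswith("0"):
            # Leading zero: strip trailing zeros, compare as strings (1.01 < 1.1)
            x, y = x.rstrip("0"), y.rstrip("0")
            if x != y:
                return _sign(x, y)
        elif int(x) != int(y):
            return _sign(int(x), int(y))
    return _sign(len(a), len(b))          # more components wins: 1.2.0 > 1.2


def cmp_versions(v1: str, v2: str) -> int:
    """-1, 0 or 1 as v1 <, ==, > v2 under the PMS ordering."""
    n1, l1, s1, r1 = parse_version(v1)
    n2, l2, s2, r2 = parse_version(v2)
    c = _cmp_numeric(n1, n2)
    if c:
        return c
    if l1 != l2:
        return _sign(l1, l2)              # no letter sorts before any letter
    none = (_SUFFIX_RANK[""], 0)          # missing suffix sits between _rc and _p
    for p, q in zip_longest(s1, s2, fillvalue=none):
        if p != q:
            return _sign(p, q)
    return _sign(r1, r2)


def matches_spec(installed: str, spec: str) -> bool:
    """installed is 'ver' or 'ver:slot'; spec is a GLSA cell such as '< 115.8.0:esr'.
    A slotted spec only applies to an install in that slot."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad spec: {spec!r}")
    op, ver, slot = m.groups()
    inst_ver, _, inst_slot = installed.partition(":")
    if slot and inst_slot != slot:
        return False
    c = cmp_versions(inst_ver, ver)
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c == 0}[op]


# Vulnerable ranges transcribed from the advisories on this page.
ADVISORIES = {
    "202405-16": [("dev-java/bcel", "< 6.6.0")],
    "202405-15": [("www-client/firefox", "< 115.8.0:esr"), ("www-client/firefox", "< 123.0:rapid"),
                  ("www-client/firefox-bin", "< 115.8.0:esr"), ("www-client/firefox-bin", "< 123.0:rapid")],
    "202405-14": [("dev-qt/qtwebengine", "< 5.15.13_p20240322")],
    "202405-13": [("app-backup/borgmatic", "< 1.8.8")],
    "202405-12": [("dev-python/pillow", "< 10.2.0")],
    "202405-11": [("app-crypt/mit-krb5", "< 1.21.2")],
    "202405-10": [("dev-python/setuptools", "< 65.5.1")],
}

# Constructed sample installed set (not a real system); a package may sit in several slots.
SAMPLE_INSTALLED = {
    "dev-java/bcel": ["6.5.0"],
    "www-client/firefox": ["115.7.0:esr", "123.0:rapid"],
    "dev-qt/qtwebengine": ["5.15.13"],        # no _p snapshot suffix: still vulnerable
    "app-backup/borgmatic": ["1.8.8"],
    "dev-python/setuptools": ["65.5.1-r1"],   # revision of the fixed version: not vulnerable
    "app-crypt/mit-krb5": ["1.21.2_rc1"],     # release candidate sorts below 1.21.2
}


def affected_advisories(installed: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map GLSA id -> installed package versions inside a vulnerable range."""
    hits: dict[str, list[str]] = {}
    for glsa, rows in ADVISORIES.items():
        for pkg, spec in rows:
            for ver in installed.get(pkg, []):
                if matches_spec(ver, spec):
                    hits.setdefault(glsa, []).append(f"{pkg}-{ver}")
    return hits


if __name__ == "__main__":
    for glsa, pkgs in sorted(affected_advisories(SAMPLE_INSTALLED).items()):
        print(f"GLSA {glsa}: {', '.join(pkgs)}")
```

The sample is chosen to exercise the corners that a naive string or tuple comparison gets wrong: a `_p` snapshot suffix sorts above the bare version, an `_rc` below it, a `-r1` revision above it, and a slotted range such as `< 123.0:rapid` says nothing about the `esr` slot of the same package.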