[gentoo-announce] [ GLSA 202105-06 ] Smarty: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Smarty: Multiple vulnerabilities
      Date: May 26, 2021
      Bugs: #772206
        ID: 202105-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in the Smarty template engine might allow
remote attackers to execute arbitrary PHP code.

Background
==========

Smarty is a template engine for PHP.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-php/smarty                < 3.1.39                 >= 3.1.39

Description
===========

Multiple vulnerabilities have been discovered in the Smarty template
engine. Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary PHP code. Please
review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Smarty template engine users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-php/smarty-3.1.39"

References
==========

[ 1 ] CVE-2021-26119
      https://nvd.nist.gov/vuln/detail/CVE-2021-26119
[ 2 ] CVE-2021-26120
      https://nvd.nist.gov/vuln/detail/CVE-2021-26120

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-02 ] stunnel: Improper certificate validation

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: stunnel: Improper certificate validation
      Date: May 26, 2021
      Bugs: #772146
        ID: 202105-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

stunnel was not properly verifying TLS certificates, possibly allowing
an integrity/confidentiality compromise.

Background
==========

The stunnel program is designed to work as an SSL/TLS encryption
wrapper between a client and a local or remote server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/stunnel              < 5.58                   >= 5.58

Description
===========

It was discovered that stunnel did not correctly verify the client
certificate when the "redirect" and "verifyChain" options are used
together.

Impact
======

A remote attacker could present a specially crafted certificate,
possibly resulting in a breach of integrity or confidentiality.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All stunnel users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/stunnel-5.58"

References
==========

[ 1 ] CVE-2021-20230
      https://nvd.nist.gov/vuln/detail/CVE-2021-20230

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-02



[gentoo-announce] [ GLSA 202105-07 ] Telegram: Security bypass

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Telegram: Security bypass
      Date: May 26, 2021
      Bugs: #771684
        ID: 202105-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An insufficient session expiration has been reported in Telegram.

Background
==========

Telegram is a cloud-based mobile and desktop messaging app with a focus
on security and speed.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-im/telegram-desktop       < 2.4.11                 >= 2.4.11
  2  net-im/telegram-desktop-bin   < 2.4.11                 >= 2.4.11
    -------------------------------------------------------------------
     2 affected packages

Description
===========

It was discovered that Telegram failed to invalidate a recently active
session.

Impact
======

A session that should have been terminated may remain usable. Please
review the referenced CVE identifier for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Telegram users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-im/telegram-desktop-2.4.11"

All Telegram binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=net-im/telegram-desktop-bin-2.4.11"

References
==========

[ 1 ] CVE-2021-27351
      https://nvd.nist.gov/vuln/detail/CVE-2021-27351

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-07



[gentoo-announce] [ GLSA 202105-09 ] BusyBox: Denial of service

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: BusyBox: Denial of service
      Date: May 26, 2021
      Bugs: #777255
        ID: 202105-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in BusyBox might allow remote attackers to cause a
Denial of Service condition.

Background
==========

BusyBox is a set of tools for embedded systems and is a replacement for
GNU Coreutils.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  sys-apps/busybox              < 1.32.1                 >= 1.32.1

Description
===========

It was discovered that BusyBox mishandled the error bit on the
huft_build result pointer when decompressing GZIP compressed data.

Impact
======

A remote attacker could entice a user to open a specially crafted GZIP
file using BusyBox, possibly resulting in a Denial of Service
condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All BusyBox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.32.1"

References
==========

[ 1 ] CVE-2021-28831
      https://nvd.nist.gov/vuln/detail/CVE-2021-28831

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-09



[gentoo-announce] [ GLSA 202105-16 ] X.Org X11 library: Denial of service

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: X.Org X11 library: Denial of service
      Date: May 26, 2021
      Bugs: #790824
        ID: 202105-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in the X.Org X11 library could lead to a Denial of
Service condition.

Background
==========

X.Org is an implementation of the X Window System. The X.Org X11
library provides the X11 protocol library files.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  x11-libs/libX11               < 1.7.1                  >= 1.7.1

Description
===========

It was discovered that XLookupColor() and other X.Org X11 library
functions lacked proper validation of the length of their string
parameters.

Impact
======

An attacker could emit arbitrary X protocol requests to the X server
through maliciously crafted string parameters passed to applications
linked against the X.Org X11 library.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All X.Org X11 library users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/libX11-1.7.1"

References
==========

[ 1 ] CVE-2021-31535
      https://nvd.nist.gov/vuln/detail/CVE-2021-31535

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-16



[gentoo-announce] [ GLSA 202105-05 ] Mutt, NeoMutt: Denial of Service

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Mutt, NeoMutt: Denial of Service
      Date: May 26, 2021
      Bugs: #788388, #788391
        ID: 202105-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Mutt and NeoMutt could lead to a Denial of Service
condition.

Background
==========

Mutt is a small but very powerful text-based mail client.

NeoMutt is a command line mail reader (or MUA). It's a fork of Mutt
with added features.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  mail-client/mutt              < 2.0.7                  >= 2.0.7
  2  mail-client/neomutt           < 20210205-r1            >= 20210205-r1
    -------------------------------------------------------------------
     2 affected packages

Description
===========

It was discovered that Mutt and NeoMutt did not properly handle
certain situations where an IMAP sequence set ends with a comma.

Impact
======

A remote attacker could entice a user to connect to a malicious IMAP
server, causing a Denial of Service condition or other unspecified
impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mutt users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/mutt-2.0.7"

All NeoMutt users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=mail-client/neomutt-20210205-r1"

References
==========

[ 1 ] CVE-2021-32055
      https://nvd.nist.gov/vuln/detail/CVE-2021-32055

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-05



[gentoo-announce] [ GLSA 202105-08 ] ICU: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: ICU: Multiple vulnerabilities
      Date: May 26, 2021
      Bugs: #755704
        ID: 202105-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in ICU, the worst of which
could cause a Denial of Service condition.

Background
==========

ICU is a mature, widely used set of C/C++ and Java libraries providing
Unicode and Globalization support for software applications.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-libs/icu                  < 68.2                   >= 68.2

Description
===========

Multiple vulnerabilities have been discovered in ICU. Please review the
upstream bugs referenced below for details.

Impact
======

Remote attackers could cause a Denial of Service condition or possibly
have other unspecified impacts via unspecified vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ICU users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/icu-68.2"

References
==========

[ 1 ] Chromium Change-Id Iad839ac77d487d5e1b396bcdbc29bc7cd58a7ef8
      https://chromium-review.googlesource.com/q/Iad839ac77d487d5e1b396bcdbc29bc7cd58a7ef8
[ 2 ] ICU-21383
      https://unicode-org.atlassian.net/browse/ICU-21383
[ 3 ] ICU-21385
      https://unicode-org.atlassian.net/browse/ICU-21385

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-08



[gentoo-announce] [ GLSA 202105-14 ] Squid: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Squid: Multiple vulnerabilities
      Date: May 26, 2021
      Bugs: #775194, #789309
        ID: 202105-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Squid, the worst of which
could result in a Denial of Service condition.

Background
==========

Squid is a full-featured Web proxy cache designed to run on Unix
systems. It supports proxying and caching of HTTP, FTP, and other URLs,
as well as SSL support, cache hierarchies, transparent caching, access
control lists and many other features.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-proxy/squid               < 4.15                   >= 4.15

Description
===========

Multiple vulnerabilities have been discovered in Squid. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could send a specially crafted request, possibly
resulting in a Denial of Service condition or information leak.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Squid users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-proxy/squid-4.15"

References
==========

[ 1 ] CVE-2020-25097
      https://nvd.nist.gov/vuln/detail/CVE-2020-25097
[ 2 ] CVE-2021-28116
      https://nvd.nist.gov/vuln/detail/CVE-2021-28116
[ 3 ] CVE-2021-28651
      https://nvd.nist.gov/vuln/detail/CVE-2021-28651
[ 4 ] CVE-2021-28652
      https://nvd.nist.gov/vuln/detail/CVE-2021-28652
[ 5 ] CVE-2021-28662
      https://nvd.nist.gov/vuln/detail/CVE-2021-28662
[ 6 ] CVE-2021-31806
      https://nvd.nist.gov/vuln/detail/CVE-2021-31806
[ 7 ] CVE-2021-31807
      https://nvd.nist.gov/vuln/detail/CVE-2021-31807
[ 8 ] CVE-2021-31808
      https://nvd.nist.gov/vuln/detail/CVE-2021-31808

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-14



[gentoo-announce] [ GLSA 202105-13 ] Mumble: User-assisted execution of arbitrary code

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mumble: User-assisted execution of arbitrary code
      Date: May 26, 2021
      Bugs: #770973
        ID: 202105-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in Mumble that could allow a remote
attacker to execute arbitrary code.

Background
==========

Mumble is low-latency voice chat software intended for use with gaming.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-sound/mumble            < 1.3.4                  >= 1.3.4

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted
server list (web page) using Mumble, possibly resulting in execution of
arbitrary code with the privileges of the process or a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mumble users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-sound/mumble-1.3.4"

References
==========

[ 1 ] CVE-2021-27229
      https://nvd.nist.gov/vuln/detail/CVE-2021-27229

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-13



[gentoo-announce] [ GLSA 202105-04 ] Boost: Buffer overflow

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Boost: Buffer overflow
      Date: May 26, 2021
      Bugs: #620468
        ID: 202105-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in Boost might allow remote attacker(s) to execute
arbitrary code.

Background
==========

Boost is a set of C++ libraries, including the Boost.Regex library to
process regular expressions.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-libs/boost                < 1.74.0-r2              >= 1.74.0-r2

Description
===========

It was discovered that Boost incorrectly sanitized the 'next_size' and
'max_size' parameters of the ordered_malloc() function when allocating
memory.

Impact
======

A remote attacker could provide a specially crafted
application-specific file (one that requires runtime memory allocation
to be processed) that, when opened with an application using the Boost
C++ libraries, could possibly result in execution of arbitrary code
with the privileges of the process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Boost users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/boost-1.74.0-r2"

References
==========

[ 1 ] CVE-2012-2677
      https://nvd.nist.gov/vuln/detail/CVE-2012-2677

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-04



[gentoo-announce] [ GLSA 202105-11 ] GNU Screen: User-assisted execution of arbitrary code

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GNU Screen: User-assisted execution of arbitrary code
      Date: May 26, 2021
      Bugs: #769770
        ID: 202105-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in GNU Screen may allow a remote attacker to execute
arbitrary code.

Background
==========

GNU Screen is a full-screen window manager that multiplexes a physical
terminal between several processes, typically interactive shells.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-misc/screen               < 4.8.0-r2               >= 4.8.0-r2

Description
===========

It was discovered that GNU Screen did not properly handle certain UTF-8
character sequences.

Impact
======

A remote attacker could entice a user to run, inside a GNU Screen
session, a program whose output the attacker controls, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.

Workaround
==========

This vulnerability can be mitigated by disabling UTF-8 processing in
.screenrc.

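What that workaround looks like in practice, as an added example that
is not part of the advisory (defutf8 is GNU Screen's own configuration
command; the file is assumed to be the user's ~/.screenrc):

```screenrc
# Added example, not from the advisory: interim mitigation for
# CVE-2021-26937 on app-misc/screen < 4.8.0-r2.
#
# Turn off UTF-8 decoding of terminal output for every window that
# screen creates from now on. This is the setting the advisory's
# workaround refers to; without it screen normally enables UTF-8 on
# its own when the session runs under a UTF-8 locale.
defutf8 off
```

Windows that are already open when this line is added keep their old
setting until `utf8 off` is issued in each of them from the screen
command prompt (C-a :), and starting screen with `-U` overrides the
file and turns UTF-8 back on, so that flag must not be used either.
This is a stop-gap that disables a feature rather than fixing the bug;
the upgrade in the Resolution section is still required.
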
Resolution
==========

All GNU Screen users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-misc/screen-4.8.0-r2"

References
==========

[ 1 ] CVE-2021-26937
      https://nvd.nist.gov/vuln/detail/CVE-2021-26937

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-11



[gentoo-announce] [ GLSA 202105-12 ] OpenSMTPD: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: OpenSMTPD: Multiple vulnerabilities
      Date: May 26, 2021
      Bugs: #761945
        ID: 202105-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenSMTPD, the worst of
which could result in a Denial of Service condition.

Background
==========

OpenSMTPD is a lightweight but featured SMTP daemon from OpenBSD.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  mail-mta/opensmtpd            < 6.8.0_p2               >= 6.8.0_p2

Description
===========

Multiple vulnerabilities have been discovered in OpenSMTPD. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker, by connecting to the SMTP listener daemon, could
possibly cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSMTPD users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-mta/opensmtpd-6.8.0_p2"

References
==========

[ 1 ] CVE-2020-35679
      https://nvd.nist.gov/vuln/detail/CVE-2020-35679
[ 2 ] CVE-2020-35680
      https://nvd.nist.gov/vuln/detail/CVE-2020-35680

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-12



[gentoo-announce] [ GLSA 202105-18 ] LittleCMS: User-assisted execution of arbitrary code

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: LittleCMS: User-assisted execution of arbitrary code
      Date: May 26, 2021
      Bugs: #761418
        ID: 202105-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A heap-based buffer overflow in LittleCMS might allow remote attackers
to execute arbitrary code.

Background
==========

LittleCMS, or short lcms, is a color management system for working with
ICC profiles. It is used by many applications including GIMP, Firefox
and Chromium.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/lcms               < 2.10                   >= 2.10

Description
===========

It was discovered that LittleCMS (aka Little Color Management System)
had an integer overflow in the AllocateDataSet function in cmscgats.c.

Impact
======

A remote attacker could entice a user or automated system to open a
specially crafted file containing malicious color data, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LittleCMS users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/lcms-2.10"

References
==========

[ 1 ] CVE-2018-16435
      https://nvd.nist.gov/vuln/detail/CVE-2018-16435

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-18



[gentoo-announce] [ GLSA 202105-19 ] Firejail: Privilege escalation

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Firejail: Privilege escalation
 Date: May 26, 2021
 Bugs: #769542
   ID: 202105-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A vulnerability was discovered in Firejail which may allow local
attackers to gain root privileges.

Background
==

Firejail is a SUID program that reduces the risk of security breaches by
restricting the running environment of untrusted applications using
Linux namespaces and seccomp-bpf.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  sys-apps/firejail   < 0.9.64.4   >= 0.9.64.4

Description
===

It was discovered that a flaw in Firejail's OverlayFS code allowed
restricted programs to escape the sandbox.

Impact
==

A local attacker could obtain arbitrary file system access via an
application running within a Firejail sandbox, possibly resulting in
privilege escalation.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Firejail users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/firejail-0.9.64.4"

References
==

[ 1 ] CVE-2021-26910
  https://nvd.nist.gov/vuln/detail/CVE-2021-26910

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-19

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-26 ] SpamAssassin: Arbitrary command execution

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: SpamAssassin: Arbitrary command execution
 Date: May 26, 2021
 Bugs: #778002
   ID: 202105-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in SpamAssassin might allow remote attackers to execute
arbitrary commands.

Background
==

SpamAssassin is an extensible email filter used to identify junk email.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  mail-filter/spamassassin   < 3.4.5    >= 3.4.5

Description
===

It was discovered that SpamAssassin incorrectly handled certain CF
files.

Impact
==

A remote attacker could entice a user or automated system to process a
specially crafted CF file using SpamAssassin, possibly resulting in
execution of arbitrary commands with the privileges of the process or a
Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All SpamAssassin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.4.5"

References
==

[ 1 ] CVE-2020-1946
  https://nvd.nist.gov/vuln/detail/CVE-2020-1946

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-26

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-32 ] PostgreSQL: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low
Title: PostgreSQL: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #771942
   ID: 202105-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PostgreSQL, the worst of
which could result in information disclosure.

Background
==

PostgreSQL is an open source object-relational database management
system.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-db/postgresql   < 13.2     >= 9.5.25:9.5
                                    >= 9.6.21:9.6
                                    >= 10.16:10
                                    >= 11.11:11
                                    >= 12.6:12
                                    >= 13.2:13

Description
===

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.

Impact
==

An authenticated remote attacker, by executing maliciously crafted
queries, could possibly disclose sensitive information.

Workaround
==

There is no known workaround at this time.

Resolution
==

All PostgreSQL 9.5.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.25:9.5"

All PostgreSQL 9.6.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.21:9.6"

All PostgreSQL 10.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.16:10"

All PostgreSQL 11.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.11:11"

All PostgreSQL 12.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.6:12"

All PostgreSQL 13.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.2:13"

References
==

[ 1 ] CVE-2021-20229
  https://nvd.nist.gov/vuln/detail/CVE-2021-20229
[ 2 ] CVE-2021-3393
  https://nvd.nist.gov/vuln/detail/CVE-2021-3393

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-32

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-36 ] cURL: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-36
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: cURL: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #779535, #792192
   ID: 202105-36

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in cURL, the worst of which
could result in the arbitrary execution of code.

Background
==

cURL is a command line tool and library for transferring data with URLs.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/curl   < 7.77.0   >= 7.77.0

Description
===

Multiple vulnerabilities have been discovered in cURL. Please review
the CVE identifiers referenced below for details.

Impact
==

Please review the referenced CVE identifiers for details.

Workaround
==

There is no known workaround at this time.

Resolution
==

All cURL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/curl-7.77.0"

References
==

[ 1 ] CVE-2021-22876
  https://nvd.nist.gov/vuln/detail/CVE-2021-22876
[ 2 ] CVE-2021-22890
  https://nvd.nist.gov/vuln/detail/CVE-2021-22890
[ 3 ] CVE-2021-22898
  https://nvd.nist.gov/vuln/detail/CVE-2021-22898
[ 4 ] CVE-2021-22901
  https://nvd.nist.gov/vuln/detail/CVE-2021-22901

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-36

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-25 ] OpenVPN: Authentication bypass

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: OpenVPN: Authentication bypass
 Date: May 26, 2021
 Bugs: #785115
   ID: 202105-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in OpenVPN, allowing attackers to bypass
the authentication process.

Background
==

OpenVPN is a multi-platform, full-featured SSL VPN solution.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-vpn/openvpn   < 2.5.2   >= 2.5.2

Description
===

It was discovered that OpenVPN incorrectly handled deferred
authentication.

Impact
==

A remote attacker could bypass authentication and access control
channel data and trigger further information leaks.

Workaround
==

Configure OpenVPN server to not use deferred authentication.

Resolution
==

All OpenVPN users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-vpn/openvpn-2.5.2"

References
==

[ 1 ] CVE-2020-15078
  https://nvd.nist.gov/vuln/detail/CVE-2020-15078

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-25

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-33 ] containerd: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: containerd: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #758137, #775329
   ID: 202105-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in containerd, the worst of
which could result in privilege escalation.

Background
==

Containerd is a daemon with an API and a command line client, to manage
containers on one machine. It uses runC to run containers according to
the OCI specification.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-emulation/containerd   < 1.4.4   >= 1.4.4

Description
===

Multiple vulnerabilities have been discovered in containerd. Please
review the CVE identifiers referenced below for details.

Impact
==

A local attacker, able to run a malicious container in the same network
namespace as the shim, could possibly escalate privileges. Furthermore,
an attacker could disclose sensitive information.

Workaround
==

There is no known workaround at this time.

Resolution
==

All containerd users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/containerd-1.4.4"

References
==

[ 1 ] CVE-2020-15257
  https://nvd.nist.gov/vuln/detail/CVE-2020-15257
[ 2 ] CVE-2021-21334
  https://nvd.nist.gov/vuln/detail/CVE-2021-21334

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-33

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-17 ] rxvt-unicode: User-assisted execution of arbitrary code

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: rxvt-unicode: User-assisted execution of arbitrary code
 Date: May 26, 2021
 Bugs: #790782
   ID: 202105-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in rxvt-unicode may allow a remote attacker to execute
arbitrary code.

Background
==

rxvt-unicode (urxvt) is a clone of the rxvt terminal emulator.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  x11-terms/rxvt-unicode  < 9.22-r9 >= 9.22-r9

Description
===

It was discovered that rxvt-unicode did not properly handle certain
escape sequences.

Impact
==

A remote attacker could entice a user to run a program whose output the
attacker controls inside an rxvt terminal window, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All rxvt-unicode users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-9.22-r9"

References
==

[ 1 ] CVE-2021-33477
  https://nvd.nist.gov/vuln/detail/CVE-2021-33477

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-17

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-20 ] Dnsmasq: DNS cache poisoning

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low
Title: Dnsmasq: DNS cache poisoning
 Date: May 26, 2021
 Bugs: #782130
   ID: 202105-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Use of insufficient randomness in Dnsmasq might lead to DNS Cache
Poisoning.

Background
==

Dnsmasq is a lightweight and easily-configurable DNS forwarder and DHCP
server.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-dns/dnsmasq   < 2.85 >= 2.85

Description
===

It was discovered that Dnsmasq, when configured with
--server=@ or similar (e.g. through dbus),
configured a fixed UDP port for all outgoing queries to the specified
upstream DNS server.
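One way to verify this behaviour on a forwarder you operate, as an added example that is not code from the advisory or from Dnsmasq: it reads a constructed, simplified log of outgoing upstream queries (one "source port, upstream address" pair per line, assumed to be derived from a packet capture on the forwarder host) and flags any upstream whose queries all left from a single UDP port, which is the condition the advisory describes for Dnsmasq before 2.85.

```python
"""Check whether a DNS forwarder randomises the UDP source port of its
outgoing upstream queries.

Added example, not part of the Gentoo advisory or of Dnsmasq. The log
format ("<src_port> <upstream_ip>" per line) and the sample lines below
are constructed for this example; a real input would be derived from a
capture of UDP/53 traffic leaving the forwarder host.
"""
from collections import defaultdict

# Constructed sample: a forwarder talking to two upstream resolvers.
# Queries to 192.0.2.53 all leave from port 40000 (the fixed-port
# behaviour described in the advisory); queries to 198.51.100.53 use a
# fresh source port for every query.
SAMPLE_LOG = """\
40000 192.0.2.53
40000 192.0.2.53
40000 192.0.2.53
40000 192.0.2.53
40000 192.0.2.53
51234 198.51.100.53
60211 198.51.100.53
38855 198.51.100.53
44097 198.51.100.53
57730 198.51.100.53
"""


def parse_queries(log_text):
    """Return {upstream_ip: [src_port, ...]} from the simplified log."""
    ports_by_upstream = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port, upstream = line.split()
        ports_by_upstream[upstream].append(int(port))
    return ports_by_upstream


def assess_source_ports(ports_by_upstream, min_queries=5, low_ratio=0.5):
    """Classify each upstream as 'fixed', 'low', 'random' or 'insufficient'.

    'fixed'        every query used the same source port: a spoofed reply
                   only has to match the 16-bit transaction ID.
    'low'          fewer than low_ratio * queries distinct ports were seen,
                   so the port adds much less than the expected entropy.
    'random'       distinct ports are plentiful for the sample size.
    'insufficient' fewer than min_queries queries observed; no verdict.
    """
    verdicts = {}
    for upstream, ports in ports_by_upstream.items():
        if len(ports) < min_queries:
            verdicts[upstream] = "insufficient"
            continue
        distinct = len(set(ports))
        if distinct == 1:
            verdicts[upstream] = "fixed"
        elif distinct / len(ports) < low_ratio:
            verdicts[upstream] = "low"
        else:
            verdicts[upstream] = "random"
    return verdicts


def fixed_port_upstreams(log_text, min_queries=5):
    """Upstreams whose queries all left from one source port, sorted."""
    verdicts = assess_source_ports(parse_queries(log_text), min_queries)
    return sorted(u for u, v in verdicts.items() if v == "fixed")


if __name__ == "__main__":
    results = assess_source_ports(parse_queries(SAMPLE_LOG))
    for upstream, verdict in sorted(results.items()):
        print(f"{upstream}: {verdict}")
```

Run it against a capture taken after upgrading; every upstream should report "random" once the fix is in place.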

Impact
==

An attacker, by sending maliciously crafted DNS responses, could perform
a DNS Cache Poisoning attack.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Dnsmasq users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.85"

References
==

[ 1 ] CVE-2021-3448
  https://nvd.nist.gov/vuln/detail/CVE-2021-3448

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-20

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-21 ] Tcpreplay: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low
Title: Tcpreplay: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #750344
   ID: 202105-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Tcpreplay, the worst of
which could result in a Denial of Service condition.

Background
==

Tcpreplay is a suite of utilities for UNIX systems for editing and
replaying network traffic which was previously captured by tools like
tcpdump and ethereal/wireshark.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-analyzer/tcpreplay   < 4.3.4   >= 4.3.4

Description
===

Multiple vulnerabilities have been discovered in Tcpreplay. Please
review the CVE identifiers referenced below for details.

Impact
==

A remote attacker could entice a user to open a specially crafted
network capture file using Tcpreplay, possibly resulting in a Denial of
Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Tcpreplay users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/tcpreplay-4.3.4"

References
==

[ 1 ] CVE-2020-24265
  https://nvd.nist.gov/vuln/detail/CVE-2020-24265
[ 2 ] CVE-2020-24266
  https://nvd.nist.gov/vuln/detail/CVE-2020-24266

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-21

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-28 ] MariaDB: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: MariaDB: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #86, #789240
   ID: 202105-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MariaDB, the worst of which
could result in the arbitrary execution of code.

Background
==

MariaDB is an enhanced, drop-in replacement for MySQL.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-db/mariadb   < 10.5.10   >= 10.2.38:10.2
                                  >= 10.3.29:10.3
                                  >= 10.4.19:10.4
                                  >= 10.5.10:10.5

Description
===

Multiple vulnerabilities have been discovered in MariaDB. Please review
the CVE identifiers referenced below for details.

Impact
==

Please review the referenced CVE identifiers for details.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MariaDB 10.2.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.2.38:10.2"

All MariaDB 10.3.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.3.29:10.3"

All MariaDB 10.4.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.4.19:10.4"

All MariaDB 10.5.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.5.10:10.5"

References
==

[ 1 ] CVE-2021-2154
  https://nvd.nist.gov/vuln/detail/CVE-2021-2154
[ 2 ] CVE-2021-2166
  https://nvd.nist.gov/vuln/detail/CVE-2021-2166
[ 3 ] CVE-2021-2180
  https://nvd.nist.gov/vuln/detail/CVE-2021-2180
[ 4 ] CVE-2021-27928
  https://nvd.nist.gov/vuln/detail/CVE-2021-27928

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-28

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-31 ] Nettle: Denial of service

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low
Title: Nettle: Denial of service
 Date: May 26, 2021
 Bugs: #780483
   ID: 202105-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Nettle could lead to a Denial of Service condition.

Background
==

Nettle is a cryptographic library that is designed to fit easily in
almost any context: In cryptographic toolkits for object-oriented
languages, such as C++, Python, or Pike, in applications like lsh or
GnuPG, or even in kernel space.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-libs/nettle   < 3.7.2   >= 3.7.2

Description
===

It was discovered that Nettle incorrectly handled signature
verification.

Impact
==

A remote attacker could send a specially crafted, valid-looking input
signature, possibly resulting in a Denial of Service condition or
forcing an invalid signature.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Nettle users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/nettle-3.7.2"

References
==

[ 1 ] CVE-2021-20305
  https://nvd.nist.gov/vuln/detail/CVE-2021-20305

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-31

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-22 ] Samba: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low
Title: Samba: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #778026, #786825
   ID: 202105-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Samba, the worst of which
could result in a Denial of Service condition.

Background
==

Samba is a suite of SMB and CIFS client/server programs.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-fs/samba < 4.13.8  >= 4.13.8

Description
===

Multiple vulnerabilities have been discovered in Samba. Please review
the CVE identifiers referenced below for details.

Impact
==

Please review the referenced CVE identifiers for details.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Samba users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-fs/samba-4.13.8"

References
==

[ 1 ] CVE-2020-27840
  https://nvd.nist.gov/vuln/detail/CVE-2020-27840
[ 2 ] CVE-2021-20254
  https://nvd.nist.gov/vuln/detail/CVE-2021-20254
[ 3 ] CVE-2021-20277
  https://nvd.nist.gov/vuln/detail/CVE-2021-20277

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-22

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-23 ] PHP: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: PHP: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #764314, #768756, #788892
   ID: 202105-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PHP, the worst of which
could result in a Denial of Service condition.

Background
==

PHP is an open source general-purpose scripting language that is
especially suited for web development.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-lang/php   < 8.0.6   >= 7.3.28:7.3
                              >= 7.4.19:7.4
                              >= 8.0.6:8.0

Description
===

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers and bugs referenced below for details.

Impact
==

Please review the referenced CVE identifiers and bugs for details.

Workaround
==

There is no known workaround at this time.

Resolution
==

All PHP 7.3.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-7.3.28:7.3"

All PHP 7.4.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.19:7.4"

All PHP 8.0.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-8.0.6:8.0"

References
==

[ 1 ] CVE-2020-7071
  https://nvd.nist.gov/vuln/detail/CVE-2020-7071
[ 2 ] CVE-2021-21702
  https://nvd.nist.gov/vuln/detail/CVE-2021-21702

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-23

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-30 ] MuPDF: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low
Title: MuPDF: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #747151, #772311
   ID: 202105-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MuPDF, the worst of which
could result in a Denial of Service condition.

Background
==

MuPDF is a lightweight PDF viewer and toolkit written in portable C.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-text/mupdf < 1.18.0-r3  >= 1.18.0-r3

Description
===

Multiple vulnerabilities have been discovered in MuPDF. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker could entice a user to open a specially crafted PDF
document using MuPDF, possibly resulting in a Denial of Service
condition or other unspecified impact.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MuPDF users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/mupdf-1.18.0-r3"

References
==

[ 1 ] CVE-2020-26519
  https://nvd.nist.gov/vuln/detail/CVE-2020-26519
[ 2 ] CVE-2021-3407
  https://nvd.nist.gov/vuln/detail/CVE-2021-3407

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-30

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-35 ] OpenSSH: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-35
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: OpenSSH: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #763048, #774090
   ID: 202105-35

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenSSH, the worst of which
could allow a remote attacker to execute arbitrary code.

Background
==

OpenSSH is a complete SSH protocol implementation that includes SFTP
client and server support.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/openssh < 8.5_p1  >= 8.5_p1

Description
===

Multiple vulnerabilities have been discovered in OpenSSH. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker, able to access the socket of the forwarding agent,
might be able to execute arbitrary code with the privileges of the
process or cause a Denial of Service condition.
Furthermore, a remote attacker might conduct a man-in-the-middle attack
targeting initial connection attempts where no host key for the server
has been cached by the client yet.

Workaround
==

There is no known workaround at this time.

Resolution
==

All OpenSSH users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-8.5_p1"

References
==

[ 1 ] CVE-2020-14145
  https://nvd.nist.gov/vuln/detail/CVE-2020-14145
[ 2 ] CVE-2021-28041
  https://nvd.nist.gov/vuln/detail/CVE-2021-28041

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-35

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-24 ] FFmpeg: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: FFmpeg: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #763315, #781146
   ID: 202105-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in FFmpeg, the worst of which
could result in the arbitrary execution of code.

Background
==

FFmpeg is a complete, cross-platform solution to record, convert and
stream audio and video.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  media-video/ffmpeg< 4.4   >= 4.4

Description
===

Multiple vulnerabilities have been discovered in FFmpeg. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker could entice a user to open a specially crafted media
file using FFmpeg, possibly resulting in execution of arbitrary code
with the privileges of the process or a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All FFmpeg users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-4.4"

References
==

[ 1 ] CVE-2020-35964
  https://nvd.nist.gov/vuln/detail/CVE-2020-35964
[ 2 ] CVE-2020-35965
  https://nvd.nist.gov/vuln/detail/CVE-2020-35965
[ 3 ] CVE-2021-30123
  https://nvd.nist.gov/vuln/detail/CVE-2021-30123

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-24

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-27 ] MySQL: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: MySQL: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #699876, #708090, #717628, #732974, #766339, #789243
   ID: 202105-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MySQL, the worst of which
could result in the arbitrary execution of code.

Background
==

MySQL is a popular multi-threaded, multi-user SQL server.

Affected packages
=

  -------------------------------------------------------------------
   Package                      /  Vulnerable  /  Unaffected
  -------------------------------------------------------------------
  1  dev-db/mysql                    < 8.0.24      >= 5.7.34:5.7
                                                   >= 8.0.24
  2  dev-db/mysql-connector-c        < 8.0.24      >= 8.0.24
  -------------------------------------------------------------------
     2 affected packages

Description
===

Multiple vulnerabilities have been discovered in MySQL. Please review
the CVE identifiers referenced below for details.

Impact
==

An attacker could possibly execute arbitrary code with the privileges
of the process, escalate privileges, gain access to critical data or
complete access to all data accessible to the MySQL server, or cause a
Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MySQL 5.7.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.7.34"

All MySQL 8.0.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mysql-8.0.24"

References
==

[   1 ] CVE-2019-2938
https://nvd.nist.gov/vuln/detail/CVE-2019-2938
[   2 ] CVE-2019-2974
https://nvd.nist.gov/vuln/detail/CVE-2019-2974
[   3 ] CVE-2020-14539
https://nvd.nist.gov/vuln/detail/CVE-2020-14539
[   4 ] CVE-2020-14540
https://nvd.nist.gov/vuln/detail/CVE-2020-14540
[   5 ] CVE-2020-14547
https://nvd.nist.gov/vuln/detail/CVE-2020-14547
[   6 ] CVE-2020-14550
https://nvd.nist.gov/vuln/detail/CVE-2020-14550
[   7 ] CVE-2020-14553
https://nvd.nist.gov/vuln/detail/CVE-2020-14553
[   8 ] CVE-2020-14559
https://nvd.nist.gov/vuln/detail/CVE-2020-14559
[   9 ] CVE-2020-14564
https://nvd.nist.gov/vuln/detail/CVE-2020-14564
[  10 ] CVE-2020-14567
https://nvd.nist.gov/vuln/detail/CVE-2020-14567
[  11 ] CVE-2020-14568
https://nvd.nist.gov/vuln/detail/CVE-2020-14568
[  12 ] CVE-2020-14575
https://nvd.nist.gov/vuln/detail/CVE-2020-14575
[  13 ] CVE-2020-14576
https://nvd.nist.gov/vuln/detail/CVE-2020-14576
[  14 ] CVE-2020-14586
https://nvd.nist.gov/vuln/detail/CVE-2020-14586
[  15 ] CVE-2020-14591
https://nvd.nist.gov/vuln/detail/CVE-2020-14591
[  16 ] CVE-2020-14597
https://nvd.nist.gov/vuln/detail/CVE-2020-14597
[  17 ] CVE-2020-14614
https://nvd.nist.gov/vuln/detail/CVE-2020-14614
[  18 ] CVE-2020-14619
https://nvd.nist.gov/vuln/detail/CVE-2020-14619
[  19 ] CVE-2020-14620
https://nvd.nist.gov/vuln/detail/CVE-2020-14620
[  20 ] CVE-2020-14623
https://nvd.nist.gov/vuln/detail/CVE-2020-14623
[  21 ] CVE-2020-14624
https://nvd.nist.gov/vuln/detail/CVE-2020-14624
[  22 ] CVE-2020-14626
https://nvd.nist.gov/vuln/detail/CVE-2020-14626
[  23 ] CVE-2020-14631
https://nvd.nist.gov/vuln/detail/CVE-2020-14631
[  24 ] CVE-2020-14632
https://nvd.nist.gov/vuln/detail/CVE-2020-14632
[  25 ] CVE-2020-14633
https://nvd.nist.gov/vuln/detail/CVE-2020-14633
[  26 ] CVE-2020-14634
https://nvd.nist.gov/vuln/detail/CVE-2020-14634
[  27 ] CVE-2020-14641
https://nvd.nist.gov/vuln/detail/CVE-2020-14641
[  28 ] CVE-2020-14643
https://nvd.nist.gov/vuln/detail/CVE-2020-14643
[  29 ] CVE-2020-14651
https://nvd.nist.gov/vuln/detail/CVE-2020-14651
[  30 ] CVE-2020-14654
https://nvd.nist.gov/vuln/detail/CVE-2020-14654
[  31 ] CVE-2020-14656
https://nvd.nist.gov/vuln/detail/CVE-2020-14656
[  32 ] CVE-2020-14663
https://nvd.nist.gov/vuln/detail/CVE-2020-14663
[  33 ] CVE-2020-14672
https://nvd.nist.gov/vuln/detail/CVE-2020-14672
[  34 ] CVE-2020-14678
https://nvd.nist.gov/vuln/detail/CVE-2020-14678
[  35 ] CVE-2020-14680
https://nvd.nist.gov/vuln/detail/CVE-2020-14680
[  36 ] CVE-2020-14697

[gentoo-announce] [ GLSA 202105-29 ] Tar: Denial of service

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low
Title: Tar: Denial of service
 Date: May 26, 2021
 Bugs: #778548
   ID: 202105-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Tar could lead to a Denial of Service condition.

Background
==

The Tar program provides the ability to create and manipulate tar
archives.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-arch/tar  < 1.34 >= 1.34

Description
===

It was discovered that GNU Tar had a memory leak when processing
archive headers.

Impact
==

A remote attacker could entice a user to open a specially crafted
archive using Tar, possibly resulting in a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Tar users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/tar-1.34"

References
==

[ 1 ] CVE-2021-20193
  https://nvd.nist.gov/vuln/detail/CVE-2021-20193

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-29

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-34 ] Bash: Privilege escalation

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-34
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Bash: Privilege escalation
 Date: May 26, 2021
 Bugs: #702488
   ID: 202105-34

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Bash may allow users to escalate privileges.

Background
==

Bash is the standard GNU Bourne Again SHell.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-shells/bash< 5.0_p11-r1>= 5.0_p11-r1

Description
===

It was discovered that Bash incorrectly dropped privileges by setting
its effective UID to its real UID.

Impact
==

A local attacker could possibly escalate privileges.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Bash users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-shells/bash-5.0_p11-r1"

References
==

[ 1 ] CVE-2019-18276
  https://nvd.nist.gov/vuln/detail/CVE-2019-18276

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-34

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-03 ] GPT fdisk: Integer underflow

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: GPT fdisk: Integer underflow
 Date: May 26, 2021
 Bugs: #768762
   ID: 202105-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An integer underflow in sgdisk from the GPT fdisk package might allow
local attacker(s) to escalate privileges.

Background
==

GPT fdisk (consisting of the gdisk, cgdisk, sgdisk, and fixparts
programs) is a set of text-mode partitioning tools for Linux, FreeBSD,
Mac OS X, and Windows.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  sys-apps/gptfdisk< 1.0.6>= 1.0.6

Description
===

It was discovered that the ReadLogicalParts() function in basicmbr.cc
was missing a bounds check.

Impact
==

A local attacker could entice a user to insert a maliciously formatted
block device (a USB stick or SD card, for example) that, when processed
with sgdisk, could result in local escalation of privileges or a
Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All GPT fdisk users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/gptfdisk-1.0.6"

References
==

[ 1 ] CVE-2021-0308
  https://nvd.nist.gov/vuln/detail/CVE-2021-0308

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-03

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-10 ] GNOME Autoar: User-assisted execution of arbitrary code

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: GNOME Autoar: User-assisted execution of arbitrary code
 Date: May 26, 2021
 Bugs: #768828, #777126
   ID: 202105-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in GNOME Autoar that could allow a
remote attacker to execute arbitrary code.

Background
==

GNOME Autoar provides functions and widgets for GNOME applications
which want to use archives as a method to transfer directories over the
internet.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-arch/gnome-autoar< 0.3.1>= 0.3.1

Description
===

It was discovered that GNOME Autoar could extract files outside of the
intended directory.
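One defensive check tied to the issue above, added here as an example
and not GNOME Autoar's own code: a lexical test that rejects archive
entry names which would land outside the extraction directory (absolute
names, or a ".." that climbs above the archive root). The function name
is hypothetical and the entry names in main are constructed; symlinks
inside an archive need a separate check at extraction time, which this
name-only test does not cover.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from GNOME Autoar): return true only if the
 * entry name, resolved purely lexically, stays at or below the
 * extraction root. Tracks the directory depth component by component:
 * "." and empty components ("a//b") change nothing, ".." pops one
 * level, and a ".." at depth zero is an escape. */
bool archive_entry_is_contained(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')             /* absolute name: ignores the root */
        return false;

    int depth = 0;                  /* levels below the extraction root */
    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return false;       /* ".." at the root escapes */
            depth--;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                /* ordinary component */
        }

        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

int main(void)
{
    /* Constructed entry names, as an archive might list them. */
    const char *samples[] = {
        "docs/readme.txt", "a/../b", "./a/b/..",
        "../etc/passwd", "/etc/passwd", "a/../../x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               archive_entry_is_contained(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```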

Impact
==

A remote attacker could entice a user to open a specially crafted
archive using GNOME Autoar, possibly resulting in execution of
arbitrary code with the privileges of the process or a Denial of
Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All GNOME Autoar users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/gnome-autoar-0.3.1"

References
==

[ 1 ] CVE-2020-36241
  https://nvd.nist.gov/vuln/detail/CVE-2020-36241
[ 2 ] CVE-2021-28650
  https://nvd.nist.gov/vuln/detail/CVE-2021-28650

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-10

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5






[gentoo-announce] [ GLSA 202105-15 ] Prosŏdy IM: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low
Title: Prosŏdy IM: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #771144, #789969
   ID: 202105-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Prosŏdy IM, the worst of
which could result in a Denial of Service condition.

Background
==

Prosŏdy IM is a modern XMPP communication server. It aims to be easy to
set up and configure, and efficient with system resources.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-im/prosody   < 0.11.9  >= 0.11.9

Description
===

Multiple vulnerabilities have been discovered in Prosŏdy IM. Please
review the CVE identifiers referenced below for details.

Impact
==

Please review the referenced CVE identifiers for details.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Prosŏdy IM users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-im/prosody-0.11.9"

References
==

[ 1 ] CVE-2021-32917
  https://nvd.nist.gov/vuln/detail/CVE-2021-32917
[ 2 ] CVE-2021-32918
  https://nvd.nist.gov/vuln/detail/CVE-2021-32918
[ 3 ] CVE-2021-32919
  https://nvd.nist.gov/vuln/detail/CVE-2021-32919
[ 4 ] CVE-2021-32920
  https://nvd.nist.gov/vuln/detail/CVE-2021-32920
[ 5 ] CVE-2021-32921
  https://nvd.nist.gov/vuln/detail/CVE-2021-32921

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-15

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-38 ] nginx: Remote code execution

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-38
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: nginx: Remote code execution
 Date: May 26, 2021
 Bugs: #792087
   ID: 202105-38

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in nginx could lead to remote code execution.

Background
==

nginx is a robust, small, and high performance HTTP and reverse proxy
server.

Affected packages
=

  -------------------------------------------------------------------
   Package                      /  Vulnerable  /  Unaffected
  -------------------------------------------------------------------
  1  www-servers/nginx               < 1.21.0      >= 1.20.1:0
                                                   >= 1.21.0:mainline

Description
===

It was discovered that nginx did not properly handle DNS responses when
the "resolver" directive is used.

Impact
==

A remote attacker, able to provide DNS responses to an nginx instance,
could cause the execution of arbitrary code with the privileges of the
process or a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All nginx users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/nginx-1.20.1"

All nginx mainline users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-servers/nginx-1.21.0:mainline"

References
==

[ 1 ] CVE-2021-23017
  https://nvd.nist.gov/vuln/detail/CVE-2021-23017

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-38

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-37 ] Nextcloud Desktop Client: User-assisted execution of arbitrary code

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-37
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Nextcloud Desktop Client: User-assisted execution of
   arbitrary code
 Date: May 26, 2021
 Bugs: #783531
   ID: 202105-37

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Nextcloud Desktop Client could allow a remote
attacker to execute arbitrary commands.

Background
==

The Nextcloud Desktop Client is a tool to synchronize files from
Nextcloud Server with your computer.

Affected packages
=

  -------------------------------------------------------------------
   Package                      /  Vulnerable  /  Unaffected
  -------------------------------------------------------------------
  1  net-misc/nextcloud-client       < 3.1.3       >= 3.1.3

Description
===

It was discovered that Nextcloud Desktop Client did not validate URLs.

Impact
==

A remote attacker could entice a user to connect to a malicious
Nextcloud server to cause the execution of arbitrary commands with the
privileges of the user running the Nextcloud Desktop Client
application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Nextcloud Desktop Client users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=net-misc/nextcloud-client-3.1.3"

References
==

[ 1 ] CVE-2021-22879
  https://nvd.nist.gov/vuln/detail/CVE-2021-22879

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-37

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 202105-39 ] Ceph: Multiple vulnerabilities

2021-05-26 Thread Thomas Deutschmann

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 202105-39
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Ceph: Multiple vulnerabilities
 Date: May 26, 2021
 Bugs: #760824, #761969, #783486, #791253
   ID: 202105-39

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Ceph, the worst of which
could result in privilege escalation.

Background
==

Ceph is a distributed network file system designed to provide excellent
performance, reliability, and scalability.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  sys-cluster/ceph< 14.2.21 >= 14.2.21

Description
===

Multiple vulnerabilities have been discovered in Ceph. Please review
the CVE identifiers referenced below for details.

Impact
==

Please review the referenced CVE identifiers for details.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Ceph users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-cluster/ceph-14.2.21"

References
==

[ 1 ] CVE-2020-10753
  https://nvd.nist.gov/vuln/detail/CVE-2020-10753
[ 2 ] CVE-2020-1759
  https://nvd.nist.gov/vuln/detail/CVE-2020-1759
[ 3 ] CVE-2020-1760
  https://nvd.nist.gov/vuln/detail/CVE-2020-1760
[ 4 ] CVE-2020-25660
  https://nvd.nist.gov/vuln/detail/CVE-2020-25660
[ 5 ] CVE-2020-25678
  https://nvd.nist.gov/vuln/detail/CVE-2020-25678
[ 6 ] CVE-2020-27781
  https://nvd.nist.gov/vuln/detail/CVE-2020-27781
[ 7 ] CVE-2021-20288
  https://nvd.nist.gov/vuln/detail/CVE-2021-20288

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202105-39

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5


