[gentoo-announce] [ GLSA 201702-16 ] Redis: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Redis: Multiple vulnerabilities
      Date: February 20, 2017
      Bugs: #551274, #565188, #595730
        ID: 201702-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Redis, the worst of which
may allow execution of arbitrary code.

Background
==========

Redis is an open source (BSD licensed), in-memory data structure store,
used as a database, cache and message broker.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-db/redis                < 3.2.5                     >= 3.2.5
                                                             >= 3.0.7

Description
===========

Multiple vulnerabilities have been discovered in Redis. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker, able to connect to a Redis instance, could issue
malicious commands possibly resulting in the execution of arbitrary code
with the privileges of the process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Redis 3.0.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/redis-3.0.7"

All Redis 3.2.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/redis-3.2.5"

References
==========

[ 1 ] CVE-2015-4335
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4335
[ 2 ] CVE-2015-8080
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8080
[ 3 ] CVE-2016-8339
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8339

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 201702-13 ] Mozilla Thunderbird: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Mozilla Thunderbird: Multiple vulnerabilities
      Date: February 20, 2017
      Bugs: #607310
        ID: 201702-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Mozilla Thunderbird, the
worst of which could lead to the execution of arbitrary code.

Background
==========

Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  mail-client/thunderbird     < 45.7.0                   >= 45.7.0
  2  mail-client/thunderbird-bin < 45.7.0                   >= 45.7.0
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker, by enticing a user to open a specially crafted email
or web page, could possibly execute arbitrary code with the privileges
of the process or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-45.7.0"

All Mozilla Thunderbird binary users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-45.7.0"

References
==========

[ 1 ] CVE-2017-5373
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5373
[ 2 ] CVE-2017-5375
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5375
[ 3 ] CVE-2017-5376
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5376
[ 4 ] CVE-2017-5378
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5378
[ 5 ] CVE-2017-5380
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5380
[ 6 ] CVE-2017-5383
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5383
[ 7 ] CVE-2017-5390
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5390
[ 8 ] CVE-2017-5396
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5396
[ 9 ] Mozilla Foundation Security Advisory 2017-03
      https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-13
[gentoo-announce] [ GLSA 201702-17 ] MySQL: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: MySQL: Multiple vulnerabilities
      Date: February 20, 2017
      Bugs: #606254
        ID: 201702-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MySQL, the worst of which
could lead to privilege escalation.

Background
==========

MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an
enhanced, drop-in replacement for MySQL.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-db/mysql                < 5.6.35                   >= 5.6.35

Description
===========

Multiple vulnerabilities have been discovered in MySQL. Please review
the CVE identifiers referenced below for details.

Impact
======

An attacker could possibly escalate privileges, gain access to critical
data or complete access to all MySQL server accessible data, or cause a
Denial of Service condition via unspecified vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MySQL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.35"

References
==========

[ 1 ] CVE-2016-8318
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8318
[ 2 ] CVE-2016-8327
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8327
[ 3 ] CVE-2017-3238
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3238
[ 4 ] CVE-2017-3243
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3243
[ 5 ] CVE-2017-3244
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3244
[ 6 ] CVE-2017-3251
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3251
[ 7 ] CVE-2017-3256
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3256
[ 8 ] CVE-2017-3257
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3257
[ 9 ] CVE-2017-3258
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3258
[ 10 ] CVE-2017-3265
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3265
[ 11 ] CVE-2017-3273
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3273
[ 12 ] CVE-2017-3291
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3291
[ 13 ] CVE-2017-3312
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3312
[ 14 ] CVE-2017-3313
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3313
[ 15 ] CVE-2017-3317
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3317
[ 16 ] CVE-2017-3318
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3318
[ 17 ] CVE-2017-3319
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3319
[ 18 ] CVE-2017-3320
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3320
[ 19 ] Oracle Critical Patch Update Advisory - January 2017
      https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-17
[gentoo-announce] [ GLSA 201702-15 ] OCaml: Buffer overflow and information disclosure
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OCaml: Buffer overflow and information disclosure
      Date: February 20, 2017
      Bugs: #581946
        ID: 201702-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in OCaml might allow remote attackers to obtain
sensitive information or crash an OCaml-based application.

Background
==========

OCaml is a high-level, strongly-typed, functional, and object-oriented
programming language from the ML family of languages.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-lang/ocaml              < 4.04.0                   >= 4.04.0

Description
===========

It was discovered that OCaml was vulnerable to a runtime bug that, on
64-bit platforms, causes size arguments to internal memmove calls to be
sign-extended from 32 to 64 bits before being passed to the memmove
function. This leads to arguments between 2GiB and 4GiB being
interpreted as larger than they are (specifically, a bit below 2^64),
causing a buffer overflow. Further, arguments between 4GiB and 6GiB are
interpreted as 4GiB smaller than they should be, causing a possible
information leak.

Impact
======

A remote attacker, able to interact with an OCaml-based application,
could possibly obtain sensitive information or cause a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OCaml users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/ocaml-4.04.0"

Packages which depend on OCaml may need to be recompiled. Tools such as
qdepends (included in app-portage/portage-utils) may assist in
identifying these packages:

  # emerge -1 -a -v $(qdepends -CQ dev-lang/ocaml | sed 's/^/=/')

References
==========

[ 1 ] CVE-2015-8869
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8869

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-15
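The length arithmetic behind the OCaml description above, as an added illustration that is not part of the advisory or of OCaml's runtime: faulty_length models a memmove length narrowed to a signed 32-bit integer and widened back to 64 bits, classify maps a requested length to the over-read or under-copy outcome the advisory describes, and fits_int32_length is a constructed guard; the model also covers lengths beyond 6 GiB, where the low 32 bits again carry a set sign bit.

```c
/* Constructed model of the CVE-2015-8869 length handling; not OCaml's code. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GIB UINT64_C(1073741824)  /* 1 GiB = 2^30 bytes */

/* Model of the faulty path: keep only the low 32 bits of the requested
 * length (what storing it in a 32-bit int does), then sign-extend bit 31
 * back to 64 bits (what widening a signed int to a 64-bit size does).
 * Written with masks rather than casts so the arithmetic is fully defined. */
uint64_t faulty_length(uint64_t requested)
{
    uint64_t low32 = requested & UINT64_C(0xFFFFFFFF);
    if (low32 & UINT64_C(0x80000000))
        low32 |= UINT64_C(0xFFFFFFFF00000000);
    return low32;
}

enum outcome {
    OUTCOME_OK,         /* memmove gets the length the caller asked for */
    OUTCOME_OVERREAD,   /* length became far larger: reads past the buffer */
    OUTCOME_UNDERCOPY   /* length became smaller: destination partly stale */
};

/* Compare the length memmove would actually receive with the caller's
 * intent.  2-4 GiB sign-extends to just below 2^64 (over-read); 4-6 GiB
 * loses its upper bits and becomes 4 GiB smaller (under-copy, so stale
 * bytes stay readable); the pattern repeats every 4 GiB. */
enum outcome classify(uint64_t requested)
{
    uint64_t got = faulty_length(requested);
    if (got == requested)
        return OUTCOME_OK;
    return got > requested ? OUTCOME_OVERREAD : OUTCOME_UNDERCOPY;
}

/* Constructed guard: a length survives a round trip through a signed
 * 32-bit integer only if it is at most INT32_MAX. */
int fits_int32_length(uint64_t requested)
{
    return requested <= (uint64_t)INT32_MAX;
}

static const char *outcome_name(enum outcome o)
{
    switch (o) {
    case OUTCOME_OK:       return "ok";
    case OUTCOME_OVERREAD: return "over-read (buffer overflow)";
    default:               return "under-copy (information leak)";
    }
}

int main(void)
{
    /* Constructed sample lengths: one from each range the advisory names,
     * plus one beyond 6 GiB. */
    const uint64_t samples[] = { 1 * GIB, 3 * GIB, 5 * GIB, 7 * GIB };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t n = samples[i];
        printf("requested %" PRIu64 " bytes -> memmove sees 0x%016" PRIX64
               " : %s\n", n, faulty_length(n), outcome_name(classify(n)));
    }
    return 0;
}
```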
[gentoo-announce] [ GLSA 201702-20 ] Adobe Flash Player: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Adobe Flash Player: Multiple vulnerabilities
      Date: February 20, 2017
      Bugs: #605314, #609330
        ID: 201702-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which allows remote attackers to execute arbitrary code.

Background
==========

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-plugins/adobe-flash     < 24.0.0.221               >= 24.0.0.221

Description
===========

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process or bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Flash users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-24.0.0.221"

References
==========

[ 1 ] CVE-2017-2925
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2925
[ 2 ] CVE-2017-2926
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2926
[ 3 ] CVE-2017-2927
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2927
[ 4 ] CVE-2017-2928
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2928
[ 5 ] CVE-2017-2930
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2930
[ 6 ] CVE-2017-2931
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2931
[ 7 ] CVE-2017-2932
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2932
[ 8 ] CVE-2017-2933
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2933
[ 9 ] CVE-2017-2934
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2934
[ 10 ] CVE-2017-2935
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2935
[ 11 ] CVE-2017-2936
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2936
[ 12 ] CVE-2017-2937
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2937
[ 13 ] CVE-2017-2938
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2938
[ 14 ] CVE-2017-2982
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2982
[ 15 ] CVE-2017-2984
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2984
[ 16 ] CVE-2017-2985
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2985
[ 17 ] CVE-2017-2986
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2986
[ 18 ] CVE-2017-2987
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2987
[ 19 ] CVE-2017-2988
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2988
[ 20 ] CVE-2017-2990
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2990
[ 21 ] CVE-2017-2991
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2991
[ 22 ] CVE-2017-2992
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2992
[ 23 ] CVE-2017-2993
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2993
[ 24 ] CVE-2017-2994
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2994
[ 25 ] CVE-2017-2995
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2995
[ 26 ] CVE-2017-2996
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2996

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-20
[gentoo-announce] [ GLSA 201702-21 ] Opus: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Opus: User-assisted execution of arbitrary code
      Date: February 20, 2017
      Bugs: #605894
        ID: 201702-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Opus could cause memory corruption.

Background
==========

Opus is a totally open, royalty-free, highly versatile audio codec.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/opus             < 1.1.3-r1                 >= 1.1.3-r1

Description
===========

Large NLSF values could cause the stabilization code in
silk/NLSF_stabilize.c to wrap around and leave the last value in
NLSF_Q15[] negative, close to -32768. Under normal circumstances, the
code will simply read from the wrong table, resulting in an unstable
LPC filter. The filter would then go through the LPC stabilization code
at the end of silk_NLSF2A(). Ultimately, the output audio would be
garbage, but no worse than with any other harmless bad packet. Please
see the referenced upstream patch and Debian bug report below for a
detailed analysis.

However, the original report was about a successful exploitation of
Android's Mediaserver in conjunction with this vulnerability.

Impact
======

A remote attacker could entice a user to open a specially crafted media
stream, possibly resulting in execution of arbitrary code with the
privileges of the process, or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Opus users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/opus-1.1.3-r1"

References
==========

[ 1 ] CVE-2017-0381
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0381
[ 2 ] Debian Bug 851612
      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851612#10
[ 3 ] Upstream patch
      https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-21
[gentoo-announce] [ GLSA 201702-24 ] LibVNCServer/LibVNCClient: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: LibVNCServer/LibVNCClient: Multiple vulnerabilities
      Date: February 20, 2017
      Bugs: #605326
        ID: 201702-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in LibVNCServer/LibVNCClient,
the worst of which allows remote attackers to execute arbitrary code
when connecting to a malicious server.

Background
==========

LibVNCServer/LibVNCClient are cross-platform C libraries that allow you
to easily implement VNC server or client functionality in your program.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-libs/libvncserver       < 0.9.11                   >= 0.9.11

Description
===========

Multiple vulnerabilities have been discovered in LibVNCServer and
LibVNCClient. Please review the CVE identifiers referenced below for
details.

Impact
======

A remote attacker could entice a user to connect to a malicious VNC
server or leverage Man-in-the-Middle attacks to cause the execution of
arbitrary code with the privileges of the user running a VNC client
linked against LibVNCClient.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LibVNCServer/LibVNCClient users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libvncserver-0.9.11"

References
==========

[ 1 ] CVE-2016-9941
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9941
[ 2 ] CVE-2016-9942
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9942

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-24
[gentoo-announce] [ GLSA 201702-25 ] libass: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libass: Multiple vulnerabilities
      Date: February 20, 2017
      Bugs: #596422
        ID: 201702-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in libass, the worst of which
have unknown impacts.

Background
==========

libass is a portable subtitle renderer for the ASS/SSA (Advanced
Substation Alpha/Substation Alpha) subtitle format.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/libass           < 0.13.4                   >= 0.13.4

Description
===========

Multiple vulnerabilities have been discovered in libass. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could cause a Denial of Service condition or other
unknown impacts via unknown attack vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libass users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libass-0.13.4"

References
==========

[ 1 ] CVE-2016-7969
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7969
[ 2 ] CVE-2016-7970
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7970
[ 3 ] CVE-2016-7971
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7971
[ 4 ] CVE-2016-7972
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7972

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-25
[gentoo-announce] [ GLSA 201702-28 ] QEMU: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: QEMU: Multiple vulnerabilities
      Date: February 21, 2017
      Bugs: #606264, #606720, #606722, #607000, #607100, #607766,
            #608034, #608036, #608038, #608520, #608728
        ID: 201702-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in QEMU, the worst of which
could lead to the execution of arbitrary code on the host system.

Background
==========

QEMU is a generic and open source machine emulator and virtualizer.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/qemu          < 2.8.0-r1                 >= 2.8.0-r1

Description
===========

Multiple vulnerabilities have been discovered in QEMU. Please review the
CVE identifiers referenced below for details.

Impact
======

A local attacker could potentially execute arbitrary code with
privileges of the QEMU process on the host, gain privileges on the host
system, cause a Denial of Service condition, or obtain sensitive
information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QEMU users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.8.0-r1"

References
==========

[ 1 ] CVE-2016-10155
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10155
[ 2 ] CVE-2017-2615
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2615
[ 3 ] CVE-2017-5525
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5525
[ 4 ] CVE-2017-5552
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5552
[ 5 ] CVE-2017-5578
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5578
[ 6 ] CVE-2017-5579
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5579
[ 7 ] CVE-2017-5667
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5667
[ 8 ] CVE-2017-5856
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5856
[ 9 ] CVE-2017-5857
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5857
[ 10 ] CVE-2017-5898
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5898
[ 11 ] CVE-2017-5931
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5931

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-28
[gentoo-announce] [ GLSA 201702-27 ] Xen: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Xen: Multiple vulnerabilities
      Date: February 21, 2017
      Bugs: #607840, #609160
        ID: 201702-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Xen, the worst of which
could lead to the execution of arbitrary code on the host system.

Background
==========

Xen is a bare-metal hypervisor.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/xen           < 4.7.1-r5                 >= 4.7.1-r5
  2  app-emulation/xen-tools     < 4.7.1-r6                 >= 4.7.1-r6
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers and Xen Security Advisory referenced below for details.

Impact
======

A local attacker could potentially execute arbitrary code with
privileges of the Xen (QEMU) process on the host, gain privileges on the
host system, cause a Denial of Service condition, or obtain sensitive
information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xen users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.7.1-r5"

All Xen Tools users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.7.1-r6"

References
==========

[ 1 ] CVE-2017-2615
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2615
[ 2 ] XSA-207
      https://xenbits.xen.org/xsa/advisory-207.html
[ 3 ] XSA-208
      https://xenbits.xen.org/xsa/advisory-208.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-27
[gentoo-announce] [ GLSA 201702-18 ] MariaDB: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: MariaDB: Multiple vulnerabilities
      Date: February 20, 2017
      Bugs: #606258
        ID: 201702-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MariaDB, the worst of which
could lead to privilege escalation.

Background
==========

MariaDB is an enhanced, drop-in replacement for MySQL.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-db/mariadb              < 10.0.29                  >= 10.0.29

Description
===========

Multiple vulnerabilities have been discovered in MariaDB. Please review
the CVE identifiers referenced below for details.

Impact
======

An attacker could possibly escalate privileges, gain access to critical
data or complete access to all MariaDB Server accessible data, or cause
a Denial of Service condition via unspecified vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MariaDB users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.0.29"

References
==========

[ 1 ] CVE-2016-6664
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6664
[ 2 ] CVE-2017-3238
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3238
[ 3 ] CVE-2017-3243
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3243
[ 4 ] CVE-2017-3244
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3244
[ 5 ] CVE-2017-3257
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3257
[ 6 ] CVE-2017-3258
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3258
[ 7 ] CVE-2017-3265
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3265
[ 8 ] CVE-2017-3291
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3291
[ 9 ] CVE-2017-3312
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3312
[ 10 ] CVE-2017-3317
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3317
[ 11 ] CVE-2017-3318
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3318

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-18
[gentoo-announce] [ GLSA 201702-29 ] PHP: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PHP: Multiple vulnerabilities
      Date: February 21, 2017
      Bugs: #604776, #606626
        ID: 201702-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PHP, the worst of which
could lead to arbitrary code execution or cause a Denial of Service
condition.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-lang/php                 < 5.6.30                 >= 5.6.30

Description
===========

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.

Impact
======

An attacker could possibly execute arbitrary code or create a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP 5.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.30:5.6"

References
==========

[ 1 ] CVE-2016-10158
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10158
[ 2 ] CVE-2016-10159
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10159
[ 3 ] CVE-2016-10160
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10160
[ 4 ] CVE-2016-10161
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10161
[ 5 ] CVE-2016-9935
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9935

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-29

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 201702-23 ] Dropbear: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Dropbear: Multiple vulnerabilities
      Date: February 20, 2017
      Bugs: #605560
        ID: 201702-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Dropbear, the worst of
which allows remote attackers to execute arbitrary code.

Background
==========

Dropbear is an SSH server and client designed with a small memory
footprint.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/dropbear            < 2016.74                >= 2016.74

Description
===========

Multiple vulnerabilities have been discovered in Dropbear. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with root
privileges if usernames containing special characters can be created on
a system. Also, a dbclient user who can control username or host
arguments could potentially run arbitrary code with the privileges of
the process. In addition, a remote attacker could entice a user to
process a specially crafted SSH key using dropbearconvert, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Dropbear users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/dropbear-2016.74"

References
==========

[ 1 ] CVE-2016-7406
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7406
[ 2 ] CVE-2016-7407
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7407
[ 3 ] CVE-2016-7408
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7408
[ 4 ] CVE-2016-7409
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7409

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-23

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 201702-30 ] tcpdump: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: tcpdump: Multiple vulnerabilities
      Date: February 21, 2017
      Bugs: #606516
        ID: 201702-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in tcpdump, the worst of which
may allow execution of arbitrary code.

Background
==========

tcpdump is a tool for network monitoring and data acquisition.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/tcpdump         < 4.9.0                  >= 4.9.0

Description
===========

Multiple vulnerabilities have been discovered in tcpdump. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker, by sending a specially crafted network packet, could
possibly execute arbitrary code with the privileges of the process or
cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All tcpdump users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-4.9.0"

References
==========

[ 1 ] CVE-2016-7922
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7922
[ 2 ] CVE-2016-7923
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7923
[ 3 ] CVE-2016-7924
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7924
[ 4 ] CVE-2016-7925
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7925
[ 5 ] CVE-2016-7926
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7926
[ 6 ] CVE-2016-7927
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7927
[ 7 ] CVE-2016-7928
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7928
[ 8 ] CVE-2016-7929
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7929
[ 9 ] CVE-2016-7930
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7930
[ 10 ] CVE-2016-7931
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7931
[ 11 ] CVE-2016-7932
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7932
[ 12 ] CVE-2016-7933
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7933
[ 13 ] CVE-2016-7934
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7934
[ 14 ] CVE-2016-7935
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7935
[ 15 ] CVE-2016-7936
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7936
[ 16 ] CVE-2016-7937
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7937
[ 17 ] CVE-2016-7938
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7938
[ 18 ] CVE-2016-7939
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7939
[ 19 ] CVE-2016-7940
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7940
[ 20 ] CVE-2016-7973
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7973
[ 21 ] CVE-2016-7974
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7974
[ 22 ] CVE-2016-7975
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7975
[ 23 ] CVE-2016-7983
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7983
[ 24 ] CVE-2016-7984
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7984
[ 25 ] CVE-2016-7985
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7985
[ 26 ] CVE-2016-7986
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7986
[ 27 ] CVE-2016-7992
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7992
[ 28 ] CVE-2016-7993
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7993
[ 29 ] CVE-2016-8574
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8574
[ 30 ] CVE-2016-8575
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8575
[ 31 ] CVE-2017-5202
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5202
[ 32 ] CVE-2017-5203
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5203
[ 33 ] CVE-2017-5204
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5204
[ 34 ] CVE-2017-5205
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5205
[ 35 ] CVE-2017-5341
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5341
[ 36 ] CVE-2017-5342
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5342
[ 37 ] CVE-2017-5482
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5482
[ 38 ] CVE-2017-5483
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5483
[ 39 ] CVE-2017-5484
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5484
[ 40 ] CVE-2017-5485
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5485
[ 41 ] CVE-2017-5486
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5486

Availability
============

This GLSA and any updates to it are available for viewing at
[gentoo-announce] [ GLSA 201702-19 ] TigerVNC: Buffer overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: TigerVNC: Buffer overflow
      Date: February 20, 2017
      Bugs: #606998
        ID: 201702-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in TigerVNC might allow remote attackers to execute
arbitrary code.

Background
==========

TigerVNC is a high-performance VNC server/client.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/tigervnc            < 1.7.1                  >= 1.7.1

Description
===========

A buffer overflow vulnerability in ModifiablePixelBuffer::fillRect in
vncviewer was found.

Impact
======

A remote attacker, utilizing a malicious VNC server, could execute
arbitrary code with the privileges of the user running the client or
cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All TigerVNC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/tigervnc-1.7.1"

References
==========

[ 1 ] CVE-2017-5581
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5581

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 201702-22 ] Mozilla Firefox: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Firefox: Multiple vulnerabilities
      Date: February 20, 2017
      Bugs: #607138
        ID: 201702-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Mozilla Firefox, the worst
of which may allow execution of arbitrary code.

Background
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/firefox           < 45.7.0                 >= 45.7.0
  2  www-client/firefox-bin       < 45.7.0                 >= 45.7.0
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, bypass
access restrictions, access otherwise protected information, or spoof
content via multiple vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-45.7.0"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-45.7.0"

References
==========

[ 1 ] CVE-2017-5373
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5373
[ 2 ] CVE-2017-5375
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5375
[ 3 ] CVE-2017-5376
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5376
[ 4 ] CVE-2017-5378
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5378
[ 5 ] CVE-2017-5380
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5380
[ 6 ] CVE-2017-5383
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5383
[ 7 ] CVE-2017-5386
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5386
[ 8 ] CVE-2017-5390
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5390
[ 9 ] CVE-2017-5396
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5396
[ 10 ] Mozilla Foundation Security Advisory 2017-02
      https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 201702-26 ] Nagios: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201702-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Nagios: Multiple vulnerabilities
      Date: February 21, 2017
      Bugs: #595194, #598104, #600864, #602216
        ID: 201702-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Nagios, the worst of which
could lead to privilege escalation.

Background
==========

Nagios is an open source host, service and network monitoring program.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/nagios-core     < 4.2.4                  >= 4.2.4

Description
===========

Multiple vulnerabilities have been discovered in Nagios. Please review
the CVE identifiers referenced below for details.

Impact
======

A local attacker, who either is already Nagios's system user or belongs
to Nagios's group, could potentially escalate privileges. In addition,
a remote attacker could read or write to arbitrary files by spoofing a
crafted response from the Nagios RSS feed server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Nagios users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-4.2.4"

References
==========

[ 1 ] CVE-2008-4796
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4796
[ 2 ] CVE-2008-7313
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7313
[ 3 ] CVE-2016-8641
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8641
[ 4 ] CVE-2016-9565
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9565
[ 5 ] CVE-2016-9566
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9566

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-26

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5