[gentoo-announce] [ GLSA 201702-16 ] Redis: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Redis: Multiple vulnerabilities
 Date: February 20, 2017
 Bugs: #551274, #565188, #595730
   ID: 201702-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Redis, the worst of which
may allow execution of arbitrary code.

Background
==========

Redis is an open source (BSD licensed), in-memory data structure store,
used as a database, cache and message broker.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  dev-db/redis                  < 3.2.5         >= 3.2.5
                                                   >= 3.0.7
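The Redis row is the only table in this digest with two "Unaffected" bounds: 3.2.5 on the 3.2 branch and a backported 3.0.7 on the 3.0 branch, so a literal ">= 3.0.7" test would wrongly clear 3.2.4. The following is an added example (it is neither Gentoo's glsa-check tool nor part of any advisory) that implements a Portage-style version comparator for the version shapes that appear on this page (dotted numerics, an optional trailing letter, _alpha/_beta/_pre/_rc/_p suffixes, a -rN revision) and applies that branch-aware rule to every Affected packages row in the digest. The "branch = first two numeric components" rule and the SAMPLE_INSTALLED list, written in the shape `qlist -Iv` prints, are assumptions made for the example.

```python
"""Check installed Gentoo packages against the GLSA "Affected packages" tables.

Added example for this digest: not Gentoo's glsa-check tool, not part of any
advisory.  A Portage-style comparator for the version shapes on this page is
applied to the rule behind each table row: a version below the "Vulnerable"
bound is affected unless an "Unaffected" bound on its own branch covers it.
SAMPLE_INSTALLED is constructed in the shape `qlist -Iv` prints.
"""
import re

# Suffix order from the Package Manager Specification: _alpha < _beta < _pre < _rc < (none) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"                        # 3.2.5, 4.04.0, 24.0.0.221
    r"(?P<letter>[a-z])?"                              # optional letter, e.g. 1.0.2k
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"  # _rc1, _p2, ...
    r"(?:-r(?P<rev>\d+))?$"                            # Gentoo revision, e.g. -r1
)

def parse_version(ver):
    """Turn '1.1.3-r1' into a tuple whose natural ordering matches PMS ordering."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    suffixes = tuple((SUFFIX_RANK[name], int(num or 0))
                     for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes")))
    if not suffixes:                       # a plain release sorts above _rc and below _p
        suffixes = ((SUFFIX_RANK[""], 0),)
    return (nums, m.group("letter") or "", suffixes, int(m.group("rev") or 0))

def branch(parsed):
    """Assumption used below: a branch is the first two numeric components (3.0, 3.2)."""
    return parsed[0][:2]

def is_affected(installed, vulnerable_below, unaffected_at_least):
    """Apply one table row; `unaffected_at_least` holds every '>=' bound in the row."""
    v = parse_version(installed)
    bounds = sorted(parse_version(b) for b in unaffected_at_least)
    if v >= bounds[-1]:                    # at or past the newest fixed version
        return False
    for b in bounds[:-1]:                  # backported fix on an older branch (Redis 3.0.7)
        if branch(v) == branch(b) and v >= b:
            return False
    return v < parse_version(vulnerable_below)

# Rows transcribed from this page: package -> (vulnerable below, unaffected bounds)
GLSA_TABLE = {
    "201702-16": {"dev-db/redis": ("3.2.5", ["3.2.5", "3.0.7"])},
    "201702-13": {"mail-client/thunderbird": ("45.7.0", ["45.7.0"]),
                  "mail-client/thunderbird-bin": ("45.7.0", ["45.7.0"])},
    "201702-17": {"dev-db/mysql": ("5.6.35", ["5.6.35"])},
    "201702-15": {"dev-lang/ocaml": ("4.04.0", ["4.04.0"])},
    "201702-20": {"www-plugins/adobe-flash": ("24.0.0.221", ["24.0.0.221"])},
    "201702-21": {"media-libs/opus": ("1.1.3-r1", ["1.1.3-r1"])},
    "201702-24": {"net-libs/libvncserver": ("0.9.11", ["0.9.11"])},
    "201702-25": {"media-libs/libass": ("0.13.4", ["0.13.4"])},
    "201702-28": {"app-emulation/qemu": ("2.8.0-r1", ["2.8.0-r1"])},
    "201702-27": {"app-emulation/xen": ("4.7.1-r5", ["4.7.1-r5"]),
                  "app-emulation/xen-tools": ("4.7.1-r6", ["4.7.1-r6"])},
    "201702-18": {"dev-db/mariadb": ("10.0.29", ["10.0.29"])},
}

# Constructed sample in the shape `qlist -Iv` (app-portage/portage-utils) prints
SAMPLE_INSTALLED = """\
dev-db/redis-3.0.6
mail-client/thunderbird-45.7.0
media-libs/opus-1.1.3
app-emulation/qemu-2.8.0-r1
dev-lang/ocaml-4.02.3
"""

def split_cpv(cpv):
    """'app-emulation/qemu-2.8.0-r1' -> ('app-emulation/qemu', '2.8.0-r1'):
    the version starts at the first '-' that is followed by a digit."""
    m = re.match(r"^(.+?)-(\d.*)$", cpv)
    if not m:
        raise ValueError(f"not a category/package-version string: {cpv!r}")
    return m.group(1), m.group(2)

def check_installed(qlist_output, table=GLSA_TABLE):
    """Return {cpv: glsa_id} for every installed package a table row still covers."""
    findings = {}
    for cpv in (l.strip() for l in qlist_output.splitlines() if l.strip()):
        cp, ver = split_cpv(cpv)
        for glsa_id, rows in table.items():
            if cp in rows and is_affected(ver, *rows[cp]):
                findings[cpv] = glsa_id
    return findings

if __name__ == "__main__":
    for cpv, glsa_id in sorted(check_installed(SAMPLE_INSTALLED).items()):
        print(f"{cpv}: still covered by GLSA {glsa_id}")
```

On a real system, feed it the output of `qlist -Iv` instead of SAMPLE_INSTALLED. Note that a package such as media-libs/opus-1.1.3 is reported as affected even though only the revision differs from the fixed 1.1.3-r1: the revision carries the patch, so the comparator must treat `-rN` as part of the version rather than stripping it.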

Description
===========

Multiple vulnerabilities have been discovered in Redis. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker, able to connect to a Redis instance, could issue
malicious commands possibly resulting in the execution of arbitrary
code with the privileges of the process or a Denial of Service
condition.
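The precondition in the paragraph above is "able to connect": the issues are reachable through ordinary commands, so the practical question for an operator is whether an unpatched instance accepts commands from arbitrary clients. The following is an added example, not part of the advisory or of Redis: a minimal RESP client that asks a server for its version (INFO server) and whether a password is configured (CONFIG GET requirepass), then rates the instance against the fixed versions in the table above (>= 3.0.7 on the 3.0 branch, >= 3.2.5 on the 3.2 branch). The default host/port, the treatment of branches outside the table, and SAMPLE_INFO_PAYLOAD are assumptions made for the example.

```python
"""Probe a Redis instance for the exposure GLSA 201702-16 describes.

Added example, not part of the advisory or of Redis: a minimal RESP client
asks the server for its version (INFO server) and whether a password is set
(CONFIG GET requirepass), then rates the instance against the advisory's
fixed versions (>= 3.0.7 on the 3.0 branch, >= 3.2.5 on the 3.2 branch).
The host/port defaults and SAMPLE_INFO_PAYLOAD are constructed.
"""
import socket

def encode_command(*args):
    """Encode a command as every Redis client does: a RESP array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)

def parse_reply(data):
    """Decode one RESP reply; returns (value, unconsumed bytes).

    ValueError means `data` holds only part of a reply (keep reading);
    RuntimeError carries a server error reply such as -NOAUTH or -ERR."""
    kind, rest = data[:1], data[1:]
    line, sep, rest = rest.partition(b"\r\n")
    if not sep:
        raise ValueError("incomplete RESP line")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        raise RuntimeError(line.decode())
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:                                   # null bulk string
            return None, rest
        if len(rest) < n + 2:
            raise ValueError("incomplete bulk string")
        return rest[:n].decode(), rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unexpected RESP type byte {kind!r}")

def info_version(info_text):
    """redis_version from INFO output ('key:value' lines) as an int tuple."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return tuple(int(x) for x in line.split(":", 1)[1].strip().split("."))
    raise ValueError("redis_version not present in INFO output")

FIXED = {(3, 0): (3, 0, 7), (3, 2): (3, 2, 5)}   # from the Affected packages table

def assess(version, password_required):
    """'fixed', or the unpatched state plus whether anyone who can connect may
    issue commands.  A password narrows who reaches the vulnerable handlers;
    it is not a fix, which is why the advisory lists no workaround."""
    fixed = FIXED.get(version[:2], (3, 2, 5))   # assumption: other branches judged against the newest fix
    if version >= fixed:
        return "fixed"
    return "vulnerable, password-gated" if password_required else "vulnerable, unauthenticated"

def _read_reply(sock):
    """Accumulate until parse_reply sees a complete reply (it may span several recv calls)."""
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
        try:
            return parse_reply(buf)[0]
        except ValueError:
            continue

def probe(host="127.0.0.1", port=6379, timeout=3.0):
    """Live check: returns (version tuple or None, assessment string)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("INFO", "server"))
        try:
            version = info_version(_read_reply(sock))
        except RuntimeError as err:                 # -NOAUTH: gated, version unknown
            return None, f"auth required before INFO ({err}); version unknown"
        sock.sendall(encode_command("CONFIG", "GET", "requirepass"))
        try:
            password_required = bool(_read_reply(sock)[1])   # ['requirepass', '<value>']
        except RuntimeError:                        # CONFIG renamed or disabled
            password_required = False
    return version, assess(version, password_required)

# Constructed INFO server payload in the format a 3.0.x server returns
SAMPLE_INFO_PAYLOAD = "# Server\r\nredis_version:3.0.6\r\nredis_mode:standalone\r\n"
_payload = SAMPLE_INFO_PAYLOAD.encode()
SAMPLE_INFO_REPLY = b"$%d\r\n%s\r\n" % (len(_payload), _payload)
```

`probe()` needs a reachable server; the encoder, parser and `assess()` run offline against the constructed reply. A "vulnerable, password-gated" verdict still calls for the upgrade in the Resolution section: the password only limits who can reach the affected command handlers.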

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Redis 3.0.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/redis-3.0.7"

All Redis 3.2.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/redis-3.2.5"

References
==========

[ 1 ] CVE-2015-4335
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4335
[ 2 ] CVE-2015-8080
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8080
[ 3 ] CVE-2016-8339
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8339

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201702-13 ] Mozilla Thunderbird: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Mozilla Thunderbird: Multiple vulnerabilities
 Date: February 20, 2017
 Bugs: #607310
   ID: 201702-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Mozilla Thunderbird, the
worst of which could lead to the execution of arbitrary code.

Background
==========

Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                        /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  mail-client/thunderbird           < 45.7.0        >= 45.7.0
  2  mail-client/thunderbird-bin       < 45.7.0        >= 45.7.0
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker, by enticing a user to open a specially crafted email
or web page, could possibly execute arbitrary code with the privileges
of the process or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-45.7.0"

All Mozilla Thunderbird binary users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-45.7.0"

References
==========

[ 1 ] CVE-2017-5373
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5373
[ 2 ] CVE-2017-5375
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5375
[ 3 ] CVE-2017-5376
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5376
[ 4 ] CVE-2017-5378
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5378
[ 5 ] CVE-2017-5380
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5380
[ 6 ] CVE-2017-5383
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5383
[ 7 ] CVE-2017-5390
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5390
[ 8 ] CVE-2017-5396
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5396
[ 9 ] Mozilla Foundation Security Advisory 2017-03
  https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201702-17 ] MySQL: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: MySQL: Multiple vulnerabilities
 Date: February 20, 2017
 Bugs: #606254
   ID: 201702-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MySQL, the worst of which
could lead to privilege escalation.

Background
==========

MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an
enhanced, drop-in replacement for MySQL.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  dev-db/mysql                  < 5.6.35        >= 5.6.35

Description
===========

Multiple vulnerabilities have been discovered in MySQL. Please review
the CVE identifiers referenced below for details.

Impact
======

An attacker could possibly escalate privileges, gain access to critical
data or complete access to all MySQL server accessible data, or cause a
Denial of Service condition via unspecified vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MySQL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.35"

References
==========

[  1 ] CVE-2016-8318
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8318
[  2 ] CVE-2016-8327
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8327
[  3 ] CVE-2017-3238
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3238
[  4 ] CVE-2017-3243
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3243
[  5 ] CVE-2017-3244
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3244
[  6 ] CVE-2017-3251
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3251
[  7 ] CVE-2017-3256
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3256
[  8 ] CVE-2017-3257
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3257
[  9 ] CVE-2017-3258
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3258
[ 10 ] CVE-2017-3265
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3265
[ 11 ] CVE-2017-3273
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3273
[ 12 ] CVE-2017-3291
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3291
[ 13 ] CVE-2017-3312
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3312
[ 14 ] CVE-2017-3313
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3313
[ 15 ] CVE-2017-3317
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3317
[ 16 ] CVE-2017-3318
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3318
[ 17 ] CVE-2017-3319
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3319
[ 18 ] CVE-2017-3320
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3320
[ 19 ] Oracle Critical Patch Update Advisory - January 2017

https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-17

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201702-15 ] OCaml: Buffer overflow and information disclosure

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: OCaml: Buffer overflow and information disclosure
 Date: February 20, 2017
 Bugs: #581946
   ID: 201702-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in OCaml might allow remote attackers to obtain
sensitive information or crash an OCaml-based application.

Background
==========

OCaml is a high-level, strongly-typed, functional, and object-oriented
programming language from the ML family of languages.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  dev-lang/ocaml                < 4.04.0        >= 4.04.0

Description
===========

It was discovered that OCaml was vulnerable to a runtime bug that, on
64-bit platforms, causes size arguments to internal memmove calls to be
sign-extended from 32- to 64-bits before being passed to the memmove
function. This leads to arguments between 2GiB and 4GiB being
interpreted as larger than they are (specifically, a bit below 2^64),
causing a buffer overflow. Further, arguments between 4GiB and 6GiB are
interpreted as 4GiB smaller than they should be causing a possible
information leak.
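The two bands in the paragraph above follow directly from what sign extension does to a 32-bit value: lengths with bit 31 set become a huge 64-bit number, lengths with bit 31 clear lose everything above 4 GiB. The following is an added example, not OCaml runtime code, that reproduces that arithmetic in Python and classifies a requested length the way the advisory does; a scaled-down 8-bit to 16-bit variant then runs the same mistake against real buffers so that both outcomes (a copy far past the buffer, and a short copy that leaves stale bytes in the destination) can be observed. The buffer contents and sizes are constructed; the scaled-down widths are an analogy, not the real runtime's types.

```python
"""Model of the size miscalculation described above (CVE-2015-8869).

Added example; this is not OCaml runtime code.  It reproduces the effect of
sign-extending a 32-bit length to 64 bits before the value reaches memmove,
then runs the same mistake at 8 -> 16 bits against real buffers.  All buffers
and sizes are constructed.
"""
GIB = 1 << 30

def sign_extend(n, narrow=32, wide=64):
    """The buggy path: keep the low `narrow` bits of n, sign-extend them to `wide`
    bits, then read the result back as an unsigned size_t of `wide` bits."""
    low = n & ((1 << narrow) - 1)
    if low >> (narrow - 1):            # sign bit of the narrow type is set
        low -= 1 << narrow
    return low & ((1 << wide) - 1)

def classify(requested, narrow=32, wide=64):
    """Compare the length a caller asked for with the length memmove would receive."""
    passed = sign_extend(requested, narrow, wide)
    if passed == requested:
        return "exact"
    if passed > requested:
        return "overflow"              # 2GiB..4GiB: memmove length lands a bit below 2^64
    return "underread"                 # 4GiB..6GiB: memmove copies requested - 4GiB bytes

def blit(src, dst, requested, narrow=8, wide=16):
    """Scaled-down copy with the same bug: the 8-bit length is sign-extended to 16 bits.

    Returns the number of bytes memmove was told to copy.  A copy past either
    buffer is modelled as MemoryError, since in C that is heap corruption or a crash."""
    n = sign_extend(requested, narrow, wide)
    if n > len(src) or n > len(dst):
        raise MemoryError(f"memmove asked to copy {n} bytes into a {len(dst)}-byte buffer")
    dst[:n] = src[:n]
    return n

def stale_bytes_after_blit(requested, secret=b"SECRET", payload=0x41):
    """The information-leak band: copy `requested` bytes into a buffer that
    previously held `secret` material and report how many bytes the caller
    believes were overwritten but still hold the old contents, plus those bytes."""
    src = bytes([payload]) * requested
    dst = bytearray((secret * (requested // len(secret) + 1))[:requested])
    copied = blit(src, dst, requested)
    return requested - copied, bytes(dst[copied:])

if __name__ == "__main__":
    for size in (1 * GIB, 2 * GIB, 3 * GIB, 4 * GIB, 5 * GIB, 6 * GIB):
        print(f"{size // GIB} GiB -> {classify(size)} (memmove gets {sign_extend(size)} bytes)")
    stale, tail = stale_bytes_after_blit(300)
    print(f"8-bit analogue: 300 requested, {stale} bytes never overwritten, tail starts {tail[:12]!r}")
```

In the scaled-down variant, 256 bytes plays the role of 4 GiB: a request of 300 copies only 44 bytes, and the remaining 256 still hold the previous occupant of the buffer, which is exactly the leak the advisory describes if that buffer is later handed to the caller as a 300-byte string.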

Impact
======

A remote attacker, able to interact with an OCaml-based application,
could possibly obtain sensitive information or cause a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OCaml users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/ocaml-4.04.0"

Packages which depend on OCaml may need to be recompiled. Tools such as
qdepends (included in app-portage/portage-utils) may assist in
identifying these packages:

  # emerge -1 -a -v $(qdepends -CQ dev-lang/ocaml | sed 's/^/=/')

References
==========

[ 1 ] CVE-2015-8869
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8869

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-15

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201702-20 ] Adobe Flash Player: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
 Date: February 20, 2017
 Bugs: #605314, #609330
   ID: 201702-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which allows remote attackers to execute arbitrary code.

Background
==========

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable    /  Unaffected
    -------------------------------------------------------------------
  1  www-plugins/adobe-flash       < 24.0.0.221      >= 24.0.0.221

Description
===========

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process or bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Flash users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-24.0.0.221"

References
==========

[  1 ] CVE-2017-2925
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2925
[  2 ] CVE-2017-2926
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2926
[  3 ] CVE-2017-2927
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2927
[  4 ] CVE-2017-2928
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2928
[  5 ] CVE-2017-2930
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2930
[  6 ] CVE-2017-2931
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2931
[  7 ] CVE-2017-2932
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2932
[  8 ] CVE-2017-2933
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2933
[  9 ] CVE-2017-2934
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2934
[ 10 ] CVE-2017-2935
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2935
[ 11 ] CVE-2017-2936
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2936
[ 12 ] CVE-2017-2937
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2937
[ 13 ] CVE-2017-2938
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2938
[ 14 ] CVE-2017-2982
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2982
[ 15 ] CVE-2017-2984
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2984
[ 16 ] CVE-2017-2985
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2985
[ 17 ] CVE-2017-2986
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2986
[ 18 ] CVE-2017-2987
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2987
[ 19 ] CVE-2017-2988
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2988
[ 20 ] CVE-2017-2990
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2990
[ 21 ] CVE-2017-2991
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2991
[ 22 ] CVE-2017-2992
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2992
[ 23 ] CVE-2017-2993
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2993
[ 24 ] CVE-2017-2994
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2994
[ 25 ] CVE-2017-2995
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2995
[ 26 ] CVE-2017-2996
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2996

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-20

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201702-21 ] Opus: User-assisted execution of arbitrary code

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Opus: User-assisted execution of arbitrary code
 Date: February 20, 2017
 Bugs: #605894
   ID: 201702-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Opus could cause memory corruption.

Background
==========

Opus is a totally open, royalty-free, highly versatile audio codec.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  media-libs/opus               < 1.1.3-r1      >= 1.1.3-r1

Description
===========

Large NLSF values could cause the stabilization code in
silk/NLSF_stabilize.c to wrap around and leave the last value in
NLSF_Q15[] negative, close to -32768.

Under normal circumstances, the code will simply read from the wrong
table, resulting in an unstable LPC filter. The filter would then go
through the LPC stabilization code at the end of silk_NLSF2A().

Ultimately, the output audio would be garbage, but no worse than with
any other harmless bad packet.

Please see the referenced upstream patch and Debian bug report below
for a detailed analysis.

However, the original report was about a successful exploitation of
Android's Mediaserver in conjunction with this vulnerability.
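The mechanism above is a general one: fixed-width (here 16-bit Q15) values that are pushed upward to enforce a minimum spacing can wrap past 32767 into negative territory, and a negative value that is later turned into a table index reads outside the table. The following is an added example and a deliberately simplified model; it is not libopus code and does not reproduce silk_NLSF_stabilize() or the fix in the referenced upstream patch. The spacing rule, the table and the inputs are constructed. It contrasts a wrapping 16-bit store with a saturating one and shows why the consumer of the value must bounds-check the index rather than trust the arithmetic.

```python
"""Toy model of the wrap-around described above (CVE-2017-0381).

Added example; not libopus code, and not a reproduction of
silk_NLSF_stabilize() or of the upstream fix.  The spacing rule, table and
inputs are constructed.
"""
INT16_MIN, INT16_MAX = -32768, 32767

def store_int16(x):
    """Emulate assigning x to an opus_int16: wrap modulo 2^16 into [-32768, 32767]."""
    x &= 0xFFFF
    return x - 0x10000 if x & 0x8000 else x

def store_sat16(x):
    """Saturating alternative: clamp instead of wrapping."""
    return max(INT16_MIN, min(INT16_MAX, x))

def enforce_spacing(values_q15, min_delta, store=store_int16):
    """Push each value to at least min_delta above its predecessor, writing the
    result through `store` (the 16-bit assignment).  With a wrapping store, pushes
    near the top of the range leave the last value negative."""
    out = list(values_q15)
    for i in range(1, len(out)):
        if out[i] < out[i - 1] + min_delta:
            out[i] = store(out[i - 1] + min_delta)
    return out

# Constructed 128-entry table, indexed by the top 7 bits of a non-negative Q15 value
TABLE = [i * 2 for i in range(128)]

def table_index(value_q15):
    """Index derived from a Q15 value; for negative input the index is negative too."""
    return value_q15 >> 8

def lookup_unchecked(value_q15, table=TABLE):
    """What C does with a negative index is read memory before the table.  Python's
    negative indexing silently reads from the end instead: it hides the bug, it
    does not fix it."""
    return table[table_index(value_q15)]

def lookup_checked(value_q15, table=TABLE):
    """Reject any index outside the table instead of trusting the arithmetic."""
    idx = table_index(value_q15)
    if not 0 <= idx < len(table):
        raise IndexError(f"NLSF-derived index {idx} outside table of {len(table)} entries")
    return table[idx]

if __name__ == "__main__":
    wrapped = enforce_spacing([32000, 0, 0], 500)
    saturated = enforce_spacing([32000, 0, 0], 500, store=store_sat16)
    print("wrapping store:  ", wrapped, "-> index", table_index(wrapped[-1]))
    print("saturating store:", saturated, "-> index", table_index(saturated[-1]))
```

With the wrapping store, the input `[32000, 0, 0]` and a spacing of 500 ends at -32536, which is the "close to -32768" case the description mentions; the derived index is -128. Saturation keeps the value at 32767 and the index at 127, but the bounds check in `lookup_checked` is the part that makes the failure loud rather than a silent read from the wrong place.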

Impact
======

A remote attacker could entice a user to open a specially crafted media
stream, possibly resulting in execution of arbitrary code with the
privileges of the process, or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Opus users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/opus-1.1.3-r1"

References
==========

[ 1 ] CVE-2017-0381
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0381
[ 2 ] Debian Bug 851612
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851612#10
[ 3 ] Upstream patch
  https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-21

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201702-24 ] LibVNCServer/LibVNCClient: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: LibVNCServer/LibVNCClient: Multiple vulnerabilities
 Date: February 20, 2017
 Bugs: #605326
   ID: 201702-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in LibVNCServer/LibVNCClient,
the worst of which allows remote attackers to execute arbitrary code
when connecting to a malicious server.

Background
==========

LibVNCServer/LibVNCClient are cross-platform C libraries that allow you
to easily implement VNC server or client functionality in your program.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  net-libs/libvncserver         < 0.9.11        >= 0.9.11

Description
===========

Multiple vulnerabilities have been discovered in LibVNCServer and
LibVNCClient. Please review the CVE identifiers referenced below for
details.

Impact
======

A remote attacker could entice a user to connect to a malicious VNC
server or leverage Man-in-the-Middle attacks to cause the execution of
arbitrary code with the privileges of the user running a VNC client
linked against LibVNCClient.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LibVNCServer/LibVNCClient users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libvncserver-0.9.11"

References
==========

[ 1 ] CVE-2016-9941
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9941
[ 2 ] CVE-2016-9942
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9942

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-24

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201702-25 ] libass: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: libass: Multiple vulnerabilities
 Date: February 20, 2017
 Bugs: #596422
   ID: 201702-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in libass, the worst of which
have unknown impacts.

Background
==========

libass is a portable subtitle renderer for the ASS/SSA (Advanced
Substation Alpha/Substation Alpha) subtitle format.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  media-libs/libass             < 0.13.4        >= 0.13.4

Description
===========

Multiple vulnerabilities have been discovered in libass. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could cause a Denial of Service condition or other
unknown impacts via unknown attack vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libass users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libass-0.13.4"

References
==========

[ 1 ] CVE-2016-7969
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7969
[ 2 ] CVE-2016-7970
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7970
[ 3 ] CVE-2016-7971
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7971
[ 4 ] CVE-2016-7972
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7972

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-25

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201702-28 ] QEMU: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: QEMU: Multiple vulnerabilities
 Date: February 21, 2017
 Bugs: #606264, #606720, #606722, #607000, #607100, #607766,
   #608034, #608036, #608038, #608520, #608728
   ID: 201702-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in QEMU, the worst of which
could lead to the execution of arbitrary code on the host system.

Background
==========

QEMU is a generic and open source machine emulator and virtualizer.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  app-emulation/qemu            < 2.8.0-r1      >= 2.8.0-r1

Description
===========

Multiple vulnerabilities have been discovered in QEMU. Please review
the CVE identifiers referenced below for details.

Impact
======

A local attacker could potentially execute arbitrary code with the
privileges of the QEMU process on the host, gain privileges on the host
system, cause a Denial of Service condition, or obtain sensitive
information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QEMU users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.8.0-r1"

References
==========

[  1 ] CVE-2016-10155
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10155
[  2 ] CVE-2017-2615
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2615
[  3 ] CVE-2017-5525
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5525
[  4 ] CVE-2017-5552
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5552
[  5 ] CVE-2017-5578
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5578
[  6 ] CVE-2017-5579
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5579
[  7 ] CVE-2017-5667
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5667
[  8 ] CVE-2017-5856
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5856
[  9 ] CVE-2017-5857
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5857
[ 10 ] CVE-2017-5898
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5898
[ 11 ] CVE-2017-5931
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5931

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-28

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201702-27 ] Xen: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Xen: Multiple vulnerabilities
 Date: February 21, 2017
 Bugs: #607840, #609160
   ID: 201702-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Xen, the worst of which
could lead to the execution of arbitrary code on the host system.

Background
==========

Xen is a bare-metal hypervisor.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  app-emulation/xen             < 4.7.1-r5      >= 4.7.1-r5
  2  app-emulation/xen-tools       < 4.7.1-r6      >= 4.7.1-r6
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers and Xen Security Advisory referenced below for details.

Impact
======

A local attacker could potentially execute arbitrary code with the
privileges of the Xen (QEMU) process on the host, gain privileges on the
host system, cause a Denial of Service condition, or obtain sensitive
information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xen users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.7.1-r5"

All Xen Tools users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.7.1-r6"

References
==========

[ 1 ] CVE-2017-2615
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2615
[ 2 ] XSA-207
  https://xenbits.xen.org/xsa/advisory-207.html
[ 3 ] XSA-208
  https://xenbits.xen.org/xsa/advisory-208.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-27

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201702-18 ] MariaDB: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: MariaDB: Multiple vulnerabilities
 Date: February 20, 2017
 Bugs: #606258
   ID: 201702-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MariaDB, the worst of which
could lead to privilege escalation.

Background
==========

MariaDB is an enhanced, drop-in replacement for MySQL.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  dev-db/mariadb                < 10.0.29       >= 10.0.29

Description
===========

Multiple vulnerabilities have been discovered in MariaDB. Please review
the CVE identifiers referenced below for details.

Impact
======

An attacker could possibly escalate privileges, gain access to critical
data or to all data accessible to the MariaDB Server, or cause a Denial
of Service condition via unspecified vectors.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MariaDB users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.0.29"

References
==

[  1 ] CVE-2016-6664
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6664
[  2 ] CVE-2017-3238
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3238
[  3 ] CVE-2017-3243
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3243
[  4 ] CVE-2017-3244
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3244
[  5 ] CVE-2017-3257
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3257
[  6 ] CVE-2017-3258
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3258
[  7 ] CVE-2017-3265
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3265
[  8 ] CVE-2017-3291
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3291
[  9 ] CVE-2017-3312
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3312
[ 10 ] CVE-2017-3317
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3317
[ 11 ] CVE-2017-3318
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3318

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-18



[gentoo-announce] [ GLSA 201702-29 ] PHP: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: PHP: Multiple vulnerabilities
 Date: February 21, 2017
 Bugs: #604776, #606626
   ID: 201702-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PHP, the worst of which
could lead to arbitrary code execution or cause a Denial of Service
condition.

Background
==

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-lang/php < 5.6.30  >= 5.6.30

Description
===

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.

Impact
==

An attacker could possibly execute arbitrary code or create a Denial of
Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All PHP 5.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.30:5.6"

References
==

[ 1 ] CVE-2016-10158
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10158
[ 2 ] CVE-2016-10159
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10159
[ 3 ] CVE-2016-10160
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10160
[ 4 ] CVE-2016-10161
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10161
[ 5 ] CVE-2016-9935
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9935

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-29



[gentoo-announce] [ GLSA 201702-23 ] Dropbear: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Dropbear: Multiple vulnerabilities
 Date: February 20, 2017
 Bugs: #605560
   ID: 201702-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Dropbear, the worst of
which allows remote attackers to execute arbitrary code.

Background
==

Dropbear is an SSH server and client designed with a small memory
footprint.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/dropbear   < 2016.74 >= 2016.74

Description
===

Multiple vulnerabilities have been discovered in Dropbear. Please
review the CVE identifiers referenced below for details.

Impact
==

A remote attacker could possibly execute arbitrary code with root
privileges if usernames containing special characters can be created on
a system. Also, a dbclient user who can control username or host
arguments could potentially run arbitrary code with the privileges of
the process.

In addition, a remote attacker could entice a user to process a
specially crafted SSH key using dropbearconvert, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Dropbear users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/dropbear-2016.74"

References
==

[ 1 ] CVE-2016-7406
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7406
[ 2 ] CVE-2016-7407
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7407
[ 3 ] CVE-2016-7408
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7408
[ 4 ] CVE-2016-7409
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7409

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-23



[gentoo-announce] [ GLSA 201702-30 ] tcpdump: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: tcpdump: Multiple vulnerabilities
 Date: February 21, 2017
 Bugs: #606516
   ID: 201702-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in tcpdump, the worst of which
may allow execution of arbitrary code.

Background
==

tcpdump is a tool for network monitoring and data acquisition.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-analyzer/tcpdump      < 4.9.0           >= 4.9.0

Description
===

Multiple vulnerabilities have been discovered in tcpdump. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker, by sending a specially crafted network packet,
could possibly execute arbitrary code with the privileges of the
process or cause a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All tcpdump users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-4.9.0"

References
==

[  1 ] CVE-2016-7922
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7922
[  2 ] CVE-2016-7923
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7923
[  3 ] CVE-2016-7924
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7924
[  4 ] CVE-2016-7925
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7925
[  5 ] CVE-2016-7926
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7926
[  6 ] CVE-2016-7927
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7927
[  7 ] CVE-2016-7928
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7928
[  8 ] CVE-2016-7929
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7929
[  9 ] CVE-2016-7930
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7930
[ 10 ] CVE-2016-7931
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7931
[ 11 ] CVE-2016-7932
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7932
[ 12 ] CVE-2016-7933
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7933
[ 13 ] CVE-2016-7934
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7934
[ 14 ] CVE-2016-7935
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7935
[ 15 ] CVE-2016-7936
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7936
[ 16 ] CVE-2016-7937
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7937
[ 17 ] CVE-2016-7938
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7938
[ 18 ] CVE-2016-7939
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7939
[ 19 ] CVE-2016-7940
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7940
[ 20 ] CVE-2016-7973
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7973
[ 21 ] CVE-2016-7974
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7974
[ 22 ] CVE-2016-7975
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7975
[ 23 ] CVE-2016-7983
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7983
[ 24 ] CVE-2016-7984
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7984
[ 25 ] CVE-2016-7985
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7985
[ 26 ] CVE-2016-7986
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7986
[ 27 ] CVE-2016-7992
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7992
[ 28 ] CVE-2016-7993
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7993
[ 29 ] CVE-2016-8574
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8574
[ 30 ] CVE-2016-8575
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8575
[ 31 ] CVE-2017-5202
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5202
[ 32 ] CVE-2017-5203
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5203
[ 33 ] CVE-2017-5204
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5204
[ 34 ] CVE-2017-5205
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5205
[ 35 ] CVE-2017-5341
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5341
[ 36 ] CVE-2017-5342
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5342
[ 37 ] CVE-2017-5482
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5482
[ 38 ] CVE-2017-5483
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5483
[ 39 ] CVE-2017-5484
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5484
[ 40 ] CVE-2017-5485
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5485
[ 41 ] CVE-2017-5486
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5486

Availability
============

This GLSA and any updates to it are available for viewing at

[gentoo-announce] [ GLSA 201702-19 ] TigerVNC: Buffer overflow

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: TigerVNC: Buffer overflow
 Date: February 20, 2017
 Bugs: #606998
   ID: 201702-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in TigerVNC might allow remote attackers to execute
arbitrary code.

Background
==

TigerVNC is a high-performance VNC server/client.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/tigervnc         < 1.7.1           >= 1.7.1

Description
===

A buffer overflow vulnerability in ModifiablePixelBuffer::fillRect in
vncviewer was found.

Impact
==

A remote attacker, utilizing a malicious VNC server, could execute
arbitrary code with the privileges of the user running the client or
cause a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All TigerVNC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/tigervnc-1.7.1"

References
==

[ 1 ] CVE-2017-5581
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5581

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-19



[gentoo-announce] [ GLSA 201702-22 ] Mozilla Firefox: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Mozilla Firefox: Multiple vulnerabilities
 Date: February 20, 2017
 Bugs: #607138
   ID: 201702-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Mozilla Firefox, the worst
of which may allow execution of arbitrary code.

Background
==

Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  www-client/firefox   < 45.7.0  >= 45.7.0
  2  www-client/firefox-bin   < 45.7.0  >= 45.7.0
---
 2 affected packages

Description
===

Multiple vulnerabilities have been discovered in Mozilla Firefox.
Please review the CVE identifiers referenced below for details.

Impact
==

A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, bypass
access restrictions, access otherwise protected information, or spoof
content via multiple vectors.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-45.7.0"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-45.7.0"

References
==

[  1 ] CVE-2017-5373
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5373
[  2 ] CVE-2017-5375
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5375
[  3 ] CVE-2017-5376
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5376
[  4 ] CVE-2017-5378
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5378
[  5 ] CVE-2017-5380
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5380
[  6 ] CVE-2017-5383
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5383
[  7 ] CVE-2017-5386
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5386
[  8 ] CVE-2017-5390
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5390
[  9 ] CVE-2017-5396
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5396
[ 10 ] Mozilla Foundation Security Advisory 2017-02
   https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-22



[gentoo-announce] [ GLSA 201702-26 ] Nagios: Multiple vulnerabilities

2017-02-20 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201702-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Nagios: Multiple vulnerabilities
 Date: February 21, 2017
 Bugs: #595194, #598104, #600864, #602216
   ID: 201702-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Nagios, the worst of which
could lead to privilege escalation.

Background
==

Nagios is an open source host, service and network monitoring program.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-analyzer/nagios-core  < 4.2.4           >= 4.2.4

Description
===

Multiple vulnerabilities have been discovered in Nagios. Please review
the CVE identifiers referenced below for details.

Impact
==

A local attacker, who either is already Nagios's system user or belongs
to Nagios's group, could potentially escalate privileges.

In addition, a remote attacker could read or write to arbitrary files
by spoofing a crafted response from the Nagios RSS feed server.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Nagios users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-4.2.4"
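
Every Resolution section in the advisories above reduces to the same
check: is the installed version of the named package below the first
unaffected version in the "Affected packages" table? On a Gentoo system
that check is what `glsa-check -t all` (gentoolkit) performs against the
GLSA feed. The script below is an added example, not code from the
advisories or from gentoolkit: it runs the comparison offline over the
affected-package rows of the advisories on this page and a constructed
installed-package list. The sample list, the simplified version grammar
(dotted numbers plus an optional -rN ebuild revision only) and the
function names are assumptions of the example.

```python
"""Offline triage of GLSA 'Affected packages' rows against installed packages.

Added example; not code from the Gentoo advisories or from gentoolkit.
Version syntax is limited to dotted numbers plus an optional -rN revision;
lines using Gentoo's fuller grammar (_rc1, _p48, letter suffixes) are
reported as unparsed rather than silently compared.
"""
import re
from typing import Dict, List, Tuple

# Affected-package rows from the advisories on this page:
# (GLSA id, package, first unaffected version).  "< fixed" is vulnerable.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("201702-18", "dev-db/mariadb", "10.0.29"),
    ("201702-29", "dev-lang/php", "5.6.30"),
    ("201702-23", "net-misc/dropbear", "2016.74"),
    ("201702-30", "net-analyzer/tcpdump", "4.9.0"),
    ("201702-19", "net-misc/tigervnc", "1.7.1"),
    ("201702-22", "www-client/firefox", "45.7.0"),
    ("201702-22", "www-client/firefox-bin", "45.7.0"),
    ("201702-26", "net-analyzer/nagios-core", "4.2.4"),
]

# Constructed sample in the `qlist -Iv` output style (category/pkg-version[-rN]).
# Versions chosen to hit every branch: below, equal, revision above, unparsed.
INSTALLED_SAMPLE = """\
dev-db/mariadb-10.0.28-r1
dev-lang/php-5.6.30
net-misc/dropbear-2016.73
net-analyzer/tcpdump-4.8.1-r2
www-client/firefox-45.7.0
net-analyzer/nagios-core-4.2.4-r1
app-shells/bash-4.3_p48-r1
"""

Version = Tuple[Tuple[int, ...], int]  # (dotted numeric components, -rN revision)

# category/name (name matched lazily so "firefox-bin-45.7.0" splits correctly)
_ATOM_RE = re.compile(r"^(?P<pkg>[\w+.-]+/[\w+.-]+?)-(?P<ver>\d+(?:\.\d+)*(?:-r\d+)?)$")


def parse_version(text: str) -> Version:
    """'10.0.28-r1' -> ((10, 0, 28), 1); a missing revision counts as -r0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", text)
    if m is None:
        raise ValueError(f"unsupported version syntax: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, int(m.group(2)) if m.group(2) else 0


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when installed < fixed.  Tuple ordering matches Gentoo for these
    cases: 4.9 < 4.9.0, and 4.2.4-r1 > 4.2.4 (a revision of the fixed
    version is still fixed)."""
    return parse_version(installed) < parse_version(fixed)


def parse_installed(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split qlist-style lines into {package: version} plus the lines whose
    version syntax this simplified parser does not understand."""
    installed: Dict[str, str] = {}
    unparsed: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _ATOM_RE.match(line)
        if m is None:
            unparsed.append(line)
        else:
            installed[m.group("pkg")] = m.group("ver")
    return installed, unparsed


def triage(installed_text: str,
           advisories: List[Tuple[str, str, str]] = ADVISORIES) -> Dict[str, list]:
    """Report which advisories apply to the installed set and which lines could
    not be assessed.  A GLSA for a package that is not installed is not a finding."""
    installed, unparsed = parse_installed(installed_text)
    findings = []
    for glsa, pkg, fixed in advisories:
        ver = installed.get(pkg)
        if ver is not None and is_vulnerable(ver, fixed):
            findings.append((glsa, pkg, ver, fixed))
    return {"vulnerable": findings, "unparsed": unparsed}


def resolution_atoms(findings: List[Tuple[str, str, str, str]]) -> List[str]:
    """The atoms the advisories tell you to emerge, one per affected package."""
    return [f">={pkg}-{fixed}" for _glsa, pkg, _ver, fixed in findings]


if __name__ == "__main__":
    result = triage(INSTALLED_SAMPLE)
    for glsa, pkg, ver, fixed in result["vulnerable"]:
        print(f"GLSA {glsa}: {pkg}-{ver} installed, fixed in {fixed}")
    for line in result["unparsed"]:
        print(f"not assessed (unsupported version syntax): {line}")
    if result["vulnerable"]:
        atoms = " ".join(f'"{a}"' for a in resolution_atoms(result["vulnerable"]))
        print("emerge --ask --oneshot --verbose " + atoms)
```

On the constructed sample this flags mariadb, dropbear and tcpdump,
leaves php (equal to the fixed version), firefox and nagios-core (a
revision of the fixed version) alone, and lists the bash line as not
assessed instead of guessing. On a real box use `glsa-check -t all` to
list applicable GLSAs and `glsa-check -f <id>` to apply the upgrade; the
unparsed bucket is the reason to prefer the real tool, which implements
the full version ordering.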

References
==

[ 1 ] CVE-2008-4796
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4796
[ 2 ] CVE-2008-7313
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7313
[ 3 ] CVE-2016-8641
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8641
[ 4 ] CVE-2016-9565
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9565
[ 5 ] CVE-2016-9566
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9566

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-26
