[gentoo-announce] [ GLSA 201706-01 ] MUNGE: Privilege escalation

2017-06-06 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: MUNGE: Privilege escalation
 Date: June 06, 2017
 Bugs: #602596
   ID: 201706-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Gentoo's MUNGE ebuilds are vulnerable to privilege escalation due to
improper permissions.

Background
==========

An authentication service for creating and validating credentials.

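Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  sys-auth/munge              < 0.5.10-r2       >= 0.5.10-r2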

Description
===========

It was discovered that Gentoo's default MUNGE installation suffered
from a privilege escalation vulnerability (munge user to root) due to
improper permissions and a runscript which called chown() on a
user-controlled file.

Impact
======

A local attacker, who either is already MUNGE's system user or belongs
to MUNGE's group, could potentially escalate privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MUNGE users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-auth/munge-0.5.10-r2"

References
==========


Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201706-03 ] QEMU: Multiple vulnerabilities

2017-06-06 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: QEMU: Multiple vulnerabilities
 Date: June 06, 2017
 Bugs: #614744, #615874, #616460, #616462, #616482, #616484,
   #616636, #616870, #616872, #616874, #618808, #619018,
   #619020, #620322
   ID: 201706-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in QEMU, the worst of which
may allow a remote attacker to cause a Denial of Service or gain
elevated privileges from a guest VM.

Background
==========

QEMU is a generic and open source machine emulator and virtualizer.

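Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  app-emulation/qemu          < 2.9.0-r2        >= 2.9.0-r2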

Description
===========

Multiple vulnerabilities have been discovered in QEMU. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker might cause a Denial of Service or gain escalated
privileges from a guest VM.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QEMU users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.9.0-r2"

References
==========

[  1 ] CVE-2016-9603
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9603
[  2 ] CVE-2017-7377
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7377
[  3 ] CVE-2017-7471
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7471
[  4 ] CVE-2017-7493
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7493
[  5 ] CVE-2017-7718
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7718
[  6 ] CVE-2017-7980
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7980
[  7 ] CVE-2017-8086
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8086
[  8 ] CVE-2017-8112
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8112
[  9 ] CVE-2017-8309
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8309
[ 10 ] CVE-2017-8379
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8379
[ 11 ] CVE-2017-8380
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8380
[ 12 ] CVE-2017-9060
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9060
[ 13 ] CVE-2017-9310
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9310
[ 14 ] CVE-2017-9330
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9330

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-03



[gentoo-announce] [ GLSA 201706-02 ] Shadow: Multiple vulnerabilities

2017-06-06 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Shadow: Multiple vulnerabilities
 Date: June 06, 2017
 Bugs: #610804, #620510
   ID: 201706-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Shadow, the worst of which
might allow privilege escalation.

Background
==========

Shadow is a set of tools to deal with user accounts.

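Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  sys-apps/shadow             < 4.4-r2          >= 4.4-r2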

Description
===========

Multiple vulnerabilities have been discovered in Shadow. Please review
the CVE identifiers referenced below for details.

Impact
======

A local attacker could possibly cause a Denial of Service condition,
gain privileges via crafted input, or SIGKILL arbitrary processes.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Shadow users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.4-r2"

References
==========

[ 1 ] CVE-2016-6252
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6252
[ 2 ] CVE-2017-2616
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2616

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-02



[gentoo-announce] [ GLSA 201706-06 ] ImageWorsener: Multiple vulnerabilities

2017-06-06 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: ImageWorsener: Multiple vulnerabilities
 Date: June 06, 2017
 Bugs: #618014
   ID: 201706-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in ImageWorsener, the worst of
which allows remote attackers to cause a Denial of Service condition or
have other unspecified impact.

Background
==========

ImageWorsener is a cross-platform command-line utility and library for
image scaling and other image processing.

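Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  media-gfx/imageworsener     < 1.3.1           >= 1.3.1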

Description
===========

Multiple vulnerabilities have been discovered in ImageWorsener. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to process a specially crafted
image file using ImageWorsener, possibly resulting in a Denial of
Service condition or have other unspecified impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ImageWorsener users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/imageworsener-1.3.1"

References
==========

[ 1 ] CVE-2017-7452
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7452
[ 2 ] CVE-2017-7453
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7453
[ 3 ] CVE-2017-7454
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7454
[ 4 ] CVE-2017-7939
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7939
[ 5 ] CVE-2017-7940
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7940
[ 6 ] CVE-2017-7962
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7962
[ 7 ] CVE-2017-8325
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8325
[ 8 ] CVE-2017-8326
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8326
[ 9 ] CVE-2017-8327
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8327

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-06



[gentoo-announce] [ GLSA 201706-07 ] Libtirpc and RPCBind: Denial of Service

2017-06-06 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Libtirpc and RPCBind: Denial of Service
 Date: June 06, 2017
 Bugs: #617472
   ID: 201706-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in Libtirpc and RPCBind which may allow
a remote attacker to cause a Denial of Service condition.

Background
==========

The RPCBind utility is a server that converts RPC program numbers into
universal addresses.

Libtirpc is a port of Sun's Transport-Independent RPC library to Linux.

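Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  net-nds/rpcbind             < 0.2.4-r         >= 0.2.4-r
  2  net-libs/libtirpc           < 1.0.1-r1        >= 1.0.1-r1
    ------------------------------------------------------------
     2 affected packages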

Description
===========

It was found that due to the way RPCBind uses libtirpc (libntirpc), a
memory leak can occur when parsing specially crafted XDR messages.

Impact
======

A remote attacker could send thousands of messages to RPCBind, possibly
resulting in a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All RPCBind users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-nds/rpcbind-0.2.4-r"

All Libtirpc users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libtirpc-1.0.1-r1"

References
==========

[ 1 ] CVE-2017-8779
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8779

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-07



[gentoo-announce] [ GLSA 201706-04 ] Git: Security bypass

2017-06-06 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Git: Security bypass
 Date: June 06, 2017
 Bugs: #618126
   ID: 201706-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Git might allow remote attackers to bypass security
restrictions.

Background
==========

Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.

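Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  dev-vcs/git                 < 2.13.0          >= 2.13.0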

Description
===========

Timo Schmid discovered that the Git restricted shell incorrectly
filtered allowed commands.

Impact
======

A remote attacker could possibly bypass security restrictions and
access sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Git users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.13.0"

References
==========

[ 1 ] CVE-2017-8386
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8386

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-04



[gentoo-announce] [ GLSA 201706-05 ] D-Bus: Multiple vulnerabilities

2017-06-06 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: D-Bus: Multiple vulnerabilities
 Date: June 06, 2017
 Bugs: #611392
   ID: 201706-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in D-Bus might allow an attacker to overwrite
files with a fixed filename in arbitrary directories or conduct a
symlink attack.

Background
==========

D-Bus is a message bus system which processes can use to talk to each
other.

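Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  sys-apps/dbus               < 1.10.18         >= 1.10.18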

Description
===========

Multiple vulnerabilities have been discovered in D-Bus. Please review
the original report referenced below for details.

Impact
======

An attacker could possibly overwrite arbitrary files named "once" with
content not controlled by the attacker.

A local attacker could perform a symlink attack against D-Bus' test
suite.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All D-Bus users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.10.18"

References
==========

[ 1 ] Original report
  http://www.openwall.com/lists/oss-security/2017/02/16/4

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-05



[gentoo-announce] [ GLSA 201706-08 ] MuPDF: Multiple vulnerabilities

2017-06-06 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: MuPDF: Multiple vulnerabilities
 Date: June 06, 2017
 Bugs: #611444, #614044, #614852
   ID: 201706-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MuPDF, the worst of which
allows remote attackers to cause a Denial of Service condition or have
other unspecified impact.

Background
==========

A lightweight PDF, XPS, and E-book viewer.

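Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  app-text/mupdf              < 1.11-r1         >= 1.11-r1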

Description
===========

Multiple vulnerabilities have been discovered in MuPDF. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to process a specially crafted
PDF document or image using MuPDF, possibly resulting in a Denial of
Service condition or have other unspecified impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MuPDF users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/mupdf-1.11-r1"

References
==========

[ 1 ] CVE-2016-10221
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10221
[ 2 ] CVE-2017-5991
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5991
[ 3 ] CVE-2017-6060
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6060

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-08



[gentoo-announce] [ GLSA 201706-09 ] FileZilla: Buffer overflow

2017-06-06 Thread Thomas Deutschmann
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: FileZilla: Buffer overflow
 Date: June 06, 2017
 Bugs: #610554
   ID: 201706-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in a bundled copy of PuTTY in FileZilla might allow
remote attackers to execute arbitrary code or cause a denial of
service.

Background
==========

FileZilla is an open source FTP client.

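Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  net-ftp/filezilla           < 3.25.2          >= 3.25.2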

Description
===========

FileZilla is affected by the same vulnerability as reported in "GLSA
201703-03" because the package included a vulnerable copy of PuTTY.
Please read the GLSA for PuTTY referenced below for details.

Impact
======

A remote attacker, utilizing the SSH agent forwarding of an SSH server,
could execute arbitrary code with the privileges of the user running
FileZilla or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FileZilla users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-ftp/filezilla-3.25.2"

References
==========

[ 1 ] CVE-2017-6542
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6542
[ 2 ] GLSA 201703-03
  https://security.gentoo.org/glsa/201703-03

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-09



[gentoo-announce] Dropping support of sparc as a security supported architecture.

2017-06-06 Thread Yury German
Hello,

After long discussion with the sparc team and other developers, the
Security Team has decided to drop SPARC as a security supported
architecture. This decision follows the council decision on 2016-12-11,
"The council defers to the security team, but is supportive of dropping
security support for sparc if it is unable to generally meet the
security team timelines."

The list of security supported architectures is maintained in the
[Security Vulnerability Treatment Policy]

The consequences of the removal of security supported architecture
include (i) GLSA will be released before a version of a package is
necessarily stable for the architecture (ii) architecture-specific
issues will not be investigated.

In addition to this announcement, glsa-check will be updated to present
necessary information for sparc users. As most security issues are
cross-architecture, glsa-check will continue to be operational for sparc
based on generic GLSAs for other architectures.

References:
[Security Vulnerability Treatment Policy]
https://www.gentoo.org/support/security/vulnerability-treatment-policy.html
##

-- 

Yury German (BlueKnight)
Gentoo Security Team Lead
Email: bluekni...@gentoo.org

OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
GPG Fingerprint: 8858 89D6 C0C4 75C4 D0DD  FA00 EEAF ED89 024C 043





[gentoo-announce] [ GLSA 201706-10 ] Pidgin: Arbitrary code execution

2017-06-06 Thread Kristian Fiskerstrand
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Pidgin: Arbitrary code execution
 Date: June 06, 2017
 Bugs: #612188
   ID: 201706-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Pidgin might allow remote attackers to execute
arbitrary code.

Background
==========

Pidgin is a GTK Instant Messenger client for a variety of instant
messaging protocols.

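Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  net-im/pidgin               < 2.12.0          >= 2.12.0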

Description
===========

Joseph Bisch discovered that Pidgin incorrectly handled certain XML
messages.

Impact
======

A remote attacker could send a specially crafted instant message,
possibly resulting in execution of arbitrary code with the privileges
of the Pidgin process.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pidgin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.12.0"

References
==========

[ 1 ] CVE-2017-2640
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2640

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-10



[gentoo-announce] [ GLSA 201706-11 ] PCRE library: Denial of Service

2017-06-06 Thread Kristian Fiskerstrand
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: PCRE library: Denial of Service
 Date: June 06, 2017
 Bugs: #609592
   ID: 201706-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in PCRE library allows remote attackers to cause a
Denial of Service condition.

Background
==========

PCRE library is a set of functions that implement regular expression
pattern matching using the same syntax and semantics as Perl 5.

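Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  dev-libs/libpcre            < 8.40-r1         >= 8.40-r1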

Description
===========

It was found that the compile_bracket_matchingpath function in
pcre_jit_compile.c in PCRE library is vulnerable to an out-of-bounds
read.

Impact
======

A remote attacker could possibly cause a Denial of Service condition
via a specially crafted regular expression.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PCRE library users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libpcre-8.40-r1"

References
==========

[ 1 ] CVE-2017-6004
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6004

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-11



[gentoo-announce] [ GLSA 201706-12 ] Wireshark: Multiple vulnerabilities

2017-06-06 Thread Kristian Fiskerstrand
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Wireshark: Multiple vulnerabilities
 Date: June 06, 2017
 Bugs: #609646, #615462
   ID: 201706-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Wireshark, the worst of
which allows remote attackers to cause a Denial of Service condition.

Background
==========

Wireshark is a network protocol analyzer formerly known as ethereal.

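Affected packages
=================

    ------------------------------------------------------------
     Package                   / Vulnerable      / Unaffected
    ------------------------------------------------------------
  1  net-analyzer/wireshark      < 2.2.6           >= 2.2.6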

Description
===========

Multiple vulnerabilities have been discovered in Wireshark. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to process a specially crafted
network packet using Wireshark, possibly resulting in a Denial of Service
condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Wireshark users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-2.2.6"

References
==========

[ 1 ] CVE-2017-6014
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6014
[ 2 ] CVE-2017-7700
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7700
[ 3 ] CVE-2017-7701
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7701
[ 4 ] CVE-2017-7702
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7702
[ 5 ] CVE-2017-7703
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7703
[ 6 ] CVE-2017-7704
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7704
[ 7 ] CVE-2017-7705
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7705

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-12



[gentoo-announce] [ GLSA 201706-14 ] FreeType: Multiple vulnerabilities

2017-06-06 Thread Kristian Fiskerstrand
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: FreeType: Multiple vulnerabilities
     Date: June 06, 2017
     Bugs: #612192, #616730
       ID: 201706-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in FreeType, the worst of
which allows remote attackers to execute arbitrary code.

Background
==========

FreeType is a high-quality and portable font engine.

Affected packages
=================

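    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/freetype           < 2.8                       >= 2.8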

Description
===========

Multiple vulnerabilities have been discovered in FreeType. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to use a specially crafted font
file using FreeType, possibly resulting in execution of arbitrary code
with the privileges of the process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FreeType users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.8"

References
==========

[ 1 ] CVE-2016-10244
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10244
[ 2 ] CVE-2016-10328
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10328
[ 3 ] CVE-2017-7857
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7857
[ 4 ] CVE-2017-7858
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7858
[ 5 ] CVE-2017-7864
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7864
[ 6 ] CVE-2017-8105
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8105
[ 7 ] CVE-2017-8287
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8287

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201706-13 ] minicom: Remote execution of arbitrary code

2017-06-06 Thread Kristian Fiskerstrand
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: minicom: Remote execution of arbitrary code
     Date: June 06, 2017
     Bugs: #615996
       ID: 201706-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An out-of-bounds data access in minicom might allow remote attackers to
execute arbitrary code.

Background
==========

Minicom is a text-based serial port communications program.

Affected packages
=================

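    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-dialup/minicom           < 2.7.1                    >= 2.7.1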

Description
===========

In minicom before version 2.7.1, the escparms[] buffer in vt100.c is
vulnerable to an overflow.

Impact
======

A remote attacker, able to connect to a minicom port, could possibly
execute arbitrary code with the privileges of the process, or cause a
Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All minicom users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-dialup/minicom-2.7.1"

References
==========

[ 1 ] CVE-2017-7467
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7467

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


