[gentoo-announce] [ GLSA 201708-02 ] TNEF: Multiple vulnerabilities

2017-08-16 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201708-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: TNEF: Multiple vulnerabilities
 Date: August 17, 2017
 Bugs: #611426, #618658
   ID: 201708-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in TNEF, the worst of which
allows remote attackers to cause a Denial of Service condition.

Background
==

TNEF is a program for unpacking MIME attachments of type
"application/ms-tnef".

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-mail/tnef                 < 1.4.15                  >= 1.4.15

Description
===

Multiple vulnerabilities have been discovered in TNEF. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker could entice a user to process a specially crafted
MIME attachment of type "application/ms-tnef" using TNEF, possibly
resulting in a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All TNEF users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-mail/tnef-1.4.15"

References
==

[ 1 ] CVE-2017-6307
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6307
[ 2 ] CVE-2017-6308
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6308
[ 3 ] CVE-2017-6309
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6309
[ 4 ] CVE-2017-6310
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6310
[ 5 ] CVE-2017-8911
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8911

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201708-02

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201708-01 ] BIND: Multiple vulnerabilities

2017-08-16 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201708-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: BIND: Multiple vulnerabilities
 Date: August 17, 2017
 Bugs: #605454, #608740, #615420, #621730
   ID: 201708-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in BIND, the worst of which
allows remote attackers to cause a Denial of Service condition.

Background
==

BIND (Berkeley Internet Name Domain) is a Name Server.

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-dns/bind               < 9.11.1_p1               >= 9.11.1_p1

Description
===

Multiple vulnerabilities have been discovered in BIND. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker could send a specially crafted DNS request to the
BIND resolver resulting in a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All BIND users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-dns/bind-9.11.1_p1"

References
==

[  1 ] CVE-2016-9131
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9131
[  2 ] CVE-2016-9147
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9147
[  3 ] CVE-2016-9444
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9444
[  4 ] CVE-2016-9778
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9778
[  5 ] CVE-2017-3135
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3135
[  6 ] CVE-2017-3136
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3136
[  7 ] CVE-2017-3137
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3137
[  8 ] CVE-2017-3138
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3138
[  9 ] CVE-2017-3140
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3140
[ 10 ] CVE-2017-3141
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3141

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201708-01

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] Dropping support of sparc as a security supported architecture.

2017-06-06 Thread Yury German
Hello,

After long discussion with the sparc team and other developers, the
Security Team has decided to drop SPARC as a security supported
architecture. This decision follows the council decision on 2016-12-11,
"The council defers to the security team, but is supportive of dropping
security support for sparc if it is unable to generally meet the
security team timelines."

The list of security supported architectures is maintained in the
[Security Vulnerability Treatment Policy].

The consequences of removing security support for an architecture
include: (i) GLSAs will be released before a fixed version of a package
is necessarily stable for that architecture, and (ii) architecture-specific
issues will not be investigated.

In addition to this announcement, glsa-check will be updated to present
necessary information for sparc users. As most security issues are
cross-architecture, glsa-check will continue to be operational for sparc
based on generic GLSAs for other architectures.

References:
[Security Vulnerability Treatment Policy]
https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

-- 
____
Yury German (BlueKnight)
Gentoo Security Team Lead
Email: bluekni...@gentoo.org

OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
GPG Fingerprint: 8858 89D6 C0C4 75C4 D0DD  FA00 EEAF ED89 024C 043





[gentoo-announce] [ GLSA 201706-03 ] QEMU: Multiple vulnerabilities

2017-06-06 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: QEMU: Multiple vulnerabilities
 Date: June 06, 2017
 Bugs: #614744, #615874, #616460, #616462, #616482, #616484,
   #616636, #616870, #616872, #616874, #618808, #619018,
   #619020, #620322
   ID: 201706-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in QEMU, the worst of which
may allow a remote attacker to cause a Denial of Service or gain
elevated privileges from a guest VM.

Background
==

QEMU is a generic and open source machine emulator and virtualizer.

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/qemu           < 2.9.0-r2                >= 2.9.0-r2

Description
===

Multiple vulnerabilities have been discovered in QEMU. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker might cause a Denial of Service or gain escalated
privileges from a guest VM.

Workaround
==

There is no known workaround at this time.

Resolution
==

All QEMU users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.9.0-r2"

References
==

[  1 ] CVE-2016-9603
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9603
[  2 ] CVE-2017-7377
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7377
[  3 ] CVE-2017-7471
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7471
[  4 ] CVE-2017-7493
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7493
[  5 ] CVE-2017-7718
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7718
[  6 ] CVE-2017-7980
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7980
[  7 ] CVE-2017-8086
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8086
[  8 ] CVE-2017-8112
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8112
[  9 ] CVE-2017-8309
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8309
[ 10 ] CVE-2017-8379
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8379
[ 11 ] CVE-2017-8380
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8380
[ 12 ] CVE-2017-9060
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9060
[ 13 ] CVE-2017-9310
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9310
[ 14 ] CVE-2017-9330
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9330

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-03

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201706-02 ] Shadow: Multiple vulnerabilities

2017-06-06 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Shadow: Multiple vulnerabilities
 Date: June 06, 2017
 Bugs: #610804, #620510
   ID: 201706-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Shadow, the worst of which
might allow privilege escalation.

Background
==

Shadow is a set of tools to deal with user accounts.

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  sys-apps/shadow                < 4.4-r2                  >= 4.4-r2

Description
===

Multiple vulnerabilities have been discovered in Shadow. Please review
the CVE identifiers referenced below for details.

Impact
==

A local attacker could possibly cause a Denial of Service condition,
gain privileges via crafted input, or SIGKILL arbitrary processes.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Shadow users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.4-r2"

References
==

[ 1 ] CVE-2016-6252
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6252
[ 2 ] CVE-2017-2616
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2616

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-02

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201706-01 ] MUNGE: Privilege escalation

2017-06-06 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201706-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: MUNGE: Privilege escalation
 Date: June 06, 2017
 Bugs: #602596
   ID: 201706-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Gentoo's MUNGE ebuilds are vulnerable to privilege escalation due to
improper permissions.

Background
==

MUNGE is an authentication service for creating and validating credentials.

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  sys-auth/munge              < 0.5.10-r2              >= 0.5.10-r2

Description
===

It was discovered that Gentoo's default MUNGE installation suffered
from a privilege escalation vulnerability (munge user to root) due to
improper permissions and a runscript which called chown() on a user
controlled file.

Impact
==

A local attacker, who either is already MUNGE's system user or belongs
to MUNGE's group, could potentially escalate privileges.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MUNGE users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-auth/munge-0.5.10-r2"

References
==


Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-01

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201705-10 ] GStreamer plug-ins: User-assisted execution of arbitrary code

2017-05-17 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201705-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: GStreamer plug-ins: User-assisted execution of arbitrary code
 Date: May 18, 2017
 Bugs: #600142, #601354
   ID: 201705-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in various GStreamer plug-ins,
the worst of which could lead to the execution of arbitrary code.

Background
==

The GStreamer plug-ins provide decoders to the GStreamer open source
media framework.

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/gst-plugins-bad    < 1.10.3                  >= 1.10.3
  2  media-libs/gst-plugins-good   < 1.10.3                  >= 1.10.3
  3  media-libs/gst-plugins-base   < 1.10.3                  >= 1.10.3
  4  media-libs/gst-plugins-ugly   < 1.10.3                  >= 1.10.3
    -------------------------------------------------------------------
     4 affected packages

Description
===

Multiple vulnerabilities have been discovered in various GStreamer
plug-ins. Please review the CVE identifiers referenced below for
details.

Impact
==

A remote attacker could entice a user or automated system using a
GStreamer plug-in to process a specially crafted file, resulting in the
execution of arbitrary code or a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All gst-plugins-bad users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=media-libs/gst-plugins-bad-1.10.3:1.0"

All gst-plugins-good users should upgrade to the latest version:

  # emerge --sync
  # emerge -a --oneshot -v ">=media-libs/gst-plugins-good-1.10.3:1.0"

All gst-plugins-base users should upgrade to the latest version:

  # emerge --sync
  # emerge -a --oneshot -v ">=media-libs/gst-plugins-base-1.10.3:1.0"

All gst-plugins-ugly users should upgrade to the latest version:

  # emerge --sync
  # emerge -a --oneshot -v ">=media-libs/gst-plugins-ugly-1.10.3:1.0"

References
==

[  1 ] CVE-2016-10198
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10198
[  2 ] CVE-2016-10199
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10199
[  3 ] CVE-2016-9445
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9445
[  4 ] CVE-2016-9446
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9446
[  5 ] CVE-2016-9447
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9447
[  6 ] CVE-2016-9634
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9634
[  7 ] CVE-2016-9635
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9635
[  8 ] CVE-2016-9636
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9636
[  9 ] CVE-2016-9807
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9807
[ 10 ] CVE-2016-9808
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9808
[ 11 ] CVE-2016-9809
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9809
[ 12 ] CVE-2016-9810
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9810
[ 13 ] CVE-2016-9811
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9811
[ 14 ] CVE-2016-9812
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9812
[ 15 ] CVE-2016-9813
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9813
[ 16 ] CVE-2017-5837
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5837
[ 17 ] CVE-2017-5838
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5838
[ 18 ] CVE-2017-5839
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5839
[ 19 ] CVE-2017-5840
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5840
[ 20 ] CVE-2017-5841
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5841
[ 21 ] CVE-2017-5842
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5842
[ 22 ] CVE-2017-5843
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5843
[ 23 ] CVE-2017-5844
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5844
[ 24 ] CVE-2017-5845
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5845
[ 25 ] CVE-2017-5846
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5846
[ 26 ] CVE-2017-5847
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5847
[ 27 ] CVE-2017-5848
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5848

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 

[gentoo-announce] [ GLSA 201705-09 ] Apache Tomcat: Multiple vulnerabilities

2017-05-17 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201705-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Apache Tomcat: Multiple vulnerabilities
 Date: May 18, 2017
 Bugs: #575796, #586966, #595978, #615868
   ID: 201705-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Apache Tomcat, the worst of
which could lead to privilege escalation.

Background
==

Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-servers/tomcat             < 8.0.36                 >= 7.0.70
                                                              >= 8.0.36

Description
===

Multiple vulnerabilities have been discovered in Tomcat. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker may be able to cause a Denial of Service condition,
obtain sensitive information, bypass protection mechanisms and
authentication restrictions.

A local attacker who is tomcat's system user or belongs to tomcat's
group could potentially escalate privileges.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Apache Tomcat users have to manually check their Tomcat runscripts
to make sure that they don't use an old, vulnerable runscript. In
addition:

All Apache Tomcat 7 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.70:7"

All Apache Tomcat 8 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.0.36:8"
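
Reading a GLSA's affected-package table by hand is error-prone once slots are involved: the Tomcat table above lists ">= 7.0.70" as unaffected, but that range only covers the 7.x slot, as the ":7" and ":8" in the Resolution atoms show, so an 8.0.35 install is still affected. The following Python is an added example (not Gentoo's glsa-check or any project code) that parses atoms in the Resolution's own syntax, orders versions by simplified PMS rules (assumption: every dotted component is compared as an integer), and applies the vulnerable/unaffected logic with slot awareness; the installed versions it checks are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Gentoo (PMS) suffix order: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)

# Atom syntax as used in the Resolution sections: [op]category/name-version[:slot]
_ATOM_RE = re.compile(
    r"^(?P<op>>=|<=|<|>|=)?(?P<cat>[a-z0-9-]+)/(?P<pn>[A-Za-z0-9+_-]+?)"
    r"-(?P<ver>\d[^:\s]*)(?::(?P<slot>\S+))?$"
)


def version_key(ver: str) -> tuple:
    """Map a Gentoo version string to a tuple that sorts in PMS order.

    Assumption (simplification of PMS): every dotted component is compared
    as an integer; real PMS compares components with leading zeros as strings.
    """
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised Gentoo version: {ver!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    letter = m.group("letter") or ""
    suffixes = tuple(
        (_SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))
    )
    # A version without any suffix sorts between _rc and _p.
    if not suffixes:
        suffixes = ((_SUFFIX_RANK[""], 0),)
    return (nums, letter, suffixes, int(m.group("rev") or 0))


class Atom(NamedTuple):
    op: str              # "=" for an installed package, a range op for a constraint
    package: str         # category/name
    version: str
    slot: Optional[str]  # None means "any slot"


def parse_atom(text: str) -> Atom:
    m = _ATOM_RE.match(text.strip().strip('"'))
    if not m:
        raise ValueError(f"unrecognised atom: {text!r}")
    return Atom(m.group("op") or "=", f"{m.group('cat')}/{m.group('pn')}",
                m.group("ver"), m.group("slot"))


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def matches(constraint: Atom, installed: Atom) -> bool:
    """True if the installed package falls inside the constraint's range.

    A slot on the constraint restricts it to that slot, so ">=tomcat-7.0.70:7"
    says nothing about an 8.x install; an unslotted constraint covers all slots.
    """
    if constraint.package != installed.package:
        return False
    if constraint.slot is not None and constraint.slot != installed.slot:
        return False
    return _OPS[constraint.op](version_key(installed.version),
                               version_key(constraint.version))


def is_affected(installed: Atom, vulnerable: List[Atom],
                unaffected: List[Atom]) -> bool:
    """GLSA semantics: affected when inside a vulnerable range and not inside
    any unaffected range."""
    return (any(matches(v, installed) for v in vulnerable)
            and not any(matches(u, installed) for u in unaffected))


def check(installed_atom: str, vulnerable: List[Atom],
          unaffected: List[Atom]) -> bool:
    return is_affected(parse_atom(installed_atom), vulnerable, unaffected)


# Ranges transcribed from the Tomcat table above; the slots come from the
# Resolution atoms (":7", ":8") because the flattened text table drops them.
TOMCAT_VULNERABLE = [parse_atom("<www-servers/tomcat-8.0.36")]
TOMCAT_UNAFFECTED = [parse_atom(">=www-servers/tomcat-7.0.70:7"),
                     parse_atom(">=www-servers/tomcat-8.0.36:8")]

if __name__ == "__main__":
    # Constructed installed versions, not taken from any real host.
    for inst in ("www-servers/tomcat-7.0.69:7", "www-servers/tomcat-7.0.70:7",
                 "www-servers/tomcat-8.0.35:8", "www-servers/tomcat-8.0.36:8"):
        state = "AFFECTED" if check(inst, TOMCAT_VULNERABLE, TOMCAT_UNAFFECTED) \
            else "ok"
        print(f"{inst:32} {state}")
```

The same `check` works for the single-slot tables on this page (e.g. `<net-dns/bind-9.11.1_p1` versus `>=net-dns/bind-9.11.1_p1`), where a plain 9.11.1 sorts below 9.11.1_p1 and a 2.9.0-r1 below 2.9.0-r2.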

References
==

[  1 ] CVE-2015-5174
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5174
[  2 ] CVE-2015-5345
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5345
[  3 ] CVE-2015-5346
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5346
[  4 ] CVE-2015-5351
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5351
[  5 ] CVE-2016-0706
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0706
[  6 ] CVE-2016-0714
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0714
[  7 ] CVE-2016-0763
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0763
[  8 ] CVE-2016-1240
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1240
[  9 ] CVE-2016-3092
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3092
[ 10 ] CVE-2016-8745
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8745
[ 11 ] CVE-2017-5647
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5647
[ 12 ] CVE-2017-5648
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5648
[ 13 ] CVE-2017-5650
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5650
[ 14 ] CVE-2017-5651
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5651

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201705-09

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201704-04 ] Adobe Flash Player: Multiple vulnerabilities

2017-04-26 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201704-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
 Date: April 27, 2017
 Bugs: #615244
   ID: 201704-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which allows remote attackers to execute arbitrary code.

Background
==

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-plugins/adobe-flash    < 25.0.0.148             >= 25.0.0.148

Description
===

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.

Impact
==

A remote attacker could possibly execute arbitrary code with the
privileges of the process or bypass security restrictions.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Adobe Flash users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-25.0.0.148"

References
==

[ 1 ] CVE-2017-3058
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3058
[ 2 ] CVE-2017-3059
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3059
[ 3 ] CVE-2017-3060
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3060
[ 4 ] CVE-2017-3061
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3061
[ 5 ] CVE-2017-3062
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3062
[ 6 ] CVE-2017-3063
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3063
[ 7 ] CVE-2017-3064
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3064

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201704-04

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201703-07 ] Xen: Privilege Escalation

2017-03-27 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201703-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Xen: Privilege Escalation
 Date: March 28, 2017
 Bugs: #609120
   ID: 201703-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Xen's bundled QEMU version might allow privilege
escalation.

Background
==

Xen is a bare-metal hypervisor.

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/xen-tools       < 4.7.1-r8               >= 4.7.1-r8

Description
===

In CIRRUS_BLTMODE_MEMSYSSRC mode, the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified memory
region is safe.

Impact
==

A local attacker could potentially execute arbitrary code with
privileges of Xen (QEMU) process on the host, gain privileges on the
host system, or cause a Denial of Service condition.

Workaround
==

Running guests in Paravirtualization (PV) mode, or running guests in
Hardware-assisted virtualization (HVM) mode utilizing stub domains,
mitigates the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga", in
the xl domain configuration) will avoid the vulnerability.

Resolution
==

All Xen Tools users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.7.1-r8"

References
==

[ 1 ] CVE-2017-2620
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2620

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201703-07

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201703-06 ] Deluge: Remote execution of arbitrary code

2017-03-27 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201703-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Deluge: Remote execution of arbitrary code
 Date: March 28, 2017
 Bugs: #612144
   ID: 201703-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Deluge might allow remote attackers to execute
arbitrary code.

Background
==

Deluge is a BitTorrent client.

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-p2p/deluge                 < 1.3.14                 >= 1.3.14

Description
===

A CSRF vulnerability was discovered in the web UI of Deluge.

Impact
==

A remote attacker could entice a user who is currently logged in to the
Deluge web UI to visit a malicious web page, which uses forged requests
to make Deluge download and install a Deluge plug-in provided by the
attacker. The plug-in can then execute arbitrary code as the user
running Deluge.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Deluge users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-p2p/deluge-1.3.14"

References
==

[ 1 ] CVE-2017-7178
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7178

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201703-06

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201703-04 ] cURL: Certificate validation error

2017-03-27 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201703-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: cURL: Certificate validation error
 Date: March 28, 2017
 Bugs: #610572
   ID: 201703-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A coding error has been found in cURL, causing the TLS Certificate
Status Request extension check to always return true.

Background
==

cURL is a tool and libcurl is a library for transferring data with URL
syntax.

Affected packages
=

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/curl                  < 7.53.0                 >= 7.53.0

Description
===

cURL and applications linked against libcurl support "OCSP stapling",
also known as the TLS Certificate Status Request extension (enabled with
the CURLOPT_SSL_VERIFYSTATUS option). When told to use this feature,
cURL uses that TLS extension to ask the server for fresh proof of its
certificate's validity. If the server doesn't support the extension, or
fails to provide said proof, cURL is expected to return an error.

Due to a coding mistake, the code that checks for a test success or
failure ends up always concluding that there is valid proof, even when
there is none or when the server doesn't support the TLS extension in
question.

Impact
==

Due to the error, a user may not detect when a server's certificate
goes invalid, or may otherwise be misled into thinking the server is in
a better shape than it is in reality.

Workaround
==

There is no known workaround at this time.

Resolution
==

All cURL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/curl-7.53.0"
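
The emerge lines above fix one package; a fleet-side check still has to compare what is installed against the "Vulnerable" column of each table on this page. The following is an added example, not Gentoo's or Portage's code: a small Gentoo-style version comparison that covers only the version shapes these advisories use (dotted integers, an optional `_pN` suffix, an optional `-rN` revision). The installed versions are constructed for the demonstration; the ranges are taken from the tables on this page.

```javascript
// Added example (not Portage's code): a minimal Gentoo-style version
// comparison for checking an installed version against the "Vulnerable"
// column of a GLSA table. It covers only the version shapes that occur in
// the advisories on this page: dotted integer components, an optional _pN
// suffix and an optional -rN revision (e.g. "2.5.3.26780.0-r3", "1.3.1_p6").
// Assumptions: no letter suffixes or _alpha/_beta/_rc/_pre stages, and a
// version with fewer components sorts below one that extends it (1.4.2 < 1.4.2.0).

function parseVersion(v) {
  const m = /^(\d+(?:\.\d+)*)(?:_p(\d+))?(?:-r(\d+))?$/.exec(v);
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return {
    parts: m[1].split('.').map(Number),
    p: m[2] === undefined ? 0 : Number(m[2]),   // _pN patch level (0 when absent)
    r: m[3] === undefined ? 0 : Number(m[3]),   // -rN ebuild revision (0 when absent)
  };
}

// Returns -1, 0 or 1 as a sorts before, equal to or after b.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  const n = Math.min(x.parts.length, y.parts.length);
  for (let i = 0; i < n; i++) {
    if (x.parts[i] !== y.parts[i]) return x.parts[i] < y.parts[i] ? -1 : 1;
  }
  if (x.parts.length !== y.parts.length) return x.parts.length < y.parts.length ? -1 : 1;
  if (x.p !== y.p) return x.p < y.p ? -1 : 1;
  if (x.r !== y.r) return x.r < y.r ? -1 : 1;
  return 0;
}

// vulnerableRange is written the way the GLSA tables write it, e.g. "< 7.53.0".
function isVulnerable(installed, vulnerableRange) {
  const m = /^(<=?|>=?)\s*(\S+)$/.exec(vulnerableRange.trim());
  if (!m) throw new Error(`unsupported range: ${vulnerableRange}`);
  const c = compareVersions(installed, m[2]);
  switch (m[1]) {
    case '<':  return c < 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    default:   return c >= 0;   // '>='
  }
}

// Constructed sample: installed versions as a package query tool would
// report them, and the Vulnerable column from this page's tables.
const SAMPLE_INSTALLED = {
  'net-misc/curl': '7.52.1',
  'media-libs/libfpx': '1.3.1_p6',
  'dev-libs/libgcrypt': '1.6.3-r3',
  'dev-db/firebird': '2.5.3.26780.0-r3',
};
const GLSA_VULNERABLE = {
  'net-misc/curl': '< 7.53.0',
  'media-libs/libfpx': '< 1.3.1_p6',
  'dev-libs/libgcrypt': '< 1.6.3-r4',
  'dev-db/firebird': '< 2.5.3.26780.0-r3',
};

// Lists the installed packages whose version falls inside a Vulnerable range.
function affectedPackages(installed, vulnerable) {
  return Object.keys(installed)
    .filter((pkg) => pkg in vulnerable && isVulnerable(installed[pkg], vulnerable[pkg]))
    .sort();
}

console.log(affectedPackages(SAMPLE_INSTALLED, GLSA_VULNERABLE));
// → [ 'dev-libs/libgcrypt', 'net-misc/curl' ]
```

Note that `-rN` revisions and `_pN` patch levels are compared after the dotted part, so `1.6.3-r3` is still inside `< 1.6.3-r4` even though the upstream version is the same; that is exactly the case the libgcrypt and Xen tables on this page rely on.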

References
==

[ 1 ] CVE-2017-2629
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2629

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201703-04

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201609-01 ] QEMU: Multiple vulnerabilities

2016-09-25 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201609-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: QEMU: Multiple vulnerabilities
 Date: September 25, 2016
 Bugs: #573816, #579734, #580040, #583496, #583952, #584094,
   #584102, #584146, #584514, #584630, #584918, #589924,
   #589928, #591242, #591244, #591374, #591380, #591678,
   #592430, #593036, #593038, #593284, #593956
   ID: 201609-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in QEMU, the worst of which
could lead to arbitrary code execution, or cause a Denial of Service
condition.

Background
==

QEMU is a generic and open source machine emulator and virtualizer.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-emulation/qemu  < 2.7.0-r2   >= 2.7.0-r2

Description
===

Multiple vulnerabilities have been discovered in QEMU. Please review
the CVE identifiers referenced below for details.

Impact
==

Local users within a guest QEMU environment can execute arbitrary code
within the host or cause a Denial of Service condition of the QEMU
guest process.

Workaround
==

There is no known workaround at this time.

Resolution
==

All QEMU users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.7.0-r2"

References
==

[  1 ] CVE-2016-2841
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2841
[  2 ] CVE-2016-4001
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4001
[  3 ] CVE-2016-4002
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4002
[  4 ] CVE-2016-4020
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4020
[  5 ] CVE-2016-4439
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4439
[  6 ] CVE-2016-4441
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4441
[  7 ] CVE-2016-4453
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4453
[  8 ] CVE-2016-4454
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4454
[  9 ] CVE-2016-4964
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4964
[ 10 ] CVE-2016-5106
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5106
[ 11 ] CVE-2016-5107
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5107
[ 12 ] CVE-2016-5126
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5126
[ 13 ] CVE-2016-5238
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5238
[ 14 ] CVE-2016-5337
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5337
[ 15 ] CVE-2016-5338
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5338
[ 16 ] CVE-2016-6490
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6490
[ 17 ] CVE-2016-6833
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6833
[ 18 ] CVE-2016-6834
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6834
[ 19 ] CVE-2016-6836
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6836
[ 20 ] CVE-2016-6888
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6888
[ 21 ] CVE-2016-7116
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7116
[ 22 ] CVE-2016-7156
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7156
[ 23 ] CVE-2016-7157
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7157
[ 24 ] CVE-2016-7422
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7422

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201609-01

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201608-01 ] OptiPNG: Multiple vulnerabilities

2016-08-11 Thread Yury German

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201608-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: OptiPNG: Multiple vulnerabilities
 Date: August 11, 2016
 Bugs: #561882, #579030
   ID: 201608-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in OptiPNG, the worst of which
could lead to the remote execution of arbitrary code, or cause a Denial
of Service condition.

Background
==

OptiPNG is a PNG optimizer that recompresses image files to a smaller
size, without losing any information.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  media-gfx/optipng< 0.7.6>= 0.7.6

Description
===

Multiple vulnerabilities have been discovered in OptiPNG. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker could entice a user to open a specially crafted image
file resulting in the execution of arbitrary code with the privileges
of the process, or a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All OptiPNG users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/optipng-0.7.6"

References
==

[ 1 ] CVE-2016-2191
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2191
[ 2 ] CVE-2016-3981
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3981
[ 3 ] CVE-2016-3982
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3982

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201608-01

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201606-04 ] GnuPG: Multiple vulnerabilities

2016-06-05 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201606-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: GnuPG: Multiple vulnerabilities
 Date: June 05, 2016
 Bugs: #534110, #541564, #541568
   ID: 201606-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in GnuPG and libgcrypt, the
worst of which may allow a local attacker to obtain confidential key
information.

Background
==

The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite
of cryptographic software.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-crypt/gnupg           < 2.0.26-r3        *>= 1.4.19
                                                   >= 2.0.26-r3
  2  dev-libs/libgcrypt        < 1.6.3-r4          >= 1.6.3-r4
---
 2 affected packages

Description
===

Multiple vulnerabilities have been discovered in GnuPG and libgcrypt,
please review the CVE identifiers referenced below for details.

Impact
==

A local attacker could possibly cause a Denial of Service condition.
Side-channel attacks could be leveraged to obtain key material.

Workaround
==

There is no known workaround at this time.

Resolution
==

All GnuPG 2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.26-r3"

All GnuPG 1 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.19"

All libgcrypt users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.6.3-r4"

References
==

[ 1 ] CVE-2014-3591
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3591
[ 2 ] CVE-2015-0837
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0837

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201606-04

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201606-03 ] libjpeg-turbo: Multiple vulnerabilities

2016-06-05 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201606-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: libjpeg-turbo: Multiple vulnerabilities
 Date: June 05, 2016
 Bugs: #491150, #531418
   ID: 201606-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Two vulnerabilities have been discovered in libjpeg-turbo, the worst of
which could allow remote attackers access to sensitive information.

Background
==

libjpeg-turbo is a MMX, SSE, and SSE2 SIMD accelerated JPEG library.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  media-libs/libjpeg-turbo
  < 1.4.2>= 1.4.2

Description
===

libjpeg-turbo does not check for certain duplications of component data
during the reading of segments that follow Start Of Scan (SOS) JPEG
markers.
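
As an added example (not libjpeg-turbo's code), here is the check a hardened reader performs on the SOS header the advisory refers to: walk the marker segments to the first Start Of Scan, then reject a component count outside 1..4, a segment length that does not match it, and any component selector that appears twice. The byte streams are constructed header fragments, not decodable images.

```javascript
// Added example (not libjpeg-turbo's code): walk the marker segments of a
// JPEG byte stream up to the first Start Of Scan (SOS, FF DA) marker and
// validate the SOS header the way a hardened reader should. A duplicated
// component selector (Cs) is the condition the advisory describes as unchecked.

function parseSosHeader(bytes) {
  if (bytes.length < 2 || bytes[0] !== 0xff || bytes[1] !== 0xd8) {
    return { ok: false, reason: 'missing SOI marker' };
  }
  let pos = 2;
  while (pos + 2 <= bytes.length) {
    if (bytes[pos] !== 0xff) return { ok: false, reason: `expected marker at offset ${pos}` };
    const marker = bytes[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }                 // fill byte before a marker
    if (marker === 0xd9) return { ok: false, reason: 'EOI before SOS' };
    if (marker === 0x01 || (marker >= 0xd0 && marker <= 0xd7)) { pos += 2; continue; } // TEM, RSTn: no payload
    if (pos + 4 > bytes.length) return { ok: false, reason: 'truncated segment header' };
    const len = (bytes[pos + 2] << 8) | bytes[pos + 3];           // Ls, includes the 2 length bytes
    if (len < 2 || pos + 2 + len > bytes.length) return { ok: false, reason: 'bad segment length' };
    if (marker !== 0xda) { pos += 2 + len; continue; }            // skip DQT, SOFn, DHT, COM, ...
    // SOS payload: Ns, then Ns pairs of (Cs, Td<<4|Ta), then Ss, Se, Ah<<4|Al
    const ns = bytes[pos + 4];
    if (ns < 1 || ns > 4) return { ok: false, reason: `bad component count ${ns}` };
    if (len !== 6 + 2 * ns) return { ok: false, reason: 'SOS length does not match Ns' };
    const seen = new Set(), components = [];
    for (let i = 0; i < ns; i++) {
      const cs = bytes[pos + 5 + 2 * i], tables = bytes[pos + 6 + 2 * i];
      if (seen.has(cs)) return { ok: false, reason: `duplicate component selector ${cs}` };
      seen.add(cs);
      components.push({ id: cs, dc: tables >> 4, ac: tables & 0x0f });
    }
    return { ok: true, components };
  }
  return { ok: false, reason: 'no SOS marker found' };
}

// Constructed sample streams: SOI, one COM segment (to show that other
// segments are skipped) and an SOS header. Header bytes only, not images.
function sosStream(components) {
  const ns = components.length;
  const pairs = [];
  for (const [cs, td, ta] of components) pairs.push(cs, (td << 4) | ta);
  return Uint8Array.from([
    0xff, 0xd8,                         // SOI
    0xff, 0xfe, 0x00, 0x04, 0x41, 0x42, // COM segment "AB"
    0xff, 0xda, 0x00, 6 + 2 * ns, ns,   // SOS marker, Ls, Ns
    ...pairs,
    0x00, 0x3f, 0x00,                   // Ss, Se, Ah/Al
  ]);
}

const GOOD_SOS = sosStream([[1, 0, 0], [2, 1, 1], [3, 1, 1]]);
const DUPLICATE_SOS = sosStream([[1, 0, 0], [1, 1, 1], [3, 1, 1]]);  // selector 1 twice

console.log(parseSosHeader(GOOD_SOS));       // ok: true, three components
console.log(parseSosHeader(DUPLICATE_SOS));  // ok: false, duplicate component selector 1
```

A reader that skips the duplicate check would happily set up two scan components that refer to the same frame component, which is how the uninitialized-memory read in the Impact section arises; rejecting the scan at the header is the cheap place to stop it.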

Impact
==

Remote attackers could obtain sensitive information from uninitialized
memory locations via crafted JPEG images.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libjpeg-turbo users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-1.4.2"

References
==

[ 1 ] CVE-2013-6629
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6629
[ 2 ] CVE-2013-6630
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6630

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201606-03

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201606-02 ] Puppet Server and Agent: Multiple vulnerabilities

2016-06-05 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201606-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Puppet Server and Agent: Multiple vulnerabilities
 Date: June 05, 2016
 Bugs: #577450, #581372
   ID: 201606-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in Puppet Server and Agent,
the worst of which could lead to arbitrary code execution.

Background
==

Puppet Agent contains Puppet’s main code and all of the dependencies
needed to run it, including Facter, Hiera, and bundled versions of Ruby
and OpenSSL.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-admin/puppet-agent   < 1.4.2>= 1.4.2
  2  app-admin/puppetserver   < 2.3.2>= 2.3.2
---
 2 affected packages

Description
===

Multiple vulnerabilities have been discovered in Puppet Server and
Agent.  Please review the CVE identifiers referenced below for details.

Impact
==

Remote attackers, impersonating a trusted broker, could potentially
execute arbitrary code.

Workaround
==

There is no known workaround at this time.

Resolution
==

All puppet-agent users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/puppet-agent-1.4.2"

All puppetserver users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/puppetserver-2.3.2"

References
==

[ 1 ] CVE-2016-2785
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2785
[ 2 ] CVE-2016-2786
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2786

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201606-02

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201606-01 ] PuTTY: Multiple vulnerabilities

2016-06-05 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201606-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: PuTTY: Multiple vulnerabilities
 Date: June 05, 2016
 Bugs: #565080, #576524
   ID: 201606-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in PuTTY, the worst of which
could lead to arbitrary code execution, or cause a Denial of Service
condition.

Background
==

PuTTY is a telnet and SSH client.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/putty< 0.67 >= 0.67

Description
===

Multiple vulnerabilities have been discovered in PuTTY. Please review
the CVE identifiers referenced below for details.

Impact
==

Stack-based buffer overflow in the SCP command-line utility allows
remote servers to execute arbitrary code or cause a denial of service
condition via a crafted SCP-SINK file-size response to an SCP download
request.

Workaround
==

There is no known workaround at this time.

Resolution
==

All PuTTY users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/putty-0.67"

References
==

[ 1 ] CVE-2015-5309
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5309
[ 2 ] CVE-2016-2563
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2563

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201606-01

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201605-05 ] Linux-PAM: Multiple vulnerabilities

2016-05-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201605-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Linux-PAM: Multiple vulnerabilities
 Date: May 31, 2016
 Bugs: #493432, #505604, #553302
   ID: 201605-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in Linux-PAM, allowing remote
attackers to bypass the auth process and cause Denial of Service.

Background
==

Linux-PAM (Pluggable Authentication Modules) is an architecture
allowing the separation of the development of privilege granting
software from the development of secure and appropriate authentication
schemes.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  sys-libs/pam < 1.2.1>= 1.2.1

Description
===

Multiple vulnerabilities have been discovered in Linux-PAM.  Please
review the CVE identifiers referenced below for details.

Impact
==

Remote attackers could cause Denial of Service, conduct brute force
attacks, and conduct username enumeration.
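
Brute-force and enumeration attempts leave a trace in the pam_unix messages, so the following added example (not Linux-PAM's code) runs simple detection logic over constructed auth log lines: failures are grouped by rhost, repeated failures mark a brute-force source, and a source that tries several names marks an enumeration source (unknown users appear as failures with no user= field, because pam_unix does not log the name). The thresholds, host names and addresses are assumptions for the demonstration.

```javascript
// Added example (not Linux-PAM's code): detection logic over pam_unix
// authentication-failure lines. Sample lines are constructed; addresses come
// from the 192.0.2.0/24 documentation range.

// Extracts service, remote host and (when logged) the user from one
// "pam_unix(<service>:auth): authentication failure; ..." line.
function parseAuthFailure(line) {
  const m = /pam_unix\(([^:]+):auth\): authentication failure;.*\brhost=(\S*)(?:\s+user=(\S+))?/.exec(line);
  if (!m) return null;
  return { service: m[1], rhost: m[2], user: m[3] || null };
}

// Groups failures per rhost and flags sources that exceed the thresholds.
// An unknown-user failure (no user= field) counts as one more name tried.
function summarizeFailures(lines, { bruteForceMin = 5, enumMin = 3 } = {}) {
  const byHost = new Map();
  for (const line of lines) {
    const f = parseAuthFailure(line);
    if (!f) continue;
    if (!byHost.has(f.rhost)) byHost.set(f.rhost, { failures: 0, users: new Set(), unknown: 0 });
    const h = byHost.get(f.rhost);
    h.failures += 1;
    if (f.user) h.users.add(f.user); else h.unknown += 1;
  }
  const findings = [];
  for (const [rhost, h] of byHost) {
    const namesTried = h.users.size + h.unknown;
    const kinds = [];
    if (h.failures >= bruteForceMin) kinds.push('brute-force');
    if (namesTried >= enumMin) kinds.push('enumeration');
    if (kinds.length) findings.push({ rhost, failures: h.failures, namesTried, kinds });
  }
  return findings.sort((a, b) => a.rhost.localeCompare(b.rhost));
}

// Constructed sample auth log (syslog layout used by pam_unix via sshd).
const SAMPLE_AUTH_LOG = [
  'May 31 10:00:01 gw sshd[2011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root',
  'May 31 10:00:02 gw sshd[2012]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root',
  'May 31 10:00:03 gw sshd[2013]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root',
  'May 31 10:00:04 gw sshd[2014]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root',
  'May 31 10:00:05 gw sshd[2015]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root',
  'May 31 10:00:06 gw sshd[2016]: pam_unix(sshd:auth): check pass; user unknown',
  'May 31 10:00:06 gw sshd[2016]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.20',
  'May 31 10:00:07 gw sshd[2017]: pam_unix(sshd:auth): check pass; user unknown',
  'May 31 10:00:07 gw sshd[2017]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.20',
  'May 31 10:00:08 gw sshd[2018]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.20  user=bob',
  'May 31 10:00:09 gw sshd[2019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.30  user=alice',
  'May 31 10:00:10 gw sshd[2020]: Accepted publickey for alice from 192.0.2.30 port 50022 ssh2',
];

console.log(summarizeFailures(SAMPLE_AUTH_LOG));
// → 192.0.2.10 flagged brute-force (5 failures, one name),
//   192.0.2.20 flagged enumeration (3 names tried, two of them unknown)
```

The "check pass; user unknown" lines are the enumeration tell: a source that keeps producing them is probing names rather than passwords, and the missing user= field distinguishes those failures from ordinary wrong-password attempts against a real account.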

Workaround
==

There is no known workaround at this time.

Resolution
==

All Linux-PAM users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-libs/pam-1.2.1"

References
==

[ 1 ] CVE-2013-7041
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7041
[ 2 ] CVE-2014-2583
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2583
[ 3 ] CVE-2015-3238
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3238

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201605-05

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201605-03 ] libfpx: Denial of Service

2016-05-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201605-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: libfpx: Denial of Service
 Date: May 30, 2016
 Bugs: #395367
   ID: 201605-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A double free vulnerability has been discovered in libfpx that allows
remote attackers to cause a Denial of Service.

Background
==

libfpx is a library for manipulating FlashPIX images.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  media-libs/libfpx   < 1.3.1_p6   >= 1.3.1_p6

Description
===

A double free vulnerability has been discovered in the Free_All_Memory
function in jpeg/dectile.c.

Impact
==

A remote attacker could entice a user to open a specially crafted FPX
image using an application linked against libfpx, possibly resulting in
a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libfpx users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libfpx-1.3.1_p6"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.

References
==

[ 1 ] CVE-2012-0025
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0025

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201605-03

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201604-03 ] Xen: Multiple vulnerabilities

2016-04-05 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201604-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Xen: Multiple vulnerabilities
 Date: April 05, 2016
 Bugs: #445254, #513832, #547202, #549200, #549950, #550658,
   #553664, #553718, #32, #556304, #561110, #564472,
   #564932, #566798, #566838, #566842, #567962, #571552,
   #571556, #574012
   ID: 201604-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in Xen, the worst of which
could cause a Denial of Service.

Background
==

Xen is a bare-metal hypervisor.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-emulation/xen            < 4.6.0-r9        >= 4.6.0-r9
                                                   *>= 4.5.2-r5
  2  app-emulation/xen-pvgrub     < 4.6.0           Vulnerable!
  3  app-emulation/xen-tools      < 4.6.0-r9        >= 4.6.0-r9
                                                   *>= 4.5.2-r5
  4  app-emulation/pvgrub                           >= 4.6.0
                                                   *>= 4.5.2
---
 NOTE: Certain packages are still vulnerable. Users should migrate
   to another package if one is available or wait for the
   existing packages to be marked stable by their
   architecture maintainers.
---
 4 affected packages

Description
===

Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.

Impact
==

A local attacker could possibly cause a Denial of Service condition or
obtain sensitive information.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Xen 4.5 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.5.2-r5"

All Xen 4.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.6.0-r9"

All Xen tools 4.5 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.5.2-r5"

All Xen tools 4.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.6.0-r9"

All Xen pvgrub users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-pvgrub-4.6.0"

References
==

[  1 ] CVE-2012-3494
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3494
[  2 ] CVE-2012-3495
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3495
[  3 ] CVE-2012-3496
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3496
[  4 ] CVE-2012-3497
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3497
[  5 ] CVE-2012-3498
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3498
[  6 ] CVE-2012-3515
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3515
[  7 ] CVE-2012-4411
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4411
[  8 ] CVE-2012-4535
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4535
[  9 ] CVE-2012-4536
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4536
[ 10 ] CVE-2012-4537
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4537
[ 11 ] CVE-2012-4538
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4538
[ 12 ] CVE-2012-4539
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4539
[ 13 ] CVE-2012-6030
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6030
[ 14 ] CVE-2012-6031
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6031
[ 15 ] CVE-2012-6032
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6032
[ 16 ] CVE-2012-6033
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6033
[ 17 ] CVE-2012-6034
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6034
[ 18 ] CVE-2012-6035
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6035
[ 19 ] CVE-2012-6036
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6036
[ 20 ] CVE-2015-2151
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2151
[ 21 ] CVE-2015-3209
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3209
[ 22 ] CVE-2015-3259
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3259
[ 23 ] CVE-2015-3340
   

[gentoo-announce] [ GLSA 201512-11 ] Firebird: Buffer Overflow

2015-12-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Firebird: Buffer Overflow
 Date: December 30, 2015
 Bugs: #460780
   ID: 201512-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A buffer overflow in Firebird might allow remote attackers to execute
arbitrary code.

Background
==

Firebird is a multi-platform, open source relational database.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-db/firebird < 2.5.3.26780.0-r3   >= 2.5.3.26780.0-r3

Description
===

The vulnerability is caused due to an error when processing requests
from remote clients.

Impact
==

A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Firebird users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-db/firebird-2.5.3.26780.0-r3"

NOTE: The Firebird package was moved to the testing branch (unstable) of
Gentoo. There is currently no stable version of Firebird, and there
will be no further GLSAs for this package.

References
==

[ 1 ] CVE-2013-2492
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2492

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201512-11

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201512-12 ] KDE Systemsettings: Privilege escalation

2015-12-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: KDE Systemsettings: Privilege escalation
 Date: December 30, 2015
 Bugs: #528468
   ID: 201512-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Data validation in KDE Systemsettings could lead to local privilege
escalation.

Background
==

The KDE workspace configuration module for setting the date and time has
a helper program which runs as root for performing actions.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  kde-base/systemsettings< 4.11.13-r1>= 4.11.13-r1

Description
===

KDE Systemsettings fails to properly validate user input before passing
it as argument in context of higher privilege.

Impact
==

A local attacker could gain privileges via a crafted ntpUtility (ntp
utility name) argument.

Workaround
==

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action.
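
The workaround written out, as an added example rather than KDE's or polkit's own code: polkit rules are JavaScript files under /etc/polkit-1/rules.d/ (the file name 10-kcmclock.rules is assumed here), and a rule that returns polkit.Result.NO denies the action for every subject. The `polkit` object below is a tiny stand-in for polkit's rule API so that the rule's effect can be checked offline; only the `polkit.addRule(...)` call belongs in the rules file.

```javascript
// Added example (not KDE's or polkit's code). The rule itself is the
// polkit.addRule(...) call; everything else is a stand-in for polkit's
// rule API that exists only to verify the rule offline.

// --- stand-in for polkit's rule API (offline checking only) ---
const polkit = {
  Result: { NO: 'no', YES: 'yes', AUTH_ADMIN: 'auth_admin' },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // Mirrors polkit's evaluation order: rules run in order and the first one
  // returning a value decides; undefined falls through to the next rule.
  evaluate(actionId, subject) {
    for (const rule of this._rules) {
      const r = rule({ id: actionId }, subject);
      if (r !== undefined) return r;
    }
    return undefined;   // no rule matched: the action's default policy applies
  },
};

// --- contents of /etc/polkit-1/rules.d/10-kcmclock.rules (file name assumed) ---
polkit.addRule(function (action, subject) {
  // Deny the kcmclock save helper for everyone until the fixed
  // systemsettings build from the Resolution section is installed.
  if (action.id == "org.kde.kcontrol.kcmclock.save") {
    return polkit.Result.NO;
  }
});

// Asks the stand-in what polkit would answer for a given action and subject.
function decide(actionId, subject) {
  return polkit.evaluate(actionId, subject);
}

const localAdmin = { user: 'alice', local: true, active: true, isInGroup: (g) => g === 'wheel' };
console.log(decide('org.kde.kcontrol.kcmclock.save', localAdmin));   // "no"
console.log(decide('org.kde.kcontrol.kcmclock.other', localAdmin));  // undefined
```

Since the rule returns NO unconditionally, it also blocks legitimate clock changes through the module; remove the file after upgrading to the fixed version so the default policy applies again.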

Resolution
==

All KDE Systemsettings users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=kde-base/systemsettings-4.11.13-r1"

References
==

[ 1 ] CVE-2014-8651
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8651

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201512-12

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


[gentoo-announce] [ GLSA 201512-13 ] InspIRCd: Multiple vulnerabilities

2015-12-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: InspIRCd: Multiple vulnerabilities
 Date: December 30, 2015
 Bugs: #545034, #570244
   ID: 201512-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in InspIRCd, the worst
allowing remote attackers to execute arbitrary code.

Background
==

InspIRCd is a modular Internet Relay Chat (IRC) server written in C++
which was created from scratch to be stable, modern and lightweight.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-irc/inspircd < 2.0.20  >= 2.0.20

Description
===

Multiple vulnerabilities have been discovered in InspIRCd. Please
review the CVE identifiers referenced below for details.

Impact
==

A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All InspIRCd users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-irc/inspircd-2.0.20"

References
==

[ 1 ] CVE-2012-6697
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6697
[ 2 ] CVE-2015-6674
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6674
[ 3 ] CVE-2015-8702
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8702

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201512-13

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201512-07 ] GStreamer: User-assisted execution of arbitrary code

2015-12-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: GStreamer: User-assisted execution of arbitrary code
 Date: December 30, 2015
 Bugs: #553742
   ID: 201512-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A buffer overflow in GStreamer could allow remote attackers to execute
arbitrary code or cause Denial of Service.

Background
==

GStreamer is an open source multimedia framework.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  media-libs/gstreamer < 1.4.5>= 1.4.5

Description
===

A buffer overflow vulnerability has been found in the parsing of H.264
formatted video.

Impact
==

A remote attacker could entice a user to open a specially crafted H.264
formatted video using an application linked against GStreamer, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All GStreamer users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/gstreamer-1.4.5"

References
==

[ 1 ] CVE-2015-0797
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0797

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201512-07

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201512-06 ] MPFR: User-assisted execution of arbitrary code

2015-12-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: MPFR: User-assisted execution of arbitrary code
 Date: December 30, 2015
 Bugs: #532028
   ID: 201512-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A buffer overflow vulnerability in MPFR could allow remote attackers to
execute arbitrary code or cause Denial of Service.

Background
==

MPFR is a library for multiple-precision floating-point computations
with exact rounding.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-libs/mpfr   < 3.1.3_p4   >= 3.1.3_p4

Description
===

MPFR fails to adequately check user-supplied input, which could lead to
a buffer overflow.

Impact
==

A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MPFR users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/mpfr-3.1.3_p4"

References
==

[ 1 ] CVE-2014-9474
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9474

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201512-06

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201512-08 ] ClamAV: Multiple vulnerabilities

2015-12-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: ClamAV: Multiple vulnerabilities
 Date: December 30, 2015
 Bugs: #538084, #548066
   ID: 201512-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in ClamAV, possibly resulting
in Denial of Service.

Background
==

ClamAV is a GPL virus scanner.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-antivirus/clamav < 0.98.7  >= 0.98.7

Description
===

Multiple vulnerabilities have been discovered in ClamAV. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker could cause ClamAV to scan a specially crafted file,
possibly resulting in a Denial of Service condition or other
unspecified impact.

Workaround
==

There is no known workaround at this time.

Resolution
==

All ClamAV users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.98.7"

References
==

[ 1 ] CVE-2014-9328
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9328
[ 2 ] CVE-2015-1461
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1461
[ 3 ] CVE-2015-1462
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1462
[ 4 ] CVE-2015-1463
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1463
[ 5 ] CVE-2015-2170
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2170
[ 6 ] CVE-2015-2221
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2221
[ 7 ] CVE-2015-
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-
[ 8 ] CVE-2015-2668
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2668

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201512-08

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201512-09 ] encfs: Multiple vulnerabilities

2015-12-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: encfs: Multiple vulnerabilities
 Date: December 30, 2015
 Bugs: #510290
   ID: 201512-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in encfs, the worst of which
can allow remote attackers to execute arbitrary code or cause a Denial
of Service condition.

Background
==

Encfs is an implementation of an encrypted filesystem in user space
using FUSE.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  sys-fs/encfs < 1.7.5>= 1.7.5

Description
===

Multiple vulnerabilities have been discovered in encfs. Please review
the CVE identifiers referenced below for details.

Impact
==

A local attacker can utilize a possible buffer overflow in the
encodeName method of StreamNameIO and BlockNameIO to execute arbitrary
code or cause a Denial of Service. Additionally, multiple weak
cryptographic practices have been found in encfs.

Workaround
==

There is no known workaround at this time.

Resolution
==

All encfs users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-fs/encfs-1.7.5"

References
==

[ 1 ] CVE-2014-3462
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3462

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201512-09

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201512-10 ] Mozilla Products: Multiple vulnerabilities

2015-12-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Mozilla Products: Multiple vulnerabilities
 Date: December 30, 2015
 Bugs: #545232, #554036, #556942, #564818, #568376
   ID: 201512-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in Mozilla Firefox and
Thunderbird, the worst of which may allow user-assisted execution of
arbitrary code.

Background
==

Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  www-client/firefox          < 38.5.0    >= 38.5.0
  2  www-client/firefox-bin      < 38.5.0    >= 38.5.0
  3  mail-client/thunderbird     < 38.5.0    >= 38.5.0
  4  mail-client/thunderbird-bin < 38.5.0    >= 38.5.0
---
 4 affected packages

Description
===

Multiple vulnerabilities have been discovered in Mozilla Firefox and
Mozilla Thunderbird. Please review the CVE identifiers referenced below
for details.

Impact
==

A remote attacker could entice a user to view a specially crafted web
page or email, possibly resulting in execution of arbitrary code or a
Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Firefox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-38.5.0"

All Firefox-bin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-38.5.0"

All Thunderbird users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-38.5.0"

All Thunderbird-bin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-38.5.0"

References
==

[  1 ] CVE-2015-0798
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0798
[  2 ] CVE-2015-0799
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0799
[  3 ] CVE-2015-0801
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0801
[  4 ] CVE-2015-0802
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0802
[  5 ] CVE-2015-0803
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0803
[  6 ] CVE-2015-0804
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0804
[  7 ] CVE-2015-0805
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0805
[  8 ] CVE-2015-0806
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0806
[  9 ] CVE-2015-0807
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0807
[ 10 ] CVE-2015-0808
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0808
[ 11 ] CVE-2015-0810
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0810
[ 12 ] CVE-2015-0811
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0811
[ 13 ] CVE-2015-0812
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0812
[ 14 ] CVE-2015-0813
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0813
[ 15 ] CVE-2015-0814
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0814
[ 16 ] CVE-2015-0815
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0815
[ 17 ] CVE-2015-0816
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0816
[ 18 ] CVE-2015-2706
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2706
[ 19 ] CVE-2015-2721
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2721
[ 20 ] CVE-2015-2722
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2722
[ 21 ] CVE-2015-2724
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2724
[ 22 ] CVE-2015-2725
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2725
[ 23 ] CVE-2015-2726
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2726
[ 24 ] CVE-2015-2727
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2727
[ 25 ] CVE-2015-2728
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2728
[ 26 ] CVE-2015-2729
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2729
[ 27 ] CVE-2015-2730
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2730
[ 28 ] CVE-2015-2731
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2731
[ 29 ] CVE-2015-2733
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2733
[ 30 ] CVE-2015-2734
   

[gentoo-announce] [ GLSA 201512-04 ] OpenSSH: Multiple vulnerabilities

2015-12-21 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: OpenSSH: Multiple vulnerabilities
 Date: December 20, 2015
 Bugs: #553724, #18, #557340
   ID: 201512-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in OpenSSH, the worst of which
could lead to arbitrary code execution, or cause a Denial of Service
condition.

Background
==

OpenSSH is a complete SSH protocol implementation that includes SFTP
client and server support.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/openssh   < 7.1_p1-r2  >= 7.1_p1-r2

Description
===

Multiple vulnerabilities have been discovered in OpenSSH. Please review
the CVE identifiers referenced below for details.

Impact
==



Workaround
==

There is no known workaround at this time.

Resolution
==

All OpenSSH users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-6.9_p1-r2"

References
==

[ 1 ] CVE-2015-5352
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5352
[ 2 ] CVE-2015-5600
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5600
[ 3 ] CVE-2015-6563
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6563
[ 4 ] CVE-2015-6564
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6564
[ 5 ] CVE-2015-6565
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6565

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201512-04

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201512-05 ] gdk-pixbuf: Multiple Vulnerabilities

2015-12-21 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: gdk-pixbuf: Multiple Vulnerabilities
 Date: December 21, 2015
 Bugs: #556314, #562878, #562880
   ID: 201512-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple buffer overflow vulnerabilities in gdk-pixbuf may allow remote
attackers to execute arbitrary code or cause Denial of Service.

Background
==

gdk-pixbuf is an image loading library for GTK+.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  x11-libs/gdk-pixbuf  < 2.32.1  >= 2.32.1

Description
===

Three heap-based buffer overflow vulnerabilities have been discovered
in gdk-pixbuf. Please review the CVE identifiers referenced below for
details.

Impact
==

A remote attacker could entice a user to open a specially crafted image
file with an application linked against gdk-pixbuf, possibly resulting
in execution of arbitrary code with the privileges of the process or a
Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All gdk-pixbuf users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/gdk-pixbuf-2.32.1"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.

References
==

[ 1 ] CVE-2015-4491
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4491
[ 2 ] CVE-2015-7673
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7673
[ 3 ] CVE-2015-7674
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7674

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201512-05

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201512-02 ] IPython: User-assisted execution of arbitrary code

2015-12-17 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201512-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: IPython: User-assisted execution of arbitrary code
 Date: December 17, 2015
 Bugs: #560708
   ID: 201512-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A vulnerability in IPython could result in execution of arbitrary
JavaScript.

Background
==

IPython is an advanced interactive shell for Python.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-python/ipython  < 3.2.1-r1   >= 3.2.1-r1

Description
===

IPython does not properly check the MIME type of a file.

Impact
==

A remote attacker could entice a user to open a specially crafted text
file using IPython, possibly resulting in execution of arbitrary
JavaScript with the privileges of the process.

Workaround
==

There is no known workaround at this time.

Resolution
==

All IPython users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/ipython-3.2.1-r1"

References
==

[ 1 ] CVE-2015-7337
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7337

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201512-02

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201508-03 ] Icecast: Denial of Service

2015-08-15 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201508-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Icecast: Denial of Service
 Date: August 15, 2015
 Bugs: #545968
   ID: 201508-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A bug in the Icecast code handling source client URL authentication
causes a Denial of Service condition.

Background
==

Icecast is an open source alternative to shoutcast that supports mp3,
ogg (vorbis/theora) and aac streaming.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/icecast      < 2.4.2    >= 2.4.2

Description
===

When a stream_auth handler is defined for URL authentication and a
request is sent without login credentials, a Denial of Service
condition can occur.

Impact
==

A remote attacker could possibly cause a Denial of Service condition.

Workaround
==

Users of affected versions can change stream_auth mountpoints to use
password authentication instead.

Resolution
==

All icecast users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/icecast-2.4.2"

References
==

[ 1 ] CVE-2015-3026
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3026

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201508-03

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201508-02 ] libgadu: Multiple vulnerabilities

2015-08-15 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201508-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: libgadu: Multiple vulnerabilities
 Date: August 15, 2015
 Bugs: #490238, #505558, #510714
   ID: 201508-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in libgadu, the worst of which
may result in execution of arbitrary code.

Background
==

libgadu is a library that implements the client side of the Gadu-Gadu
protocol.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-libs/libgadu      < 1.12.0   >= 1.12.0

Description
===

libgadu contains multiple vulnerabilities:

* X.509 certificates are not properly validated (CVE-2013-4488)
* An integer overflow error could lead to a buffer overflow
  (CVE-2013-6487)
* Malformed responses from a Gadu-Gadu file relay server are not
  properly handled (CVE-2014-3775)

Impact
==

A remote attacker may be able to execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, or
spoof servers.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libgadu users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libgadu-1.12.0"

References
==

[ 1 ] CVE-2013-4488
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4488
[ 2 ] CVE-2013-6487
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6487
[ 3 ] CVE-2014-3775
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3775

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201508-02

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature


[gentoo-announce] [ GLSA 201508-01 ] Adobe Flash Player: Multiple vulnerabilities

2015-08-14 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201508-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
 Date: August 15, 2015
 Bugs: #554882, #557342
   ID: 201508-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which allows remote attackers to execute arbitrary code.

Background
==

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  www-plugins/adobe-flash   < 11.2.202.508   >= 11.2.202.508

Description
===

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.

Impact
==

A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Adobe Flash Player users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.508"

References
==

[  1 ] CVE-2015-3107
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3107
[  2 ] CVE-2015-5122
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5122
[  3 ] CVE-2015-5123
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5123
[  4 ] CVE-2015-5124
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5124
[  5 ] CVE-2015-5125
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5125
[  6 ] CVE-2015-5127
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5127
[  7 ] CVE-2015-5129
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5129
[  8 ] CVE-2015-5130
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5130
[  9 ] CVE-2015-5131
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5131
[ 10 ] CVE-2015-5132
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5132
[ 11 ] CVE-2015-5133
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5133
[ 12 ] CVE-2015-5134
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5134
[ 13 ] CVE-2015-5539
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5539
[ 14 ] CVE-2015-5540
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5540
[ 15 ] CVE-2015-5541
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5541
[ 16 ] CVE-2015-5544
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5544
[ 17 ] CVE-2015-5545
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5545
[ 18 ] CVE-2015-5546
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5546
[ 19 ] CVE-2015-5547
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5547
[ 20 ] CVE-2015-5548
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5548
[ 21 ] CVE-2015-5549
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5549
[ 22 ] CVE-2015-5550
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5550
[ 23 ] CVE-2015-5551
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5551
[ 24 ] CVE-2015-5552
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5552
[ 25 ] CVE-2015-5553
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5553
[ 26 ] CVE-2015-5554
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5554
[ 27 ] CVE-2015-
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-
[ 28 ] CVE-2015-5556
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5556
[ 29 ] CVE-2015-5557
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5557
[ 30 ] CVE-2015-5558
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5558
[ 31 ] CVE-2015-5559
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5559
[ 32 ] CVE-2015-5560
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5560
[ 33 ] CVE-2015-5561
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5561
[ 34 ] CVE-2015-5562
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5562
[ 35 ] CVE-2015-5563
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5563
[ 36 ] CVE-2015-5564
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5564
[ 37 ] CVE-2015-5965
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5965

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201508-01

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

[gentoo-announce] [ GLSA 201506-04 ] Chromium: Multiple vulnerabilities

2015-06-22 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201506-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Chromium: Multiple vulnerabilities
 Date: June 23, 2015
 Bugs: #545300, #546728, #548108, #549944
   ID: 201506-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been fixed in Chromium, the worst of
which can cause arbitrary remote code execution.

Background
==

Chromium is an open-source web browser project.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  www-client/chromium        < 43.0.2357.65     >= 43.0.2357.65

Description
===

Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers referenced below for details.

Impact
==

A remote attacker can cause arbitrary remote code execution, Denial of
Service or bypass of security mechanisms.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-client/chromium-43.0.2357.65"

References
==

[  1 ] CVE-2015-1233
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1233
[  2 ] CVE-2015-1234
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1234
[  3 ] CVE-2015-1235
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1235
[  4 ] CVE-2015-1236
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1236
[  5 ] CVE-2015-1237
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1237
[  6 ] CVE-2015-1238
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1238
[  7 ] CVE-2015-1240
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1240
[  8 ] CVE-2015-1241
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1241
[  9 ] CVE-2015-1242
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1242
[ 10 ] CVE-2015-1243
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1243
[ 11 ] CVE-2015-1244
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1244
[ 12 ] CVE-2015-1245
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1245
[ 13 ] CVE-2015-1246
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1246
[ 14 ] CVE-2015-1247
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1247
[ 15 ] CVE-2015-1248
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1248
[ 16 ] CVE-2015-1250
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1250
[ 17 ] CVE-2015-1251
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1251
[ 18 ] CVE-2015-1252
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1252
[ 19 ] CVE-2015-1253
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1253
[ 20 ] CVE-2015-1254
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1254
[ 21 ] CVE-2015-1255
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1255
[ 22 ] CVE-2015-1256
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1256
[ 23 ] CVE-2015-1257
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1257
[ 24 ] CVE-2015-1258
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1258
[ 25 ] CVE-2015-1259
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1259
[ 26 ] CVE-2015-1260
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1260
[ 27 ] CVE-2015-1262
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1262
[ 28 ] CVE-2015-1263
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1263
[ 29 ] CVE-2015-1264
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1264
[ 30 ] CVE-2015-1265
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1265

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201506-04

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201504-04 ] Xen: Multiple vulnerabilities

2015-04-11 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201504-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Xen: Multiple vulnerabilities
 Date: April 11, 2015
 Bugs: #478280, #482138, #512294, #519800, #530182, #530980,
   #532030, #536220, #542266, #543304, #545144
   ID: 201504-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in Xen, the worst of which can
allow remote attackers to cause a Denial of Service condition.

Background
==

Xen is a bare-metal hypervisor.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-emulation/xen          < 4.4.2-r1         >= 4.4.2-r1
                                                  *>= 4.2.5-r8

Description
===

Multiple vulnerabilities have been discovered in Xen.  Please review
the CVE identifiers referenced below for details.

Impact
==

A local attacker could possibly cause a Denial of Service condition or
obtain sensitive information.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Xen 4.4 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.4.2-r1"

All Xen 4.2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.2.5-r8"

References
==

[  1 ] CVE-2013-2212
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2212
[  2 ] CVE-2013-3495
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3495
[  3 ] CVE-2014-3967
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3967
[  4 ] CVE-2014-3968
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3968
[  5 ] CVE-2014-5146
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5146
[  6 ] CVE-2014-5149
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5149
[  7 ] CVE-2014-8594
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8594
[  8 ] CVE-2014-8595
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8595
[  9 ] CVE-2014-8866
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8866
[ 10 ] CVE-2014-8867
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8867
[ 11 ] CVE-2014-9030
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9030
[ 12 ] CVE-2014-9065
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9065
[ 13 ] CVE-2014-9066
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9066
[ 14 ] CVE-2015-0361
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0361
[ 15 ] CVE-2015-2044
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2044
[ 16 ] CVE-2015-2045
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2045
[ 17 ] CVE-2015-2152
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2152
[ 18 ] CVE-2015-2751
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2751
[ 19 ] CVE-2015-2752
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2752
[ 20 ] CVE-2015-2756
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2756

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201504-04

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201504-03 ] Apache: Multiple vulnerabilities

2015-04-11 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201504-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Apache: Multiple vulnerabilities
 Date: April 11, 2015
 Bugs: #535948
   ID: 201504-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in Apache HTTP Server, the
worst of which could lead to arbitrary code execution.

Background
==

Apache HTTP Server is one of the most popular web servers on the
Internet.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  www-servers/apache         < 2.2.29           >= 2.2.29

Description
===

Multiple vulnerabilities have been discovered in Apache HTTP Server.
Please review the CVE identifiers referenced below for details.

Impact
==

A remote attacker may be able to execute arbitrary code or cause a
Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Apache users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.29"

References
==

[ 1 ] CVE-2014-0118
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0118
[ 2 ] CVE-2014-0226
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0226
[ 3 ] CVE-2014-0231
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0231
[ 4 ] CVE-2014-5704
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5704

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201504-03

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201504-05 ] MySQL and MariaDB: Multiple vulnerabilities

2015-04-11 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201504-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: MySQL and MariaDB: Multiple vulnerabilities
 Date: April 11, 2015
 Bugs: #537216, #537262
   ID: 201504-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in MySQL and MariaDB, the
worst of which can allow remote attackers to cause a Denial of Service
condition.

Background
==

MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an
enhanced, drop-in replacement for MySQL.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-db/mysql               < 5.6.22           >= 5.6.22
  2  dev-db/mariadb             < 10.0.16          >= 10.0.16
---
 2 affected packages

Description
===

Multiple vulnerabilities have been discovered in MySQL and MariaDB.
Please review the CVE identifiers referenced below for details.

Impact
==

A remote attacker could exploit vulnerabilities to possibly cause a
Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MySQL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.22"

All MariaDB users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.0.16"

References
==

[ 1 ] CVE-2014-6568
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6568
[ 2 ] CVE-2015-0374
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0374
[ 3 ] CVE-2015-0381
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0381
[ 4 ] CVE-2015-0382
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0382
[ 5 ] CVE-2015-0385
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0385
[ 6 ] CVE-2015-0391
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0391
[ 7 ] CVE-2015-0409
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0409
[ 8 ] CVE-2015-0411
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0411
[ 9 ] CVE-2015-0432
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0432

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201504-05

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201412-41 ] OpenVPN: Denial of Service

2014-12-26 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201412-41
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: OpenVPN: Denial of Service
 Date: December 26, 2014
 Bugs: #531308
   ID: 201412-41

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A vulnerability in OpenVPN could lead to Denial of Service.

Background
==

OpenVPN is a multi-platform, full-featured SSL VPN solution.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/openvpn           < 2.3.6            >= 2.3.6

Description
===

OpenVPN does not properly handle control channel packets that are too
small.

Impact
==

A remote authenticated attacker could send a specially crafted control
channel packet, possibly resulting in a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All OpenVPN users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/openvpn-2.3.6"

References
==

[ 1 ] CVE-2014-8104
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8104

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201412-41.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201412-42 ] Xen: Denial of Service

2014-12-26 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201412-42
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Xen: Denial of Service
 Date: December 26, 2014
 Bugs: #523524, #524200
   ID: 201412-42

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in Xen, possibly resulting in
Denial of Service.

Background
==

Xen is a bare-metal hypervisor.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-emulation/xen          < 4.4.1-r2        *>= 4.2.5-r1
                                                   >= 4.4.1-r2

Description
===

Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.

Impact
==

A local user could possibly cause a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Xen 4.2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.2.5-r1"

All Xen 4.4 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.4.1-r2"

References
==

[ 1 ] CVE-2014-7154
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7154
[ 2 ] CVE-2014-7155
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7155
[ 3 ] CVE-2014-7156
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7156
[ 4 ] CVE-2014-7188
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7188

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201412-42.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201412-43 ] MuPDF: User-assisted execution of arbitrary code

2014-12-26 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201412-43
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: MuPDF: User-assisted execution of arbitrary code
 Date: December 26, 2014
 Bugs: #358029, #498876
   ID: 201412-43

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in MuPDF, possibly resulting
in remote code execution or Denial of Service.

Background
==

MuPDF is a lightweight PDF viewer and toolkit written in portable C.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-text/mupdf             < 1.3_p20140118    >= 1.3_p20140118

Description
===

Multiple vulnerabilities have been discovered in MuPDF. Please review
the CVE identifier and Secunia Research referenced below for details.

Impact
==

A remote attacker could entice a user to open a specially crafted PDF
using MuPDF, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MuPDF users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/mupdf-1.3_p20140118"

References
==

[ 1 ] CVE-2014-2013
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2013
[ 2 ] Secunia Research: MuPDF Two Integer Overflow Vulnerabilities
  http://secunia.com/secunia_research/2011-12/

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201412-43.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201412-44 ] policycoreutils: Privilege escalation

2014-12-26 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201412-44
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: policycoreutils: Privilege escalation
 Date: December 26, 2014
 Bugs: #509896
   ID: 201412-44

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A vulnerability in policycoreutils could lead to local privilege
escalation.

Background
==

policycoreutils is a collection of SELinux policy utilities.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  sys-apps/policycoreutils
                                 < 2.2.5-r4         >= 2.2.5-r4

Description
===

The seunshare utility is owned by root with 4755 permissions which can
be exploited by a setuid system call.

Impact
==

A local attacker may be able to gain escalated privileges.

Workaround
==

There is no known workaround at this time.

Resolution
==

All policycoreutils users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=sys-apps/policycoreutils-2.2.5-r4"

References
==

[ 1 ] CVE-2014-3215
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3215

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201412-44.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201412-46 ] LittleCMS: Denial of Service

2014-12-26 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201412-46
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: LittleCMS: Denial of Service
 Date: December 26, 2014
 Bugs: #479874, #507788
   ID: 201412-46

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple buffer overflow flaws and a parser error in LittleCMS could
cause Denial of Service.

Background
==

LittleCMS, or lcms for short, is a color management system for working
with ICC profiles. It is used by many applications, including GIMP and
Firefox.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  media-libs/lcms            < 2.6-r1           >= 2.6-r1

Description
===

Multiple stack-based buffer overflows and a profile parser error have
been found in LittleCMS.

Impact
==

A remote attacker could entice a user or automated system to open a
specially crafted file containing a malicious ICC profile, possibly
resulting in a Denial of Service condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All LittleCMS users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/lcms-2.6-r1"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.

NOTE: Gentoo has discontinued support for the LittleCMS 1.9 branch.

References
==

[ 1 ] CVE-2013-4276
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4276
[ 2 ] CVE-2014-0459
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0459

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201412-46.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201412-34 ] NTP: Multiple vulnerabilities

2014-12-24 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201412-34
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: NTP: Multiple vulnerabilities
 Date: December 24, 2014
 Bugs: #533076
   ID: 201412-34

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in NTP, the worst of which
could result in remote execution of arbitrary code.

Background
==

NTP is a protocol designed to synchronize the clocks of computers over
a network. The net-misc/ntp package contains the official reference
implementation by the NTP Project.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/ntp               < 4.2.8            >= 4.2.8

Description
===

Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.

Impact
==

A remote unauthenticated attacker may be able to execute arbitrary code
with the privileges of the process, cause a Denial of Service
condition, and obtain sensitive information that could assist in other
attacks.

Workaround
==

There is no known workaround at this time.

Resolution
==

All NTP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8"

References
==

[ 1 ] CVE-2014-9293
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9293
[ 2 ] CVE-2014-9294
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9294
[ 3 ] CVE-2014-9295
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9295
[ 4 ] CVE-2014-9296
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9296

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201412-34.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201412-35 ] RSYSLOG: Denial of Service

2014-12-24 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201412-35
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: RSYSLOG: Denial of Service
 Date: December 24, 2014
 Bugs: #395709, #491856, #524058, #524290
   ID: 201412-35

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been found in RSYSLOG, allowing attackers
to cause Denial of Service.

Background
==

RSYSLOG is an enhanced multi-threaded syslogd with database support and
more.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-admin/rsyslog          < 8.4.2            >= 8.4.2

Description
===

Multiple vulnerabilities have been discovered in RSYSLOG. Please review
the CVE identifiers referenced below for details.

Impact
==

A context-dependent attacker may be able to create a Denial of Service
condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All RSYSLOG users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/rsyslog-8.4.2"

References
==

[ 1 ] CVE-2011-4623
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4623
[ 2 ] CVE-2014-3634
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3634
[ 3 ] CVE-2014-3683
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3683

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201412-35.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201412-37 ] QEMU: Multiple Vulnerabilities

2014-12-24 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201412-37
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: QEMU: Multiple Vulnerabilities
 Date: December 24, 2014
 Bugs: #528922, #529030, #531666
   ID: 201412-37

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in QEMU, the worst of which
could result in execution of arbitrary code or Denial of Service.

Background
==========

QEMU is a generic and open source machine emulator and virtualizer.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/qemu          < 2.1.2-r2               >= 2.1.2-r2

Description
===========

Multiple vulnerabilities have been discovered in QEMU. Please review
the CVE identifiers referenced below for details.

Impact
======

A context-dependent attacker may be able to execute arbitrary code,
cause a Denial of Service condition, obtain sensitive information, or
bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QEMU users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.1.2-r2"

References
==========

[ 1 ] CVE-2014-3689
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3689
[ 2 ] CVE-2014-7840
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7840
[ 3 ] CVE-2014-8106
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8106

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201412-37.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201406-36 ] OpenLDAP: Multiple vulnerabilities

2014-06-30 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201406-36
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: OpenLDAP: Multiple vulnerabilities
 Date: June 30, 2014
 Bugs: #290345, #323777, #355333, #388605, #407941, #424167
   ID: 201406-36

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in OpenLDAP, allowing for Denial of
Service or a man-in-the-middle attack.

Background
==========

OpenLDAP is an LDAP suite of application and development tools.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-nds/openldap             < 2.4.35                  >= 2.4.35

Description
===========

Multiple vulnerabilities have been discovered in OpenLDAP. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker might employ a specially crafted certificate to
conduct man-in-the-middle attacks on SSL connections made using
OpenLDAP, bypass security restrictions or cause a Denial of Service
condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenLDAP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-nds/openldap-2.4.35"

References
==========

[ 1 ] CVE-2009-3767
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3767
[ 2 ] CVE-2010-0211
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0211
[ 3 ] CVE-2010-0212
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0212
[ 4 ] CVE-2011-1024
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1024
[ 5 ] CVE-2011-1025
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1025
[ 6 ] CVE-2011-1081
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1081
[ 7 ] CVE-2011-4079
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4079
[ 8 ] CVE-2012-1164
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1164
[ 9 ] CVE-2012-2668
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2668

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201406-36.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[gentoo-announce] [ GLSA 201406-25 ] Asterisk: Multiple vulnerabilities

2014-06-25 Thread Yury German
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201406-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Asterisk: Multiple vulnerabilities
 Date: June 25, 2014
 Bugs: #513102
   ID: 201406-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Asterisk, the worst of
which could allow privileged users to execute arbitrary system shell
commands.

Background
==========

Asterisk is an open source telephony engine and toolkit.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/asterisk           < 11.10.2              *>= 1.8.28.2
                                                           >= 11.10.2

Description
===========

Multiple vulnerabilities have been discovered in Asterisk. Please
review the CVE identifiers below for details.

Impact
======

A remote attacker that gains access to a privileged Asterisk account
can execute arbitrary system shell commands. Furthermore, an
unprivileged remote attacker could cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Asterisk 11 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/asterisk-11.10.2"

All Asterisk 1.8 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.28.2"

References
==========

[ 1 ] CVE-2014-4046
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4046
[ 2 ] CVE-2014-4047
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4047

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201406-25.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


