[ GLSA 201201-17 ] Chromium: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201201-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Chromium: Multiple vulnerabilities Date: January 28, 2012 Bugs: #400551 ID: 201201-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities have been reported in Chromium, some of which may allow execution of arbitrary code. Background == Chromium is an open source web browser project. Affected packages = --- Package / Vulnerable /Unaffected --- 1 www-client/chromium < 16.0.912.77 >= 16.0.912.77 Description === Multiple vulnerabilities have been discovered in Chromium. Please review the CVE identifiers and release notes referenced below for details. Impact == A remote attacker could entice a user to open a specially crafted web site using Chromium, possibly resulting in the execution of arbitrary code with the privileges of the process, or a Denial of Service condition. Workaround == There is no known workaround at this time. Resolution == All Chromium users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-client/chromium-16.0.912.77" References == [ 1 ] CVE-2011-3924 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3924 [ 2 ] CVE-2011-3925 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3925 [ 3 ] CVE-2011-3926 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3926 [ 4 ] CVE-2011-3927 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3927 [ 5 ] CVE-2011-3928 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3928 [ 6 ] Release Notes 16.0.912.77 http://googlechromereleases.blogspot.com/2012/01/stable-channel-update_23.html Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-17.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201201-03 ] Chromium, V8: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201201-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Chromium, V8: Multiple vulnerabilities Date: January 08, 2012 Bugs: #394587, #397907 ID: 201201-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities have been reported in Chromium and V8, some of which may allow execution of arbitrary code. Background == Chromium is an open source web browser project. V8 is Google's open source JavaScript engine. Affected packages = --- Package / Vulnerable /Unaffected --- 1 www-client/chromium < 16.0.912.75 >= 16.0.912.75 2 dev-lang/v8 < 3.6.6.11 >= 3.6.6.11 --- 2 affected packages --- Description === Multiple vulnerabilities have been discovered in Chromium and V8. Please review the CVE identifiers and release notes referenced below for details. Impact == A context-dependent attacker could entice a user to open a specially crafted web site or JavaScript program using Chromium or V8, possibly resulting in the execution of arbitrary code with the privileges of the process, or a Denial of Service condition. The attacker could also perform URL bar spoofing. Workaround == There is no known workaround at this time. Resolution == All Chromium users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-client/chromium-16.0.912.75" All V8 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/v8-3.6.6.11" References == [ 1 ] CVE-2011-3903 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3903 [ 2 ] CVE-2011-3904 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3904 [ 3 ] CVE-2011-3906 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3906 [ 4 ] CVE-2011-3907 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3907 [ 5 ] CVE-2011-3908 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3908 [ 6 ] CVE-2011-3909 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3909 [ 7 ] CVE-2011-3910 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3910 [ 8 ] CVE-2011-3912 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3912 [ 9 ] CVE-2011-3913 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3913 [ 10 ] CVE-2011-3914 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3914 [ 11 ] CVE-2011-3917 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3917 [ 12 ] CVE-2011-3921 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3921 [ 13 ] CVE-2011-3922 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3922 [ 14 ] Release Notes 16.0.912.63 http://googlechromereleases.blogspot.com/2011/12/stable-channel-update.html [ 15 ] Release Notes 16.0.912.75 http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-03.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201201-02 ] MySQL: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201201-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: MySQL: Multiple vulnerabilities Date: January 05, 2012 Bugs: #220813, #229329, #237166, #238117, #240407, #277717, #294187, #303747, #319489, #321791, #339717, #344987, #351413 ID: 201201-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were found in MySQL, some of which may allow execution of arbitrary code. Background == MySQL is a popular open-source multi-threaded, multi-user SQL database server. Affected packages = --- Package / Vulnerable /Unaffected --- 1 dev-db/mysql < 5.1.56 >= 5.1.56 Description === Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact == An unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the MySQL process, cause a Denial of Service condition, bypass security restrictions, uninstall arbitrary MySQL plugins, or conduct Man-in-the-Middle and Cross-Site Scripting attacks. Workaround == There is no known workaround at this time. Resolution == All MySQL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.1.56" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 14, 2011. It is likely that your system is already no longer affected by this issue. References == [ 1 ] CVE-2008-3963 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3963 [ 2 ] CVE-2008-4097 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4097 [ 3 ] CVE-2008-4098 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4098 [ 4 ] CVE-2008-4456 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4456 [ 5 ] CVE-2008-7247 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7247 [ 6 ] CVE-2009-2446 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2446 [ 7 ] CVE-2009-4019 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4019 [ 8 ] CVE-2009-4028 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4028 [ 9 ] CVE-2009-4484 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4484 [ 10 ] CVE-2010-1621 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1621 [ 11 ] CVE-2010-1626 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1626 [ 12 ] CVE-2010-1848 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1848 [ 13 ] CVE-2010-1849 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1849 [ 14 ] CVE-2010-1850 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1850 [ 15 ] CVE-2010-2008 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2008 [ 16 ] CVE-2010-3676 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3676 [ 17 ] CVE-2010-3677 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3677 [ 18 ] CVE-2010-3678 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3678 [ 19 ] CVE-2010-3679 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3679 [ 20 ] CVE-2010-3680 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3680 [ 21 ] CVE-2010-3681 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3681 [ 22 ] CVE-2010-3682 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3682 [ 23 ] CVE-2010-3683 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3683 [ 24 ] CVE-2010-3833 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3833 [ 25 ] CVE-2010-3834 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3834 [ 26 ] CVE-2010-3835 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3835 [ 27 ] CVE-2010-3836 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3836 [ 28 ] CVE-2010-3837 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3837 [ 29 ] CVE-2010-3838 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3838 [ 30 ] CVE-2010-3839 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3839 [ 31 ] CVE-2010-3840 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3840 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-02.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Co
[ GLSA 201201-01 ] phpMyAdmin: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201201-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: phpMyAdmin: Multiple vulnerabilities Date: January 04, 2012 Bugs: #302745, #335490, #336462, #354227, #373951, #376369, #387413, #389427, #395715 ID: 201201-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were found in phpMyAdmin, the most severe of which allows the execution of arbitrary PHP code. Background == phpMyAdmin is a web-based management tool for MySQL databases. Affected packages = --- Package / Vulnerable /Unaffected --- 1 dev-db/phpmyadmin< 3.4.9>= 3.4.9 Description === Multiple vulnerabilities have been discovered in phpMyAdmin. Please review the CVE identifiers and phpMyAdmin Security Advisories referenced below for details. Impact == Remote attackers might be able to insert and execute PHP code, include and execute local PHP files, or perform Cross-Site Scripting (XSS) attacks via various vectors. Workaround == There is no known workaround at this time. Resolution == All phpMyAdmin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-3.4.9" References == [ 1 ] CVE-2008-7251 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7251 [ 2 ] CVE-2008-7252 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7252 [ 3 ] CVE-2010-2958 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2958 [ 4 ] CVE-2010-3055 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3055 [ 5 ] CVE-2010-3056 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3056 [ 6 ] CVE-2010-3263 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3263 [ 7 ] CVE-2011-0986 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0986 [ 8 ] CVE-2011-0987 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0987 [ 9 ] CVE-2011-2505 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2505 [ 10 ] CVE-2011-2506 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2506 [ 11 ] CVE-2011-2507 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2507 [ 12 ] CVE-2011-2508 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2508 [ 13 ] CVE-2011-2642 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2642 [ 14 ] CVE-2011-2643 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2643 [ 15 ] CVE-2011-2718 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2718 [ 16 ] CVE-2011-2719 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2719 [ 17 ] CVE-2011-3646 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3646 [ 18 ] CVE-2011-4064 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4064 [ 19 ] CVE-2011-4107 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4107 [ 20 ] CVE-2011-4634 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4634 [ 21 ] CVE-2011-4780 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4780 [ 22 ] CVE-2011-4782 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4782 [ 23 ] PMASA-2010-1 http://www.phpmyadmin.net/home_page/security/PMASA-2010-1.php [ 24 ] PMASA-2010-2 http://www.phpmyadmin.net/home_page/security/PMASA-2010-2.php [ 25 ] PMASA-2010-4 http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php [ 26 ] PMASA-2010-5 http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php [ 27 ] PMASA-2010-6 http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php [ 28 ] PMASA-2010-7 http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php [ 29 ] PMASA-2011-1 http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php [ 30 ] PMASA-2011-10 http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php [ 31 ] PMASA-2011-11 http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php [ 32 ] PMASA-2011-12 http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php [ 33 ] PMASA-2011-15 http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php [ 34 ] PMASA-2011-16 http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php [ 35 ] PMASA-2011-17 http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php [ 36 ] PMASA-2011-18 http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php [ 37 ] PMASA-2011-19 http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php [ 38 ] PMASA-2011-2 http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php [ 39 ] PMASA-2011
[ GLSA 201111-05 ] Chromium, V8: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 20-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Chromium, V8: Multiple vulnerabilities Date: November 19, 2011 Bugs: #390113, #390779 ID: 20-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities have been reported in Chromium and V8, some of which may allow execution of arbitrary code. Background == Chromium is an open-source web browser project. V8 is Google's open source JavaScript engine. Affected packages = --- Package / Vulnerable /Unaffected --- 1 www-client/chromium < 15.0.874.121 >= 15.0.874.121 2 dev-lang/v8< 3.5.10.24 >= 3.5.10.24 --- 2 affected packages --- Description === Multiple vulnerabilities have been discovered in Chromium and V8. Please review the CVE identifiers and release notes referenced below for details. Impact == A context-dependent attacker could entice a user to open a specially crafted web site or JavaScript program using Chromium or V8, possibly resulting in the execution of arbitrary code with the privileges of the process, or a Denial of Service condition. The attacker also could cause a Java applet to run without user confirmation. Workaround == There is no known workaround at this time. Resolution == All Chromium users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-client/chromium-15.0.874.121" All V8 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/v8-3.5.10.24" References == [ 1 ] CVE-2011-3892 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3892 [ 2 ] CVE-2011-3893 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3893 [ 3 ] CVE-2011-3894 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3894 [ 4 ] CVE-2011-3895 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3895 [ 5 ] CVE-2011-3896 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3896 [ 6 ] CVE-2011-3897 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3897 [ 7 ] CVE-2011-3898 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3898 [ 8 ] CVE-2011-3900 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3900 [ 9 ] Release Notes 15.0.874.120 http://googlechromereleases.blogspot.com/2011/11/stable-channel-update.html [ 10 ] Release Notes 15.0.874.121 http://googlechromereleases.blogspot.com/2011/11/stable-channel-update_16.html Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-20-05.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201111-04 ] phpDocumentor: Function call injection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 20-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: phpDocumentor: Function call injection Date: November 11, 2011 Bugs: #213318 ID: 20-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis phpDocumentor bundles Smarty which contains an input sanitation flaw, allowing attackers to call arbitrary PHP functions. Background == The phpDocumentor package provides automatic documenting of PHP API directly from the source. Affected packages = --- Package / Vulnerable /Unaffected --- 1 dev-php/PEAR-PhpDocumentor < 1.4.3-r1 >= 1.4.3-r1 Description === phpDocumentor bundles Smarty with the modifier.regex_replace.php plug-in which does not properly sanitize input related to the ASCII NUL character in a search string. Impact == A remote attacker could call arbitrary PHP functions via templates. Workaround == There is no known workaround at this time. Resolution == All phpDocumentor users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot -v ">=dev-php/PEAR-PhpDocumentor-1.4.3-r1" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since February 12, 2011. It is likely that your system is already no longer affected by this issue. References == [ 1 ] CVE-2008-1066 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1066 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-20-04.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201111-03 ] OpenTTD: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 20-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: OpenTTD: Multiple vulnerabilities Date: November 11, 2011 Bugs: #381799 ID: 20-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were found in OpenTTD which could lead to execution of arbitrary code, a Denial of Service, or privilege escalation. Background == OpenTTD is a clone of Transport Tycoon Deluxe. Affected packages = --- Package / Vulnerable /Unaffected --- 1 games-simulation/openttd < 1.1.3>= 1.1.3 Description === Multiple vulnerabilities have been discovered in OpenTTD. Please review the CVE identifiers referenced below for details. Impact == A remote attacker could execute arbitrary code with the privileges of the OpenTTD process or cause a Denial of Service. Local users could cause a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All OpenTTD users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=games-simulation/openttd-1.1.3" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since September 27, 2011. It is likely that your system is already no longer affected by this issue. References == [ 1 ] CVE-2010-4168 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4168 [ 2 ] CVE-2011-3341 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3341 [ 3 ] CVE-2011-3342 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3342 [ 4 ] CVE-2011-3343 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3343 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-20-03.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201110-26 ] libxml2: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-26 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: libxml2: Multiple vulnerabilities Date: October 26, 2011 Bugs: #34, #370715, #386985 ID: 201110-26 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were found in libxml2 which could lead to execution of arbitrary code or a Denial of Service. Background == libxml2 is the XML C parser and toolkit developed for the Gnome project. Affected packages = --- Package / Vulnerable /Unaffected --- 1 dev-libs/libxml2< 2.7.8-r3 >= 2.7.8-r3 Description === Multiple vulnerabilities have been discovered in libxml2. Please review the CVE identifiers referenced below for details. Impact == A local or remote attacker may be able to execute arbitrary code with the privileges of the application or cause a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All libxml2 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.8-r3" References == [ 1 ] CVE-2010-4008 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4008 [ 2 ] CVE-2010-4494 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4494 [ 3 ] CVE-2011-1944 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1944 [ 4 ] CVE-2011-2821 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2821 [ 5 ] CVE-2011-2834 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2834 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-26.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201110-25 ] Pure-FTPd: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-25 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Pure-FTPd: Multiple vulnerabilities Date: October 26, 2011 Bugs: #358375, #365751 ID: 201110-25 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were found in Pure-FTPd allowing attackers to inject FTP commands or cause a Denial of Service. Background == Pure-FTPd is a fast, production-quality and standards-compliant FTP server. Affected packages = --- Package / Vulnerable /Unaffected --- 1 net-ftp/pure-ftpd< 1.0.32 >= 1.0.32 Description === Multiple vulnerabilities have been discovered in Pure-FTPd. Please review the CVE identifiers referenced below for details. Impact == Remote unauthenticated attackers may be able to inject FTP commands or cause a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All pure-ftpd users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-ftp/pure-ftpd-1.0.32" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 14, 2011. It is likely that your system is already no longer affected by this issue. References == [ 1 ] CVE-2011-0418 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0418 [ 2 ] CVE-2011-1575 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1575 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-25.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201110-24 ] Squid: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Squid: Multiple vulnerabilities Date: October 26, 2011 Bugs: #279379, #279380, #301828, #334263, #381065, #386215 ID: 201110-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were found in Squid allowing attackers to execute arbitrary code or cause a Denial of Service. Background == Squid is a full-featured web proxy cache. Affected packages = --- Package / Vulnerable /Unaffected --- 1 net-proxy/squid < 3.1.15 >= 3.1.15 Description === Multiple vulnerabilities have been discovered in Squid. Please review the CVE identifiers referenced below for details. Impact == Remote unauthenticated attackers may be able to execute arbitrary code with the privileges of the Squid process or cause a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All squid users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-proxy/squid-3.1.15" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since September 4, 2011. It is likely that your system is already no longer affected by this issue. References == [ 1 ] CVE-2009-2621 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2621 [ 2 ] CVE-2009-2622 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2622 [ 3 ] CVE-2009-2855 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2855 [ 4 ] CVE-2010-0308 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0308 [ 5 ] CVE-2010-0639 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0639 [ 6 ] CVE-2010-2951 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2951 [ 7 ] CVE-2010-3072 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3072 [ 8 ] CVE-2011-3205 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3205 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-24.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201110-21 ] Asterisk: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-21 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Asterisk: Multiple vulnerabilities Date: October 24, 2011 Bugs: #352059, #355967, #359767, #364887, #372793, #373409, #387453 ID: 201110-21 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. Background == Asterisk is an open source telephony engine and toolkit. Affected packages = --- Package / Vulnerable /Unaffected --- 1 net-misc/asterisk < 1.8.7.1 >= 1.8.7.1 *>= 1.6.2.18.2 Description === Multiple vulnerabilities have been discovered in Asterisk. Please review the CVE identifiers referenced below for details. Impact == An unauthenticated remote attacker may execute code with the privileges of the Asterisk process or cause a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All asterisk 1.6.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.6.2.18.2" All asterisk 1.8.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.7.1" References == [ 1 ] CVE-2011-1147 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1147 [ 2 ] CVE-2011-1174 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1174 [ 3 ] CVE-2011-1175 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1175 [ 4 ] CVE-2011-1507 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1507 [ 5 ] CVE-2011-1599 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1599 [ 6 ] CVE-2011-2529 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2529 [ 7 ] CVE-2011-2535 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2535 [ 8 ] CVE-2011-2536 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2536 [ 9 ] CVE-2011-2665 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2665 [ 10 ] CVE-2011-2666 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2666 [ 11 ] CVE-2011-4063 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4063 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-21.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201110-20 ] Clam AntiVirus: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Clam AntiVirus: Multiple vulnerabilities Date: October 23, 2011 Bugs: #338226, #347627, #354019, #378815, #387521 ID: 201110-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were found in Clam AntiVirus, the most severe of which may allow the execution of arbitrary code. Background == Clam AntiVirus (short: ClamAV) is an anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. Affected packages = --- Package / Vulnerable /Unaffected --- 1 app-antivirus/clamav < 0.97.3 >= 0.97.3 Description === Multiple vulnerabilities have been discovered in Clam AntiVirus. Please review the CVE identifiers referenced below for details. Impact == An unauthenticated remote attacker may execute arbitrary code with the privileges of the Clam AntiVirus process or cause a Denial of Service by causing an affected user or system to scan a crafted file. Workaround == There is no known workaround at this time. Resolution == All Clam AntiVirus users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.97.3" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since August 27, 2011. It is likely that your system is already no longer affected by this issue. References == [ 1 ] CVE-2010-0405 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0405 [ 2 ] CVE-2010-3434 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3434 [ 3 ] CVE-2010-4260 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4260 [ 4 ] CVE-2010-4261 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4261 [ 5 ] CVE-2010-4479 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4479 [ 6 ] CVE-2011-1003 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1003 [ 7 ] CVE-2011-2721 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2721 [ 8 ] CVE-2011-3627 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3627 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-20.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201110-16 ] Cyrus IMAP Server: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Cyrus IMAP Server: Multiple vulnerabilities Date: October 22, 2011 Bugs: #283596, #382349, #385729 ID: 201110-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis The Cyrus IMAP Server is affected by multiple vulnerabilities which could potentially lead to the remote execution of arbitrary code or a Denial of Service. Background == The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail server. Affected packages = --- Package / Vulnerable /Unaffected --- 1 net-mail/cyrus-imapd < 2.4.12 >= 2.4.12 Description === Multiple vulnerabilities have been discovered in the Cyrus IMAP Server. Please review the CVE identifiers referenced below for details. Impact == An unauthenticated local or remote attacker may be able to execute arbitrary code with the privileges of the Cyrus IMAP Server process or cause a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All Cyrus IMAP Server users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.4.12" References == [ 1 ] CVE-2009-2632 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2632 [ 2 ] CVE-2011-3208 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3208 [ 3 ] CVE-2011-3481 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3481 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-16.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201110-15 ] GnuPG: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: GnuPG: User-assisted execution of arbitrary code Date: October 22, 2011 Bugs: #329583 ID: 201110-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis The GPGSM utility included in GnuPG contains a use-after-free vulnerability that may allow an unauthenticated remote attacker to execute arbitrary code. Background == The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of cryptographic software. The GPGSM utility in GnuPG is responsible for processing X.509 certificates, signatures and encryption as well as S/MIME messages. Affected packages = --- Package / Vulnerable /Unaffected --- 1 app-crypt/gnupg< 2.0.16-r1 >= 2.0.16-r1 < 2.0 Description === The GPGSM utility in GnuPG contains a use-after-free vulnerability that may be exploited when importing a crafted X.509 certificate explicitly or during the signature verification process. Impact == An unauthenticated remote attacker may execute arbitrary code with the privileges of the user running GnuPG by enticing them to import a crafted certificate. Workaround == There is no known workaround at this time. Resolution == All GnuPG 2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.16-r1" References == [ 1 ] CVE-2010-2547 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2547 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-15.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201110-13 ] Tor: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Tor: Multiple vulnerabilities Date: October 18, 2011 Bugs: #351920, #359789 ID: 201110-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were found in Tor, the most severe of which may allow a remote attacker to execute arbitrary code. Background == Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service. Affected packages = --- Package / Vulnerable /Unaffected --- 1 net-misc/tor< 0.2.1.30 >= 0.2.1.30 Description === Multiple vulnerabilities have been discovered in Tor. Please review the CVE identifiers referenced below for details. Impact == A remote unauthenticated attacker may be able to execute arbitrary code with the privileges of the Tor process or create a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All Tor users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.1.30" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since April 2, 2011. It is likely that your system is already no longer affected by this issue. References == [ 1 ] CVE-2011-0015 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0015 [ 2 ] CVE-2011-0016 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0016 [ 3 ] CVE-2011-0427 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0427 [ 4 ] CVE-2011-0490 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0490 [ 5 ] CVE-2011-0491 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0491 [ 6 ] CVE-2011-0492 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0492 [ 7 ] CVE-2011-0493 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0493 [ 8 ] CVE-2011-1924 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1924 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-13.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201110-11 ] Adobe Flash Player: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Adobe Flash Player: Multiple vulnerabilities Date: October 13, 2011 Bugs: #354207, #359019, #363179, #367031, #370215, #372899, #378637, #384017 ID: 201110-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities in Adobe Flash Player might allow remote attackers to execute arbitrary code or cause a Denial of Service. Background == The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Affected packages = --- Package / Vulnerable /Unaffected --- 1 www-plugins/adobe-flash < 10.3.183.10 >= 10.3.183.10 Description === Multiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers and Adobe Security Advisories and Bulletins referenced below for details. Impact == By enticing a user to open a specially crafted SWF file a remote attacker could cause a Denial of Service or the execution of arbitrary code with the privileges of the user running the application. Workaround == There is no known workaround at this time. Resolution == All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10" References == [ 1 ] APSA11-01 http://www.adobe.com/support/security/advisories/apsa11-01.html [ 2 ] APSA11-02 http://www.adobe.com/support/security/advisories/apsa11-02.html [ 3 ] APSB11-02 http://www.adobe.com/support/security/bulletins/apsb11-02.html [ 4 ] APSB11-12 http://www.adobe.com/support/security/bulletins/apsb11-12.html [ 5 ] APSB11-13 http://www.adobe.com/support/security/bulletins/apsb11-13.html [ 6 ] APSB11-21 https://www.adobe.com/support/security/bulletins/apsb11-21.html [ 7 ] APSB11-26 https://www.adobe.com/support/security/bulletins/apsb11-26.html [ 8 ] CVE-2011-0558 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558 [ 9 ] CVE-2011-0559 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559 [ 10 ] CVE-2011-0560 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560 [ 11 ] CVE-2011-0561 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561 [ 12 ] CVE-2011-0571 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571 [ 13 ] CVE-2011-0572 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572 [ 14 ] CVE-2011-0573 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573 [ 15 ] CVE-2011-0574 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574 [ 16 ] CVE-2011-0575 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575 [ 17 ] CVE-2011-0577 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577 [ 18 ] CVE-2011-0578 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578 [ 19 ] CVE-2011-0579 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579 [ 20 ] CVE-2011-0589 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589 [ 21 ] CVE-2011-0607 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607 [ 22 ] CVE-2011-0608 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608 [ 23 ] CVE-2011-0609 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609 [ 24 ] CVE-2011-0611 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611 [ 25 ] CVE-2011-0618 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618 [ 26 ] CVE-2011-0619 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619 [ 27 ] CVE-2011-0620 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620 [ 28 ] CVE-2011-0621 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621 [ 29 ] CVE-2011-0622 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622 [ 30 ] CVE-2011-0623 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623 [ 31 ] CVE-2011-0624 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624 [ 32 ] CVE-2011-0625 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625 [ 33 ] CVE-2011-0626 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626 [ 34 ] CVE-2011-0627 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627 [ 35 ] CVE-2011-0628 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628 [ 36 ] CVE-2011-2107 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107 [ 37 ] CVE-2011-2110 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110 [ 38 ] CVE-2011-2125 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135 [ 39 ] CVE-20
[ GLSA 201110-10 ] Wget: User-assisted file creation or overwrite
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Wget: User-assisted file creation or overwrite Date: October 13, 2011 Bugs: #329941 ID: 201110-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Insecure usage of server provided filenames may allow the creation or overwriting of local files. Background == GNU Wget is a free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols. Affected packages = --- Package / Vulnerable /Unaffected --- 1 net-misc/wget < 1.12-r2 >= 1.12-r2 Description === It was discovered that Wget was unsafely trusting server-provided filenames. This allowed attackers to overwrite or create files on the user's system by sending a redirect from the expected URL to another URL specifying the targeted file. Impact == An unauthenticated remote attacker may be able to create or overwrite local files by enticing the user to open an attacker controlled URL, possibly leading to execution of arbitrary code. Workaround == There is no known workaround at this time. Resolution == All Wget users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/wget-1.12-r2" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since September 19, 2010. It is likely that your system is already no longer affected by this issue. References == [ 1 ] CVE-2010-2252 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2252 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-10.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201101-08 ] Adobe Reader: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201101-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Adobe Reader: Multiple vulnerabilities Date: January 21, 2011 Bugs: #336508, #343091 ID: 201101-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities in Adobe Reader might result in the execution of arbitrary code. Background == Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF reader. Affected packages = --- Package / Vulnerable / Unaffected --- 1 app-text/acroread< 9.4.1 >= 9.4.1 Description === Multiple vulnerabilities were discovered in Adobe Reader. For further information please consult the CVE entries and the Adobe Security Bulletins referenced below. Impact == A remote attacker might entice a user to open a specially crafted PDF file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All Adobe Reader users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.1" References == [ 1 ] APSB10-21 http://www.adobe.com/support/security/bulletins/apsb10-21.html [ 2 ] APSB10-28 http://www.adobe.com/support/security/bulletins/apsb10-28.html [ 3 ] CVE-2010-2883 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883 [ 4 ] CVE-2010-2884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2884 [ 5 ] CVE-2010-2887 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2887 [ 6 ] CVE-2010-2889 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2889 [ 7 ] CVE-2010-2890 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2890 [ 8 ] CVE-2010-3619 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3619 [ 9 ] CVE-2010-3620 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3620 [ 10 ] CVE-2010-3621 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3621 [ 11 ] CVE-2010-3622 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3622 [ 12 ] CVE-2010-3625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3625 [ 13 ] CVE-2010-3626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3626 [ 14 ] CVE-2010-3627 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3627 [ 15 ] CVE-2010-3628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3628 [ 16 ] CVE-2010-3629 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3629 [ 17 ] CVE-2010-3630 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3630 [ 18 ] CVE-2010-3632 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3632 [ 19 ] CVE-2010-3654 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3654 [ 20 ] CVE-2010-3656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3656 [ 21 ] CVE-2010-3657 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3657 [ 22 ] CVE-2010-3658 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3658 [ 23 ] CVE-2010-4091 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4091 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201101-08.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201101-09 ] Adobe Flash Player: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201101-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Adobe Flash Player: Multiple vulnerabilities Date: January 21, 2011 Bugs: #307749, #322855, #332205, #337204, #343089 ID: 201101-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities in Adobe Flash Player might allow remote attackers to execute arbitrary code or cause a Denial of Service. Background == The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Affected packages = --- Package /Vulnerable/ Unaffected --- 1 www-plugins/adobe-flash < 10.1.102.64 >= 10.1.102.64 Description === Multiple vulnerabilities were discovered in Adobe Flash Player. For further information please consult the CVE entries and the Adobe Security Bulletins referenced below. Impact == A remote attacker could entice a user to open a specially crafted SWF file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All Adobe Flash Player users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-10.1.102.64" References == [ 1 ] APSB10-06 http://www.adobe.com/support/security/bulletins/apsb10-06.html [ 2 ] APSB10-14 http://www.adobe.com/support/security/bulletins/apsb10-14.html [ 3 ] APSB10-16 http://www.adobe.com/support/security/bulletins/apsb10-16.html [ 4 ] APSB10-22 http://www.adobe.com/support/security/bulletins/apsb10-22.html [ 5 ] APSB10-26 http://www.adobe.com/support/security/bulletins/apsb10-26.html [ 6 ] CVE-2008-4546 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4546 [ 7 ] CVE-2009-3793 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3793 [ 8 ] CVE-2010-0186 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0186 [ 9 ] CVE-2010-0187 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0187 [ 10 ] CVE-2010-0209 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0209 [ 11 ] CVE-2010-1297 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297 [ 12 ] CVE-2010-2160 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2160 [ 13 ] CVE-2010-2161 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2161 [ 14 ] CVE-2010-2162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2162 [ 15 ] CVE-2010-2163 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2163 [ 16 ] CVE-2010-2164 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2164 [ 17 ] CVE-2010-2165 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2165 [ 18 ] CVE-2010-2166 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2166 [ 19 ] CVE-2010-2167 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2167 [ 20 ] CVE-2010-2169 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2169 [ 21 ] CVE-2010-2170 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2170 [ 22 ] CVE-2010-2171 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2171 [ 23 ] CVE-2010-2172 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2172 [ 24 ] CVE-2010-2173 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2173 [ 25 ] CVE-2010-2174 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2174 [ 26 ] CVE-2010-2175 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2175 [ 27 ] CVE-2010-2176 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2176 [ 28 ] CVE-2010-2177 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2177 [ 29 ] CVE-2010-2178 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2178 [ 30 ] CVE-2010-2179 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2179 [ 31 ] CVE-2010-2180 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2180 [ 32 ] CVE-2010-2181 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2181 [ 33 ] CVE-2010-2182 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2182 [ 34 ] CVE-2010-2183 http://
[ GLSA 201101-03 ] libvpx: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201101-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: libvpx: User-assisted execution of arbitrary code Date: January 15, 2011 Bugs: #345559 ID: 201101-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Timothy B. Terriberry discovered that libvpx contains an integer overflow vulnerability in the processing of video streams that may allow user-assisted execution of arbitrary code. Background == libvpx is the VP8 codec SDK used to encode and decode video streams, typically within a WebM format media file. Affected packages = --- Package/ Vulnerable /Unaffected --- 1 media-libs/libvpx < 0.9.5 >= 0.9.5 Description === libvpx is vulnerable to an integer overflow vulnerability when processing crafted VP8 video streams. Impact == A remote attacker could entice a user to open a specially crafted media file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All libvpx users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/libvpx-0.9.5" Packages which depend on this library may need to be recompiled. Tools such as revdep-rebuild may assist in identifying some of these packages. References == [ 1 ] CVE-2010-4203 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4203 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201101-03.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201101-02 ] Tor: Remote heap-based buffer overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201101-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Tor: Remote heap-based buffer overflow Date: January 15, 2011 Bugs: #349312 ID: 201101-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Tor is vulnerable to a heap-based buffer overflow that may allow arbitrary code execution. Background == Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service. Affected packages = --- Package / Vulnerable / Unaffected --- 1 net-misc/tor < 0.2.1.28 >= 0.2.1.28 Description === Tor contains a heap-based buffer overflow in the processing of user or attacker supplied data. No additional information is available. Impact == Successful exploitation of this vulnerability may allow an unauthenticated remote attacker to execute arbitrary code with the permissions of the Tor user, or to cause a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All Tor users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.1.28" References == [ 1 ] CVE-2010-1676 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1676 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201101-02.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature
[ GLSA 201101-01 ] gif2png: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201101-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: gif2png: User-assisted execution of arbitrary code Date: January 05, 2011 Bugs: #346501 ID: 201101-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis gif2png contains a stack overflow vulnerability when parsing command line arguments. Background == gif2png is a command line program that converts image files from the Graphics Interchange Format (GIF) format to the Portable Network Graphics (PNG) format. Affected packages = --- Package/ Vulnerable /Unaffected --- 1 media-gfx/gif2png < 2.5.1-r1 >= 2.5.1-r1 Description === gif2png contains a command line parsing vulnerability that may result in a stack overflow due to an unexpectedly long input filename. Impact == A remote attacker could entice a user to open a specially crafted image, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Note that applications relying on gif2png to process images can also trigger the vulnerability. Workaround == There is no known workaround at this time. Resolution == All gif2png users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-gfx/gif2png-2.5.1-r1" References == [ 1 ] CVE-2009-5018 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5018 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201101-01.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature