from:"Tim Sammut"

[ GLSA 201201-17 ] Chromium: Multiple vulnerabilities

2012-01-30 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201201-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Chromium: Multiple vulnerabilities
 Date: January 28, 2012
 Bugs: #400551
   ID: 201201-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.

Background
==

Chromium is an open source web browser project.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  www-client/chromium   < 16.0.912.77   >= 16.0.912.77

Description
===

Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.

Impact
==

A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, or a Denial of Service
condition.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-client/chromium-16.0.912.77"

References
==

[ 1 ] CVE-2011-3924
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3924
[ 2 ] CVE-2011-3925
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3925
[ 3 ] CVE-2011-3926
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3926
[ 4 ] CVE-2011-3927
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3927
[ 5 ] CVE-2011-3928
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3928
[ 6 ] Release Notes 16.0.912.77

http://googlechromereleases.blogspot.com/2012/01/stable-channel-update_23.html

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201201-17.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201201-03 ] Chromium, V8: Multiple vulnerabilities

2012-01-09 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201201-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Chromium, V8: Multiple vulnerabilities
 Date: January 08, 2012
 Bugs: #394587, #397907
   ID: 201201-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been reported in Chromium and V8, some of
which may allow execution of arbitrary code.

Background
==

Chromium is an open source web browser project. V8 is Google's open
source JavaScript engine.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  www-client/chromium   < 16.0.912.75   >= 16.0.912.75
  2  dev-lang/v8 < 3.6.6.11   >= 3.6.6.11
---
 2 affected packages
---

Description
===

Multiple vulnerabilities have been discovered in Chromium and V8.
Please review the CVE identifiers and release notes referenced below
for details.

Impact
==

A context-dependent attacker could entice a user to open a specially
crafted web site or JavaScript program using Chromium or V8, possibly
resulting in the execution of arbitrary code with the privileges of the
process, or a Denial of Service condition.

The attacker could also perform URL bar spoofing.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-client/chromium-16.0.912.75"

All V8 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/v8-3.6.6.11"

References
==

[  1 ] CVE-2011-3903
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3903
[  2 ] CVE-2011-3904
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3904
[  3 ] CVE-2011-3906
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3906
[  4 ] CVE-2011-3907
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3907
[  5 ] CVE-2011-3908
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3908
[  6 ] CVE-2011-3909
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3909
[  7 ] CVE-2011-3910
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3910
[  8 ] CVE-2011-3912
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3912
[  9 ] CVE-2011-3913
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3913
[ 10 ] CVE-2011-3914
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3914
[ 11 ] CVE-2011-3917
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3917
[ 12 ] CVE-2011-3921
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3921
[ 13 ] CVE-2011-3922
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3922
[ 14 ] Release Notes 16.0.912.63

http://googlechromereleases.blogspot.com/2011/12/stable-channel-update.html
[ 15 ] Release Notes 16.0.912.75

http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201201-03.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201201-02 ] MySQL: Multiple vulnerabilities

2012-01-06 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201201-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: MySQL: Multiple vulnerabilities
 Date: January 05, 2012
 Bugs: #220813, #229329, #237166, #238117, #240407, #277717,
   #294187, #303747, #319489, #321791, #339717, #344987, #351413
   ID: 201201-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities were found in MySQL, some of which may allow
execution of arbitrary code.

Background
==

MySQL is a popular open-source multi-threaded, multi-user SQL database
server.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-db/mysql < 5.1.56  >= 5.1.56

Description
===

Multiple vulnerabilities have been discovered in MySQL. Please review
the CVE identifiers referenced below for details.

Impact
==

An unauthenticated remote attacker may be able to execute arbitrary
code with the privileges of the MySQL process, cause a Denial of
Service condition, bypass security restrictions, uninstall arbitrary
MySQL plugins, or conduct Man-in-the-Middle and Cross-Site Scripting
attacks.

Workaround
==

There is no known workaround at this time.

Resolution
==

All MySQL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.1.56"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since May 14, 2011. It is likely that your system is already
no longer affected by this issue.

References
==

[  1 ] CVE-2008-3963
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3963
[  2 ] CVE-2008-4097
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4097
[  3 ] CVE-2008-4098
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4098
[  4 ] CVE-2008-4456
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4456
[  5 ] CVE-2008-7247
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7247
[  6 ] CVE-2009-2446
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2446
[  7 ] CVE-2009-4019
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4019
[  8 ] CVE-2009-4028
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4028
[  9 ] CVE-2009-4484
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4484
[ 10 ] CVE-2010-1621
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1621
[ 11 ] CVE-2010-1626
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1626
[ 12 ] CVE-2010-1848
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1848
[ 13 ] CVE-2010-1849
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1849
[ 14 ] CVE-2010-1850
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1850
[ 15 ] CVE-2010-2008
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2008
[ 16 ] CVE-2010-3676
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3676
[ 17 ] CVE-2010-3677
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3677
[ 18 ] CVE-2010-3678
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3678
[ 19 ] CVE-2010-3679
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3679
[ 20 ] CVE-2010-3680
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3680
[ 21 ] CVE-2010-3681
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3681
[ 22 ] CVE-2010-3682
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3682
[ 23 ] CVE-2010-3683
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3683
[ 24 ] CVE-2010-3833
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3833
[ 25 ] CVE-2010-3834
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3834
[ 26 ] CVE-2010-3835
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3835
[ 27 ] CVE-2010-3836
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3836
[ 28 ] CVE-2010-3837
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3837
[ 29 ] CVE-2010-3838
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3838
[ 30 ] CVE-2010-3839
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3839
[ 31 ] CVE-2010-3840
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3840

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201201-02.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Co

[ GLSA 201201-01 ] phpMyAdmin: Multiple vulnerabilities

2012-01-05 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201201-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: phpMyAdmin: Multiple vulnerabilities
 Date: January 04, 2012
 Bugs: #302745, #335490, #336462, #354227, #373951, #376369,
   #387413, #389427, #395715
   ID: 201201-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities were found in phpMyAdmin, the most severe of
which allows the execution of arbitrary PHP code.

Background
==

phpMyAdmin is a web-based management tool for MySQL databases.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-db/phpmyadmin< 3.4.9>= 3.4.9

Description
===

Multiple vulnerabilities have been discovered in phpMyAdmin. Please
review the CVE identifiers and phpMyAdmin Security Advisories
referenced below for details.

Impact
==

Remote attackers might be able to insert and execute PHP code, include
and execute local PHP files, or perform Cross-Site Scripting (XSS)
attacks via various vectors.

Workaround
==

There is no known workaround at this time.

Resolution
==

All phpMyAdmin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-3.4.9"

References
==

[  1 ] CVE-2008-7251
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7251
[  2 ] CVE-2008-7252
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7252
[  3 ] CVE-2010-2958
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2958
[  4 ] CVE-2010-3055
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3055
[  5 ] CVE-2010-3056
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3056
[  6 ] CVE-2010-3263
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3263
[  7 ] CVE-2011-0986
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0986
[  8 ] CVE-2011-0987
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0987
[  9 ] CVE-2011-2505
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2505
[ 10 ] CVE-2011-2506
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2506
[ 11 ] CVE-2011-2507
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2507
[ 12 ] CVE-2011-2508
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2508
[ 13 ] CVE-2011-2642
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2642
[ 14 ] CVE-2011-2643
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2643
[ 15 ] CVE-2011-2718
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2718
[ 16 ] CVE-2011-2719
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2719
[ 17 ] CVE-2011-3646
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3646
[ 18 ] CVE-2011-4064
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4064
[ 19 ] CVE-2011-4107
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4107
[ 20 ] CVE-2011-4634
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4634
[ 21 ] CVE-2011-4780
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4780
[ 22 ] CVE-2011-4782
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4782
[ 23 ] PMASA-2010-1
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-1.php
[ 24 ] PMASA-2010-2
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-2.php
[ 25 ] PMASA-2010-4
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php
[ 26 ] PMASA-2010-5
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
[ 27 ] PMASA-2010-6
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
[ 28 ] PMASA-2010-7
   http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php
[ 29 ] PMASA-2011-1
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php
[ 30 ] PMASA-2011-10
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php
[ 31 ] PMASA-2011-11
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php
[ 32 ] PMASA-2011-12
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php
[ 33 ] PMASA-2011-15
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php
[ 34 ] PMASA-2011-16
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php
[ 35 ] PMASA-2011-17
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
[ 36 ] PMASA-2011-18
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php
[ 37 ] PMASA-2011-19
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php
[ 38 ] PMASA-2011-2
   http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php
[ 39 ] PMASA-2011

[ GLSA 201111-05 ] Chromium, V8: Multiple vulnerabilities

2011-11-21 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 20-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Chromium, V8: Multiple vulnerabilities
 Date: November 19, 2011
 Bugs: #390113, #390779
   ID: 20-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities have been reported in Chromium and V8, some of
which may allow execution of arbitrary code.

Background
==

Chromium is an open-source web browser project. V8 is Google's open
source JavaScript engine.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  www-client/chromium   < 15.0.874.121 >= 15.0.874.121
  2  dev-lang/v8< 3.5.10.24  >= 3.5.10.24
---
 2 affected packages
---

Description
===

Multiple vulnerabilities have been discovered in Chromium and V8.
Please review the CVE identifiers and release notes referenced below
for details.

Impact
==

A context-dependent attacker could entice a user to open a specially
crafted web site or JavaScript program using Chromium or V8, possibly
resulting in the execution of arbitrary code with the privileges of the
process, or a Denial of Service condition. The attacker also could
cause a Java applet to run without user confirmation.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-client/chromium-15.0.874.121"

All V8 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/v8-3.5.10.24"

References
==

[  1 ] CVE-2011-3892
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3892
[  2 ] CVE-2011-3893
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3893
[  3 ] CVE-2011-3894
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3894
[  4 ] CVE-2011-3895
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3895
[  5 ] CVE-2011-3896
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3896
[  6 ] CVE-2011-3897
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3897
[  7 ] CVE-2011-3898
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3898
[  8 ] CVE-2011-3900
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3900
[  9 ] Release Notes 15.0.874.120

http://googlechromereleases.blogspot.com/2011/11/stable-channel-update.html
[ 10 ] Release Notes 15.0.874.121

http://googlechromereleases.blogspot.com/2011/11/stable-channel-update_16.html

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-20-05.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201111-04 ] phpDocumentor: Function call injection

2011-11-14 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 20-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: phpDocumentor: Function call injection
 Date: November 11, 2011
 Bugs: #213318
   ID: 20-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


phpDocumentor bundles Smarty which contains an input sanitation flaw,
allowing attackers to call arbitrary PHP functions.

Background
==

The phpDocumentor package provides automatic documenting of PHP API
directly from the source.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-php/PEAR-PhpDocumentor
 < 1.4.3-r1   >= 1.4.3-r1

Description
===

phpDocumentor bundles Smarty with the modifier.regex_replace.php
plug-in which does not properly sanitize input related to the ASCII NUL
character in a search string.

Impact
==

A remote attacker could call arbitrary PHP functions via templates.

Workaround
==

There is no known workaround at this time.

Resolution
==

All phpDocumentor users should upgrade to the latest stable version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-php/PEAR-PhpDocumentor-1.4.3-r1"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since February 12, 2011. It is likely that your system is
already no longer affected by this issue.

References
==

[ 1 ] CVE-2008-1066
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1066

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-20-04.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201111-03 ] OpenTTD: Multiple vulnerabilities

2011-11-14 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 20-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: OpenTTD: Multiple vulnerabilities
 Date: November 11, 2011
 Bugs: #381799
   ID: 20-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities were found in OpenTTD which could lead to
execution of arbitrary code, a Denial of Service, or privilege
escalation.

Background
==

OpenTTD is a clone of Transport Tycoon Deluxe.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  games-simulation/openttd
  < 1.1.3>= 1.1.3

Description
===

Multiple vulnerabilities have been discovered in OpenTTD. Please review
the CVE identifiers referenced below for details.

Impact
==

A remote attacker could execute arbitrary code with the privileges of
the OpenTTD process or cause a Denial of Service. Local users could
cause a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All OpenTTD users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=games-simulation/openttd-1.1.3"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since September 27, 2011. It is likely that your system is
already no longer affected by this issue.

References
==

[ 1 ] CVE-2010-4168
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4168
[ 2 ] CVE-2011-3341
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3341
[ 3 ] CVE-2011-3342
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3342
[ 4 ] CVE-2011-3343
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3343

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-20-03.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201110-26 ] libxml2: Multiple vulnerabilities

2011-10-28 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: libxml2: Multiple vulnerabilities
 Date: October 26, 2011
 Bugs: #34, #370715, #386985
   ID: 201110-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities were found in libxml2 which could lead to
execution of arbitrary code or a Denial of Service.

Background
==

libxml2 is the XML C parser and toolkit developed for the Gnome
project.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  dev-libs/libxml2< 2.7.8-r3   >= 2.7.8-r3

Description
===

Multiple vulnerabilities have been discovered in libxml2. Please review
the CVE identifiers referenced below for details.

Impact
==

A local or remote attacker may be able to execute arbitrary code with
the privileges of the application or cause a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libxml2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.8-r3"

References
==

[ 1 ] CVE-2010-4008
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4008
[ 2 ] CVE-2010-4494
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4494
[ 3 ] CVE-2011-1944
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1944
[ 4 ] CVE-2011-2821
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2821
[ 5 ] CVE-2011-2834
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2834

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-26.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201110-25 ] Pure-FTPd: Multiple vulnerabilities

2011-10-28 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Pure-FTPd: Multiple vulnerabilities
 Date: October 26, 2011
 Bugs: #358375, #365751
   ID: 201110-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities were found in Pure-FTPd allowing attackers to
inject FTP commands or cause a Denial of Service.

Background
==

Pure-FTPd is a fast, production-quality and standards-compliant FTP
server.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-ftp/pure-ftpd< 1.0.32  >= 1.0.32

Description
===

Multiple vulnerabilities have been discovered in Pure-FTPd. Please
review the CVE identifiers referenced below for details.

Impact
==

Remote unauthenticated attackers may be able to inject FTP commands or
cause a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All pure-ftpd users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-ftp/pure-ftpd-1.0.32"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since May 14, 2011. It is likely that your system is already
no longer affected by this issue.

References
==

[ 1 ] CVE-2011-0418
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0418
[ 2 ] CVE-2011-1575
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1575

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-25.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201110-24 ] Squid: Multiple vulnerabilities

2011-10-28 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Squid: Multiple vulnerabilities
 Date: October 26, 2011
 Bugs: #279379, #279380, #301828, #334263, #381065, #386215
   ID: 201110-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities were found in Squid allowing attackers to
execute arbitrary code or cause a Denial of Service.

Background
==

Squid is a full-featured web proxy cache.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-proxy/squid  < 3.1.15  >= 3.1.15

Description
===

Multiple vulnerabilities have been discovered in Squid. Please review
the CVE identifiers referenced below for details.

Impact
==

Remote unauthenticated attackers may be able to execute arbitrary code
with the privileges of the Squid process or cause a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All squid users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-proxy/squid-3.1.15"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since September 4, 2011. It is likely that your system is
already no longer affected by this issue.

References
==

[ 1 ] CVE-2009-2621
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2621
[ 2 ] CVE-2009-2622
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2622
[ 3 ] CVE-2009-2855
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2855
[ 4 ] CVE-2010-0308
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0308
[ 5 ] CVE-2010-0639
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0639
[ 6 ] CVE-2010-2951
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2951
[ 7 ] CVE-2010-3072
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3072
[ 8 ] CVE-2011-3205
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3205

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-24.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201110-21 ] Asterisk: Multiple vulnerabilities

2011-10-25 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Asterisk: Multiple vulnerabilities
 Date: October 24, 2011
 Bugs: #352059, #355967, #359767, #364887, #372793, #373409, #387453
   ID: 201110-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities in Asterisk might allow unauthenticated remote
attackers to execute arbitrary code.

Background
==

Asterisk is an open source telephony engine and toolkit.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/asterisk   < 1.8.7.1 >= 1.8.7.1
   *>= 1.6.2.18.2

Description
===

Multiple vulnerabilities have been discovered in Asterisk. Please
review the CVE identifiers referenced below for details.

Impact
==

An unauthenticated remote attacker may execute code with the privileges
of the Asterisk process or cause a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All asterisk 1.6.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.6.2.18.2"

All asterisk 1.8.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.7.1"

References
==

[  1 ] CVE-2011-1147
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1147
[  2 ] CVE-2011-1174
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1174
[  3 ] CVE-2011-1175
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1175
[  4 ] CVE-2011-1507
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1507
[  5 ] CVE-2011-1599
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1599
[  6 ] CVE-2011-2529
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2529
[  7 ] CVE-2011-2535
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2535
[  8 ] CVE-2011-2536
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2536
[  9 ] CVE-2011-2665
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2665
[ 10 ] CVE-2011-2666
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2666
[ 11 ] CVE-2011-4063
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4063

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-21.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201110-20 ] Clam AntiVirus: Multiple vulnerabilities

2011-10-24 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Clam AntiVirus: Multiple vulnerabilities
 Date: October 23, 2011
 Bugs: #338226, #347627, #354019, #378815, #387521
   ID: 201110-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities were found in Clam AntiVirus, the most severe
of which may allow the execution of arbitrary code.

Background
==

Clam AntiVirus (short: ClamAV) is an anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-antivirus/clamav < 0.97.3  >= 0.97.3

Description
===

Multiple vulnerabilities have been discovered in Clam AntiVirus. Please
review the CVE identifiers referenced below for details.

Impact
==

An unauthenticated remote attacker may execute arbitrary code with the
privileges of the Clam AntiVirus process or cause a Denial of Service
by causing an affected user or system to scan a crafted file.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Clam AntiVirus users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.97.3"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since August 27, 2011. It is likely that your system is
already no longer affected by this issue.

References
==

[ 1 ] CVE-2010-0405
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0405
[ 2 ] CVE-2010-3434
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3434
[ 3 ] CVE-2010-4260
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4260
[ 4 ] CVE-2010-4261
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4261
[ 5 ] CVE-2010-4479
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4479
[ 6 ] CVE-2011-1003
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1003
[ 7 ] CVE-2011-2721
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2721
[ 8 ] CVE-2011-3627
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3627

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-20.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201110-16 ] Cyrus IMAP Server: Multiple vulnerabilities

2011-10-24 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Cyrus IMAP Server: Multiple vulnerabilities
 Date: October 22, 2011
 Bugs: #283596, #382349, #385729
   ID: 201110-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


The Cyrus IMAP Server is affected by multiple vulnerabilities which
could potentially lead to the remote execution of arbitrary code or a
Denial of Service.

Background
==

The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail
server.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-mail/cyrus-imapd < 2.4.12  >= 2.4.12

Description
===

Multiple vulnerabilities have been discovered in the Cyrus IMAP Server.
Please review the CVE identifiers referenced below for details.

Impact
==

An unauthenticated local or remote attacker may be able to execute
arbitrary code with the privileges of the Cyrus IMAP Server process or
cause a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Cyrus IMAP Server users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.4.12"

References
==

[ 1 ] CVE-2009-2632
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2632
[ 2 ] CVE-2011-3208
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3208
[ 3 ] CVE-2011-3481
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3481

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-16.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201110-15 ] GnuPG: User-assisted execution of arbitrary code

2011-10-24 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: GnuPG: User-assisted execution of arbitrary code
 Date: October 22, 2011
 Bugs: #329583
   ID: 201110-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


The GPGSM utility included in GnuPG contains a use-after-free
vulnerability that may allow an unauthenticated remote attacker to
execute arbitrary code.

Background
==

The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite
of cryptographic software. The GPGSM utility in GnuPG is responsible
for processing X.509 certificates, signatures and encryption as well as
S/MIME messages.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  app-crypt/gnupg< 2.0.16-r1  >= 2.0.16-r1
< 2.0

Description
===

The GPGSM utility in GnuPG contains a use-after-free vulnerability that
may be exploited when importing a crafted X.509 certificate explicitly
or during the signature verification process.

Impact
==

An unauthenticated remote attacker may execute arbitrary code with the
privileges of the user running GnuPG by enticing them to import a
crafted certificate.

Workaround
==

There is no known workaround at this time.

Resolution
==

All GnuPG 2.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.16-r1"

References
==

[ 1 ] CVE-2010-2547
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2547

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-15.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201110-13 ] Tor: Multiple vulnerabilities

2011-10-20 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
Title: Tor: Multiple vulnerabilities
 Date: October 18, 2011
 Bugs: #351920, #359789
   ID: 201110-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities were found in Tor, the most severe of which
may allow a remote attacker to execute arbitrary code.

Background
==

Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/tor< 0.2.1.30   >= 0.2.1.30

Description
===

Multiple vulnerabilities have been discovered in Tor. Please review the
CVE identifiers referenced below for details.

Impact
==

A remote unauthenticated attacker may be able to execute arbitrary code
with the privileges of the Tor process or create a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Tor users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.1.30"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since April 2, 2011. It is likely that your system is already
no longer affected by this issue.

References
==

[ 1 ] CVE-2011-0015
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0015
[ 2 ] CVE-2011-0016
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0016
[ 3 ] CVE-2011-0427
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0427
[ 4 ] CVE-2011-0490
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0490
[ 5 ] CVE-2011-0491
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0491
[ 6 ] CVE-2011-0492
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0492
[ 7 ] CVE-2011-0493
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0493
[ 8 ] CVE-2011-1924
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1924

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-13.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201110-11 ] Adobe Flash Player: Multiple vulnerabilities

2011-10-14 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
 Date: October 13, 2011
 Bugs: #354207, #359019, #363179, #367031, #370215, #372899,
   #378637, #384017
   ID: 201110-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities in Adobe Flash Player might allow remote
attackers to execute arbitrary code or cause a Denial of Service.

Background
==

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  www-plugins/adobe-flash   < 10.3.183.10   >= 10.3.183.10

Description
===

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers and Adobe Security Advisories and
Bulletins referenced below for details.

Impact
==

By enticing a user to open a specially crafted SWF file a remote
attacker could cause a Denial of Service or the execution of arbitrary
code with the privileges of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Adobe Flash Player users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"

References
==

[  1 ] APSA11-01
   http://www.adobe.com/support/security/advisories/apsa11-01.html
[  2 ] APSA11-02
   http://www.adobe.com/support/security/advisories/apsa11-02.html
[  3 ] APSB11-02
   http://www.adobe.com/support/security/bulletins/apsb11-02.html
[  4 ] APSB11-12
   http://www.adobe.com/support/security/bulletins/apsb11-12.html
[  5 ] APSB11-13
   http://www.adobe.com/support/security/bulletins/apsb11-13.html
[  6 ] APSB11-21
   https://www.adobe.com/support/security/bulletins/apsb11-21.html
[  7 ] APSB11-26
   https://www.adobe.com/support/security/bulletins/apsb11-26.html
[  8 ] CVE-2011-0558
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[  9 ] CVE-2011-0559
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-20

[ GLSA 201110-10 ] Wget: User-assisted file creation or overwrite

2011-10-14 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
Title: Wget: User-assisted file creation or overwrite
 Date: October 13, 2011
 Bugs: #329941
   ID: 201110-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Insecure usage of server provided filenames may allow the creation or
overwriting of local files.

Background
==

GNU Wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols.

Affected packages
=

---
 Package  / Vulnerable /Unaffected
---
  1  net-misc/wget   < 1.12-r2 >= 1.12-r2

Description
===

It was discovered that Wget was unsafely trusting server-provided
filenames. This allowed attackers to overwrite or create files on the
user's system by sending a redirect from the expected URL to another
URL specifying the targeted file.

Impact
==

An unauthenticated remote attacker may be able to create or overwrite
local files by enticing the user to open an attacker controlled URL,
possibly leading to execution of arbitrary code.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Wget users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/wget-1.12-r2"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since September 19, 2010. It is likely that your system is
already no longer affected by this issue.

References
==

[ 1 ] CVE-2010-2252
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2252

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-10.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201101-08 ] Adobe Reader: Multiple vulnerabilities

2011-01-21 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201101-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Adobe Reader: Multiple vulnerabilities
  Date: January 21, 2011
  Bugs: #336508, #343091
ID: 201101-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities in Adobe Reader might result in the execution
of arbitrary code.

Background
==

Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF
reader.

Affected packages
=

---
 Package /  Vulnerable  /   Unaffected
---
  1  app-text/acroread< 9.4.1 >= 9.4.1

Description
===

Multiple vulnerabilities were discovered in Adobe Reader. For further
information please consult the CVE entries and the Adobe Security
Bulletins referenced below.

Impact
==

A remote attacker might entice a user to open a specially crafted PDF
file, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application, or a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Adobe Reader users should upgrade to the latest stable version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.1"

References
==

  [ 1 ] APSB10-21
http://www.adobe.com/support/security/bulletins/apsb10-21.html
  [ 2 ] APSB10-28
http://www.adobe.com/support/security/bulletins/apsb10-28.html
  [ 3 ] CVE-2010-2883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883
  [ 4 ] CVE-2010-2884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2884
  [ 5 ] CVE-2010-2887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2887
  [ 6 ] CVE-2010-2889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2889
  [ 7 ] CVE-2010-2890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2890
  [ 8 ] CVE-2010-3619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3619
  [ 9 ] CVE-2010-3620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3620
  [ 10 ] CVE-2010-3621
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3621
  [ 11 ] CVE-2010-3622
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3622
  [ 12 ] CVE-2010-3625
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3625
  [ 13 ] CVE-2010-3626
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3626
  [ 14 ] CVE-2010-3627
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3627
  [ 15 ] CVE-2010-3628
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3628
  [ 16 ] CVE-2010-3629
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3629
  [ 17 ] CVE-2010-3630
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3630
  [ 18 ] CVE-2010-3632
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3632
  [ 19 ] CVE-2010-3654
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3654
  [ 20 ] CVE-2010-3656
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3656
  [ 21 ] CVE-2010-3657
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3657
  [ 22 ] CVE-2010-3658
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3658
  [ 23 ] CVE-2010-4091
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4091

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201101-08.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




signature.asc
Description: OpenPGP digital signature

[ GLSA 201101-09 ] Adobe Flash Player: Multiple vulnerabilities

2011-01-21 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201101-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Adobe Flash Player: Multiple vulnerabilities
  Date: January 21, 2011
  Bugs: #307749, #322855, #332205, #337204, #343089
ID: 201101-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple vulnerabilities in Adobe Flash Player might allow remote
attackers to execute arbitrary code or cause a Denial of Service.

Background
==

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=

---
 Package  /Vulnerable/  Unaffected
---
  1  www-plugins/adobe-flash  < 10.1.102.64 >= 10.1.102.64

Description
===

Multiple vulnerabilities were discovered in Adobe Flash Player. For
further information please consult the CVE entries and the Adobe
Security Bulletins referenced below.

Impact
==

A remote attacker could entice a user to open a specially crafted SWF
file, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application, or a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Adobe Flash Player users should upgrade to the latest stable
version:

# emerge --sync
# emerge --ask --oneshot --verbose
">=www-plugins/adobe-flash-10.1.102.64"

References
==

  [ 1 ] APSB10-06
http://www.adobe.com/support/security/bulletins/apsb10-06.html
  [ 2 ] APSB10-14
http://www.adobe.com/support/security/bulletins/apsb10-14.html
  [ 3 ] APSB10-16
http://www.adobe.com/support/security/bulletins/apsb10-16.html
  [ 4 ] APSB10-22
http://www.adobe.com/support/security/bulletins/apsb10-22.html
  [ 5 ] APSB10-26
http://www.adobe.com/support/security/bulletins/apsb10-26.html
  [ 6 ] CVE-2008-4546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4546
  [ 7 ] CVE-2009-3793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3793
  [ 8 ] CVE-2010-0186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0186
  [ 9 ] CVE-2010-0187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0187
  [ 10 ] CVE-2010-0209
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0209
  [ 11 ] CVE-2010-1297
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297
  [ 12 ] CVE-2010-2160
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2160
  [ 13 ] CVE-2010-2161
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2161
  [ 14 ] CVE-2010-2162
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2162
  [ 15 ] CVE-2010-2163
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2163
  [ 16 ] CVE-2010-2164
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2164
  [ 17 ] CVE-2010-2165
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2165
  [ 18 ] CVE-2010-2166
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2166
  [ 19 ] CVE-2010-2167
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2167
  [ 20 ] CVE-2010-2169
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2169
  [ 21 ] CVE-2010-2170
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2170
  [ 22 ] CVE-2010-2171
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2171
  [ 23 ] CVE-2010-2172
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2172
  [ 24 ] CVE-2010-2173
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2173
  [ 25 ] CVE-2010-2174
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2174
  [ 26 ] CVE-2010-2175
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2175
  [ 27 ] CVE-2010-2176
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2176
  [ 28 ] CVE-2010-2177
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2177
  [ 29 ] CVE-2010-2178
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2178
  [ 30 ] CVE-2010-2179
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2179
  [ 31 ] CVE-2010-2180
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2180
  [ 32 ] CVE-2010-2181
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2181
  [ 33 ] CVE-2010-2182
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2182
  [ 34 ] CVE-2010-2183
 http://

[ GLSA 201101-03 ] libvpx: User-assisted execution of arbitrary code

2011-01-17 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201101-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: libvpx: User-assisted execution of arbitrary code
  Date: January 15, 2011
  Bugs: #345559
ID: 201101-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Timothy B. Terriberry discovered that libvpx contains an integer
overflow vulnerability in the processing of video streams that may
allow user-assisted execution of arbitrary code.

Background
==

libvpx is the VP8 codec SDK used to encode and decode video streams,
typically within a WebM format media file.

Affected packages
=

---
 Package/  Vulnerable  /Unaffected
---
  1  media-libs/libvpx   < 0.9.5  >= 0.9.5

Description
===

libvpx is vulnerable to an integer overflow vulnerability when
processing crafted VP8 video streams.

Impact
==

A remote attacker could entice a user to open a specially crafted media
file, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application, or a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libvpx users should upgrade to the latest stable version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libvpx-0.9.5"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.

References
==

  [ 1 ] CVE-2010-4203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4203

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201101-03.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201101-02 ] Tor: Remote heap-based buffer overflow

2011-01-17 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201101-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Tor: Remote heap-based buffer overflow
  Date: January 15, 2011
  Bugs: #349312
ID: 201101-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Tor is vulnerable to a heap-based buffer overflow that may allow
arbitrary code execution.

Background
==

Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.

Affected packages
=

---
 Package   /  Vulnerable  / Unaffected
---
  1  net-misc/tor < 0.2.1.28   >= 0.2.1.28

Description
===

Tor contains a heap-based buffer overflow in the processing of user or
attacker supplied data. No additional information is available.

Impact
==

Successful exploitation of this vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code with the
permissions of the Tor user, or to cause a Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Tor users should upgrade to the latest stable version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.1.28"

References
==

  [ 1 ] CVE-2010-1676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1676

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201101-02.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201101-01 ] gif2png: User-assisted execution of arbitrary code

2011-01-05 Thread Tim Sammut

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201101-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: gif2png: User-assisted execution of arbitrary code
  Date: January 05, 2011
  Bugs: #346501
ID: 201101-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


gif2png contains a stack overflow vulnerability when parsing command
line arguments.

Background
==

gif2png is a command line program that converts image files from the
Graphics Interchange Format (GIF) format to the Portable Network
Graphics (PNG) format.

Affected packages
=

---
 Package/  Vulnerable  /Unaffected
---
  1  media-gfx/gif2png < 2.5.1-r1  >= 2.5.1-r1

Description
===

gif2png contains a command line parsing vulnerability that may result
in a stack overflow due to an unexpectedly long input filename.

Impact
==

A remote attacker could entice a user to open a specially crafted
image, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application, or a Denial of Service.
Note that applications relying on gif2png to process images can also
trigger the vulnerability.

Workaround
==

There is no known workaround at this time.

Resolution
==

All gif2png users should upgrade to the latest stable version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/gif2png-2.5.1-r1"

References
==

  [ 1 ] CVE-2009-5018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5018

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201101-01.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



signature.asc
Description: OpenPGP digital signature

[ GLSA 201201-17 ] Chromium: Multiple vulnerabilities

[ GLSA 201201-03 ] Chromium, V8: Multiple vulnerabilities

[ GLSA 201201-02 ] MySQL: Multiple vulnerabilities

[ GLSA 201201-01 ] phpMyAdmin: Multiple vulnerabilities

[ GLSA 201111-05 ] Chromium, V8: Multiple vulnerabilities

[ GLSA 201111-04 ] phpDocumentor: Function call injection

[ GLSA 201111-03 ] OpenTTD: Multiple vulnerabilities

[ GLSA 201110-26 ] libxml2: Multiple vulnerabilities

[ GLSA 201110-25 ] Pure-FTPd: Multiple vulnerabilities

[ GLSA 201110-24 ] Squid: Multiple vulnerabilities

[ GLSA 201110-21 ] Asterisk: Multiple vulnerabilities

[ GLSA 201110-20 ] Clam AntiVirus: Multiple vulnerabilities

[ GLSA 201110-16 ] Cyrus IMAP Server: Multiple vulnerabilities

[ GLSA 201110-15 ] GnuPG: User-assisted execution of arbitrary code

[ GLSA 201110-13 ] Tor: Multiple vulnerabilities

[ GLSA 201110-11 ] Adobe Flash Player: Multiple vulnerabilities

[ GLSA 201110-10 ] Wget: User-assisted file creation or overwrite

[ GLSA 201101-08 ] Adobe Reader: Multiple vulnerabilities

[ GLSA 201101-09 ] Adobe Flash Player: Multiple vulnerabilities

[ GLSA 201101-03 ] libvpx: User-assisted execution of arbitrary code

[ GLSA 201101-02 ] Tor: Remote heap-based buffer overflow

[ GLSA 201101-01 ] gif2png: User-assisted execution of arbitrary code

22 matches

Site Navigation

Mail list logo

Footer information