[gentoo-announce] [ GLSA 201904-19 ] Dovecot: Multiple vulnerabilities

2019-04-17 Thread Aaron Bauman
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201904-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Dovecot: Multiple vulnerabilities
     Date: April 17, 2019
     Bugs: #677350, #681922
       ID: 201904-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Dovecot, the worst of which
could result in root privilege escalation.

Background
==========

Dovecot is an open source IMAP and POP3 email server.

Affected packages
=================

-------------------------------------------------------------------
     Package              /     Vulnerable     /         Unaffected
-------------------------------------------------------------------
  1  net-mail/dovecot            < 2.3.5.1               >= 2.3.5.1

Description
===========

Multiple vulnerabilities have been discovered in Dovecot. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Dovecot users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.3.5.1"

References
==========

[ 1 ] CVE-2019-3814
  https://nvd.nist.gov/vuln/detail/CVE-2019-3814
[ 2 ] CVE-2019-7524
  https://nvd.nist.gov/vuln/detail/CVE-2019-7524

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201904-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5




[gentoo-announce] [ GLSA 201904-18 ] libseccomp: Privilege escalation

2019-04-17 Thread Aaron Bauman
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201904-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: libseccomp: Privilege escalation
     Date: April 17, 2019
     Bugs: #680442
       ID: 201904-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in libseccomp allows for privilege escalation.

Background
==========

libseccomp is a library that provides an easy-to-use, platform-independent
interface to the Linux kernel's syscall filtering mechanism.

Affected packages
=================

-------------------------------------------------------------------
     Package              /     Vulnerable     /         Unaffected
-------------------------------------------------------------------
  1  sys-libs/libseccomp         < 2.4.0                 >= 2.4.0

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

Please review the referenced CVE identifier for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libseccomp users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-libs/libseccomp-2.4.0"

References
==========

[ 1 ] CVE-2019-9893
  https://nvd.nist.gov/vuln/detail/CVE-2019-9893

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201904-18

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5




[gentoo-announce] [ GLSA 201904-17 ] Patch: Multiple vulnerabilities

2019-04-17 Thread Aaron Bauman
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201904-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Patch: Multiple vulnerabilities
     Date: April 17, 2019
     Bugs: #647792, #647794, #652710
       ID: 201904-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Patch, the worst of which
could result in the execution of arbitrary code.

Background
==========

Patch takes a patch file containing a difference listing produced by
the diff program and applies those differences to one or more original
files, producing patched versions.

Affected packages
=================

-------------------------------------------------------------------
     Package              /     Vulnerable     /         Unaffected
-------------------------------------------------------------------
  1  sys-devel/patch             < 2.7.6-r3              >= 2.7.6-r3

Description
===========

Multiple vulnerabilities have been discovered in Patch. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Patch users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-devel/patch-2.7.6-r3"
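The three advisories in this digest (GLSA 201904-19, 201904-18 and 201904-17) each state the vulnerable range as "below the first unaffected version", and the resolution is the same emerge upgrade in every case. The following added example, written for this page and not part of Gentoo's own tooling, takes installed-package lines in the category/name-version form printed by tools such as `qlist -Iv` and reports which of the three packages still sit in the vulnerable range. The `GLSA_UNAFFECTED` map, the version parser and the sample input are assumptions constructed here; the parser accepts only dotted numeric versions with an optional `-rN` revision, which covers these three advisories but not the full Gentoo version syntax, and it rejects anything else rather than mis-ordering it.

```python
import re
from typing import Dict, List, Tuple

# First unaffected version per package, copied from the three Affected
# packages tables above. The map itself is a constructed helper.
GLSA_UNAFFECTED: Dict[str, str] = {
    "net-mail/dovecot": "2.3.5.1",
    "sys-libs/libseccomp": "2.4.0",
    "sys-devel/patch": "2.7.6-r3",
}

# Assumption: only dotted numeric versions with an optional -rN ebuild
# revision are handled; suffixes such as _rc1 or _p1 raise an error.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

# 'category/name-version': the version starts at the last '-' that is
# followed by a digit, so names containing '-' still split correctly.
_ATOM_RE = re.compile(r"^(.+?)-(\d[\d.]*(?:-r\d+)?)$")


def parse_version(version: str) -> Tuple[List[int], int]:
    """Split '2.7.6-r3' into ([2, 7, 6], 3); an unrevised version gets -r0."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    components = [int(p) for p in m.group(1).split(".")]
    revision = int(m.group(2)) if m.group(2) else 0
    return components, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to or higher than b.

    Components are compared numerically left to right; a version with more
    components sorts higher (2.4 < 2.4.0), and revisions are compared only
    when the numeric parts are equal (2.7.6 < 2.7.6-r3).
    """
    key_a, key_b = parse_version(a), parse_version(b)
    return (key_a > key_b) - (key_a < key_b)


def is_vulnerable(package: str, installed: str) -> bool:
    """True when the installed version is below the first unaffected one."""
    return compare_versions(installed, GLSA_UNAFFECTED[package]) < 0


def parse_installed(lines: List[str]) -> List[Tuple[str, str]]:
    """Turn 'category/name-version' lines into (package, version) pairs."""
    result = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = _ATOM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised package line: {line!r}")
        result.append((m.group(1), m.group(2)))
    return result


def check_installed(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (package, version, vulnerable) for each installed package that
    one of the three advisories covers; other packages are skipped."""
    return [
        (pkg, ver, is_vulnerable(pkg, ver))
        for pkg, ver in parse_installed(lines)
        if pkg in GLSA_UNAFFECTED
    ]


# Constructed sample of installed-package lines, not output from a real host.
SAMPLE_INSTALLED = [
    "net-mail/dovecot-2.3.4.1",
    "sys-libs/libseccomp-2.4.0",
    "sys-devel/patch-2.7.6-r2",
    "app-editors/vim-8.1.0648",
]

if __name__ == "__main__":
    for pkg, ver, vuln in check_installed(SAMPLE_INSTALLED):
        status = f"VULNERABLE, upgrade to >= {GLSA_UNAFFECTED[pkg]}" if vuln else "ok"
        print(f"{pkg}-{ver}: {status}")
```

On the sample input this flags dovecot 2.3.4.1 and patch 2.7.6-r2 as vulnerable and passes libseccomp 2.4.0, because the unaffected version is itself outside the vulnerable range. The revision handling matters for the patch advisory: a naive string or float comparison would treat 2.7.6 and 2.7.6-r3 as the same version and miss an unpatched ebuild.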

References
==========

[ 1 ] CVE-2018-1000156
  https://nvd.nist.gov/vuln/detail/CVE-2018-1000156
[ 2 ] CVE-2018-6951
  https://nvd.nist.gov/vuln/detail/CVE-2018-6951
[ 3 ] CVE-2018-6952
  https://nvd.nist.gov/vuln/detail/CVE-2018-6952

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201904-17

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5




[gentoo-announce] Nitrokey partners with Gentoo Foundation to equip developers with USB keys

2019-04-17 Thread Robin H. Johnson
The Gentoo Foundation[1] has partnered with Nitrokey[2] to equip all 
Gentoo developers with free Nitrokey Pro 2[3] devices. Gentoo
developers will use the Nitrokey devices to store cryptographic keys
for signing of git commits and software packages, GnuPG keys, and SSH 
accounts.

Thanks to the Gentoo Foundation and Nitrokey's discount, each Gentoo
developer is eligible to receive one free Nitrokey Pro 2. To receive
their Nitrokey, developers will need to register with their @gentoo.org
email address at the dedicated order form [4].

A Nitrokey Pro 2 Guide[5] is available on the Gentoo Wiki with FAQ &
instructions for integrating Nitrokeys into developer workflow.

ABOUT NITROKEY PRO 2

"Nitrokey Pro 2"[3] has strong reliable hardware encryption, thanks to
open source. It can help you to: sign Git commits; encrypt emails and 
files; secure server access; and protect accounts against identity
theft via two-factor authentication (one-time passwords).

ABOUT GENTOO

Gentoo Linux[7] is a free, source-based, rolling release meta
distribution that features a high degree of flexibility and high
performance. It empowers you to make your computer work for you, and 
offers a variety of choices at all levels of system configuration.

As a community, Gentoo consists of approximately two hundred developers
and over fifty thousand users globally.

The Gentoo Foundation[1] supports the development of Gentoo, protects
Gentoo's intellectual property, and oversees adherence to Gentoo's
Social Contract.

ABOUT NITROKEY

Nitrokey[2] is a German IT security startup committed to open source
hardware and software. Nitrokey develops and produces USB keys for data
encryption, email encryption (PGP/GPG, S/MIME), and secure account
logins (SSH, two-factor authentication via OTP and FIDO).

Nitrokey is proud to support the Gentoo Foundation in further securing
the Gentoo infrastructure and contributing to a secure open source
Linux ecosystem.

1. https://wiki.gentoo.org/wiki/Foundation:Main_Page
2. https://www.nitrokey.com/
3. https://www.nitrokey.com/files/doc/Nitrokey_Pro_factsheet.pdf
4. https://gentoo.nitrokey.com/
5. https://wiki.gentoo.org/wiki/Project:Infrastructure/Nitrokey_Pro_2_guide_for_Gentoo_developers
7. https://www.gentoo.org/

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

