[gentoo-announce] [ GLSA 202409-32 ] nginx: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: nginx: Multiple Vulnerabilities
      Date: September 28, 2024
      Bugs: #924619, #937938
        ID: 202409-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in nginx, the worst of
which could result in denial of service.

Background
==========

nginx is a robust, small, and high performance HTTP and reverse proxy
server.

Affected packages
=================

Package            Vulnerable    Unaffected
-----------------  ------------  ------------
www-servers/nginx  < 1.26.2-r2   >= 1.26.2-r2

Description
===========

Multiple vulnerabilities have been discovered in nginx. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All nginx users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/nginx-1.26.2-r2"

References
==========

[ 1 ] CVE-2024-7347
      https://nvd.nist.gov/vuln/detail/CVE-2024-7347
[ 2 ] CVE-2024-24989
      https://nvd.nist.gov/vuln/detail/CVE-2024-24989
[ 3 ] CVE-2024-24990
      https://nvd.nist.gov/vuln/detail/CVE-2024-24990

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-32

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its
owner(s).

The contents of this document are licensed under the Creative Commons -
Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
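Every advisory on this page reduces to the same administrative step: read the "Affected packages" table, decide whether the installed version (and, for slotted packages such as app-editors/emacs in GLSA 202409-19 further down, the installed slot) falls in the vulnerable range, and run the emerge atom from the Resolution section. The following is an added example, not Gentoo's, Portage's or glsa-check's code: it parses rows in the form the advisories print them, orders versions by a simplified reading of the Package Manager Specification rules (-rN revisions, _alpha/_beta/_pre/_rc/_p suffixes, letter suffixes), and emits the atoms to emerge or the packages to unmerge when no fixed version exists. The installed versions are a constructed sample, not a queried system.

```python
"""Map a GLSA "Affected packages" table onto installed package versions and
emit the emerge atoms the Resolution section calls for.  Added example, not
Portage or glsa-check code.  Version ordering follows a simplified reading of
the Package Manager Specification (leading zeros in later components are
treated as plain integers)."""
import re

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)
# A range cell such as "< 26.3-r19:26": operator, version, optional slot.
RANGE_RE = re.compile(r"(<=|>=|<|>)\s*([^\s:]+)(?::(\S+))?")
OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def parse_version(v):
    """Turn '1.26.2_rc1-r2' into a tuple that sorts the way Portage orders it."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"not a Gentoo version: {v!r}")
    nums = [int(x) for x in m.group("nums").split(".")]
    letter = ord(m.group("letter")) if m.group("letter") else 0
    suffixes = [(SUFFIX_RANK[k], int(n or 0)) for k, n in
                re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group("suffixes"))]
    # The sentinel makes an unsuffixed release sort after _rc and before _p.
    suffixes.append((SUFFIX_RANK[""], 0))
    return (nums, letter, suffixes, int(m.group("rev") or 0))


def vercmp(a, b):
    """-1, 0 or 1 as Gentoo version a is older than, equal to or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def parse_affected_row(row):
    """'www-servers/nginx < 1.26.2-r2 >= 1.26.2-r2' ->
    ('www-servers/nginx', [('<', '1.26.2-r2', None), ('>=', '1.26.2-r2', None)])
    Rows that only say 'Vulnerable!' (no fixed version) yield no '>=' range."""
    pkg, rest = row.split(None, 1)
    return pkg, [(op, ver, slot or None) for op, ver, slot in RANGE_RE.findall(rest)]


def is_vulnerable(installed_ver, installed_slot, ranges):
    """True if the installed version lies in a '<'/'<=' range for its slot and
    in no '>'/'>=' (unaffected) range for that slot."""
    def matches(op, ver, slot):
        return (slot is None or slot == installed_slot) and OPS[op](vercmp(installed_ver, ver))
    hit = any(matches(*r) for r in ranges if r[0] in ("<", "<="))
    safe = any(matches(*r) for r in ranges if r[0] in (">", ">="))
    return hit and not safe


def resolution_atoms(installed, table_rows):
    """installed: {'category/pkg': [(version, slot), ...]}.  Returns one emerge
    atom per vulnerable installed version, or 'unmerge category/pkg' when the
    advisory lists no unaffected version (as GLSA 202409-26 does for IcedTea)."""
    atoms = []
    for row in table_rows:
        pkg, ranges = parse_affected_row(row)
        for ver, slot in installed.get(pkg, []):
            if not is_vulnerable(ver, slot, ranges):
                continue
            fixes = [(v, s) for op, v, s in ranges
                     if op in (">", ">=") and (s is None or s == slot)]
            if not fixes:
                atoms.append(f"unmerge {pkg}")
            else:
                v, s = fixes[0]
                atoms.append(f">={pkg}-{v}" + (f":{s}" if s else ""))
    return atoms


# Constructed sample: rows copied from the tables in GLSA 202409-32, 202409-19
# and 202409-26, plus made-up installed versions (no real system was queried).
AFFECTED = [
    "www-servers/nginx < 1.26.2-r2 >= 1.26.2-r2",
    "app-editors/emacs < 26.3-r19:26 >= 26.3-r19:26 < 28.2-r13:28 >= 28.2-r13:28",
    "dev-java/icedtea <= 3.21.0 Vulnerable!",
]
INSTALLED = {
    "www-servers/nginx": [("1.26.2-r1", "0")],
    "app-editors/emacs": [("26.3-r19", "26"), ("28.2-r12", "28")],
    "dev-java/icedtea": [("3.21.0", "8")],
}

if __name__ == "__main__":
    for atom in resolution_atoms(INSTALLED, AFFECTED):
        print(atom)
```

On a real system the installed list would come from `qlist -ICv` or `equery list`, and `glsa-check` from app-portage/gentoolkit already does this check against the official GLSA XML feed.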
[gentoo-announce] [ GLSA 202409-31 ] Apache HTTPD: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Apache HTTPD: Multiple Vulnerabilities
      Date: September 28, 2024
      Bugs: #928540, #935296, #935427, #936257
        ID: 202409-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Apache HTTPD, the worst of
which could result in denial of service.

Background
==========

The Apache HTTP server is one of the most popular web servers on the
Internet.

Affected packages
=================

Package             Vulnerable  Unaffected
------------------  ----------  ----------
www-servers/apache  < 2.4.62    >= 2.4.62

Description
===========

Multiple vulnerabilities have been discovered in Apache HTTPD. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache HTTPD users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.62"

References
==========

[ 1 ] CVE-2023-38709
      https://nvd.nist.gov/vuln/detail/CVE-2023-38709
[ 2 ] CVE-2024-24795
      https://nvd.nist.gov/vuln/detail/CVE-2024-24795
[ 3 ] CVE-2024-27316
      https://nvd.nist.gov/vuln/detail/CVE-2024-27316
[ 4 ] CVE-2024-36387
      https://nvd.nist.gov/vuln/detail/CVE-2024-36387
[ 5 ] CVE-2024-38472
      https://nvd.nist.gov/vuln/detail/CVE-2024-38472
[ 6 ] CVE-2024-38473
      https://nvd.nist.gov/vuln/detail/CVE-2024-38473
[ 7 ] CVE-2024-38474
      https://nvd.nist.gov/vuln/detail/CVE-2024-38474
[ 8 ] CVE-2024-38475
      https://nvd.nist.gov/vuln/detail/CVE-2024-38475
[ 9 ] CVE-2024-38476
      https://nvd.nist.gov/vuln/detail/CVE-2024-38476
[ 10 ] CVE-2024-38477
      https://nvd.nist.gov/vuln/detail/CVE-2024-38477
[ 11 ] CVE-2024-39573
      https://nvd.nist.gov/vuln/detail/CVE-2024-39573
[ 12 ] CVE-2024-39884
      https://nvd.nist.gov/vuln/detail/CVE-2024-39884
[ 13 ] CVE-2024-40725
      https://nvd.nist.gov/vuln/detail/CVE-2024-40725
[ 14 ] CVE-2024-40898
      https://nvd.nist.gov/vuln/detail/CVE-2024-40898

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-31
[gentoo-announce] [ GLSA 202409-30 ] yt-dlp: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: yt-dlp: Multiple Vulnerabilities
      Date: September 28, 2024
      Bugs: #909780, #917355, #935316
        ID: 202409-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in yt-dlp, the worst of which
could result in arbitrary code execution.

Background
==========

yt-dlp is a youtube-dl fork with additional features and fixes.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  -------------
net-misc/yt-dlp  < 2024.07.01  >= 2024.07.01

Description
===========

Multiple vulnerabilities have been found in yt-dlp. Please review the
referenced CVE identifiers for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All yt-dlp users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/yt-dlp-2024.07.01"

References
==========

[ 1 ] CVE-2023-35934
      https://nvd.nist.gov/vuln/detail/CVE-2023-35934
[ 2 ] CVE-2023-46121
      https://nvd.nist.gov/vuln/detail/CVE-2023-46121
[ 3 ] CVE-2024-38519
      https://nvd.nist.gov/vuln/detail/CVE-2024-38519

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-30
[gentoo-announce] [ GLSA 202409-29 ] Docker: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Docker: Multiple Vulnerabilities
      Date: September 28, 2024
      Bugs: #816273, #869407, #877653, #886509, #903804, #905336, #925022
        ID: 202409-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Docker, the worst of
which could result in denial of service.

Background
==========

Docker contains the core functions you need to create Docker images and
run Docker containers.

Affected packages
=================

Package                Vulnerable  Unaffected
---------------------  ----------  ----------
app-containers/docker  < 25.0.4    >= 25.0.4

Description
===========

Multiple vulnerabilities have been discovered in Docker. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Docker users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-containers/docker-25.0.4"

References
==========

[ 1 ] CVE-2021-41089
      https://nvd.nist.gov/vuln/detail/CVE-2021-41089
[ 2 ] CVE-2021-41091
      https://nvd.nist.gov/vuln/detail/CVE-2021-41091
[ 3 ] CVE-2022-36109
      https://nvd.nist.gov/vuln/detail/CVE-2022-36109
[ 4 ] CVE-2022-41717
      https://nvd.nist.gov/vuln/detail/CVE-2022-41717
[ 5 ] CVE-2023-26054
      https://nvd.nist.gov/vuln/detail/CVE-2023-26054
[ 6 ] CVE-2023-28840
      https://nvd.nist.gov/vuln/detail/CVE-2023-28840
[ 7 ] CVE-2023-28841
      https://nvd.nist.gov/vuln/detail/CVE-2023-28841
[ 8 ] CVE-2023-28842
      https://nvd.nist.gov/vuln/detail/CVE-2023-28842
[ 9 ] CVE-2024-23650
      https://nvd.nist.gov/vuln/detail/CVE-2024-23650
[ 10 ] CVE-2024-23651
      https://nvd.nist.gov/vuln/detail/CVE-2024-23651
[ 11 ] CVE-2024-23652
      https://nvd.nist.gov/vuln/detail/CVE-2024-23652
[ 12 ] CVE-2024-23653
      https://nvd.nist.gov/vuln/detail/CVE-2024-23653
[ 13 ] CVE-2024-24557
      https://nvd.nist.gov/vuln/detail/CVE-2024-24557

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-29
[gentoo-announce] [ GLSA 202409-28 ] HashiCorp Consul: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: HashiCorp Consul: Multiple Vulnerabilities
      Date: September 28, 2024
      Bugs: #885997
        ID: 202409-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in HashiCorp Consul, the
worst of which could result in denial of service.

Background
==========

HashiCorp Consul is a tool for service discovery, monitoring and
configuration.

Affected packages
=================

Package           Vulnerable  Unaffected
----------------  ----------  ----------
app-admin/consul  < 1.15.10   >= 1.15.10

Description
===========

Multiple vulnerabilities have been found in HashiCorp Consul. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the CVE identifiers referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All HashiCorp Consul users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/consul-1.15.10"

References
==========

[ 1 ] CVE-2022-41717
      https://nvd.nist.gov/vuln/detail/CVE-2022-41717

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-28
[gentoo-announce] [ GLSA 202409-27 ] tmux: Null Pointer Dereference
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: tmux: Null Pointer Dereference
      Date: September 28, 2024
      Bugs: #891783
        ID: 202409-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in tmux which could result in an
application crash.

Background
==========

tmux is a terminal multiplexer.

Affected packages
=================

Package        Vulnerable  Unaffected
-------------  ----------  ----------
app-misc/tmux  < 3.4       >= 3.4

Description
===========

A null pointer dereference issue was discovered in the function
window_pane_set_event in window.c, which allows attackers to cause a
denial of service or other unspecified impacts.

Impact
======

Manipulating tmux window state could result in a null pointer
dereference.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All tmux users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-misc/tmux-3.4"

References
==========

[ 1 ] CVE-2022-47016
      https://nvd.nist.gov/vuln/detail/CVE-2022-47016

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-27
[gentoo-announce] [ GLSA 202409-26 ] IcedTea: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: IcedTea: Multiple Vulnerabilities
      Date: September 28, 2024
      Bugs: #732628, #803608, #877599
        ID: 202409-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in IcedTea, the worst of which
could result in arbitrary code execution.

Background
==========

IcedTea's aim is to provide OpenJDK in a form suitable for easy
configuration, compilation and distribution with the primary goal of
allowing inclusion in GNU/Linux distributions.

Affected packages
=================

Package               Vulnerable    Unaffected
--------------------  ------------  -----------
dev-java/icedtea      <= 3.21.0     Vulnerable!
dev-java/icedtea-bin  <= 3.16.0-r2  Vulnerable!

Description
===========

Multiple vulnerabilities have been discovered in IcedTea. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

Gentoo has discontinued support for IcedTea. We recommend that users
unmerge it:

  # emerge --sync
  # emerge --ask --depclean "dev-java/icedtea" "dev-java/icedtea-bin"

References
==========

[ 1 ] CVE-2020-14556
      https://nvd.nist.gov/vuln/detail/CVE-2020-14556
[ 2 ] CVE-2020-14562
      https://nvd.nist.gov/vuln/detail/CVE-2020-14562
[ 3 ] CVE-2020-14573
      https://nvd.nist.gov/vuln/detail/CVE-2020-14573
[ 4 ] CVE-2020-14577
      https://nvd.nist.gov/vuln/detail/CVE-2020-14577
[ 5 ] CVE-2020-14578
      https://nvd.nist.gov/vuln/detail/CVE-2020-14578
[ 6 ] CVE-2020-14579
      https://nvd.nist.gov/vuln/detail/CVE-2020-14579
[ 7 ] CVE-2020-14581
      https://nvd.nist.gov/vuln/detail/CVE-2020-14581
[ 8 ] CVE-2020-14583
      https://nvd.nist.gov/vuln/detail/CVE-2020-14583
[ 9 ] CVE-2020-14593
      https://nvd.nist.gov/vuln/detail/CVE-2020-14593
[ 10 ] CVE-2020-14621
      https://nvd.nist.gov/vuln/detail/CVE-2020-14621
[ 11 ] CVE-2020-14664
      https://nvd.nist.gov/vuln/detail/CVE-2020-14664
[ 12 ] CVE-2020-14779
      https://nvd.nist.gov/vuln/detail/CVE-2020-14779
[ 13 ] CVE-2020-14781
      https://nvd.nist.gov/vuln/detail/CVE-2020-14781
[ 14 ] CVE-2020-14782
      https://nvd.nist.gov/vuln/detail/CVE-2020-14782
[ 15 ] CVE-2020-14792
      https://nvd.nist.gov/vuln/detail/CVE-2020-14792
[ 16 ] CVE-2020-14796
      https://nvd.nist.gov/vuln/detail/CVE-2020-14796
[ 17 ] CVE-2020-14797
      https://nvd.nist.gov/vuln/detail/CVE-2020-14797
[ 18 ] CVE-2020-14798
      https://nvd.nist.gov/vuln/detail/CVE-2020-14798
[ 19 ] CVE-2020-14803
      https://nvd.nist.gov/vuln/detail/CVE-2020-14803
[ 20 ] CVE-2021-2341
      https://nvd.nist.gov/vuln/detail/CVE-2021-2341
[ 21 ] CVE-2021-2369
      https://nvd.nist.gov/vuln/detail/CVE-2021-2369
[ 22 ] CVE-2021-2388
      https://nvd.nist.gov/vuln/detail/CVE-2021-2388
[ 23 ] CVE-2021-2432
      https://nvd.nist.gov/vuln/detail/CVE-2021-2432
[ 24 ] CVE-2021-35550
      https://nvd.nist.gov/vuln/detail/CVE-2021-35550
[ 25 ] CVE-2021-35556
      https://nvd.nist.gov/vuln/detail/CVE-2021-35556
[ 26 ] CVE-2021-35559
      https://nvd.nist.gov/vuln/detail/CVE-2021-35559
[ 27 ] CVE-2021-35561
      https://nvd.nist.gov/vuln/detail/CVE-2021-35561
[ 28 ] CVE-2021-35564
      https://nvd.nist.gov/vuln/detail/CVE-2021-35564
[ 29 ] CVE-2021-35565
      https://nvd.nist.gov/vuln/detail/CVE-2021-35565
[ 30 ] CVE-2021-35567
      https://nvd.nist.gov/vuln/detail/CVE-2021-35567
[ 31 ] CVE-2021-35578
      https://nvd.nist.gov/vuln/detail/CVE-2021-35578
[ 32 ] CVE-2021-35586
      https://nvd.nist.gov/vuln/detail/CVE-2021-35586
[ 33 ] CVE-2021-35588
      https://nvd.nist.gov/vuln/detail/CVE-2021-35588
[ 34 ] CVE-2021-35603
      https://nvd.nist.gov/vuln/detail/CVE-2021-35603
[ 35 ] CVE-2022-21618
      https://nvd.nist.gov/vuln/detail/CVE-2022-21618
[ 36 ] CVE-2022-21619
      https://nvd.nist.gov/vuln/detail/CVE-2022-21619
[ 37 ] CVE-2022-21624
      https://nvd.nist.gov/vuln/detail/CVE-2022-21624
[ 38 ] CVE-2022-21626
      https://nvd.nist.gov/vuln/detail/CVE-2022-21626
[ 39 ] CVE-2022-21628
      https://nvd.nist.gov/vuln/detail/CVE-2022-21628
[ 40 ] CVE-2022-39399
      https://nvd.nist.gov/vuln/detail/CVE-2022-39399
[ 41 ] CVE-2023-21830
      https://nvd.nist.gov/vuln/detail/CVE-2023-21830
[ 42 ] CVE-2023-21835
      https://nvd.nist.gov/vuln/detail/CVE-2023-21835
[ 43 ] CVE-2023-21843
      https://nvd.nist.gov/vuln/detail/CVE-2023-21843

Availability
============

This GLSA and any updates to it are available for viewing at
[gentoo-announce] [ GLSA 202409-25 ] Xpdf: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Xpdf: Multiple Vulnerabilities
      Date: September 25, 2024
      Bugs: #845027, #908037, #936407
        ID: 202409-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Xpdf, the worst of which
could result in denial of service.

Background
==========

Xpdf is an X viewer for PDF files.

Affected packages
=================

Package        Vulnerable  Unaffected
-------------  ----------  ----------
app-text/xpdf  < 4.05      >= 4.05

Description
===========

Multiple vulnerabilities have been discovered in Xpdf. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xpdf users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/xpdf-4.05"

References
==========

[ 1 ] CVE-2018-7453
      https://nvd.nist.gov/vuln/detail/CVE-2018-7453
[ 2 ] CVE-2018-16369
      https://nvd.nist.gov/vuln/detail/CVE-2018-16369
[ 3 ] CVE-2022-30524
      https://nvd.nist.gov/vuln/detail/CVE-2022-30524
[ 4 ] CVE-2022-30775
      https://nvd.nist.gov/vuln/detail/CVE-2022-30775
[ 5 ] CVE-2022-33108
      https://nvd.nist.gov/vuln/detail/CVE-2022-33108
[ 6 ] CVE-2022-36561
      https://nvd.nist.gov/vuln/detail/CVE-2022-36561
[ 7 ] CVE-2022-38222
      https://nvd.nist.gov/vuln/detail/CVE-2022-38222
[ 8 ] CVE-2022-38334
      https://nvd.nist.gov/vuln/detail/CVE-2022-38334
[ 9 ] CVE-2022-38928
      https://nvd.nist.gov/vuln/detail/CVE-2022-38928
[ 10 ] CVE-2022-41842
      https://nvd.nist.gov/vuln/detail/CVE-2022-41842
[ 11 ] CVE-2022-41843
      https://nvd.nist.gov/vuln/detail/CVE-2022-41843
[ 12 ] CVE-2022-41844
      https://nvd.nist.gov/vuln/detail/CVE-2022-41844
[ 13 ] CVE-2022-43071
      https://nvd.nist.gov/vuln/detail/CVE-2022-43071
[ 14 ] CVE-2022-43295
      https://nvd.nist.gov/vuln/detail/CVE-2022-43295
[ 15 ] CVE-2022-45586
      https://nvd.nist.gov/vuln/detail/CVE-2022-45586
[ 16 ] CVE-2022-45587
      https://nvd.nist.gov/vuln/detail/CVE-2022-45587
[ 17 ] CVE-2023-2662
      https://nvd.nist.gov/vuln/detail/CVE-2023-2662
[ 18 ] CVE-2023-2663
      https://nvd.nist.gov/vuln/detail/CVE-2023-2663
[ 19 ] CVE-2023-2664
      https://nvd.nist.gov/vuln/detail/CVE-2023-2664
[ 20 ] CVE-2023-3044
      https://nvd.nist.gov/vuln/detail/CVE-2023-3044
[ 21 ] CVE-2023-3436
      https://nvd.nist.gov/vuln/detail/CVE-2023-3436

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-25
[gentoo-announce] [ GLSA 202409-24 ] Tor: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Tor: Multiple Vulnerabilities
      Date: September 24, 2024
      Bugs: #916759, #917142
        ID: 202409-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Tor, the worst of which
could result in denial of service.

Background
==========

Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.

Affected packages
=================

Package      Vulnerable  Unaffected
-----------  ----------  ----------
net-vpn/tor  < 0.4.8.9   >= 0.4.8.9

Description
===========

Multiple vulnerabilities have been discovered in Tor. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Tor users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-vpn/tor-0.4.8.9"

References
==========

[ 1 ] TROVE-2023-004
[ 2 ] TROVE-2023-006

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-24
[gentoo-announce] [ GLSA 202409-23 ] ZNC: Remote Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ZNC: Remote Code Execution
      Date: September 24, 2024
      Bugs: #935422
        ID: 202409-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in ZNC which could result in remote code
execution.

Background
==========

ZNC is an advanced IRC bouncer.

Affected packages
=================

Package      Vulnerable  Unaffected
-----------  ----------  ----------
net-irc/znc  < 1.9.1     >= 1.9.1

Description
===========

ZNC's modtcl module could allow for remote code execution via a KICK.

Impact
======

A vulnerable ZNC with the modtcl module loaded could be exploited for
remote code execution.

Workaround
==========

Unload the modtcl module.

Resolution
==========

All ZNC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-irc/znc-1.9.1"

References
==========

[ 1 ] CVE-2024-39844
      https://nvd.nist.gov/vuln/detail/CVE-2024-39844

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-23
[gentoo-announce] [ GLSA 202409-22 ] GCC: Flawed Code Generation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GCC: Flawed Code Generation
      Date: September 24, 2024
      Bugs: #719466
        ID: 202409-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in GCC, which can lead to flawed
code generation.

Background
==========

The GNU Compiler Collection includes front ends for C, C++,
Objective-C, Fortran, Ada, Go, D and Modula-2 as well as libraries for
these languages (libstdc++,...).

Affected packages
=================

Package        Vulnerable  Unaffected
-------------  ----------  ----------
sys-devel/gcc  < 10.0      >= 10.0

Description
===========

A vulnerability has been discovered in GCC. Please review the CVE
identifier referenced below for details.

Impact
======

The POWER9 backend in GNU Compiler Collection (GCC) could optimize
multiple calls of the __builtin_darn intrinsic into a single call, thus
reducing the entropy of the random number generator. This occurred
because a volatile operation was not specified. For example, within a
single execution of a program, the output of every __builtin_darn()
call may be the same.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GCC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-devel/gcc-10.0"

And then select it with gcc-config:

  # gcc-config latest

In this case, users should also rebuild all affected packages with
emerge -e, e.g.:

  # emerge --usepkg=n --emptytree @world

References
==========

[ 1 ] CVE-2019-15847
      https://nvd.nist.gov/vuln/detail/CVE-2019-15847

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-22
[gentoo-announce] [ GLSA 202409-21 ] Hunspell: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Hunspell: Multiple Vulnerabilities
      Date: September 24, 2024
      Bugs: #866093
        ID: 202409-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Hunspell, the worst of
which could lead to arbitrary code execution.

Background
==========

Hunspell is the spell checker of LibreOffice, OpenOffice.org, Mozilla
Firefox & Thunderbird, Google Chrome.

Affected packages
=================

Package            Vulnerable  Unaffected
-----------------  ----------  ----------
app-text/hunspell  < 1.7.1     >= 1.7.1

Description
===========

Malicious input to the hunspell spell checker could result in an
application crash or other unspecified behavior.

Impact
======

Malicious input to the hunspell spell checker could result in an
application crash or other unspecified behavior.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Hunspell users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/hunspell-1.7.1"

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-21
[gentoo-announce] [ GLSA 202409-20 ] curl: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202409-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: curl: Multiple Vulnerabilities
      Date: September 23, 2024
      Bugs: #919325, #919889, #923413, #927960
        ID: 202409-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in curl, the worst of
which could lead to information disclosure.

Background
==========

A command line tool and library for transferring data with URLs.

Affected packages
=================

Package        Vulnerable  Unaffected
-------------  ----------  ----------
net-misc/curl  < 8.7.1     >= 8.7.1

Description
===========

Multiple vulnerabilities have been discovered in curl. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All curl users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/curl-8.7.1"

References
==========

[ 1 ] CVE-2023-42619
      https://nvd.nist.gov/vuln/detail/CVE-2023-42619
[ 2 ] CVE-2023-46218
      https://nvd.nist.gov/vuln/detail/CVE-2023-46218
[ 3 ] CVE-2023-46219
      https://nvd.nist.gov/vuln/detail/CVE-2023-46219
[ 4 ] CVE-2024-0853
      https://nvd.nist.gov/vuln/detail/CVE-2024-0853
[ 5 ] CVE-2024-2004
      https://nvd.nist.gov/vuln/detail/CVE-2024-2004
[ 6 ] CVE-2024-2398
      https://nvd.nist.gov/vuln/detail/CVE-2024-2398
[ 7 ] CVE-2024-2466
      https://nvd.nist.gov/vuln/detail/CVE-2024-2466

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202409-20
[gentoo-announce] [ GLSA 202409-19 ] Emacs, org-mode: Command Execution Vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: High
     Title: Emacs, org-mode: Command Execution Vulnerability
      Date: September 22, 2024
      Bugs: #934736
        ID: 202409-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in Emacs and org-mode which could result
in arbitrary code execution.

Background
==========

Emacs is the extensible, customizable, self-documenting real-time
display editor. org-mode is an Emacs mode for notes and project
planning.

Affected packages
=================

Package             Vulnerable     Unaffected
------------------  -------------  --------------
app-editors/emacs   < 26.3-r19:26  >= 26.3-r19:26
                    < 27.2-r17:27  >= 27.2-r17:27
                    < 28.2-r13:28  >= 28.2-r13:28
                    < 29.3-r3:29   >= 29.3-r3:29
app-emacs/org-mode  < 9.7.5        >= 9.7.5

Description
===========

%(...) link abbreviations could specify unsafe functions.

Impact
======

Opening a malicious org-mode file could result in arbitrary code
execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Emacs users should upgrade to the latest version according to the
installed slot, one of:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-26.3-r19:26"

Alternatively:

  # emerge --ask --oneshot --verbose ">=app-editors/emacs-27.2-r17:27"
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-28.2-r13:28"
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-29.3-r3:29"

All org-mode users should upgrade to the latest package:

  # emerge --ask --oneshot --verbose ">=app-emacs/org-mode-9.7.5"

References
==========

[ 1 ] CVE-2024-39331
      https://nvd.nist.gov/vuln/detail/CVE-2024-39331

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-18 ] liblouis: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Low
     Title: liblouis: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #905298
        ID: 202409-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in liblouis, the worst of
which could result in denial of service.

Background
==========

liblouis is an open-source braille translator and back-translator.

Affected packages
=================

Package            Vulnerable  Unaffected
-----------------  ----------  ----------
dev-libs/liblouis  < 3.25.0    >= 3.25.0

Description
===========

Multiple vulnerabilities have been discovered in liblouis. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All liblouis users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/liblouis-3.25.0"

References
==========

[ 1 ] CVE-2023-26767
      https://nvd.nist.gov/vuln/detail/CVE-2023-26767
[ 2 ] CVE-2023-26768
      https://nvd.nist.gov/vuln/detail/CVE-2023-26768
[ 3 ] CVE-2023-26769
      https://nvd.nist.gov/vuln/detail/CVE-2023-26769

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-18

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-17 ] VLC: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: VLC: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #788226, #883943, #917274
        ID: 202409-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in VLC, the worst of which
could result in arbitrary code execution.

Background
==========

VLC is a cross-platform media player and streaming server.

Affected packages
=================

Package          Vulnerable  Unaffected
---------------  ----------  ----------
media-video/vlc  < 3.0.20    >= 3.0.20

Description
===========

Multiple vulnerabilities have been discovered in VLC. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All VLC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-video/vlc-3.0.20"

References
==========

[ 1 ] CVE-2022-41325
      https://nvd.nist.gov/vuln/detail/CVE-2022-41325

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-17

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-16 ] Slurm: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: High
     Title: Slurm: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #631552, #920104
        ID: 202409-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Slurm, the worst of
which could result in privilege escalation or code execution.

Background
==========

Slurm is a highly scalable resource manager.

Affected packages
=================

Package            Vulnerable  Unaffected
-----------------  ----------  -----------
sys-cluster/slurm  <= 22.05.3  Vulnerable!

Description
===========

Multiple vulnerabilities have been discovered in Slurm. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

Gentoo has discontinued support for Slurm. We recommend that users
unmerge it:

  # emerge --ask --depclean "sys-cluster/slurm"

References
==========

[ 1 ] CVE-2020-36770
      https://nvd.nist.gov/vuln/detail/CVE-2020-36770
[ 2 ] CVE-2023-49933
      https://nvd.nist.gov/vuln/detail/CVE-2023-49933
[ 3 ] CVE-2023-49934
      https://nvd.nist.gov/vuln/detail/CVE-2023-49934
[ 4 ] CVE-2023-49935
      https://nvd.nist.gov/vuln/detail/CVE-2023-49935
[ 5 ] CVE-2023-49936
      https://nvd.nist.gov/vuln/detail/CVE-2023-49936
[ 6 ] CVE-2023-49937
      https://nvd.nist.gov/vuln/detail/CVE-2023-49937
[ 7 ] CVE-2023-49938
      https://nvd.nist.gov/vuln/detail/CVE-2023-49938

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-15 ] stb: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: stb: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #818556
        ID: 202409-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in stb, the worst of which
could lead to a denial of service.

Background
==========

A set of single-file public domain (or MIT licensed) libraries for
C/C++.

Affected packages
=================

Package       Vulnerable  Unaffected
------------  ----------  -----------
dev-libs/stb  < 20240201  >= 20240201

Description
===========

Multiple vulnerabilities have been discovered in stb. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All stb users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/stb-20240201"

Note that stb is a header-only library that is compiled into its
consumers, so upgrading dev-libs/stb alone does not fix them: every
package that depends on it must also be rebuilt against the new headers.
If you have app-portage/gentoolkit installed you can use:

  # emerge --ask --verbose $( equery depends dev-libs/stb | sed 's/^/=/' )

References
==========

[ 1 ] CVE-2021-28021
      https://nvd.nist.gov/vuln/detail/CVE-2021-28021
[ 2 ] CVE-2021-37789
      https://nvd.nist.gov/vuln/detail/CVE-2021-37789
[ 3 ] CVE-2021-42715
      https://nvd.nist.gov/vuln/detail/CVE-2021-42715
[ 4 ] CVE-2021-42716
      https://nvd.nist.gov/vuln/detail/CVE-2021-42716
[ 5 ] CVE-2022-28041
      https://nvd.nist.gov/vuln/detail/CVE-2022-28041
[ 6 ] CVE-2022-28042
      https://nvd.nist.gov/vuln/detail/CVE-2022-28042
[ 7 ] CVE-2022-28048
      https://nvd.nist.gov/vuln/detail/CVE-2022-28048

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-15

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-14 ] Mbed TLS: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: Mbed TLS: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #886001, #923279
        ID: 202409-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Mbed TLS, the worst of
which could lead to information disclosure or denial of service.

Background
==========

Mbed TLS (previously PolarSSL) is an "easy to understand, use, integrate
and expand" implementation of the TLS and SSL protocols and the
respective cryptographic algorithms and support code required.

Affected packages
=================

Package           Vulnerable  Unaffected
----------------  ----------  ----------
net-libs/mbedtls  < 2.28.7    >= 2.28.7

Description
===========

Multiple vulnerabilities have been discovered in Mbed TLS. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mbed TLS users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/mbedtls-2.28.7"

References
==========

[ 1 ] CVE-2022-46392
      https://nvd.nist.gov/vuln/detail/CVE-2022-46392
[ 2 ] CVE-2022-46393
      https://nvd.nist.gov/vuln/detail/CVE-2022-46393
[ 3 ] CVE-2023-43615
      https://nvd.nist.gov/vuln/detail/CVE-2023-43615
[ 4 ] CVE-2023-45199
      https://nvd.nist.gov/vuln/detail/CVE-2023-45199
[ 5 ] CVE-2024-23170
      https://nvd.nist.gov/vuln/detail/CVE-2024-23170
[ 6 ] CVE-2024-23775
      https://nvd.nist.gov/vuln/detail/CVE-2024-23775

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-13 ] gst-plugins-good: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: gst-plugins-good: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #859418
        ID: 202409-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in gst-plugins-good, the
worst of which could lead to denial of service or arbitrary code
execution.

Background
==========

gst-plugins-good contains a set of plugins for the GStreamer open source
multimedia framework.

Affected packages
=================

Package                      Vulnerable  Unaffected
---------------------------  ----------  ----------
media-libs/gst-plugins-good  < 1.20.3    >= 1.20.3

Description
===========

Multiple vulnerabilities have been discovered in gst-plugins-good.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All gst-plugins-good users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-good-1.20.3"

References
==========

[ 1 ] CVE-2022-1920
      https://nvd.nist.gov/vuln/detail/CVE-2022-1920
[ 2 ] CVE-2022-1921
      https://nvd.nist.gov/vuln/detail/CVE-2022-1921
[ 3 ] CVE-2022-1922
      https://nvd.nist.gov/vuln/detail/CVE-2022-1922
[ 4 ] CVE-2022-1923
      https://nvd.nist.gov/vuln/detail/CVE-2022-1923
[ 5 ] CVE-2022-1924
      https://nvd.nist.gov/vuln/detail/CVE-2022-1924
[ 6 ] CVE-2022-1925
      https://nvd.nist.gov/vuln/detail/CVE-2022-1925
[ 7 ] CVE-2022-2122
      https://nvd.nist.gov/vuln/detail/CVE-2022-2122

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-12 ] pypy, pypy3: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: pypy, pypy3: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #741496, #741560, #774114, #782520
        ID: 202409-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in pypy and pypy3, the
worst of which could lead to arbitrary code execution.

Background
==========

A fast, compliant alternative implementation of the Python language.

Affected packages
=================

Package                  Vulnerable         Unaffected
-----------------------  -----------------  ------------------
dev-python/pypy          < 7.3.3_p37_p1-r1  >= 7.3.3_p37_p1-r1
dev-python/pypy-exe      < 7.3.2            >= 7.3.2
dev-python/pypy-exe-bin  < 7.3.2            Vulnerable!
dev-python/pypy3         < 7.3.3_p37_p1-r1  >= 7.3.3_p37_p1-r1

Description
===========

Multiple vulnerabilities have been discovered in pypy. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All pypy users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/pypy-7.3.3_p37_p1-r1"
  # emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-7.3.2"
  # emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-bin-7.3.2"

All pypy3 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/pypy3-7.3.3_p37_p1-r1"

References
==========

[ 1 ] CVE-2020-27619
      https://nvd.nist.gov/vuln/detail/CVE-2020-27619

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-11 ] Oracle VirtualBox: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: Oracle VirtualBox: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #918524
        ID: 202409-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Oracle VirtualBox, the
worst of which could lead to privilege escalation.

Background
==========

VirtualBox is a powerful virtualization product from Oracle.

Affected packages
=================

Package                   Vulnerable  Unaffected
------------------------  ----------  ----------
app-emulation/virtualbox  < 7.0.12    >= 7.0.12

Description
===========

Multiple vulnerabilities have been discovered in Oracle VirtualBox.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Oracle VirtualBox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-7.0.12"

References
==========

[ 1 ] CVE-2023-22098
      https://nvd.nist.gov/vuln/detail/CVE-2023-22098
[ 2 ] CVE-2023-22099
      https://nvd.nist.gov/vuln/detail/CVE-2023-22099
[ 3 ] CVE-2023-22100
      https://nvd.nist.gov/vuln/detail/CVE-2023-22100

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-10 ] Xen: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: Xen: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #918669, #921355, #923741, #928620, #929038
        ID: 202409-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Xen, the worst of which
could lead to privilege escalation.

Background
==========

Xen is a bare-metal hypervisor.

Affected packages
=================

Package            Vulnerable  Unaffected
-----------------  ----------  ----------
app-emulation/xen  < 4.17.4    >= 4.17.4

Description
===========

Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xen users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.17.4"

References
==========

[ 1 ] CVE-2022-4949
      https://nvd.nist.gov/vuln/detail/CVE-2022-4949
[ 2 ] CVE-2022-42336
      https://nvd.nist.gov/vuln/detail/CVE-2022-42336
[ 3 ] CVE-2023-28746
      https://nvd.nist.gov/vuln/detail/CVE-2023-28746
[ 4 ] CVE-2023-34319
      https://nvd.nist.gov/vuln/detail/CVE-2023-34319
[ 5 ] CVE-2023-34320
      https://nvd.nist.gov/vuln/detail/CVE-2023-34320
[ 6 ] CVE-2023-34321
      https://nvd.nist.gov/vuln/detail/CVE-2023-34321
[ 7 ] CVE-2023-34322
      https://nvd.nist.gov/vuln/detail/CVE-2023-34322
[ 8 ] CVE-2023-34323
      https://nvd.nist.gov/vuln/detail/CVE-2023-34323
[ 9 ] CVE-2023-34324
      https://nvd.nist.gov/vuln/detail/CVE-2023-34324
[ 10 ] CVE-2023-34325
       https://nvd.nist.gov/vuln/detail/CVE-2023-34325
[ 11 ] CVE-2023-34327
       https://nvd.nist.gov/vuln/detail/CVE-2023-34327
[ 12 ] CVE-2023-34328
       https://nvd.nist.gov/vuln/detail/CVE-2023-34328
[ 13 ] CVE-2023-46835
       https://nvd.nist.gov/vuln/detail/CVE-2023-46835
[ 14 ] CVE-2023-46836
       https://nvd.nist.gov/vuln/detail/CVE-2023-46836
[ 15 ] CVE-2023-46837
       https://nvd.nist.gov/vuln/detail/CVE-2023-46837
[ 16 ] CVE-2023-46839
       https://nvd.nist.gov/vuln/detail/CVE-2023-46839
[ 17 ] CVE-2023-46840
       https://nvd.nist.gov/vuln/detail/CVE-2023-46840
[ 18 ] CVE-2023-46841
       https://nvd.nist.gov/vuln/detail/CVE-2023-46841
[ 19 ] CVE-2023-46842
       https://nvd.nist.gov/vuln/detail/CVE-2023-46842
[ 20 ] CVE-2024-2193
       https://nvd.nist.gov/vuln/detail/CVE-2024-2193
[ 21 ] CVE-2024-31142
       https://nvd.nist.gov/vuln/detail/CVE-2024-31142
[ 22 ] XSA-431
       https://xenbits.xen.org/xsa/advisory-431.html
[ 23 ] XSA-432
       https://xenbits.xen.org/xsa/advisory-432.html
[ 24 ] XSA-436
       https://xenbits.xen.org/xsa/advisory-436.html
[ 25 ] XSA-437
       https://xenbits.xen.org/xsa/advisory-437.html
[ 26 ] XSA-438
       https://xenbits.xen.org/xsa/advisory-438.html
[ 27 ] XSA-439
       https://xenbits.xen.org/xsa/advisory-439.html
[ 28 ] XSA-440
       https://xenbits.xen.org/xsa/advisory-440.html
[ 29 ] XSA-441
       https://xenbits.xen.org/xsa/advisory-441.html
[ 30 ] XSA-442
       https://xenbits.xen.org/xsa/advisory-442.html
[ 31 ] XSA-447
       https://xenbits.xen.org/xsa/advisory-447.html
[ 32 ] XSA-449
       https://xenbits.xen.org/xsa/advisory-449.html
[ 33 ] XSA-450
       https://xenbits.xen.org/xsa/advisory-450.html
[ 34 ] XSA-451
       https://xenbits.xen.org/xsa/advisory-451.html
[ 35 ] XSA-452
       https://xenbits.xen.org/xsa/advisory-452.html
[ 36 ] XSA-453
       https://xenbits.xen.org/xsa/advisory-453.html
[ 37 ] XSA-454
       https://xenbits.xen.org/xsa/advisory-454.html
[ 38 ] XSA-455
       https://xenbits.xen.org/xsa/advisory-455.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-09 ] Exo: Arbitrary Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: Exo: Arbitrary Code Execution
      Date: September 22, 2024
      Bugs: #851201
        ID: 202409-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Exo, which can lead to arbitrary
code execution.

Background
==========

Exo is an Xfce library targeted at application development, originally
developed by os-cillation. It contains various custom widgets and APIs
extending the functionality of GLib and GTK. It also has some helper
applications that are used throughout the entire Xfce desktop to manage
preferred applications and edit .desktop files.

Affected packages
=================

Package        Vulnerable  Unaffected
-------------  ----------  ----------
xfce-base/exo  < 4.17.2    >= 4.17.2

Description
===========

A vulnerability has been discovered in Exo. Please review the CVE
identifiers referenced below for details.

Impact
======

Exo executes remote desktop files which may lead to unexpected arbitrary
code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Exo users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=xfce-base/exo-4.17.2"

References
==========

[ 1 ] CVE-2022-32278
      https://nvd.nist.gov/vuln/detail/CVE-2022-32278

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-08 ] OpenVPN: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: OpenVPN: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #835514, #917272
        ID: 202409-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in OpenVPN, the worst of
which could lead to information disclosure.

Background
==========

OpenVPN is a multi-platform, full-featured SSL VPN solution.

Affected packages
=================

Package          Vulnerable  Unaffected
---------------  ----------  ----------
net-vpn/openvpn  < 2.6.7     >= 2.6.7

Description
===========

Multiple vulnerabilities have been discovered in OpenVPN. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenVPN users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-vpn/openvpn-2.6.7"

References
==========

[ 1 ] CVE-2022-0547
      https://nvd.nist.gov/vuln/detail/CVE-2022-0547
[ 2 ] CVE-2023-46849
      https://nvd.nist.gov/vuln/detail/CVE-2023-46849
[ 3 ] CVE-2023-46850
      https://nvd.nist.gov/vuln/detail/CVE-2023-46850

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-07 ] Rust: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202409-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: Rust: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #890371, #911685
        ID: 202409-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Rust, the worst of
which could lead to arbitrary code execution.

Background
==========

A systems programming language that runs blazingly fast, prevents
segfaults, and guarantees thread safety.

Affected packages
=================

Package            Vulnerable  Unaffected
-----------------  ----------  ----------
dev-lang/rust      < 1.71.1    >= 1.71.1
dev-lang/rust-bin  < 1.71.1    >= 1.71.1

Description
===========

Multiple vulnerabilities have been discovered in Rust. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Rust binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/rust-bin-1.71.1"

All Rust users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/rust-1.71.1"

References
==========

[ 1 ] CVE-2022-46176
      https://nvd.nist.gov/vuln/detail/CVE-2022-46176
[ 2 ] CVE-2023-38497
      https://nvd.nist.gov/vuln/detail/CVE-2023-38497

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-06 ] file: Stack Buffer Overread
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202409-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: file: Stack Buffer Overread
      Date: September 22, 2024
      Bugs: #918554
        ID: 202409-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in file, which could lead to a denial of service.

Background
==========

The file utility attempts to identify a file's format by scanning binary data for patterns.

Affected packages
=================

    Package        Vulnerable    Unaffected
    ---------------------------------------
    sys-apps/file  < 5.42        >= 5.42

Description
===========

Multiple vulnerabilities have been discovered in file. Please review the CVE identifiers referenced below for details.

Impact
======

file has a stack-based buffer over-read in file_copystr in funcs.c.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All file users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/file-5.42"

References
==========

[ 1 ] CVE-2022-48554
      https://nvd.nist.gov/vuln/detail/CVE-2022-48554

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202409-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-05 ] PJSIP: Heap Buffer Overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202409-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PJSIP: Heap Buffer Overflow
      Date: September 22, 2024
      Bugs: #917463
        ID: 202409-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in PJSIP, which could lead to arbitrary code execution.

Background
==========

PJSIP is a free and open source multimedia communication library written in C, implementing standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.

Affected packages
=================

    Package             Vulnerable    Unaffected
    --------------------------------------------
    net-libs/pjproject  < 2.13.1      >= 2.13.1

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

Please review the CVE identifier referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PJSIP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/pjproject-2.13.1"

References
==========

[ 1 ] CVE-2023-27585
      https://nvd.nist.gov/vuln/detail/CVE-2023-27585

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202409-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-04 ] calibre: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202409-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: calibre: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #918429, #936961
        ID: 202409-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in calibre, the worst of which could lead to remote code execution.

Background
==========

calibre is a powerful and easy to use e-book manager.

Affected packages
=================

    Package           Vulnerable    Unaffected
    ------------------------------------------
    app-text/calibre  < 7.16.0      >= 7.16.0

Description
===========

Multiple vulnerabilities have been discovered in calibre. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All calibre users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/calibre-7.16.0"

References
==========

[ 1 ] CVE-2023-46303
      https://nvd.nist.gov/vuln/detail/CVE-2023-46303
[ 2 ] CVE-2024-6781
      https://nvd.nist.gov/vuln/detail/CVE-2024-6781
[ 3 ] CVE-2024-6782
      https://nvd.nist.gov/vuln/detail/CVE-2024-6782
[ 4 ] CVE-2024-7008
      https://nvd.nist.gov/vuln/detail/CVE-2024-7008
[ 5 ] CVE-2024-7009
      https://nvd.nist.gov/vuln/detail/CVE-2024-7009

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202409-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-03 ] GPL Ghostscript: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202409-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: GPL Ghostscript: Multiple Vulnerabilities
      Date: September 22, 2024
      Bugs: #932125
        ID: 202409-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in GPL Ghostscript, the worst of which could lead to arbitrary code execution.

Background
==========

Ghostscript is an interpreter for the PostScript language and for PDF.

Affected packages
=================

    Package                   Vulnerable    Unaffected
    --------------------------------------------------
    app-text/ghostscript-gpl  < 10.03.1     >= 10.03.1

Description
===========

Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GPL Ghostscript users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-10.03.1"

References
==========

[ 1 ] CVE-2023-52722
      https://nvd.nist.gov/vuln/detail/CVE-2023-52722
[ 2 ] CVE-2024-29510
      https://nvd.nist.gov/vuln/detail/CVE-2024-29510
[ 3 ] CVE-2024-33869
      https://nvd.nist.gov/vuln/detail/CVE-2024-33869
[ 4 ] CVE-2024-33870
      https://nvd.nist.gov/vuln/detail/CVE-2024-33870
[ 5 ] CVE-2024-33871
      https://nvd.nist.gov/vuln/detail/CVE-2024-33871

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202409-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-02 ] PostgreSQL: Privilege Escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202409-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: PostgreSQL: Privilege Escalation
      Date: September 22, 2024
      Bugs: #937573
        ID: 202409-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in PostgreSQL, which can lead to privilege escalation.

Background
==========

PostgreSQL is an open source object-relational database management system.

Affected packages
=================

    Package            Vulnerable    Unaffected
    -------------------------------------------
    dev-db/postgresql  < 12.20:12    >= 12.20:12
                       < 13.16:13    >= 13.16:13
                       < 14.13:14    >= 14.13:14
                       < 15.8:15     >= 15.8:15
                       < 16.4:16     >= 16.4:16

Description
===========

A vulnerability has been discovered in PostgreSQL. Please review the CVE identifier referenced below for details.

Impact
======

An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, the fix introduces a new server parameter, restrict_nonsystem_relation_kind, that can disable expansion of non-builtin views as well as access to foreign tables, and teaches pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.20:12"
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.16:13"
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.13:14"
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-15.8:15"
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.4:16"

References
==========

[ 1 ] CVE-2024-7348
      https://nvd.nist.gov/vuln/detail/CVE-2024-7348

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202409-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202409-01 ] Portage: Unverified PGP Signatures
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202409-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Portage: Unverified PGP Signatures
      Date: September 22, 2024
      Bugs: #905356
        ID: 202409-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Portage, where PGP signatures would not be verified.

Background
==========

Portage is the default Gentoo package management system.

Affected packages
=================

    Package           Vulnerable    Unaffected
    ------------------------------------------
    sys-apps/portage  < 3.0.47      >= 3.0.47

Description
===========

Multiple vulnerabilities have been discovered in Portage. Please review the CVE identifiers referenced below for details.

Impact
======

When using the webrsync mechanism to sync the tree, the PGP signatures that protect the integrity of the data in the tree would not be verified. This would allow a man-in-the-middle attack to inject arbitrary content into the tree.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Portage users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/portage-3.0.47"

References
==========

[ 1 ] CVE-2016-20021
      https://nvd.nist.gov/vuln/detail/CVE-2016-20021

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202409-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-33 ] protobuf-c: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202408-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: protobuf-c: Multiple Vulnerabilities
      Date: August 12, 2024
      Bugs: #856043, #904423
        ID: 202408-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in protobuf-c, the worst of which could result in denial of service.

Background
==========

protobuf-c is a protocol buffers implementation in C.

Affected packages
=================

    Package             Vulnerable    Unaffected
    --------------------------------------------
    dev-libs/protobuf-c  < 1.4.1       >= 1.4.1

Description
===========

Multiple denial of service vulnerabilities have been discovered in protobuf-c.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All protobuf-c users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/protobuf-c-1.4.1"

References
==========

[ 1 ] CVE-2022-33070
      https://nvd.nist.gov/vuln/detail/CVE-2022-33070
[ 2 ] CVE-2022-48468
      https://nvd.nist.gov/vuln/detail/CVE-2022-48468

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-33

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-32 ] PHP: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202408-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: PHP: Multiple Vulnerabilities
      Date: August 12, 2024
      Bugs: #889882, #895416, #908259, #912331, #929929, #933752
        ID: 202408-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in PHP, the worst of which can lead to a denial of service.

Background
==========

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

Affected packages
=================

    Package       Vulnerable       Unaffected
    -----------------------------------------
    dev-lang/php  >= 8.1.29:8.1    >= 8.1.29:8.1
                  >= 8.2.20:8.2    >= 8.2.20:8.2
                  >= 8.3.8:8.3     >= 8.3.8:8.3
                  < 8.1            >= 8.1.29

Description
===========

Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-8.1.29:8.1"
  # emerge --ask --oneshot --verbose ">=dev-lang/php-8.2.20:8.2"
  # emerge --ask --oneshot --verbose ">=dev-lang/php-8.3.8:8.3"

Support for older versions has been discontinued:

  # emerge --ask --verbose --depclean "

References
==========

[ 1 ] CVE-2022-31631
      https://nvd.nist.gov/vuln/detail/CVE-2022-31631
[ 2 ] CVE-2023-0567
      https://nvd.nist.gov/vuln/detail/CVE-2023-0567
[ 3 ] CVE-2023-0568
      https://nvd.nist.gov/vuln/detail/CVE-2023-0568
[ 4 ] CVE-2023-0662
      https://nvd.nist.gov/vuln/detail/CVE-2023-0662
[ 5 ] CVE-2023-3823
      https://nvd.nist.gov/vuln/detail/CVE-2023-3823
[ 6 ] CVE-2023-3824
      https://nvd.nist.gov/vuln/detail/CVE-2023-3824
[ 7 ] CVE-2024-2756
      https://nvd.nist.gov/vuln/detail/CVE-2024-2756
[ 8 ] CVE-2024-2757
      https://nvd.nist.gov/vuln/detail/CVE-2024-2757
[ 9 ] CVE-2024-3096
      https://nvd.nist.gov/vuln/detail/CVE-2024-3096
[ 10 ] CVE-2024-4577
      https://nvd.nist.gov/vuln/detail/CVE-2024-4577
[ 11 ] CVE-2024-5458
      https://nvd.nist.gov/vuln/detail/CVE-2024-5458
[ 12 ] CVE-2024-5585
      https://nvd.nist.gov/vuln/detail/CVE-2024-5585

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-32

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-31 ] protobuf, protobuf-python: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202408-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: protobuf, protobuf-python: Denial of Service
      Date: August 12, 2024
      Bugs: #872434
        ID: 202408-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in protobuf and protobuf-python, which can lead to a denial of service.

Background
==========

Google's Protocol Buffers are an extensible mechanism for serializing structured data.

Affected packages
=================

    Package                     Vulnerable    Unaffected
    ----------------------------------------------------
    dev-libs/protobuf           < 3.20.3      >= 3.20.3
    dev-python/protobuf-python  < 3.19.6      >= 3.19.6

Description
===========

A vulnerability has been discovered in protobuf and protobuf-python. Please review the CVE identifiers referenced below for details.

Impact
======

A parsing vulnerability for the MessageSet type can lead to out of memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All protobuf and protobuf-python users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/protobuf-3.20.3"
  # emerge --ask --oneshot --verbose ">=dev-python/protobuf-python-3.19.6"

References
==========

[ 1 ] CVE-2022-1941
      https://nvd.nist.gov/vuln/detail/CVE-2022-1941

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-31

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-30 ] dpkg: Directory Traversal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202408-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: dpkg: Directory Traversal
      Date: August 12, 2024
      Bugs: #847976
        ID: 202408-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in dpkg, which allows for directory traversal.

Background
==========

Debian package management system.

Affected packages
=================

    Package        Vulnerable    Unaffected
    ---------------------------------------
    app-arch/dpkg  < 1.20.9-r1   >= 1.20.9-r1

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

Dpkg::Source::Archive in dpkg, the Debian package management system, is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All dpkg users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/dpkg-1.20.9-r1"

References
==========

[ 1 ] CVE-2022-1664
      https://nvd.nist.gov/vuln/detail/CVE-2022-1664

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-30

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
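The dpkg advisory above describes the class of bug where members of a crafted orig.tar or debian.tar are written outside the extraction directory, made worse by in-place extraction over an existing tree. The following is an added example, not dpkg's code, of the member-by-member checks an extractor needs before it writes anything: it rejects absolute names and ".." escapes, and it tracks symlinks (those seen earlier in the archive and, optionally, ones already present on disk) so that a later member whose path passes through a symlink is judged by where it would really land. The destination directory, member names and pre-existing symlink are constructed for illustration.

```python
"""Path-traversal checks for extracting untrusted tar members into a destination."""
from __future__ import annotations

import posixpath


class TarPathPolicy:
    """Decide, member by member, whether extraction stays inside the destination.

    Symlinks are recorded as they are accepted (and may be pre-seeded to model an
    in-place extraction over an existing tree), so a later member whose path goes
    through a symlink is resolved to the place it would really be written.
    """

    def __init__(self, dest: str, preexisting: dict[str, str] | None = None):
        self.dest = posixpath.normpath(dest)
        # absolute path of a symlink inside dest -> absolute path it points to
        self.symlinks: dict[str, str] = dict(preexisting or {})

    def _inside(self, path: str) -> bool:
        return path == self.dest or path.startswith(self.dest + "/")

    def _resolve(self, rel: str) -> str:
        """Resolve an archive-relative path against dest, one component at a time."""
        cur = self.dest
        for part in rel.split("/"):
            if part in ("", "."):
                continue
            # ".." is applied to the resolved location, so it can climb above dest
            cur = posixpath.dirname(cur) if part == ".." else posixpath.join(cur, part)
            cur = self.symlinks.get(cur, cur)  # follow a symlink written earlier
        return cur

    def check(self, name: str, linkname: str | None = None) -> tuple[bool, str]:
        """Return (allowed, reason) for a member; linkname is set for symlink members."""
        if posixpath.isabs(name):
            return False, "absolute member name"
        target = self._resolve(name)
        if not self._inside(target):
            return False, f"member escapes destination: {target}"
        if linkname is not None:
            if posixpath.isabs(linkname):
                link_target = posixpath.normpath(linkname)
            else:
                link_target = self._resolve(posixpath.join(posixpath.dirname(name), linkname))
            if not self._inside(link_target):
                return False, f"symlink points outside destination: {link_target}"
            self.symlinks[target] = link_target  # later members may pass through it
        return True, "ok"


def audit_members(dest: str, members: list[tuple[str, str | None]],
                  preexisting: dict[str, str] | None = None) -> list[tuple[str, bool, str]]:
    """Run the policy over (name, linkname) pairs in archive order."""
    policy = TarPathPolicy(dest, preexisting)
    return [(name, *policy.check(name, linkname)) for name, linkname in members]


if __name__ == "__main__":
    # Constructed members in the style of a debian.tar; none come from a real package.
    sample = [
        ("debian/control", None),
        ("debian/docs", "../docs"),        # symlink staying inside dest: allowed
        ("debian/docs/README", None),      # written through that symlink: allowed
        ("../../etc/crontab", None),       # ".." escape: rejected
        ("debian/tmp", "../../../tmp"),    # symlink leaving dest: rejected
    ]
    for row in audit_members("/build/pkg", sample):
        print(row)
```

The policy is deliberately evaluated in archive order, because a symlink that is accepted early changes the meaning of every later member name that passes through it; an extractor that validates names only lexically, without this state, accepts the second route.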
[gentoo-announce] [ GLSA 202408-29 ] MuPDF: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202408-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MuPDF: Multiple Vulnerabilities
      Date: August 12, 2024
      Bugs: #803305
        ID: 202408-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in MuPDF, the worst of which could lead to arbitrary code execution.

Background
==========

A lightweight PDF, XPS, and E-book viewer.

Affected packages
=================

    Package         Vulnerable    Unaffected
    ----------------------------------------
    app-text/mupdf  < 1.20.0      >= 1.20.0

Description
===========

Multiple vulnerabilities have been discovered in MuPDF. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MuPDF users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/mupdf-1.20.0"

References
==========

[ 1 ] CVE-2021-4216
      https://nvd.nist.gov/vuln/detail/CVE-2021-4216
[ 2 ] CVE-2021-37220
      https://nvd.nist.gov/vuln/detail/CVE-2021-37220

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-29

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-28 ] rsyslog: Heap Buffer Overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202408-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: rsyslog: Heap Buffer Overflow
      Date: August 11, 2024
      Bugs: #842846
        ID: 202408-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in rsyslog, which could possibly lead to remote code execution.

Background
==========

rsyslog is an enhanced multi-threaded syslogd with database support and more.

Affected packages
=================

    Package            Vulnerable    Unaffected
    -------------------------------------------
    app-admin/rsyslog  < 8.2206.0    >= 8.2206.0

Description
===========

Multiple vulnerabilities have been discovered in rsyslog. Please review the CVE identifiers referenced below for details.

Impact
======

Modules for TCP syslog reception have a heap buffer overflow when octet-counted framing is used. The attacker can corrupt heap values, leading to data integrity issues and availability impact. Remote code execution is unlikely to happen but not impossible.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All rsyslog users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/rsyslog-8.2206.0"

References
==========

[ 1 ] CVE-2022-24903
      https://nvd.nist.gov/vuln/detail/CVE-2022-24903

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-28

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
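Octet-counted framing, the mode named in the rsyslog advisory above, prefixes each syslog message on a TCP stream with its decimal byte length (RFC 6587: "<MSG-LEN> <SP> <MSG>"). A receiver that copies MSG into a fixed-size buffer has to validate the declared count before the copy, bound the digit run it is willing to parse, and cope with frames that arrive in pieces. The following is an added example, not rsyslog's code, of an incremental parser with those checks; the frame size limit, the digit limit and the sample traffic are assumptions for illustration.

```python
"""Octet-counted syslog framing (RFC 6587) with the bounds checks a receiver needs."""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_DIGITS = 10       # assumed bound on the decimal MSG-LEN prefix itself
MAX_FRAME = 8 * 1024  # assumed per-message receive buffer size (bytes)


class FramingError(ValueError):
    """The peer sent a frame that violates the framing rules."""


@dataclass
class OctetCountedParser:
    """Incremental parser for "<MSG-LEN> <SP> <MSG>" frames on a TCP stream."""
    max_frame: int = MAX_FRAME
    buf: bytearray = field(default_factory=bytearray)

    def feed(self, data: bytes) -> list[bytes]:
        """Append received bytes and return every message completed so far."""
        self.buf.extend(data)
        out: list[bytes] = []
        while True:
            msg = self._try_extract()
            if msg is None:
                return out
            out.append(msg)

    def _try_extract(self) -> bytes | None:
        # Only inspect a bounded prefix for the separator, so a peer can neither
        # force an unbounded scan nor make us parse an arbitrarily large integer.
        head = self.buf[: MAX_DIGITS + 1]
        sp = head.find(b" ")
        if sp == -1:
            if len(self.buf) > MAX_DIGITS:
                raise FramingError("length prefix too long or separator missing")
            return None  # wait for more bytes
        digits = bytes(head[:sp])
        if not digits or not digits.isdigit():
            raise FramingError(f"non-numeric length prefix {digits!r}")
        length = int(digits)
        # Validate the declared length BEFORE any copy into the fixed-size
        # message buffer; this ordering is what keeps the copy in bounds.
        if length == 0 or length > self.max_frame:
            raise FramingError(f"declared length {length} outside 1..{self.max_frame}")
        start, end = sp + 1, sp + 1 + length
        if len(self.buf) < end:
            return None  # frame not fully received yet; keep buffering
        msg = bytes(self.buf[start:end])
        del self.buf[:end]
        return msg


def classify_stream(data: bytes, max_frame: int = MAX_FRAME) -> tuple[str, object]:
    """Feed one constructed byte string and report ("ok", messages) or ("reject", reason)."""
    parser = OctetCountedParser(max_frame=max_frame)
    try:
        return "ok", parser.feed(data)
    except FramingError as exc:
        return "reject", str(exc)


if __name__ == "__main__":
    # Constructed sample traffic: two well-formed frames, then an oversized count.
    print(classify_stream(b"11 hello world5 short", max_frame=64))
    print(classify_stream(b"99999 x", max_frame=64))
```

A receiver should treat a FramingError as a reason to drop the connection rather than resynchronise: once the count and the bytes disagree there is no reliable frame boundary to recover from, and logging the peer address at that point gives a useful detection signal for malformed senders.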
[gentoo-announce] [ GLSA 202408-27 ] AFLplusplus: Arbitrary Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202408-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: AFLplusplus: Arbitrary Code Execution
      Date: August 11, 2024
      Bugs: #897924
        ID: 202408-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in AFLplusplus, which can lead to arbitrary code execution via an untrusted CWD.

Background
==========

The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!

Affected packages
=================

    Package                    Vulnerable    Unaffected
    ---------------------------------------------------
    app-forensics/aflplusplus  < 4.06c       >= 4.06c

Description
===========

In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.

Impact
======

In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All AFLplusplus users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-forensics/aflplusplus-4.06c"

References
==========

[ 1 ] CVE-2023-26266
      https://nvd.nist.gov/vuln/detail/CVE-2023-26266

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-27

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-26 ] matio: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       Gentoo Linux Security Advisory       GLSA 202408-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: matio: Multiple Vulnerabilities
      Date: August 11, 2024
      Bugs: #803131
        ID: 202408-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in matio, the worst of which could lead to arbitrary code execution.

Background
==========

matio is a library for reading and writing MATLAB files.

Affected packages
=================

    Package         Vulnerable    Unaffected
    ----------------------------------------
    sci-libs/matio  < 1.5.22      >= 1.5.22

Description
===========

Multiple vulnerabilities have been discovered in matio. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All matio users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sci-libs/matio-1.5.22"

References
==========

[ 1 ] CVE-2020-36428
      https://nvd.nist.gov/vuln/detail/CVE-2020-36428
[ 2 ] CVE-2021-36977
      https://nvd.nist.gov/vuln/detail/CVE-2021-36977

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-26

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-25 ] runc: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: runc: Multiple Vulnerabilities
      Date: August 11, 2024
      Bugs: #828471, #844085, #903079, #923434
        ID: 202408-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in runc, the worst of
which could lead to privilege escalation.

Background
==========

runc is a CLI tool for spawning and running containers on Linux
according to the OCI specification.

Affected packages
=================

Package              Vulnerable  Unaffected
-------------------  ----------  ----------
app-containers/runc  < 1.1.12    >= 1.1.12

Description
===========

Multiple vulnerabilities have been discovered in runc. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All runc users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-containers/runc-1.1.12"

References
==========

[ 1 ] CVE-2021-43784  https://nvd.nist.gov/vuln/detail/CVE-2021-43784
[ 2 ] CVE-2022-29162  https://nvd.nist.gov/vuln/detail/CVE-2022-29162
[ 3 ] CVE-2023-25809  https://nvd.nist.gov/vuln/detail/CVE-2023-25809
[ 4 ] CVE-2023-27561  https://nvd.nist.gov/vuln/detail/CVE-2023-27561
[ 5 ] CVE-2023-28642  https://nvd.nist.gov/vuln/detail/CVE-2023-28642
[ 6 ] CVE-2024-21626  https://nvd.nist.gov/vuln/detail/CVE-2024-21626

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-25

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-24 ] Ruby on Rails: Remote Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Ruby on Rails: Remote Code Execution
      Date: August 11, 2024
      Bugs: #857840
        ID: 202408-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Ruby on Rails, which can lead
to remote code execution via serialization of data.

Background
==========

Ruby on Rails is a free web framework used to develop database-driven
web applications.

Affected packages
=================

Package         Vulnerable      Unaffected
--------------  --------------  --------------
dev-ruby/rails  < 6.1.6.1:6.1   >= 6.1.6.1:6.1
                < 7.0.3.1:7.0   >= 7.0.3.1:7.0

Description
===========

Multiple vulnerabilities have been discovered in Ruby on Rails. Please
review the CVE identifiers referenced below for details.

Impact
======

When serialized columns that use YAML (the default) are deserialized,
Rails uses YAML.unsafe_load to convert the YAML data into Ruby objects.
If an attacker can manipulate data in the database (via means like SQL
injection), then it may be possible for the attacker to escalate to an
RCE.

Impacted Active Record models will look something like this:

  class User < ApplicationRecord
    serialize :options        # Vulnerable: Uses YAML for serialization
    serialize :values, Array  # Vulnerable: Uses YAML for serialization
    serialize :values, JSON   # Not vulnerable
  end

The released versions change the default YAML deserializer to use
YAML.safe_load, which prevents deserialization of possibly dangerous
objects. This may introduce backwards compatibility issues with
existing data.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ruby on Rails users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-ruby/rails-6.1.6.1:6.1"
  # emerge --ask --oneshot --verbose ">=dev-ruby/rails-7.0.3.1:7.0"

References
==========

[ 1 ] CVE-2022-32224  https://nvd.nist.gov/vuln/detail/CVE-2022-32224

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-24

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
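The difference the Impact section turns on, YAML.unsafe_load versus YAML.safe_load, shown as an added example in plain Ruby on top of the standard Psych library. This is not code from Rails or from the advisory; the AuditEvent class and the two YAML documents are constructed for illustration, and the "pre-fix" and "post-fix" loaders model the behaviour the advisory describes rather than reproduce Rails' serializer code.

```ruby
require "yaml"

# Constructed stand-in for an arbitrary application class. Nothing in it is
# dangerous; the point is that a YAML document may name *any* loaded class
# with a !ruby/object tag, and unsafe_load will instantiate it and populate
# its instance variables from whatever is stored in the column.
class AuditEvent
  attr_reader :actor, :action

  def initialize(actor = nil, action = nil)
    @actor = actor
    @action = action
  end
end

# Constructed document of the kind that could end up in a serialized column
# after a write the application did not intend (the advisory's SQL-injection
# scenario): a tagged object instead of plain data.
TAGGED_YAML = <<~YAML
  --- !ruby/object:AuditEvent
  actor: injected
  action: escalate
YAML

# Plain data, which is all a serialized column is supposed to hold.
PLAIN_YAML = "---\ntheme: dark\nnotify: true\n"

# Pre-fix behaviour: the deserializer accepts arbitrary tagged objects.
# Psych >= 3.3.2 exposes this as unsafe_load; older Psych's load is unsafe.
def load_unsafe(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Post-fix behaviour modelled on the advisory: safe_load with an explicit
# allow-list of classes and no aliases. Returns [:ok, value] when the
# document is accepted and [:rejected, message] when Psych refuses it.
def load_safe(yaml, permitted_classes: [])
  value = YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: false)
  [:ok, value]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  obj = load_unsafe(TAGGED_YAML)
  puts "unsafe_load built a #{obj.class} with actor=#{obj.actor.inspect}"
  puts "safe_load: #{load_safe(TAGGED_YAML).inspect}"
  puts "safe_load (plain data): #{load_safe(PLAIN_YAML).inspect}"
end
```

The backwards-compatibility caveat in the advisory is visible here: data that was legitimately written as a tagged object is rejected by safe_load too, until the class is added to permitted_classes, so an upgrade needs an inventory of which classes existing rows actually contain.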
[gentoo-announce] [ GLSA 202408-23 ] GnuPG: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GnuPG: Multiple Vulnerabilities
      Date: August 10, 2024
      Bugs: #855395, #923248
        ID: 202408-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in GnuPG, the worst of
which could lead to signature spoofing.

Background
==========

The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite
of cryptographic software.

Affected packages
=================

Package          Vulnerable  Unaffected
---------------  ----------  ----------
app-crypt/gnupg  < 2.4.4     >= 2.4.4

Description
===========

Multiple vulnerabilities have been discovered in GnuPG. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GnuPG users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.4.4"

References
==========

[ 1 ] CVE-2022-34903  https://nvd.nist.gov/vuln/detail/CVE-2022-34903

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-23

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-22 ] Bundler: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Bundler: Multiple Vulnerabilities
      Date: August 10, 2024
      Bugs: #743214, #798135, #828884
        ID: 202408-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Bundler, the worst of
which could lead to arbitrary code execution.

Background
==========

Bundler provides a consistent environment for Ruby projects by
tracking and installing the exact gems and versions that are needed.

Affected packages
=================

Package           Vulnerable  Unaffected
----------------  ----------  ----------
dev-ruby/bundler  < 2.2.33    >= 2.2.33

Description
===========

Multiple vulnerabilities have been discovered in Bundler. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Bundler users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-ruby/bundler-2.2.33"

References
==========

[ 1 ] CVE-2019-3881   https://nvd.nist.gov/vuln/detail/CVE-2019-3881
[ 2 ] CVE-2020-36327  https://nvd.nist.gov/vuln/detail/CVE-2020-36327
[ 3 ] CVE-2021-43809  https://nvd.nist.gov/vuln/detail/CVE-2021-43809

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-21 ] GPAC: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GPAC: Multiple Vulnerabilities
      Date: August 10, 2024
      Bugs: #785649, #835341
        ID: 202408-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in GPAC, the worst of
which could lead to arbitrary code execution.

Background
==========

GPAC is an implementation of the MPEG-4 Systems standard developed
from scratch in ANSI C.

Affected packages
=================

Package           Vulnerable  Unaffected
----------------  ----------  ----------
media-video/gpac  < 2.2.0     >= 2.2.0

Description
===========

Multiple vulnerabilities have been discovered in GPAC. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GPAC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-video/gpac-2.2.0"

References
==========

[ 1 ]  CVE-2020-22673  https://nvd.nist.gov/vuln/detail/CVE-2020-22673
[ 2 ]  CVE-2020-22674  https://nvd.nist.gov/vuln/detail/CVE-2020-22674
[ 3 ]  CVE-2020-22675  https://nvd.nist.gov/vuln/detail/CVE-2020-22675
[ 4 ]  CVE-2020-22677  https://nvd.nist.gov/vuln/detail/CVE-2020-22677
[ 5 ]  CVE-2020-22678  https://nvd.nist.gov/vuln/detail/CVE-2020-22678
[ 6 ]  CVE-2020-22679  https://nvd.nist.gov/vuln/detail/CVE-2020-22679
[ 7 ]  CVE-2020-25427  https://nvd.nist.gov/vuln/detail/CVE-2020-25427
[ 8 ]  CVE-2020-35979  https://nvd.nist.gov/vuln/detail/CVE-2020-35979
[ 9 ]  CVE-2020-35980  https://nvd.nist.gov/vuln/detail/CVE-2020-35980
[ 10 ] CVE-2020-35981  https://nvd.nist.gov/vuln/detail/CVE-2020-35981
[ 11 ] CVE-2020-35982  https://nvd.nist.gov/vuln/detail/CVE-2020-35982
[ 12 ] CVE-2021-4043   https://nvd.nist.gov/vuln/detail/CVE-2021-4043
[ 13 ] CVE-2021-21834  https://nvd.nist.gov/vuln/detail/CVE-2021-21834
[ 14 ] CVE-2021-21835  https://nvd.nist.gov/vuln/detail/CVE-2021-21835
[ 15 ] CVE-2021-21836  https://nvd.nist.gov/vuln/detail/CVE-2021-21836
[ 16 ] CVE-2021-21837  https://nvd.nist.gov/vuln/detail/CVE-2021-21837
[ 17 ] CVE-2021-21838  https://nvd.nist.gov/vuln/detail/CVE-2021-21838
[ 18 ] CVE-2021-21839  https://nvd.nist.gov/vuln/detail/CVE-2021-21839
[ 19 ] CVE-2021-21840  https://nvd.nist.gov/vuln/detail/CVE-2021-21840
[ 20 ] CVE-2021-21841  https://nvd.nist.gov/vuln/detail/CVE-2021-21841
[ 21 ] CVE-2021-21842  https://nvd.nist.gov/vuln/detail/CVE-2021-21842
[ 22 ] CVE-2021-21843  https://nvd.nist.gov/vuln/detail/CVE-2021-21843
[ 23 ] CVE-2021-21844  https://nvd.nist.gov/vuln/detail/CVE-2021-21844
[ 24 ] CVE-2021-21845  https://nvd.nist.gov/vuln/detail/CVE-2021-21845
[ 25 ] CVE-2021-21846  https://nvd.nist.gov/vuln/detail/CVE-2021-21846
[ 26 ] CVE-2021-21847  https://nvd.nist.gov/vuln/detail/CVE-2021-21847
[ 27 ] CVE-2021-21848  https://nvd.nist.gov/vuln/detail/CVE-2021-21848
[ 28 ] CVE-2021-21849  https://nvd.nist.gov/vuln/detail/CVE-2021-21849
[ 29 ] CVE-2021-21850  https://nvd.nist.gov/vuln/detail/CVE-2021-21850
[ 30 ] CVE-2021-21851  https://nvd.nist.gov/vuln/detail/CVE-2021-21851
[ 31 ] CVE-2021-21852  https://nvd.nist.gov/vuln/detail/CVE-2021-21852
[ 32 ] CVE-2021-21853  https://nvd.nist.gov/vuln/detail/CVE-2021-21853
[ 33 ] CVE-2021-21854  https://nvd.nist.gov/vuln/detail/CVE-2021-21854
[ 34 ] CVE-2021-21855  https://nvd.nist.gov/vuln/detail/CVE-2021-21855
[ 35 ] CVE-2021-21856  https://nvd.nist.gov/vuln/detail/CVE-2021-21856
[ 36 ] CVE-2021-21857  https://nvd.nist.gov/vuln/detail/CVE-2021-21857
[ 37 ] CVE-2021-21858  https://nvd.nist.gov/vuln/detail/CVE-2021-21858
[ 38 ] CVE-2021-21859  https://nvd.nist.gov/vuln/detail/CVE-2021-21859
[ 39 ] CVE-2021-21860  https://nvd.nist.gov/vuln/detail/CVE-2021-21860
[ 40 ] CVE-2021-21861  https://nvd.nist.gov/vuln/detail/CVE-2021-21861
[ 41 ] CVE-2021-21862  https://nvd.nist.gov/vuln/detail/CVE-2021-21862
[ 42 ] CVE-2021-30014  https://nvd.nist.gov/vuln/detail/CVE-2021-30014
[ 43 ] CVE-2021-30015  https://nvd.nist.gov/vuln/detail/CVE-2021-30015
[ 44 ] CVE-2021-30019  https://nvd.nist.gov/vuln/detail/CVE-2021-30019
[ 45 ] CVE-2021-30020  https://nvd.nist.gov/vuln/detail/CVE-2021-30020
[ 46 ] CVE-2021-30022  https://nvd.nist.gov/vuln/detail/CVE-2021-30022
[ 47 ] CVE-2021-30199  https://nvd.nist.gov/vuln/deta
[gentoo-announce] [ GLSA 202408-20 ] libde265: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libde265: Multiple Vulnerabilities
      Date: August 10, 2024
      Bugs: #813486, #889876
        ID: 202408-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in libde265, the worst
of which could lead to arbitrary code execution.

Background
==========

Open h.265 video codec implementation.

Affected packages
=================

Package              Vulnerable  Unaffected
-------------------  ----------  ----------
media-libs/libde265  < 1.0.11    >= 1.0.11

Description
===========

Multiple vulnerabilities have been discovered in libde265. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libde265 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libde265-1.0.11"

References
==========

[ 1 ]  CVE-2020-21594  https://nvd.nist.gov/vuln/detail/CVE-2020-21594
[ 2 ]  CVE-2020-21595  https://nvd.nist.gov/vuln/detail/CVE-2020-21595
[ 3 ]  CVE-2020-21596  https://nvd.nist.gov/vuln/detail/CVE-2020-21596
[ 4 ]  CVE-2020-21597  https://nvd.nist.gov/vuln/detail/CVE-2020-21597
[ 5 ]  CVE-2020-21598  https://nvd.nist.gov/vuln/detail/CVE-2020-21598
[ 6 ]  CVE-2020-21599  https://nvd.nist.gov/vuln/detail/CVE-2020-21599
[ 7 ]  CVE-2020-21600  https://nvd.nist.gov/vuln/detail/CVE-2020-21600
[ 8 ]  CVE-2020-21601  https://nvd.nist.gov/vuln/detail/CVE-2020-21601
[ 9 ]  CVE-2020-21602  https://nvd.nist.gov/vuln/detail/CVE-2020-21602
[ 10 ] CVE-2020-21603  https://nvd.nist.gov/vuln/detail/CVE-2020-21603
[ 11 ] CVE-2020-21604  https://nvd.nist.gov/vuln/detail/CVE-2020-21604
[ 12 ] CVE-2020-21605  https://nvd.nist.gov/vuln/detail/CVE-2020-21605
[ 13 ] CVE-2020-21606  https://nvd.nist.gov/vuln/detail/CVE-2020-21606
[ 14 ] CVE-2021-35452  https://nvd.nist.gov/vuln/detail/CVE-2021-35452
[ 15 ] CVE-2021-36408  https://nvd.nist.gov/vuln/detail/CVE-2021-36408
[ 16 ] CVE-2021-36409  https://nvd.nist.gov/vuln/detail/CVE-2021-36409
[ 17 ] CVE-2021-36410  https://nvd.nist.gov/vuln/detail/CVE-2021-36410
[ 18 ] CVE-2021-36411  https://nvd.nist.gov/vuln/detail/CVE-2021-36411
[ 19 ] CVE-2022-1253   https://nvd.nist.gov/vuln/detail/CVE-2022-1253
[ 20 ] CVE-2022-43235  https://nvd.nist.gov/vuln/detail/CVE-2022-43235
[ 21 ] CVE-2022-43236  https://nvd.nist.gov/vuln/detail/CVE-2022-43236
[ 22 ] CVE-2022-43237  https://nvd.nist.gov/vuln/detail/CVE-2022-43237
[ 23 ] CVE-2022-43238  https://nvd.nist.gov/vuln/detail/CVE-2022-43238
[ 24 ] CVE-2022-43239  https://nvd.nist.gov/vuln/detail/CVE-2022-43239
[ 25 ] CVE-2022-43240  https://nvd.nist.gov/vuln/detail/CVE-2022-43240
[ 26 ] CVE-2022-43241  https://nvd.nist.gov/vuln/detail/CVE-2022-43241
[ 27 ] CVE-2022-43242  https://nvd.nist.gov/vuln/detail/CVE-2022-43242
[ 28 ] CVE-2022-43243  https://nvd.nist.gov/vuln/detail/CVE-2022-43243
[ 29 ] CVE-2022-43244  https://nvd.nist.gov/vuln/detail/CVE-2022-43244
[ 30 ] CVE-2022-43245  https://nvd.nist.gov/vuln/detail/CVE-2022-43245
[ 31 ] CVE-2022-43248  https://nvd.nist.gov/vuln/detail/CVE-2022-43248
[ 32 ] CVE-2022-43249  https://nvd.nist.gov/vuln/detail/CVE-2022-43249
[ 33 ] CVE-2022-43250  https://nvd.nist.gov/vuln/detail/CVE-2022-43250
[ 34 ] CVE-2022-43252  https://nvd.nist.gov/vuln/detail/CVE-2022-43252
[ 35 ] CVE-2022-43253  https://nvd.nist.gov/vuln/detail/CVE-2022-43253
[ 36 ] CVE-2022-47655  https://nvd.nist.gov/vuln/detail/CVE-2022-47655
[ 37 ] CVE-2022-47664  https://nvd.nist.gov/vuln/detail/CVE-2022-47664
[ 38 ] CVE-2022-47665  https://nvd.nist.gov/vuln/detail/CVE-2022-47665
[ 39 ] CVE-2023-24751  https://nvd.nist.gov/vuln/detail/CVE-2023-24751
[ 40 ] CVE-2023-24752  https://nvd.nist.gov/vuln/detail/CVE-2023-24752
[ 41 ] CVE-2023-24754  https://nvd.nist.gov/vuln/detail/CVE-2023-24754
[ 42 ] CVE-2023-24755  https://nvd.nist.gov/vuln/detail/CVE-2023-24755
[ 43 ] CVE-2023-24756  https://nvd.nist.gov/vuln/detail/CVE-2023-24756
[ 44 ] CVE-2023-24757  https://nvd.nist.gov/vuln/detail/CVE-2023-24757
[ 45 ] CVE-2023-24758  https://nvd.nist.gov/vuln/detail/CVE-2023-24758
[ 46 ] CVE-2023-25221  https://nvd.nist.gov/vuln/detail/CVE-2023-25221

Availability
============

This GLSA and any updates to it are available for vi
[gentoo-announce] [ GLSA 202408-19 ] ncurses: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ncurses: Multiple Vulnerabilities
      Date: August 09, 2024
      Bugs: #839351, #904247
        ID: 202408-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in ncurses, the worst of
which could lead to a denial of service.

Background
==========

Free software emulation of curses in System V.

Affected packages
=================

Package                  Vulnerable        Unaffected
-----------------------  ----------------  -----------------
sys-libs/ncurses         < 6.4_p20230408   >= 6.4_p20230408
sys-libs/ncurses-compat  < 6.4_p20240330   >= 6.4_p20240330

Description
===========

Multiple vulnerabilities have been discovered in ncurses. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ncurses users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-libs/ncurses-6.4_p20230408"
  # emerge --ask --oneshot --verbose ">=sys-libs/ncurses-compat-6.4_p20240330"

References
==========

[ 1 ] CVE-2022-29458  https://nvd.nist.gov/vuln/detail/CVE-2022-29458
[ 2 ] CVE-2023-29491  https://nvd.nist.gov/vuln/detail/CVE-2023-29491

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-18 ] QEMU: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: QEMU: Multiple Vulnerabilities
      Date: August 09, 2024
      Bugs: #857657, #865121, #883693, #909542
        ID: 202408-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in QEMU, the worst of
which could lead to a denial of service.

Background
==========

QEMU is a generic and open source machine emulator and virtualizer.

Affected packages
=================

Package             Vulnerable  Unaffected
------------------  ----------  ----------
app-emulation/qemu  < 8.0.0     >= 8.0.0

Description
===========

Multiple vulnerabilities have been discovered in QEMU. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QEMU users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/qemu-8.0.0"

References
==========

[ 1 ] CVE-2020-14394  https://nvd.nist.gov/vuln/detail/CVE-2020-14394
[ 2 ] CVE-2022-0216   https://nvd.nist.gov/vuln/detail/CVE-2022-0216
[ 3 ] CVE-2022-1050   https://nvd.nist.gov/vuln/detail/CVE-2022-1050
[ 4 ] CVE-2022-2962   https://nvd.nist.gov/vuln/detail/CVE-2022-2962
[ 5 ] CVE-2022-4144   https://nvd.nist.gov/vuln/detail/CVE-2022-4144
[ 6 ] CVE-2022-4172   https://nvd.nist.gov/vuln/detail/CVE-2022-4172
[ 7 ] CVE-2022-35414  https://nvd.nist.gov/vuln/detail/CVE-2022-35414
[ 8 ] CVE-2023-1544   https://nvd.nist.gov/vuln/detail/CVE-2023-1544
[ 9 ] CVE-2023-2861   https://nvd.nist.gov/vuln/detail/CVE-2023-2861

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-18

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-17 ] Nautilus: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Nautilus: Denial of Service
      Date: August 09, 2024
      Bugs: #881509
        ID: 202408-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Nautilus, which can lead to a
denial of service.

Background
==========

Default file manager for the GNOME desktop.

Affected packages
=================

Package              Vulnerable  Unaffected
-------------------  ----------  ----------
gnome-base/nautilus  < 44.0      >= 44.0

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

GNOME Nautilus allows a NULL pointer dereference and get_basename
application crash via a pasted ZIP archive.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Nautilus users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=gnome-base/nautilus-44.0"

References
==========

[ 1 ] CVE-2022-37290  https://nvd.nist.gov/vuln/detail/CVE-2022-37290

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-17

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-16 ] re2c: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: re2c: Denial of Service
      Date: August 09, 2024
      Bugs: #719872
        ID: 202408-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in re2c, which can lead to a
denial of service.

Background
==========

re2c is a tool for generating C-based recognizers from regular
expressions.

Affected packages
=================

Package        Vulnerable  Unaffected
-------------  ----------  ----------
dev-util/re2c  < 2.0       >= 2.0

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

Please review the CVE identifier referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All re2c users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-util/re2c-2.0"

References
==========

[ 1 ] CVE-2018-21232  https://nvd.nist.gov/vuln/detail/CVE-2018-21232

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-15 ] Percona XtraBackup: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Percona XtraBackup: Multiple Vulnerabilities
      Date: August 09, 2024
      Bugs: #849389, #908033
        ID: 202408-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Percona XtraBackup,
the worst of which could lead to arbitrary code execution.

Background
==========

Percona XtraBackup is a complete and open source online backup
solution for all versions of MySQL.

Affected packages
=================

Package                        Vulnerable   Unaffected
-----------------------------  -----------  ------------
dev-db/percona-xtrabackup      < 8.0.29.22  >= 8.0.29.22
dev-db/percona-xtrabackup-bin  < 8.0.29.22  Vulnerable!

Description
===========

Multiple vulnerabilities have been discovered in Percona XtraBackup.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Percona XtraBackup users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/percona-xtrabackup-8.0.29.22"

Gentoo has discontinued support for the binary package. Users should
remove this from their system:

  # emerge --sync
  # emerge --ask --verbose --depclean "dev-db/percona-xtrabackup-bin"

References
==========

[ 1 ] CVE-2022-25834  https://nvd.nist.gov/vuln/detail/CVE-2022-25834
[ 2 ] CVE-2022-26944  https://nvd.nist.gov/vuln/detail/CVE-2022-26944

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-15

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-14 ] Librsvg: Arbitrary File Read
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Librsvg: Arbitrary File Read
     Date: August 09, 2024
     Bugs: #918100
       ID: 202408-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Librsvg, which can lead to
arbitrary file reads.

Background
==========

Librsvg is a library to render SVG files using cairo as a rendering
engine.

Affected packages
=================

Package             Vulnerable  Unaffected
------------------  ----------  ----------
gnome-base/librsvg  < 2.56.3    >= 2.56.3

Description
===========

A directory traversal problem in the URL decoder of librsvg could be
used by local or remote attackers to disclose files (on the local
filesystem outside of the expected area), as demonstrated by
href=".?../../../../../../../../../../etc/passwd" in an xi:include
element.

Impact
======

Please review the referenced CVE identifier for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Librsvg users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=gnome-base/librsvg-2.56.3"

References
==========

[ 1 ] CVE-2023-38633
      https://nvd.nist.gov/vuln/detail/CVE-2023-38633

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
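The href quoted in the advisory above is the whole attack: an SVG that is rendered by a vulnerable librsvg pulls a local file into the output through an xi:include element. The upgrade is the fix. The check below is an added example, not part of the GLSA or of librsvg, showing how a service that accepts SVG from untrusted sources can reject documents carrying XInclude directives before they reach any renderer. The sample documents and the function names are constructed for this example; the traversal href is the one quoted in the advisory.

```python
"""Screen untrusted SVG for XInclude directives before it reaches a renderer.

Added example (not part of the GLSA or of librsvg). CVE-2023-38633 let an SVG
read local files through an xi:include href such as ".?../../etc/passwd". The
real fix is the librsvg upgrade; this is a defence-in-depth check for services
that accept SVG from untrusted sources. All sample documents are constructed.
"""
import re
import xml.etree.ElementTree as ET

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"
_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")

# Constructed samples: a benign icon, a document using the traversal href quoted
# in the advisory, and one with a plain relative include.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
TRAVERSAL_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xi="http://www.w3.org/2001/XInclude">'
    b'<text><xi:include href=".?../../../../../../../../../../etc/passwd" '
    b'parse="text"/></text></svg>'
)
RELATIVE_INCLUDE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xi="http://www.w3.org/2001/XInclude">'
    b'<text><xi:include href="legend.txt" parse="text"/></text></svg>'
)


def classify_href(href):
    """Return None for a plain relative path, otherwise why the href is suspicious.

    The checks are ordered so the advisory's ".?../.." trick is reported as
    traversal even though it also smuggles the path through a query string.
    """
    if href == "":
        return "empty href (includes the document itself)"
    if ".." in href:
        return "path traversal sequence"
    if _SCHEME_RE.match(href):
        return "explicit URL scheme"
    if href.startswith("/"):
        return "absolute path"
    if "?" in href or "#" in href:
        return "query or fragment in a file href"
    return None


def find_xincludes(svg_bytes):
    """List every xi:include as (href, parse, reason); reason is None if the href is plain.

    Elements are matched by the XInclude namespace URI, so the prefix the
    document chooses (xi:, xinclude:, default namespace) does not matter.
    Raises xml.etree.ElementTree.ParseError on malformed input.
    """
    root = ET.fromstring(svg_bytes)
    findings = []
    for el in root.iter(f"{{{XINCLUDE_NS}}}include"):
        href = el.get("href", "")
        parse = el.get("parse", "xml")  # XInclude default is parse="xml"
        findings.append((href, parse, classify_href(href)))
    return findings


def is_safe_svg(svg_bytes, allow_relative_includes=False):
    """Accept/reject decision for one untrusted SVG document.

    Rejects on parse failure and on any flagged xi:include. By default every
    xi:include is rejected: an uploaded icon has no business including files,
    so the strict policy costs nothing. allow_relative_includes=True keeps
    plain relative hrefs for pipelines that need them.
    """
    try:
        findings = find_xincludes(svg_bytes)
    except ET.ParseError:
        return False
    if any(reason is not None for _href, _parse, reason in findings):
        return False
    return not findings or allow_relative_includes


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("traversal", TRAVERSAL_SVG),
                      ("relative include", RELATIVE_INCLUDE_SVG)):
        print(f"{name:17s} safe={is_safe_svg(doc)} findings={find_xincludes(doc)}")
```

The check matches on the XInclude namespace URI rather than on the literal `xi:` prefix, since a prefix is whatever the document declares. Rejecting every xi:include is the right default for uploaded images; the relaxed mode exists only for pipelines that deliberately assemble SVGs from trusted fragments, and even then the renderer must be a patched librsvg.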
[gentoo-announce] [ GLSA 202408-13 ] Nokogiri: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Nokogiri: Denial of Service
     Date: August 07, 2024
     Bugs: #884863
       ID: 202408-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Nokogiri, which can lead to a
denial of service.

Background
==========

Nokogiri is an HTML, XML, SAX, and Reader parser.

Affected packages
=================

Package            Vulnerable  Unaffected
-----------------  ----------  ----------
dev-ruby/nokogiri  < 1.13.10   >= 1.13.10

Description
===========

A denial of service vulnerability has been discovered in Nokogiri.
Please review the CVE identifier referenced below for details.

Impact
======

Nokogiri fails to check the return value from `xmlTextReaderExpand` in
the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a
null pointer exception when invalid markup is being parsed. For
applications using `XML::Reader` to parse untrusted inputs, this may
potentially be a vector for a denial of service attack.

Workaround
==========

Users may be able to search their code for calls to either
`XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine
if they are affected.

Resolution
==========

All Nokogiri users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.10"

References
==========

[ 1 ] CVE-2022-23476
      https://nvd.nist.gov/vuln/detail/CVE-2022-23476

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-12 ] Bitcoin: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Bitcoin: Denial of Service
     Date: August 07, 2024
     Bugs: #908084
       ID: 202408-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Bitcoin, which can lead to a
denial of service.

Background
==========

Bitcoin Core consists of both "full-node" software for fully
validating the blockchain as well as a bitcoin wallet.

Affected packages
=================

Package           Vulnerable  Unaffected
----------------  ----------  ----------
net-p2p/bitcoind  < 25.0      >= 25.0

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

Bitcoin Core, when debug mode is not used, allows attackers to cause a
denial of service (CPU consumption) because draining the
inventory-to-send queue is inefficient, as exploited in the wild in
May 2023.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Bitcoin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-p2p/bitcoind-25.0"

References
==========

[ 1 ] CVE-2023-33297
      https://nvd.nist.gov/vuln/detail/CVE-2023-33297

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-11 ] aiohttp: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: aiohttp: Multiple Vulnerabilities
     Date: August 07, 2024
     Bugs: #918541, #918968, #931097
       ID: 202408-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in aiohttp, the worst of
which could lead to service compromise.

Background
==========

aiohttp is an asynchronous HTTP client/server framework for asyncio
and Python.

Affected packages
=================

Package             Vulnerable  Unaffected
------------------  ----------  ----------
dev-python/aiohttp  < 3.9.4     >= 3.9.4

Description
===========

Multiple vulnerabilities have been discovered in aiohttp. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All aiohttp users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/aiohttp-3.9.4"

References
==========

[ 1 ] CVE-2023-47641
      https://nvd.nist.gov/vuln/detail/CVE-2023-47641
[ 2 ] CVE-2023-49082
      https://nvd.nist.gov/vuln/detail/CVE-2023-49082
[ 3 ] CVE-2024-30251
      https://nvd.nist.gov/vuln/detail/CVE-2024-30251

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-10 ] nghttp2: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: nghttp2: Multiple Vulnerabilities
     Date: August 07, 2024
     Bugs: #915554, #928541
       ID: 202408-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in nghttp2, the worst of
which could lead to a denial of service.

Background
==========

Nghttp2 is an implementation of HTTP/2 and its header compression
algorithm HPACK in C.

Affected packages
=================

Package           Vulnerable  Unaffected
----------------  ----------  ----------
net-libs/nghttp2  < 1.61.0    >= 1.61.0

Description
===========

Multiple vulnerabilities have been discovered in nghttp2. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All nghttp2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/nghttp2-1.61.0"

References
==========

[ 1 ] CVE-2023-44487
      https://nvd.nist.gov/vuln/detail/CVE-2023-44487
[ 2 ] CVE-2024-28182
      https://nvd.nist.gov/vuln/detail/CVE-2024-28182

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-09 ] Cairo: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Cairo: Multiple Vulnerabilities
     Date: August 07, 2024
     Bugs: #717778
       ID: 202408-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Cairo, the worst of
which could lead to a denial of service.

Background
==========

Cairo is a 2D vector graphics library with cross-device output
support.

Affected packages
=================

Package         Vulnerable  Unaffected
--------------  ----------  ----------
x11-libs/cairo  < 1.18.0    >= 1.18.0

Description
===========

Multiple vulnerabilities have been discovered in Cairo. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Cairo users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.18.0"

References
==========

[ 1 ] CVE-2019-6461
      https://nvd.nist.gov/vuln/detail/CVE-2019-6461
[ 2 ] CVE-2019-6462
      https://nvd.nist.gov/vuln/detail/CVE-2019-6462

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-08 ] json-c: Buffer Overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: json-c: Buffer Overflow
     Date: August 07, 2024
     Bugs: #918555
       ID: 202408-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in json-c, which can lead to a
stack buffer overflow.

Background
==========

json-c is a JSON implementation in C.

Affected packages
=================

Package          Vulnerable  Unaffected
---------------  ----------  ----------
dev-libs/json-c  < 0.16      >= 0.16

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

A stack-buffer-overflow exists in the auxiliary sample program
json_parse, in the function parseit.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All json-c users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/json-c-0.16"

References
==========

[ 1 ] CVE-2021-32292
      https://nvd.nist.gov/vuln/detail/CVE-2021-32292

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-07 ] Go: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Go: Multiple Vulnerabilities
     Date: August 07, 2024
     Bugs: #906043, #919310, #926530, #928539, #931602
       ID: 202408-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Go, the worst of
which could lead to information leakage or a denial of service.

Background
==========

Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

Affected packages
=================

Package      Vulnerable  Unaffected
-----------  ----------  ----------
dev-lang/go  < 1.22.3    >= 1.22.3

Description
===========

Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Go users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/go-1.22.3"

Due to Go programs typically being statically compiled, Go users should
also recompile the reverse dependencies of the Go language to ensure
statically linked programs are remediated:

  # emerge --ask --oneshot --verbose @golang-rebuild

References
==========

[ 1 ] CVE-2023-24539
      https://nvd.nist.gov/vuln/detail/CVE-2023-24539
[ 2 ] CVE-2023-24540
      https://nvd.nist.gov/vuln/detail/CVE-2023-24540
[ 3 ] CVE-2023-29400
      https://nvd.nist.gov/vuln/detail/CVE-2023-29400
[ 4 ] CVE-2023-39326
      https://nvd.nist.gov/vuln/detail/CVE-2023-39326
[ 5 ] CVE-2023-45283
      https://nvd.nist.gov/vuln/detail/CVE-2023-45283
[ 6 ] CVE-2023-45285
      https://nvd.nist.gov/vuln/detail/CVE-2023-45285
[ 7 ] CVE-2023-45288
      https://nvd.nist.gov/vuln/detail/CVE-2023-45288
[ 8 ] CVE-2023-45289
      https://nvd.nist.gov/vuln/detail/CVE-2023-45289
[ 9 ] CVE-2023-45290
      https://nvd.nist.gov/vuln/detail/CVE-2023-45290
[ 10 ] CVE-2024-24783
       https://nvd.nist.gov/vuln/detail/CVE-2024-24783
[ 11 ] CVE-2024-24784
       https://nvd.nist.gov/vuln/detail/CVE-2024-24784
[ 12 ] CVE-2024-24785
       https://nvd.nist.gov/vuln/detail/CVE-2024-24785
[ 13 ] CVE-2024-24788
       https://nvd.nist.gov/vuln/detail/CVE-2024-24788

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-06 ] PostgreSQL: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: PostgreSQL: Multiple Vulnerabilities
     Date: August 07, 2024
     Bugs: #903193, #912251, #917153, #924110, #931849
       ID: 202408-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in PostgreSQL, the worst
of which could lead to privilege escalation or denial of service.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

Package            Vulnerable     Unaffected
-----------------  -------------  -------------
dev-db/postgresql  < 12.19:12     >= 12.19:12
                   < 13.14:13     >= 13.14:13
                   < 14.12-r1:14  >= 14.12-r1:14
                   < 15.7-r1:15   >= 15.7-r1:15
                   < 16.3-r1:16   >= 16.3-r1:16
                   < 12           >= 12.19

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.3-r1:16"

Or update an older slot if that is still in use.

References
==========

[ 1 ] CVE-2023-5868
      https://nvd.nist.gov/vuln/detail/CVE-2023-5868
[ 2 ] CVE-2023-5869
      https://nvd.nist.gov/vuln/detail/CVE-2023-5869
[ 3 ] CVE-2023-5870
      https://nvd.nist.gov/vuln/detail/CVE-2023-5870
[ 4 ] CVE-2024-0985
      https://nvd.nist.gov/vuln/detail/CVE-2024-0985
[ 5 ] CVE-2024-4317
      https://nvd.nist.gov/vuln/detail/CVE-2024-4317

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
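The "Affected packages" table in every one of these advisories encodes the vulnerable range as Gentoo version atoms, and the PostgreSQL advisory above shows the slotted form ("< 16.3-r1:16") where the comparison only applies within one slot. On a Gentoo host the supported check is `glsa-check -t all` from app-portage/gentoolkit, and portage's own `portage.versions.vercmp` is the authoritative comparator. The code below is an added example, not Gentoo's code: a stand-alone implementation of the Package Manager Specification version ordering plus a parser for the table cells, for triaging package inventories exported from machines where portage is not available. The table cells are copied from the nginx, PostgreSQL and Freenet advisories on this page; the installed versions, the function names and the `is_affected` policy are constructed for the example.

```python
"""Check an installed Gentoo package version against a GLSA "Affected packages" table.

Added example, not Gentoo's code. It implements the version ordering of the
Package Manager Specification (numeric components, optional letter, _alpha/_beta/
_pre/_rc/_p suffixes, -rN revision) and the "< version[:slot]" cells used in the
tables above. On a Gentoo host the supported tool is `glsa-check -t all` from
app-portage/gentoolkit, and portage.versions.vercmp is the authoritative
comparator; this stand-alone version is for triaging inventories exported from
elsewhere. Table cells are copied from the advisories; installed versions are
constructed.
"""
import re

# PMS suffix order: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)
_CELL_RE = re.compile(r"^(<=|>=|<|>|=)\s*([^\s:]+)(?::(\S+))?$")

# Vulnerable-column cells copied from GLSA 202408-06, 202409-32 and 202407-28.
POSTGRESQL_VULNERABLE = ["< 12.19:12", "< 13.14:13", "< 14.12-r1:14",
                         "< 15.7-r1:15", "< 16.3-r1:16", "< 12"]
NGINX_VULNERABLE = ["< 1.26.2-r2"]
FREENET_VULNERABLE = ["< 0.7.5_p1497"]


def _cmp(a, b):
    return (a > b) - (a < b)


def parse_version(ver):
    """Split a version into (numeric components, letter, [(suffix, n)], revision)."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a Gentoo version: {ver!r}")
    suffixes = [(s, int(n or 0))
                for s, n in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    return (m.group("nums").split("."), m.group("letter") or "",
            suffixes, int(m.group("rev") or 0))


def _cmp_numeric(na, nb):
    c = _cmp(int(na[0]), int(nb[0]))  # the first component is always an integer compare
    if c:
        return c
    for x, y in zip(na[1:], nb[1:]):
        if x.startswith("0") or y.startswith("0"):
            # PMS: a leading zero makes the component a string; trailing zeros are dropped
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    return _cmp(len(na), len(nb))  # 1.2.1 > 1.2


def _cmp_suffixes(sa, sb):
    # A missing suffix counts as rank "" so that _rc1 < (none) < _p1, as PMS requires.
    for i in range(max(len(sa), len(sb))):
        ra, na = sa[i] if i < len(sa) else ("", 0)
        rb, nb = sb[i] if i < len(sb) else ("", 0)
        c = _cmp(_SUFFIX_RANK[ra], _SUFFIX_RANK[rb]) or _cmp(na, nb)
        if c:
            return c
    return 0


def vercmp(a, b):
    """Negative, zero or positive as a is lower than, equal to or higher than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    return _cmp_numeric(na, nb) or _cmp(la, lb) or _cmp_suffixes(sa, sb) or _cmp(ra, rb)


def parse_cell(cell):
    """'< 16.3-r1:16' -> ('<', '16.3-r1', '16'); slot is None when the cell has none."""
    m = _CELL_RE.match(cell.strip())
    if not m:
        raise ValueError(f"not an affected-package cell: {cell!r}")
    return m.group(1), m.group(2), m.group(3)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def is_affected(installed, vulnerable_cells, slot=None):
    """True when the installed version matches any Vulnerable cell.

    A cell carrying ':slot' is only applied when the installed slot is known
    and equal; with slot=None every cell is tried, which can only over-report.
    """
    for cell in vulnerable_cells:
        op, ver, cell_slot = parse_cell(cell)
        if slot is not None and cell_slot is not None and cell_slot != slot:
            continue
        if _OPS[op](vercmp(installed, ver)):
            return True
    return False


if __name__ == "__main__":
    for pkg, ver, slot, cells in (("dev-db/postgresql", "16.2", "16", POSTGRESQL_VULNERABLE),
                                  ("www-servers/nginx", "1.26.2-r2", None, NGINX_VULNERABLE),
                                  ("net-p2p/freenet", "0.7.5_p1496", None, FREENET_VULNERABLE)):
        print(f"{pkg}-{ver}: affected={is_affected(ver, cells, slot)}")
```

Two details matter in practice. The revision suffix is part of the order, so "15.7" is below the "15.7-r1" cut-off and counts as vulnerable even though upstream's version number is the same; and when the slot of the installed package is unknown, every slotted cell is tried, so the check errs toward reporting a package as affected rather than silently passing it.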
[gentoo-announce] [ GLSA 202408-05 ] Redis: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Redis: Multiple Vulnerabilities
     Date: August 07, 2024
     Bugs: #891169, #898464, #902501, #904486, #910191, #913741, #915989, #921662
       ID: 202408-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Redis, the worst of
which may lead to a denial of service or possible remote code
execution.

Background
==========

Redis is an open source (BSD licensed), in-memory data structure
store, used as a database, cache and message broker.

Affected packages
=================

Package       Vulnerable  Unaffected
------------  ----------  ----------
dev-db/redis  < 7.2.4     >= 7.2.4

Description
===========

Multiple vulnerabilities have been discovered in Redis. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Redis users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/redis-7.2.4"

References
==========

[ 1 ] CVE-2022-24834
      https://nvd.nist.gov/vuln/detail/CVE-2022-24834
[ 2 ] CVE-2022-35977
      https://nvd.nist.gov/vuln/detail/CVE-2022-35977
[ 3 ] CVE-2022-36021
      https://nvd.nist.gov/vuln/detail/CVE-2022-36021
[ 4 ] CVE-2023-22458
      https://nvd.nist.gov/vuln/detail/CVE-2023-22458
[ 5 ] CVE-2023-25155
      https://nvd.nist.gov/vuln/detail/CVE-2023-25155
[ 6 ] CVE-2023-28425
      https://nvd.nist.gov/vuln/detail/CVE-2023-28425
[ 7 ] CVE-2023-28856
      https://nvd.nist.gov/vuln/detail/CVE-2023-28856
[ 8 ] CVE-2023-36824
      https://nvd.nist.gov/vuln/detail/CVE-2023-36824
[ 9 ] CVE-2023-41053
      https://nvd.nist.gov/vuln/detail/CVE-2023-41053
[ 10 ] CVE-2023-41056
       https://nvd.nist.gov/vuln/detail/CVE-2023-41056
[ 11 ] CVE-2023-45145
       https://nvd.nist.gov/vuln/detail/CVE-2023-45145

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-04 ] Levenshtein: Remote Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Levenshtein: Remote Code Execution
     Date: August 07, 2024
     Bugs: #766009
       ID: 202408-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Levenshtein, which could lead
to remote code execution.

Background
==========

Levenshtein is a Python extension for computing string edit distances
and similarities.

Affected packages
=================

Package                 Vulnerable  Unaffected
----------------------  ----------  ----------
dev-python/Levenshtein  < 0.12.1    >= 0.12.1

Description
===========

Fixed handling of numerous possible wraparounds in calculating the
size of memory allocations; incorrect handling of which could cause
denial of service or even possible remote code execution.

Impact
======

Fixed handling of numerous possible wraparounds in calculating the
size of memory allocations; incorrect handling of which could cause
denial of service or even possible remote code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Levenshtein users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/Levenshtein-0.12.1"

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-03 ] libXpm: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: libXpm: Multiple Vulnerabilities
     Date: August 07, 2024
     Bugs: #891209, #915130
       ID: 202408-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in libXpm, the worst of
which could lead to a denial of service.

Background
==========

The X PixMap image format is an extension of the monochrome X BitMap
format specified in the X protocol, and is commonly used in
traditional X applications.

Affected packages
=================

Package          Vulnerable  Unaffected
---------------  ----------  ----------
x11-libs/libXpm  < 3.5.17    >= 3.5.17

Description
===========

Multiple vulnerabilities have been discovered in libXpm. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libXpm users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/libXpm-3.5.17"

References
==========

[ 1 ] CVE-2022-4883
      https://nvd.nist.gov/vuln/detail/CVE-2022-4883
[ 2 ] CVE-2022-44617
      https://nvd.nist.gov/vuln/detail/CVE-2022-44617
[ 3 ] CVE-2022-46285
      https://nvd.nist.gov/vuln/detail/CVE-2022-46285
[ 4 ] CVE-2023-43788
      https://nvd.nist.gov/vuln/detail/CVE-2023-43788
[ 5 ] CVE-2023-43789
      https://nvd.nist.gov/vuln/detail/CVE-2023-43789

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202408-02 ] Mozilla Firefox: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Mozilla Firefox: Multiple Vulnerabilities
     Date: August 06, 2024
     Bugs: #930380, #932374, #935550
       ID: 202408-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Mozilla Firefox, the
worst of which could lead to remote code execution.

Background
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla
project.

Affected packages
=================

Package                 Vulnerable      Unaffected
----------------------  --------------  --------------
www-client/firefox      < 115.12.0:esr  >= 115.12.0:esr
                        < 127.0:rapid   >= 127.0:rapid
www-client/firefox-bin  < 115.12.0:esr  >= 115.12.0:esr
                        < 127.0:rapid   >= 127.0:rapid

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-127.0:rapid"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-127.0:rapid"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.12.0:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.12.0:esr"

References
==========

[ 1 ] CVE-2024-2609
      https://nvd.nist.gov/vuln/detail/CVE-2024-2609
[ 2 ] CVE-2024-3302
      https://nvd.nist.gov/vuln/detail/CVE-2024-3302
[ 3 ] CVE-2024-3853
      https://nvd.nist.gov/vuln/detail/CVE-2024-3853
[ 4 ] CVE-2024-3854
      https://nvd.nist.gov/vuln/detail/CVE-2024-3854
[ 5 ] CVE-2024-3855
      https://nvd.nist.gov/vuln/detail/CVE-2024-3855
[ 6 ] CVE-2024-3856
      https://nvd.nist.gov/vuln/detail/CVE-2024-3856
[ 7 ] CVE-2024-3857
      https://nvd.nist.gov/vuln/detail/CVE-2024-3857
[ 8 ] CVE-2024-3858
      https://nvd.nist.gov/vuln/detail/CVE-2024-3858
[ 9 ] CVE-2024-3859
      https://nvd.nist.gov/vuln/detail/CVE-2024-3859
[ 10 ] CVE-2024-3860
       https://nvd.nist.gov/vuln/detail/CVE-2024-3860
[ 11 ] CVE-2024-3861
       https://nvd.nist.gov/vuln/detail/CVE-2024-3861
[ 12 ] CVE-2024-3862
       https://nvd.nist.gov/vuln/detail/CVE-2024-3862
[ 13 ] CVE-2024-3864
       https://nvd.nist.gov/vuln/detail/CVE-2024-3864
[ 14 ] CVE-2024-3865
       https://nvd.nist.gov/vuln/detail/CVE-2024-3865
[ 15 ] CVE-2024-4764
       https://nvd.nist.gov/vuln/detail/CVE-2024-4764
[ 16 ] CVE-2024-4765
       https://nvd.nist.gov/vuln/detail/CVE-2024-4765
[ 17 ] CVE-2024-4766
       https://nvd.nist.gov/vuln/detail/CVE-2024-4766
[ 18 ] CVE-2024-4771
       https://nvd.nist.gov/vuln/detail/CVE-2024-4771
[ 19 ] CVE-2024-4772
       https://nvd.nist.gov/vuln/detail/CVE-2024-4772
[ 20 ] CVE-2024-4773
       https://nvd.nist.gov/vuln/detail/CVE-2024-4773
[ 21 ] CVE-2024-4774
       https://nvd.nist.gov/vuln/detail/CVE-2024-4774
[ 22 ] CVE-2024-4775
       https://nvd.nist.gov/vuln/detail/CVE-2024-4775
[ 23 ] CVE-2024-4776
       https://nvd.nist.gov/vuln/detail/CVE-2024-4776
[ 24 ] CVE-2024-4778
       https://nvd.nist.gov/vuln/detail/CVE-2024-4778
[ 25 ] CVE-2024-5689
       https://nvd.nist.gov/vuln/detail/CVE-2024-5689
[ 26 ] CVE-2024-5693
       https://nvd.nist.gov/vuln/detail/CVE-2024-5693
[ 27 ] CVE-2024-5694
       https://nvd.nist.gov/vuln/detail/CVE-2024-5694
[ 28 ] CVE-2024-5695
       https://nvd.nist.gov/vuln/detail/CVE-2024-5695
[ 29 ] CVE-2024-5696
       https://nvd.nist.gov/vuln/detail/CVE-2024-5696
[ 30 ] CVE-2024-5697
       https://nvd.nist.gov/vuln/detail/CVE-2024-5697
[ 31 ] CVE-2024-5698
       https://nvd.nist.gov/vuln/detail/CVE-2024-5698
[ 32 ] CVE-2024-5699
       https://nvd.nist.gov/vuln/detail/CVE-2024-5699
[ 33 ] CVE-2024-5700
       https://nvd.nist.gov/vuln/detail/CVE-2024-5700
[ 34 ] CVE-2024-5701
       https://nvd.nist.gov/vuln/detail/CVE-2024-5701
[ 35 ] CVE-2024-5702
       https://nvd.nist.gov/vuln/detail/CVE-2024-5702
[ 36 ] MFSA-2024-25
[ 37 ] MFSA-2024-26
[ 38 ] MFSA-2024-28

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/20240
[gentoo-announce] [ GLSA 202408-01 ] containerd: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202408-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                         https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: containerd: Multiple Vulnerabilities
     Date: August 06, 2024
     Bugs: #897960
       ID: 202408-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in containerd, the worst
of which could lead to privilege escalation.

Background
==========

containerd is a daemon with an API and a command line client, to
manage containers on one machine. It uses runC to run containers
according to the OCI specification.

Affected packages
=================

Package                    Vulnerable  Unaffected
-------------------------  ----------  ----------
app-containers/containerd  < 1.6.19    >= 1.6.19

Description
===========

Multiple vulnerabilities have been discovered in containerd. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All containerd users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-containers/containerd-1.6.19"

References
==========

[ 1 ] CVE-2023-25153
      https://nvd.nist.gov/vuln/detail/CVE-2023-25153
[ 2 ] CVE-2023-25173
      https://nvd.nist.gov/vuln/detail/CVE-2023-25173

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-28 ] Freenet: Deanonymization Vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Freenet: Deanonymization Vulnerability
      Date: July 24, 2024
      Bugs: #904441
        ID: 202407-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Freenet, which can lead to deanonymization due to path folding.

Background
==========

Freenet is an encrypted network without censorship.

Affected packages
=================

  Package          Vulnerable       Unaffected
  ---------------  ---------------  ---------------
  net-p2p/freenet  < 0.7.5_p1497    >= 0.7.5_p1497

Description
===========

This release fixes a severe vulnerability in path folding that allowed an adapted node, directly connected via opennet, to distinguish between downloaders and forwarders.

Impact
======

This release fixes a severe vulnerability in path folding that allowed an adapted node, directly connected via opennet, to distinguish between downloaders and forwarders.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Freenet users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-p2p/freenet-0.7.5_p1497"

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-28

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-27 ] ExifTool: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ExifTool: Multiple vulnerabilities
      Date: July 24, 2024
      Bugs: #785667, #791397, #803317, #832033
        ID: 202407-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in ExifTool, the worst of which could lead to arbitrary code execution.

Background
==========

ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.

Affected packages
=================

  Package              Vulnerable    Unaffected
  -------------------  ------------  ------------
  media-libs/exiftool  < 12.42       >= 12.42

Description
===========

Multiple vulnerabilities have been discovered in ExifTool. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ExifTool users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/exiftool-12.42"

References
==========

[ 1 ] CVE-2021-22204
      https://nvd.nist.gov/vuln/detail/CVE-2021-22204
[ 2 ] CVE-2022-23935
      https://nvd.nist.gov/vuln/detail/CVE-2022-23935

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-27

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-26 ] Dmidecode: Privilege Escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Dmidecode: Privilege Escalation
      Date: July 24, 2024
      Bugs: #905093
        ID: 202407-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Dmidecode, which can lead to privilege escalation.

Background
==========

Dmidecode reports information about your system's hardware as described in your system BIOS according to the SMBIOS/DMI standard. This information typically includes system manufacturer, model name, serial number, BIOS version and asset tag, as well as many other details of varying interest and reliability depending on the manufacturer. It will often include the usage status of CPU sockets, expansion slots (e.g. AGP, PCI, ISA) and memory module slots, and the list of I/O ports (e.g. serial, parallel, USB).

Affected packages
=================

  Package             Vulnerable    Unaffected
  ------------------  ------------  ------------
  sys-apps/dmidecode  < 3.5         >= 3.5

Description
===========

Dmidecode's --dump-bin option can overwrite a local file. This has security relevance because, for example, execution of Dmidecode via sudo is plausible.

Impact
======

Please review the referenced CVE identifier for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Dmidecode users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/dmidecode-3.5"

References
==========

[ 1 ] CVE-2023-30630
      https://nvd.nist.gov/vuln/detail/CVE-2023-30630

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-26

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-25 ] Buildah: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Buildah: Multiple Vulnerabilities
      Date: July 10, 2024
      Bugs: #923650, #927499, #927502
        ID: 202407-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Buildah, the worst of which could lead to privilege escalation.

Background
==========

Buildah is a tool that facilitates building Open Container Initiative (OCI) container images.

Affected packages
=================

  Package                 Vulnerable    Unaffected
  ----------------------  ------------  ------------
  app-containers/buildah  < 1.35.3      >= 1.35.3

Description
===========

Please review the referenced CVE identifiers for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Buildah users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-containers/buildah-1.35.3"

References
==========

[ 1 ] CVE-2024-1753
      https://nvd.nist.gov/vuln/detail/CVE-2024-1753
[ 2 ] CVE-2024-23651
      https://nvd.nist.gov/vuln/detail/CVE-2024-23651
[ 3 ] CVE-2024-23652
      https://nvd.nist.gov/vuln/detail/CVE-2024-23652
[ 4 ] CVE-2024-23653
      https://nvd.nist.gov/vuln/detail/CVE-2024-23653
[ 5 ] CVE-2024-24786
      https://nvd.nist.gov/vuln/detail/CVE-2024-24786

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-25

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-24 ] HarfBuzz: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: HarfBuzz: Denial of Service
      Date: July 10, 2024
      Bugs: #905310
        ID: 202407-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in HarfBuzz, which can lead to a denial of service.

Background
==========

HarfBuzz is an OpenType text shaping engine.

Affected packages
=================

  Package              Vulnerable    Unaffected
  -------------------  ------------  ------------
  media-libs/harfbuzz  < 7.1.0       >= 7.1.0

Description
===========

Multiple vulnerabilities have been discovered in HarfBuzz. Please review the CVE identifiers referenced below for details.

Impact
======

hb-ot-layout-gsubgpos.hh in HarfBuzz allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All HarfBuzz users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/harfbuzz-7.1.0"

References
==========

[ 1 ] CVE-2023-22006
      https://nvd.nist.gov/vuln/detail/CVE-2023-22006
[ 2 ] CVE-2023-22036
      https://nvd.nist.gov/vuln/detail/CVE-2023-22036
[ 3 ] CVE-2023-22041
      https://nvd.nist.gov/vuln/detail/CVE-2023-22041
[ 4 ] CVE-2023-22044
      https://nvd.nist.gov/vuln/detail/CVE-2023-22044
[ 5 ] CVE-2023-22045
      https://nvd.nist.gov/vuln/detail/CVE-2023-22045
[ 6 ] CVE-2023-22049
      https://nvd.nist.gov/vuln/detail/CVE-2023-22049
[ 7 ] CVE-2023-25193
      https://nvd.nist.gov/vuln/detail/CVE-2023-25193

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-24

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-23 ] LIVE555 Media Server: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: LIVE555 Media Server: Multiple Vulnerabilities
      Date: July 09, 2024
      Bugs: #732598, #807622
        ID: 202407-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in LIVE555 Media Server, the worst of which could lead to a denial of service.

Background
==========

LIVE555 Media Server is a set of libraries for multimedia streaming.

Affected packages
=================

  Package             Vulnerable      Unaffected
  ------------------  --------------  --------------
  media-plugins/live  < 2021.08.24    >= 2021.08.24

Description
===========

Multiple vulnerabilities have been discovered in LIVE555 Media Server. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LIVE555 Media Server users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-plugins/live-2021.08.24"

References
==========

[ 1 ] CVE-2020-24027
      https://nvd.nist.gov/vuln/detail/CVE-2020-24027
[ 2 ] CVE-2021-38380
      https://nvd.nist.gov/vuln/detail/CVE-2021-38380
[ 3 ] CVE-2021-38381
      https://nvd.nist.gov/vuln/detail/CVE-2021-38381
[ 4 ] CVE-2021-38382
      https://nvd.nist.gov/vuln/detail/CVE-2021-38382
[ 5 ] CVE-2021-39282
      https://nvd.nist.gov/vuln/detail/CVE-2021-39282
[ 6 ] CVE-2021-39283
      https://nvd.nist.gov/vuln/detail/CVE-2021-39283

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-23

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-22 ] Mozilla Firefox: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Mozilla Firefox: Multiple Vulnerabilities
      Date: July 06, 2024
      Bugs: #927559
        ID: 202407-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could lead to arbitrary code execution.

Background
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla project.

Affected packages
=================

  Package                 Vulnerable         Unaffected
  ----------------------  -----------------  -----------------
  www-client/firefox      < 115.9.1:esr      >= 115.9.1:esr
                          < 124.0.1:rapid    >= 124.0.1:rapid
  www-client/firefox-bin  < 115.9.1:esr      >= 115.9.1:esr
                          < 124.0.1:rapid    >= 124.0.1:rapid

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-124.0.1"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-124.0.1:rapid"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.9.1:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.9.1:esr"

References
==========

[ 1 ] CVE-2024-29943
      https://nvd.nist.gov/vuln/detail/CVE-2024-29943
[ 2 ] CVE-2024-29944
      https://nvd.nist.gov/vuln/detail/CVE-2024-29944

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-21 ] X.Org X11 library: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: X.Org X11 library: Multiple Vulnerabilities
      Date: July 06, 2024
      Bugs: #877461, #908549, #915129
        ID: 202407-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in the X.Org X11 library, the worst of which could lead to a denial of service.

Background
==========

X.Org is an implementation of the X Window System. The X.Org X11 library provides the X11 protocol library files.

Affected packages
=================

  Package           Vulnerable    Unaffected
  ----------------  ------------  ------------
  x11-libs/libX11   < 1.8.7       >= 1.8.7

Description
===========

Multiple vulnerabilities have been discovered in the X.Org X11 library. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All X.Org X11 library users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/libX11-1.8.7"

References
==========

[ 1 ] CVE-2022-3554
      https://nvd.nist.gov/vuln/detail/CVE-2022-3554
[ 2 ] CVE-2022-3555
      https://nvd.nist.gov/vuln/detail/CVE-2022-3555
[ 3 ] CVE-2023-3138
      https://nvd.nist.gov/vuln/detail/CVE-2023-3138
[ 4 ] CVE-2023-43785
      https://nvd.nist.gov/vuln/detail/CVE-2023-43785
[ 5 ] CVE-2023-43786
      https://nvd.nist.gov/vuln/detail/CVE-2023-43786
[ 6 ] CVE-2023-43787
      https://nvd.nist.gov/vuln/detail/CVE-2023-43787

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-21

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-20 ] KDE Plasma Workspaces: Privilege Escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: KDE Plasma Workspaces: Privilege Escalation
      Date: July 06, 2024
      Bugs: #933342
        ID: 202407-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in KDE Plasma Workspaces, which can lead to privilege escalation.

Background
==========

KDE Plasma workspace is a widget based desktop environment designed to be fast and efficient.

Affected packages
=================

  Package                      Vulnerable     Unaffected
  ---------------------------  -------------  -------------
  kde-plasma/plasma-workspace  < 5.27.11.1    >= 5.27.11.1

Description
===========

Multiple vulnerabilities have been discovered in KDE Plasma Workspaces. Please review the CVE identifiers referenced below for details.

Impact
======

KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE based purely on the host, allowing all local connections. This allows another user on the same machine to gain access to the session manager. A well crafted client could use the session restore feature to execute arbitrary code as the user on the next boot.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All KDE Plasma Workspaces users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=kde-plasma/plasma-workspace-5.27.11.1"

References
==========

[ 1 ] CVE-2024-36041
      https://nvd.nist.gov/vuln/detail/CVE-2024-36041

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-20

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-19 ] Mozilla Thunderbird: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Mozilla Thunderbird: Multiple Vulnerabilities
      Date: July 06, 2024
      Bugs: #932375
        ID: 202407-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution.

Background
==========

Mozilla Thunderbird is a popular open-source email client from the Mozilla project.

Affected packages
=================

  Package                     Vulnerable    Unaffected
  --------------------------  ------------  ------------
  mail-client/thunderbird     < 115.11.0    >= 115.11.0
  mail-client/thunderbird-bin < 115.11.0    >= 115.11.0

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Thunderbird binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.11.0"

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.11.0"

References
==========

[ 1 ] CVE-2024-2609
      https://nvd.nist.gov/vuln/detail/CVE-2024-2609
[ 2 ] CVE-2024-3302
      https://nvd.nist.gov/vuln/detail/CVE-2024-3302
[ 3 ] CVE-2024-3854
      https://nvd.nist.gov/vuln/detail/CVE-2024-3854
[ 4 ] CVE-2024-3857
      https://nvd.nist.gov/vuln/detail/CVE-2024-3857
[ 5 ] CVE-2024-3859
      https://nvd.nist.gov/vuln/detail/CVE-2024-3859
[ 6 ] CVE-2024-3861
      https://nvd.nist.gov/vuln/detail/CVE-2024-3861
[ 7 ] CVE-2024-3864
      https://nvd.nist.gov/vuln/detail/CVE-2024-3864

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-18 ] Stellarium: Arbitrary File Write
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Stellarium: Arbitrary File Write
      Date: July 05, 2024
      Bugs: #905300
        ID: 202407-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Stellarium, which can lead to arbitrary file writes.

Background
==========

Stellarium is a free open source planetarium for your computer. It shows a realistic sky in 3D, just like what you see with the naked eye, binoculars or a telescope.

Affected packages
=================

  Package                   Vulnerable    Unaffected
  ------------------------  ------------  ------------
  sci-astronomy/stellarium  < 23.1        >= 23.1

Description
===========

A vulnerability has been discovered in Stellarium. Please review the CVE identifier referenced below for details.

Impact
======

Attackers can write to files that are typically unintended, such as ones with absolute pathnames or .. directory traversal.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Stellarium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sci-astronomy/stellarium-23.1"

References
==========

[ 1 ] CVE-2023-28371
      https://nvd.nist.gov/vuln/detail/CVE-2023-28371

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-18

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-17 ] BusyBox: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: BusyBox: Multiple Vulnerabilities
      Date: July 05, 2024
      Bugs: #824222
        ID: 202407-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in BusyBox, the worst of which could lead to arbitrary code execution.

Background
==========

BusyBox is a set of tools for embedded systems and is a replacement for GNU Coreutils.

Affected packages
=================

  Package           Vulnerable    Unaffected
  ----------------  ------------  ------------
  sys-apps/busybox  < 1.34.0      >= 1.34.0

Description
===========

Multiple vulnerabilities have been discovered in BusyBox. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All BusyBox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.34.0"

References
==========

[ 1 ] CVE-2021-42373
      https://nvd.nist.gov/vuln/detail/CVE-2021-42373
[ 2 ] CVE-2021-42374
      https://nvd.nist.gov/vuln/detail/CVE-2021-42374
[ 3 ] CVE-2021-42375
      https://nvd.nist.gov/vuln/detail/CVE-2021-42375
[ 4 ] CVE-2021-42376
      https://nvd.nist.gov/vuln/detail/CVE-2021-42376
[ 5 ] CVE-2021-42377
      https://nvd.nist.gov/vuln/detail/CVE-2021-42377
[ 6 ] CVE-2021-42378
      https://nvd.nist.gov/vuln/detail/CVE-2021-42378
[ 7 ] CVE-2021-42379
      https://nvd.nist.gov/vuln/detail/CVE-2021-42379
[ 8 ] CVE-2021-42380
      https://nvd.nist.gov/vuln/detail/CVE-2021-42380
[ 9 ] CVE-2021-42381
      https://nvd.nist.gov/vuln/detail/CVE-2021-42381
[ 10 ] CVE-2021-42382
      https://nvd.nist.gov/vuln/detail/CVE-2021-42382
[ 11 ] CVE-2021-42383
      https://nvd.nist.gov/vuln/detail/CVE-2021-42383
[ 12 ] CVE-2021-42384
      https://nvd.nist.gov/vuln/detail/CVE-2021-42384
[ 13 ] CVE-2021-42385
      https://nvd.nist.gov/vuln/detail/CVE-2021-42385
[ 14 ] CVE-2021-42386
      https://nvd.nist.gov/vuln/detail/CVE-2021-42386

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-17

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-16 ] GNU Coreutils: Buffer Overflow Vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory          GLSA 202407-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: GNU Coreutils: Buffer Overflow Vulnerability
      Date: July 05, 2024
      Bugs: #922474
        ID: 202407-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Coreutils, which can lead to a heap buffer overflow and possibly arbitrary code execution.

Background
==========

The GNU Core Utilities are the basic file, shell and text manipulation utilities of the GNU operating system.

Affected packages
=================

  Package            Vulnerable    Unaffected
  -----------------  ------------  ------------
  sys-apps/coreutils < 9.4-r1      >= 9.4-r1

Description
===========

A vulnerability has been discovered in the Coreutils "split" program that can lead to a heap buffer overflow and possibly arbitrary code execution.

Impact
======

Please review the referenced CVE identifier for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Coreutils users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/coreutils-9.4-r1"

References
==========

[ 1 ] CVE-2024-0684
      https://nvd.nist.gov/vuln/detail/CVE-2024-0684

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202407-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-15 ] GraphicsMagick: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GraphicsMagick: Multiple Vulnerabilities
      Date: July 05, 2024
      Bugs: #888545, #890851
        ID: 202407-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in GraphicsMagick, the
worst of which could lead to arbitrary code execution.

Background
==========

GraphicsMagick is a collection of tools and libraries which support
reading, writing, and manipulating images in many major formats.

Affected packages
=================

Package                   Vulnerable    Unaffected
------------------------  ------------  ------------
media-gfx/graphicsmagick  < 1.3.40      >= 1.3.40

Description
===========

Multiple vulnerabilities have been discovered in GraphicsMagick. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GraphicsMagick users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.3.40"

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-15

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-14 ] TigerVNC: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: TigerVNC: Multiple Vulnerabilities
      Date: July 05, 2024
      Bugs: #700464
        ID: 202407-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in TigerVNC, the worst of
which could lead to remote code execution.

Background
==========

TigerVNC is a high-performance VNC server/client.

Affected packages
=================

Package           Vulnerable      Unaffected
----------------  --------------  --------------
net-misc/tigervnc < 1.12.0-r2     >= 1.12.0-r2

Description
===========

Multiple vulnerabilities have been discovered in TigerVNC. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All TigerVNC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/tigervnc-1.12.0-r2"

References
==========

[ 1 ] CVE-2019-15691
      https://nvd.nist.gov/vuln/detail/CVE-2019-15691
[ 2 ] CVE-2019-15692
      https://nvd.nist.gov/vuln/detail/CVE-2019-15692
[ 3 ] CVE-2019-15694
      https://nvd.nist.gov/vuln/detail/CVE-2019-15694
[ 4 ] CVE-2019-15695
      https://nvd.nist.gov/vuln/detail/CVE-2019-15695
[ 5 ] CVE-2020-26117
      https://nvd.nist.gov/vuln/detail/CVE-2020-26117

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-13 ] WebKitGTK+: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: WebKitGTK+: Multiple Vulnerabilities
      Date: July 05, 2024
      Bugs: #923851, #930116
        ID: 202407-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in WebKitGTK+, the worst
of which could lead to arbitrary code execution.

Background
==========

WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from hybrid
HTML/CSS applications to full-fledged web browsers.

Affected packages
=================

Package              Vulnerable        Unaffected
-------------------  ----------------  ----------------
net-libs/webkit-gtk  < 2.44.0:4        >= 2.44.0:4
                     < 2.44.0:4.1      >= 2.44.0:4.1
                     < 2.44.0:6        >= 2.44.0:6

Description
===========

Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All WebKitGTK+ users should upgrade to the latest version (depending on
the installed slots):

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:4"
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:4.1"
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:6"

References
==========

[ 1 ] CVE-2014-1745
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1745
[ 2 ] CVE-2023-40414
      https://nvd.nist.gov/vuln/detail/CVE-2023-40414
[ 3 ] CVE-2023-42833
      https://nvd.nist.gov/vuln/detail/CVE-2023-42833
[ 4 ] CVE-2023-42843
      https://nvd.nist.gov/vuln/detail/CVE-2023-42843
[ 5 ] CVE-2023-42950
      https://nvd.nist.gov/vuln/detail/CVE-2023-42950
[ 6 ] CVE-2023-42956
      https://nvd.nist.gov/vuln/detail/CVE-2023-42956
[ 7 ] CVE-2024-23206
      https://nvd.nist.gov/vuln/detail/CVE-2024-23206
[ 8 ] CVE-2024-23213
      https://nvd.nist.gov/vuln/detail/CVE-2024-23213
[ 9 ] CVE-2024-23222
      https://nvd.nist.gov/vuln/detail/CVE-2024-23222
[ 10 ] CVE-2024-23252
      https://nvd.nist.gov/vuln/detail/CVE-2024-23252
[ 11 ] CVE-2024-23254
      https://nvd.nist.gov/vuln/detail/CVE-2024-23254
[ 12 ] CVE-2024-23263
      https://nvd.nist.gov/vuln/detail/CVE-2024-23263
[ 13 ] CVE-2024-23280
      https://nvd.nist.gov/vuln/detail/CVE-2024-23280
[ 14 ] CVE-2024-23284
      https://nvd.nist.gov/vuln/detail/CVE-2024-23284
[ 15 ] WSA-2024-0001
      https://webkitgtk.org/security/WSA-2024-0001.html
[ 16 ] WSA-2024-0002
      https://webkitgtk.org/security/WSA-2024-0002.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-12 ] podman: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: podman: Multiple Vulnerabilities
      Date: July 05, 2024
      Bugs: #829896, #870931, #896372, #921290, #923751, #927500, #927501
        ID: 202407-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Podman, the worst of
which could lead to privilege escalation.

Background
==========

Podman is a tool for managing OCI containers and pods with a
Docker-compatible CLI.

Affected packages
=================

Package                Vulnerable    Unaffected
---------------------  ------------  ------------
app-containers/podman  < 4.9.4       >= 4.9.4

Description
===========

Please review the referenced CVE identifiers for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Podman users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-containers/podman-4.9.4"

References
==========

[ 1 ] CVE-2021-4024
      https://nvd.nist.gov/vuln/detail/CVE-2021-4024
[ 2 ] CVE-2022-2989
      https://nvd.nist.gov/vuln/detail/CVE-2022-2989
[ 3 ] CVE-2023-0778
      https://nvd.nist.gov/vuln/detail/CVE-2023-0778
[ 4 ] CVE-2023-48795
      https://nvd.nist.gov/vuln/detail/CVE-2023-48795
[ 5 ] CVE-2024-1753
      https://nvd.nist.gov/vuln/detail/CVE-2024-1753
[ 6 ] CVE-2024-23651
      https://nvd.nist.gov/vuln/detail/CVE-2024-23651
[ 7 ] CVE-2024-23652
      https://nvd.nist.gov/vuln/detail/CVE-2024-23652
[ 8 ] CVE-2024-23653
      https://nvd.nist.gov/vuln/detail/CVE-2024-23653
[ 9 ] CVE-2024-24786
      https://nvd.nist.gov/vuln/detail/CVE-2024-24786

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-11 ] PuTTY: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: PuTTY: Multiple Vulnerabilities
      Date: July 05, 2024
      Bugs: #920304, #930082
        ID: 202407-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in PuTTY, the worst of
which could lead to compromised keys.

Background
==========

PuTTY is a free implementation of Telnet and SSH for Windows and Unix
platforms, along with an xterm terminal emulator.

Affected packages
=================

Package         Vulnerable    Unaffected
--------------  ------------  ------------
net-misc/putty  < 0.81        >= 0.81

Description
===========

Multiple vulnerabilities have been discovered in PuTTY. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PuTTY users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/putty-0.81"

In addition, any keys generated with PuTTY versions 0.68 to 0.80 should
be considered breached and should be regenerated.

References
==========

[ 1 ] CVE-2023-48795
      https://nvd.nist.gov/vuln/detail/CVE-2023-48795
[ 2 ] CVE-2024-31497
      https://nvd.nist.gov/vuln/detail/CVE-2024-31497

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-10 ] Sofia-SIP: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Sofia-SIP: Multiple Vulnerabilities
      Date: July 05, 2024
      Bugs: #891791
        ID: 202407-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Sofia-SIP, the worst of
which can lead to remote code execution.

Background
==========

Sofia-SIP is an RFC3261 compliant SIP User-Agent library.

Affected packages
=================

Package             Vulnerable    Unaffected
------------------  ------------  ------------
net-libs/sofia-sip  < 1.13.16     Vulnerable!

Description
===========

Multiple vulnerabilities have been discovered in Sofia-SIP. Please
review the CVE identifiers referenced below for details.

Impact
======

Multiple vulnerabilities have been discovered in Sofia-SIP. Please
review the CVE identifiers referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

Gentoo has discontinued support for the Sofia-SIP package. We recommend
that users unmerge it:

  # emerge --ask --depclean "net-libs/sofia-sip"

References
==========

[ 1 ] CVE-2023-22741
      https://nvd.nist.gov/vuln/detail/CVE-2023-22741
[ 2 ] CVE-2023-32307
      https://nvd.nist.gov/vuln/detail/CVE-2023-32307

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-09 ] OpenSSH: Remote Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: OpenSSH: Remote Code Execution
      Date: July 01, 2024
      Bugs: #935271
        ID: 202407-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in OpenSSH, which can lead to remote
code execution with root privileges.

Background
==========

OpenSSH is a free application suite consisting of server and clients
that replace tools like telnet, rlogin, rcp and ftp with more secure
versions offering additional functionality.

Affected packages
=================

Package           Vulnerable      Unaffected
----------------  --------------  --------------
net-misc/openssh  < 9.7_p1-r6     >= 9.7_p1-r6

Description
===========

A vulnerability has been discovered in OpenSSH. Please review the CVE
identifier referenced below for details.

Impact
======

A critical vulnerability in sshd(8) was present in Portable OpenSSH
versions that may allow arbitrary code execution with root privileges.
Successful exploitation has been demonstrated on 32-bit Linux/glibc
systems with ASLR. Under lab conditions, the attack requires on average
6-8 hours of continuous connections up to the maximum the server will
accept. Exploitation on 64-bit systems is believed to be possible but
has not been demonstrated at this time. It's likely that these attacks
will be improved upon.

Workaround
==========

There is no known workaround at this time.

Note that Gentoo has backported the fix to the following versions:

  net-misc/openssh-9.6_p1-r5
  net-misc/openssh-9.7_p1-r6

Resolution
==========

All OpenSSH users should upgrade to the latest version and restart the
sshd server (to ensure access for new sessions and no vulnerable code
keeps running).

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-9.7_p1-r6"

With OpenRC:

  # rc-service sshd restart

With systemd:

  # systemctl try-restart sshd.service

References
==========

[ 1 ] CVE-2024-6387
      https://nvd.nist.gov/vuln/detail/CVE-2024-6387

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
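The "Affected packages" tables in these advisories, and the OpenSSH advisory's note that the fix was also backported to net-misc/openssh-9.6_p1-r5 even though the table lists everything below 9.7_p1-r6 as vulnerable, both come down to one question for an administrator: is the version I have installed still inside the vulnerable range? The following Python script is an added example, not Gentoo's or Portage's code. It implements a simplified Gentoo version comparison (dotted numeric components, optional trailing letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision) and applies it to advisory data transcribed from the OpenSSH and WebKitGTK+ advisories above. The Advisory class, its fixed_backports field and the rule that a backported fix covers the same base version at an equal or higher revision are assumptions of this example; the installed versions in the main block are constructed, not read from a real host.

```python
"""Check installed Gentoo package versions against a GLSA "Affected packages" table.

Added example (not Gentoo's or Portage's code).  The comparison is a simplified
re-implementation of Gentoo version ordering, and the Advisory class with its
fixed_backports field is an assumption of this example.
"""
import re
from dataclasses import dataclass

# Rank of Gentoo version suffixes.  A version with no suffix ("") sorts above
# _rc and below _p, which is why it sits at rank 4.
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"                          # 9.7 / 2.44.0
    r"(?P<letter>[a-z])?"                                 # optional trailing letter, e.g. 1.0a
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"    # _p1, _rc2, ...
    r"(?:-r(?P<rev>\d+))?$"                               # Gentoo ebuild revision
)


def parse_version(ver: str):
    """Split a Gentoo version string into comparable parts."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unparseable Gentoo version: {ver!r}")
    nums = [int(x) for x in m.group("nums").split(".")]
    letter = m.group("letter") or ""
    suffixes = [(SUFFIX_RANK[name], int(num or 0))
                for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    rev = int(m.group("rev") or 0)
    return nums, letter, suffixes, rev


def vercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to or higher than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    # Pad the shorter suffix list with "no suffix" so that a trailing _p ranks
    # higher and a trailing _rc/_pre/_beta/_alpha ranks lower than the bare version.
    n = max(len(sa), len(sb))
    pad = (SUFFIX_RANK[""], 0)
    sa = sa + [pad] * (n - len(sa))
    sb = sb + [pad] * (n - len(sb))
    ka, kb = (na, la, sa, ra), (nb, lb, sb, rb)
    return (ka > kb) - (ka < kb)


def same_base(a: str, b: str) -> bool:
    """True when a and b differ at most in their -rN revision."""
    return parse_version(a)[:3] == parse_version(b)[:3]


@dataclass(frozen=True)
class Advisory:
    glsa_id: str
    package: str
    # slot -> first unaffected version; "" is the slotless (any slot) entry
    unaffected_min: dict
    # versions the advisory explicitly says carry the fix (assumed field)
    fixed_backports: tuple = ()


def is_vulnerable(adv: Advisory, installed: str, slot: str = "") -> bool:
    """Decide whether an installed version in the given slot is still affected."""
    threshold = adv.unaffected_min.get(slot, adv.unaffected_min.get(""))
    if threshold is None:
        raise KeyError(f"{adv.glsa_id}: no entry for slot {slot!r}")
    if vercmp(installed, threshold) >= 0:
        return False
    # Assumed rule: a backported fix covers the same base version at the same
    # or a higher revision (9.6_p1-r5 fixed implies 9.6_p1-r6 fixed).
    return not any(same_base(installed, bp) and vercmp(installed, bp) >= 0
                   for bp in adv.fixed_backports)


# Advisory data transcribed from the GLSAs on this page.
OPENSSH = Advisory("202407-09", "net-misc/openssh",
                   {"": "9.7_p1-r6"}, fixed_backports=("9.6_p1-r5",))
WEBKIT = Advisory("202407-13", "net-libs/webkit-gtk",
                  {"4": "2.44.0", "4.1": "2.44.0", "6": "2.44.0"})


def report(adv: Advisory, installs):
    """Return the (version, slot) pairs from installs that are still vulnerable."""
    return [(v, s) for v, s in installs if is_vulnerable(adv, v, s)]


if __name__ == "__main__":
    # Constructed sample of installed versions, not taken from a real host.
    samples = ((OPENSSH, [("9.7_p1-r5", ""), ("9.6_p1-r5", ""), ("9.8_p1", "")]),
               (WEBKIT, [("2.42.5", "4"), ("2.44.0", "6")]))
    for adv, installs in samples:
        for ver, slot in report(adv, installs):
            suffix = f":{slot}" if slot else ""
            print(f"GLSA {adv.glsa_id}: {adv.package}-{ver}{suffix} is vulnerable")
```

Run against the constructed samples, the script flags openssh-9.7_p1-r5 and webkit-gtk-2.42.5:4 and clears 9.6_p1-r5 because of the backport entry; a naive "below 9.7_p1-r6" check would have flagged the backported version too, which is exactly the discrepancy the OpenSSH advisory's Workaround note warns about. Portage's own version comparison has further rules (for instance for components with leading zeros) that this simplified version does not reproduce.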
[gentoo-announce] [ GLSA 202407-07 ] cpio: Arbitrary Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: cpio: Arbitrary Code Execution
      Date: July 01, 2024
      Bugs: #807088
        ID: 202407-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in cpio, which can lead to
arbitrary code execution.

Background
==========

cpio is a file archival tool which can also read and write tar files.

Affected packages
=================

Package        Vulnerable    Unaffected
-------------  ------------  ------------
app-arch/cpio  < 2.13-r1     >= 2.13-r1

Description
===========

Multiple vulnerabilities have been discovered in cpio. Please review the
CVE identifiers referenced below for details.

Impact
======

GNU cpio allows attackers to execute arbitrary code via a crafted
pattern file, because of a dstring.c ds_fgetstr integer overflow that
triggers an out-of-bounds heap write. NOTE: it is unclear whether there
are common cases where the pattern file, associated with the -E option,
is untrusted data.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cpio users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/cpio-2.13-r1"

References
==========

[ 1 ] CVE-2016-2037
      https://nvd.nist.gov/vuln/detail/CVE-2016-2037
[ 2 ] CVE-2019-14866
      https://nvd.nist.gov/vuln/detail/CVE-2019-14866
[ 3 ] CVE-2021-38185
      https://nvd.nist.gov/vuln/detail/CVE-2021-38185

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-08 ] GNU Emacs, Org Mode: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: GNU Emacs, Org Mode: Multiple Vulnerabilities
      Date: July 01, 2024
      Bugs: #897950, #927820
        ID: 202407-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in GNU Emacs and Org Mode,
the worst of which could lead to arbitrary code execution.

Background
==========

GNU Emacs is a highly extensible and customizable text editor.

Affected packages
=================

Package             Vulnerable       Unaffected
------------------  ---------------  ---------------
app-editors/emacs   < 26.3-r16:26    >= 26.3-r16:26
                    < 27.2-r14:27    >= 27.2-r14:27
                    < 28.2-r10:28    >= 28.2-r10:28
                    < 29.2-r1:29     >= 29.2-r1:29
app-emacs/org-mode  < 9.6.23         >= 9.6.23

Description
===========

Multiple vulnerabilities have been discovered in GNU Emacs. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU Emacs users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-29.3-r2"

All Org Mode users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emacs/org-mode-9.6.23"

References
==========

[ 1 ] CVE-2022-48337
      https://nvd.nist.gov/vuln/detail/CVE-2022-48337
[ 2 ] CVE-2022-48338
      https://nvd.nist.gov/vuln/detail/CVE-2022-48338
[ 3 ] CVE-2022-48339
      https://nvd.nist.gov/vuln/detail/CVE-2022-48339
[ 4 ] CVE-2024-30202
      https://nvd.nist.gov/vuln/detail/CVE-2024-30202
[ 5 ] CVE-2024-30203
      https://nvd.nist.gov/vuln/detail/CVE-2024-30203
[ 6 ] CVE-2024-30204
      https://nvd.nist.gov/vuln/detail/CVE-2024-30204
[ 7 ] CVE-2024-30205
      https://nvd.nist.gov/vuln/detail/CVE-2024-30205

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-06 ] cryptography: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: cryptography: Multiple Vulnerabilities
      Date: July 01, 2024
      Bugs: #769419, #864049, #893576, #918685, #925120
        ID: 202407-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in cryptography, the worst
of which could lead to a denial of service.

Background
==========

cryptography is a package which provides cryptographic recipes and
primitives to Python developers.

Affected packages
=================

Package                  Vulnerable    Unaffected
-----------------------  ------------  ------------
dev-python/cryptography  < 42.0.4      >= 42.0.4

Description
===========

Multiple vulnerabilities have been discovered in cryptography. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cryptography users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/cryptography-42.0.4"

References
==========

[ 1 ] CVE-2020-36242
      https://nvd.nist.gov/vuln/detail/CVE-2020-36242
[ 2 ] CVE-2023-23931
      https://nvd.nist.gov/vuln/detail/CVE-2023-23931
[ 3 ] CVE-2023-49083
      https://nvd.nist.gov/vuln/detail/CVE-2023-49083
[ 4 ] CVE-2024-26130
      https://nvd.nist.gov/vuln/detail/CVE-2024-26130

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-02 ] SDL_ttf: Arbitrary Memory Write
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: SDL_ttf: Arbitrary Memory Write
      Date: July 01, 2024
      Bugs: #843434
        ID: 202407-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in SDL_ttf, which can lead to
arbitrary memory writes.

Background
==========

SDL_ttf is a wrapper around the FreeType and Harfbuzz libraries,
allowing you to use TrueType fonts to render text in SDL applications.

Affected packages
=================

Package              Vulnerable    Unaffected
-------------------  ------------  ------------
media-libs/sdl2-ttf  < 2.20.0      >= 2.20.0

Description
===========

A vulnerability has been discovered in SDL_ttf. Please review the CVE
identifier referenced below for details.

Impact
======

SDL_ttf was discovered to contain an arbitrary memory write via the
function TTF_RenderText_Solid(). This vulnerability is triggered via a
crafted TTF file.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SDL_ttf users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/sdl2-ttf-2.20.0"

References
==========

[ 1 ] CVE-2022-27470
      https://nvd.nist.gov/vuln/detail/CVE-2022-27470

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-04 ] Pixman: Heap Buffer Overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Pixman: Heap Buffer Overflow
      Date: July 01, 2024
      Bugs: #879207
        ID: 202407-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Pixman, which can lead to a heap
buffer overflow.

Background
==========

Pixman is a pixel manipulation library.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
x11-libs/pixman  < 0.42.2      >= 0.42.2

Description
===========

A vulnerability has been discovered in Pixman. Please review the CVE
identifiers referenced below for details.

Impact
======

An out-of-bounds write (aka heap-based buffer overflow) in
rasterize_edges_8 can occur due to an integer overflow in
pixman_sample_floor_y.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pixman users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/pixman-0.42.2"

References
==========

[ 1 ] CVE-2022-44638
      https://nvd.nist.gov/vuln/detail/CVE-2022-44638

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-03 ] Liferea: Remote Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202407-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Liferea: Remote Code Execution
      Date: July 01, 2024
      Bugs: #901085
        ID: 202407-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Liferea, which can lead to remote
code execution.

Background
==========

Liferea is a feed reader/news aggregator that brings together all of the
content from your favorite subscriptions into a simple interface that
makes it easy to organize and browse feeds. Its GUI is similar to a
desktop mail/news client, with an embedded web browser.

Affected packages
=================

Package           Vulnerable    Unaffected
----------------  ------------  ------------
net-news/liferea  < 1.12.10     >= 1.12.10

Description
===========

A vulnerability has been discovered in Liferea. Please review the CVE
identifier referenced below for details.

Impact
======

A vulnerability was found in liferea. Affected by this issue is the
function update_job_run of the file src/update.c of the component Feed
Enrichment. The manipulation of the argument source can lead to os
command injection. The attack may be launched remotely.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Liferea users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-news/liferea-1.12.10"

References
==========

[ 1 ] CVE-2023-1350
      https://nvd.nist.gov/vuln/detail/CVE-2023-1350

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-01 ] Zsh: Prompt Expansion Vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 202407-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                        https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Zsh: Prompt Expansion Vulnerability
      Date: July 01, 2024
      Bugs: #833252
        ID: 202407-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Zsh, which can lead to execution
of arbitrary code.

Background
==========

Zsh is a shell designed for interactive use, although it is also a
powerful scripting language.

Affected packages
=================

Package         Vulnerable    Unaffected
--------------  ------------  ------------
app-shells/zsh  < 5.8.1       >= 5.8.1

Description
===========

A vulnerability has been discovered in Zsh. Please review the CVE
identifier referenced below for details.

Impact
======

A vulnerability in prompt expansion could be exploited, e.g. through
VCS_Info, to execute arbitrary shell commands without a user's
knowledge: data that ends up in the prompt (such as a branch name) is
subject to prompt expansion unless it is escaped first.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Zsh users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.8.1"

References
==========

[ 1 ] CVE-2021-45444
      https://nvd.nist.gov/vuln/detail/CVE-2021-45444

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202407-05 ] SSSD: Command Injection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 202407-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                        https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: SSSD: Command Injection
      Date: July 01, 2024
      Bugs: #808911
        ID: 202407-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in SSSD, which can lead to arbitrary
code execution.

Background
==========

SSSD provides a set of daemons to manage access to remote directories
and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It
provides an NSS and PAM interface toward the system and a pluggable
backend system to connect to multiple different account sources.

Affected packages
=================

Package        Vulnerable    Unaffected
-------------  ------------  ------------
sys-auth/sssd  < 2.5.2-r1    >= 2.5.2-r1

Description
===========

A vulnerability has been discovered in SSSD. Please review the CVE
identifier referenced below for details.

Impact
======

A flaw was found in SSSD, where the sssctl command was vulnerable to
shell command injection via the logs-fetch and cache-expire subcommands.
An attacker who can get the root user to run a specially crafted sssctl
command line, for example through a sudo rule that permits sssctl, can
use this flaw to gain root access.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SSSD users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-auth/sssd-2.5.2-r1"

References
==========

[ 1 ] CVE-2021-3621
      https://nvd.nist.gov/vuln/detail/CVE-2021-3621

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202406-06 ] GStreamer, GStreamer Plugins: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 202406-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                        https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: GStreamer, GStreamer Plugins: Multiple Vulnerabilities
      Date: June 28, 2024
      Bugs: #917791, #918095
        ID: 202406-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in GStreamer and GStreamer
Plugins, the worst of which could lead to code execution.

Background
==========

GStreamer is an open source multimedia framework.

Affected packages
=================

Package                      Vulnerable    Unaffected
---------------------------  ------------  ------------
media-libs/gst-plugins-bad   < 1.22.11-r1  >= 1.22.11-r1
media-libs/gstreamer         < 1.22.11     >= 1.22.11

Description
===========

Multiple vulnerabilities have been discovered in GStreamer and GStreamer
Plugins. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GStreamer and GStreamer Plugins users should upgrade to the latest
versions:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/gstreamer-1.22.11" ">=media-libs/gst-plugins-bad-1.22.11-r1"

References
==========

[ 1 ] CVE-2023-40474
      https://nvd.nist.gov/vuln/detail/CVE-2023-40474
[ 2 ] CVE-2023-40475
      https://nvd.nist.gov/vuln/detail/CVE-2023-40475
[ 3 ] CVE-2023-40476
      https://nvd.nist.gov/vuln/detail/CVE-2023-40476
[ 4 ] CVE-2023-44429
      https://nvd.nist.gov/vuln/detail/CVE-2023-44429
[ 5 ] CVE-2023-6
      https://nvd.nist.gov/vuln/detail/CVE-2023-6
[ 6 ] ZDI-CAN-21660
[ 7 ] ZDI-CAN-21661
[ 8 ] ZDI-CAN-21768
[ 9 ] ZDI-CAN-6
[ 10 ] ZDI-CAN-22299

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202406-05 ] JHead: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 202406-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                        https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: JHead: Multiple Vulnerabilities
      Date: June 22, 2024
      Bugs: #876247, #879801, #908519
        ID: 202406-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in JHead, the worst of
which may lead to arbitrary code execution.

Background
==========

JHead is an EXIF JPEG header manipulation tool.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
media-gfx/jhead  < 3.08        >= 3.08

Description
===========

Multiple vulnerabilities have been discovered in JHead. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All JHead users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/jhead-3.08"

References
==========

[ 1 ] CVE-2020-6624
      https://nvd.nist.gov/vuln/detail/CVE-2020-6624
[ 2 ] CVE-2020-6625
      https://nvd.nist.gov/vuln/detail/CVE-2020-6625
[ 3 ] CVE-2021-34055
      https://nvd.nist.gov/vuln/detail/CVE-2021-34055
[ 4 ] CVE-2022-28550
      https://nvd.nist.gov/vuln/detail/CVE-2022-28550
[ 5 ] CVE-2022-41751
      https://nvd.nist.gov/vuln/detail/CVE-2022-41751

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202406-04 ] LZ4: Memory Corruption
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 202406-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                        https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: LZ4: Memory Corruption
      Date: June 22, 2024
      Bugs: #791952
        ID: 202406-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in LZ4, which can lead to memory
corruption.

Background
==========

LZ4 is a lossless compression algorithm, providing compression speed
> 500 MB/s per core, scalable with multi-core CPUs. It features an
extremely fast decoder, with speed in multiple GB/s per core, typically
reaching RAM speed limits on multi-core systems.

Affected packages
=================

Package       Vulnerable    Unaffected
------------  ------------  ------------
app-arch/lz4  < 1.9.3-r1    >= 1.9.3-r1

Description
===========

An attacker who submits a crafted file to an application linked with lz4
may be able to trigger an integer overflow, leading to a call of
memmove() with a negative size argument (which, as the size_t that
memmove() takes, is a very large unsigned length), causing an
out-of-bounds write and/or a crash.

Impact
======

The greatest impact of this flaw is to availability, with some potential
impact to confidentiality and integrity as well. Note that the
vulnerable code is a library: any application that decompresses
untrusted LZ4 data is exposed until it is relinked against, or dynamically
picks up, the fixed version.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LZ4 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/lz4-1.9.3-r1"

References
==========

[ 1 ] CVE-2021-3520
      https://nvd.nist.gov/vuln/detail/CVE-2021-3520

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202406-03 ] RDoc: Remote Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 202406-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                        https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: RDoc: Remote Code Execution
      Date: June 22, 2024
      Bugs: #927565
        ID: 202406-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in RDoc, which can lead to execution
of arbitrary code.

Background
==========

RDoc produces HTML and command-line documentation for Ruby projects.

Affected packages
=================

Package        Vulnerable    Unaffected
-------------  ------------  ------------
dev-ruby/rdoc  < 6.6.3.1     >= 6.6.3.1

Description
===========

A vulnerability has been discovered in RDoc. Please review the CVE
identifier referenced below for details.

Impact
======

When parsing .rdoc_options (used for configuration in RDoc) as a YAML
file, object injection and resultant remote code execution are possible
because there are no restrictions on the classes that can be restored.
When loading the documentation cache, object injection and resultant
remote code execution are likewise possible if the cache has been
crafted. In practice this means that running rdoc against a checkout
that contains an attacker-supplied .rdoc_options file, or against a
tampered documentation cache, is enough to trigger the issue.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All RDoc users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.6.3.1"

References
==========

[ 1 ] CVE-2024-27281
      https://nvd.nist.gov/vuln/detail/CVE-2024-27281

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
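The Impact section of the RDoc advisory describes an object-injection primitive: an unrestricted YAML loader will instantiate whatever class a `!ruby/object:` tag names, with whatever instance variables the document supplies. The following is an added example, not RDoc's code or its actual fix, that demonstrates the primitive on a constructed `.rdoc_options`-style document and shows the restricted loader that closes it. The classes ProjectOptions and Sensitive, the document and the allow-list are all assumptions made for this demonstration; the gadget chain that turns an arbitrary object into code execution is deliberately not shown.

```ruby
require "yaml"

# Added example, not RDoc's code. Shows the object-injection primitive behind
# loading a configuration file such as .rdoc_options with an unrestricted YAML
# loader, beside the restricted loader that closes it. ProjectOptions,
# Sensitive and the document are constructed for this demonstration.

# Stand-in for the class the application expects to read back.
class ProjectOptions
  attr_accessor :title, :main_page
end

# Any class the application never intended to rehydrate. A real attack picks
# one whose methods do something dangerous when later called (a "gadget");
# this one only records what it was handed.
class Sensitive
  attr_reader :command
end

# Constructed .rdoc_options-style document. The nested tag names a different
# class from the one the application expects, and chooses its ivars.
CRAFTED_OPTIONS = <<~YAML
  --- !ruby/object:ProjectOptions
  title: Example project
  main_page: !ruby/object:Sensitive
    command: "id > /tmp/pwned"
YAML

# Unrestricted: every !ruby/object tag is honoured. Psych 4 (bundled with
# Ruby 3.1+) calls this unsafe_load; on older Psych, plain load behaves so.
def load_unrestricted(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Restricted: only allow-listed classes may be instantiated; any other tag
# raises Psych::DisallowedClass before an object is built.
def load_restricted(doc, permitted: [ProjectOptions])
  YAML.safe_load(doc, permitted_classes: permitted, aliases: false)
end

def demo_yaml_injection
  injected = load_unrestricted(CRAFTED_OPTIONS).main_page
  restricted_error =
    begin
      load_restricted(CRAFTED_OPTIONS)
      nil
    rescue Psych::DisallowedClass => e
      e.class
    end
  {
    injected_class: injected.class,      # Sensitive: the attacker chose the class
    injected_command: injected.command,  # and populated its instance variables
    restricted_error: restricted_error   # Psych::DisallowedClass
  }
end

puts demo_yaml_injection.inspect if $PROGRAM_NAME == __FILE__
```

Two practitioner notes. First, `permitted_classes` is the whole defence: every class you list must be safe to construct from attacker-chosen instance variables, so keep the list to plain data holders. Second, on Ruby 3.1 and later `YAML.load` is already the restricted variant, but code that calls `unsafe_load`, or that runs on an older Psych, still has the unrestricted behaviour shown above.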
[gentoo-announce] [ GLSA 202406-02 ] Flatpak: Sandbox Escape
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 202406-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                        https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Flatpak: Sandbox Escape
      Date: June 22, 2024
      Bugs: #930202
        ID: 202406-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Flatpak, which can lead to a
sandbox escape.

Background
==========

Flatpak is a Linux application sandboxing and distribution framework.

Affected packages
=================

Package           Vulnerable    Unaffected
----------------  ------------  ------------
sys-apps/flatpak  < 1.14.6      >= 1.14.6

Description
===========

A vulnerability has been discovered in Flatpak. Please review the CVE
identifier referenced below for details.

Impact
======

A malicious or compromised Flatpak app could execute arbitrary code
outside its sandbox in conjunction with xdg-desktop-portal.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Flatpak users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.14.6"

References
==========

[ 1 ] CVE-2024-32462
      https://nvd.nist.gov/vuln/detail/CVE-2024-32462

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202406-01 ] GLib: Privilege Escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 202406-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                        https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: GLib: Privilege Escalation
      Date: June 22, 2024
      Bugs: #931507
        ID: 202406-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in GLib, which can lead to privilege
escalation.

Background
==========

GLib is a library providing a number of GNOME's core objects and
functions.

Affected packages
=================

Package        Vulnerable    Unaffected
-------------  ------------  ------------
dev-libs/glib  < 2.78.6      >= 2.78.6

Description
===========

A vulnerability has been discovered in GLib. Please review the CVE
identifier referenced below for details.

Impact
======

When a GDBus-based client subscribes to signals from a trusted system
service such as NetworkManager or logind on a shared computer, other
users of the same computer can send spoofed D-Bus signals that the
GDBus-based client will wrongly interpret as having been sent by the
trusted system service. This could lead to the GDBus-based client
behaving incorrectly, with an application-dependent impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GLib users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.78.6"

References
==========

[ 1 ] CVE-2024-34397
      https://nvd.nist.gov/vuln/detail/CVE-2024-34397

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
[gentoo-announce] [ GLSA 202405-33 ] PoDoFo: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 202405-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                        https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: PoDoFo: Multiple Vulnerabilities
      Date: May 12, 2024
      Bugs: #906105
        ID: 202405-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in PoDoFo, the worst of
which could lead to code execution.

Background
==========

PoDoFo is a free portable C++ library to work with the PDF file format.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
app-text/podofo  < 0.10.1      >= 0.10.1

Description
===========

Please review the referenced CVE identifiers for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PoDoFo users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/podofo-0.10.1"

References
==========

[ 1 ] CVE-2023-31566
      https://nvd.nist.gov/vuln/detail/CVE-2023-31566
[ 2 ] CVE-2023-31567
      https://nvd.nist.gov/vuln/detail/CVE-2023-31567

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-33

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
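Every advisory above carries an "Affected packages" table with a Vulnerable and an Unaffected range, and several of the fixes ship as a Gentoo revision (sys-auth/sssd 2.5.2-r1, app-arch/lz4 1.9.3-r1) rather than as a new upstream release, so the upstream version number alone does not tell you whether a system is patched. The following is an added example, not Gentoo's glsa-check or Portage code, that parses table rows in the format printed in these advisories and evaluates constructed installed versions against them, with revision-aware comparison. Only dotted numeric components and the -rN suffix are modelled; Portage's full version grammar (letter suffixes, _pre/_rc/_p stages) is not, and the installed versions are assumptions for the demonstration.

```ruby
# Added example, not Gentoo's glsa-check or Portage code. Parses the
# "Affected packages" rows as printed in the advisories on this page and
# decides whether an installed version lies inside the Vulnerable range.
# Only dotted numeric components and the -rN revision suffix are modelled;
# the installed versions below are constructed, not read from a system.

# "2.5.2-r1" -> [[2, 5, 2], 1]; a missing revision counts as -r0.
def parse_version(v)
  base, rev = v.split("-r", 2)
  [base.split(".").map(&:to_i), rev.to_i]
end

# Three-way comparison (-1, 0, 1). Shorter component lists are zero-padded so
# 5.9 sorts above 5.8.1 and 6.6.3.1 compares against 6.6.3 as against 6.6.3.0.
def version_cmp(a, b)
  (na, ra), (nb, rb) = parse_version(a), parse_version(b)
  width = [na.size, nb.size].max
  pad = ->(n) { n + [0] * (width - n.size) }
  [pad.(na), ra] <=> [pad.(nb), rb]
end

# One table row: "category/name   < 1.12.10   >= 1.12.10"
ROW_RE = %r{\A\s*([\w+.-]+/[\w+.-]+)\s+(<=?)\s*(\S+)\s+(>=?)\s*(\S+)\s*\z}

def parse_affected(table)
  table.each_line.filter_map do |line|
    m = ROW_RE.match(line) or next
    { package: m[1], vuln_op: m[2], vuln_ver: m[3], unaff_op: m[4], unaff_ver: m[5] }
  end
end

def vulnerable?(row, installed)
  c = version_cmp(installed, row[:vuln_ver])
  row[:vuln_op] == "<" ? c < 0 : c <= 0
end

# Rows copied from the advisories on this page (header and rule lines are
# skipped by the regex).
AFFECTED = <<~TABLE
  Package              Vulnerable    Unaffected
  -------------------  ------------  ------------
  net-news/liferea     < 1.12.10     >= 1.12.10
  app-shells/zsh       < 5.8.1       >= 5.8.1
  sys-auth/sssd        < 2.5.2-r1    >= 2.5.2-r1
  app-arch/lz4         < 1.9.3-r1    >= 1.9.3-r1
  dev-ruby/rdoc        < 6.6.3.1     >= 6.6.3.1
TABLE

# Constructed installed versions. sssd 2.5.2 without Gentoo's -r1 revision
# is still inside the vulnerable range; the upstream number is not enough.
INSTALLED = {
  "net-news/liferea" => "1.12.9",
  "app-shells/zsh"   => "5.9",
  "sys-auth/sssd"    => "2.5.2",
  "app-arch/lz4"     => "1.9.3-r1",
  "dev-ruby/rdoc"    => "6.6.3.1"
}.freeze

# Returns { package => true/false } for every table row whose package is installed.
def check_installed(table = AFFECTED, installed = INSTALLED)
  parse_affected(table).each_with_object({}) do |row, out|
    ver = installed[row[:package]] or next
    out[row[:package]] = vulnerable?(row, ver)
  end
end

if $PROGRAM_NAME == __FILE__
  check_installed.each { |pkg, vuln| puts "#{pkg}: #{vuln ? 'VULNERABLE' : 'ok'}" }
end
```

On a real Gentoo system the installed versions come from the VDB under /var/db/pkg, and the comparison must follow Portage's own rules; the point of the example is the revision check, which is where hand-rolled "is my version new enough" scripts usually go wrong.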