[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-201410-02.xml
keytoaster14/12/29 20:06:18 Modified: glsa-201410-02.xml Log: Fixed capitalization in resolution instructions, reported by Olaf Krause. Revision ChangesPath 1.2 xml/htdocs/security/en/glsa/glsa-201410-02.xml file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201410-02.xml?rev=1.2view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201410-02.xml?rev=1.2content-type=text/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201410-02.xml?r1=1.1r2=1.2 Index: glsa-201410-02.xml === RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/glsa/glsa-201410-02.xml,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- glsa-201410-02.xml 12 Oct 2014 08:04:57 - 1.1 +++ glsa-201410-02.xml 29 Dec 2014 20:06:18 - 1.2 @@ -4,13 +4,13 @@ !DOCTYPE glsa SYSTEM http://www.gentoo.org/dtd/glsa.dtd; glsa id=201410-02 titlePerl, Perl Locale-Maketext module: Multiple vulnerabilities/title - synopsisMultiple vulnerabilities have been found in Perl Locale-Maketext -module, allowing remote attackers to inject and execute arbitrary Perl -code. + synopsisMultiple vulnerabilities have been found in the Perl +Locale-Maketext module, allowing remote attackers to inject and execute +arbitrary Perl code. /synopsis product type=ebuildLocale-Maketext/product announcedOctober 12, 2014/announced - revisedOctober 12, 2014: 1/revised + revisedDecember 29, 2014: 2/revised bug446376/bug accessremote/access affected 
@@ -27,42 +27,40 @@ pLocale-Maketext - Perl framework for localization/p /background description -pTwo vulnerabilities have been reported in Locale-Maketext module for - Perl, which can be exploited - by malicious users to compromise an application using the module. +pTwo vulnerabilities have been reported in the Locale-Maketext module for + Perl, which can be exploited by malicious users to compromise an + application using the module. /p pThe vulnerabilities are caused due to the “_compile()” function not - properly sanitising input, - which can be exploited to inject and execute arbitrary Perl code. + properly sanitising input, which can be exploited to inject and execute + arbitrary Perl code. /p /description impact type=normal -pA remote attacker could possibly execute - arbitrary code with the privileges of the process, or cause a Denial of - Service condition. +pA remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. /p /impact workaround pThere is no known workaround at this time./p /workaround resolution -pAll users of the Perl Locale-Maketext module should upgrade to the - latest version: +pAll users of the Locale-Maketext module should upgrade to the latest + version: /p code # emerge --sync # emerge --ask --oneshot --verbose - gt;=perl-core/locale-maketext-1.230.0 + gt;=perl-core/Locale-Maketext-1.230.0 /code - /resolution references uri link=http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6329;CVE-2012-6329/uri /references metadata tag=requester timestamp=Tue, 01 Jan 2013 20:38:14 +ackle/metadata - metadata tag=submitter timestamp=Sun, 12 Oct 2014 08:04:05 + + metadata tag=submitter timestamp=Mon, 29 Dec 2014 20:02:06 + pinkbyte /metadata /glsa
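Review bot: the atom change in the @@ -27,42 hunk, `- gt;=perl-core/locale-maketext-1.230.0` to `+ gt;=perl-core/Locale-Maketext-1.230.0`, is the one functional fix here and it matters because Portage package names are case-sensitive: the lowercase atom does not match the perl-core/Locale-Maketext ebuild, so the resolution command as originally published would have failed for users who followed it. The other changes in the same hunk (re-wrapping the description and impact paragraphs, dropping "Perl" from "All users of the Perl Locale-Maketext module", removing the blank line before /resolution) are cosmetic; keeping them out of a correction commit would make the real fix easier to review, and the wording change should be mentioned in the log if it is intended.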
[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-201410-01.xml
keytoaster    14/10/04 22:15:50

  Added:                glsa-201410-01.xml
  Log:
  GLSA 201410-01

Revision  Changes    Path
1.1                  xml/htdocs/security/en/glsa/glsa-201410-01.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201410-01.xml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201410-01.xml?rev=1.1&content-type=text/plain

Index: glsa-201410-01.xml
===================================================================
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

<glsa id="201410-01">
  <title>Bash: Multiple vulnerabilities</title>
  <synopsis>Multiple parsing flaws in Bash could allow remote attackers to
    inject code or cause a Denial of Service condition.
  </synopsis>
  <product type="ebuild">bash</product>
  <announced>October 04, 2014</announced>
  <revised>October 04, 2014: 1</revised>
  <bug>523742</bug>
  <bug>524256</bug>
  <access>local, remote</access>
  <affected>
    <package name="app-shells/bash" auto="yes" arch="*">
      <unaffected range="rge">3.1_p22</unaffected>
      <unaffected range="rge">3.2_p56</unaffected>
      <unaffected range="rge">4.0_p43</unaffected>
      <unaffected range="rge">4.1_p16</unaffected>
      <unaffected range="ge">4.2_p52</unaffected>
      <vulnerable range="lt">4.2_p52</vulnerable>
    </package>
  </affected>
  <background>
    <p>Bash is the standard GNU Bourne Again SHell.</p>
  </background>
  <description>
    <p>Florian Weimer, Todd Sabin, Michal Zalewski et al. discovered further
      parsing flaws in Bash. The unaffected Gentoo packages listed in this
      GLSA contain the official patches to fix the issues tracked as
      CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187. Furthermore, the
      official patch known as “function prefix patch” is included which
      prevents the exploitation of CVE-2014-6278.
    </p>
  </description>
  <impact type="high">
    <p>A remote attacker could exploit these vulnerabilities to execute
      arbitrary commands or cause a Denial of Service condition via various
      vectors.
    </p>
  </impact>
  <workaround>
    <p>There is no known workaround at this time.</p>
  </workaround>
  <resolution>
    <p>All Bash 3.1 users should upgrade to the latest version:</p>
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose "&gt;=app-shells/bash-3.1_p22:3.1"
    </code>
    <p>All Bash 3.2 users should upgrade to the latest version:</p>
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose "&gt;=app-shells/bash-3.2_p56:3.2"
    </code>
    <p>All Bash 4.0 users should upgrade to the latest version:</p>
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose "&gt;=app-shells/bash-4.0_p43:4.0"
    </code>
    <p>All Bash 4.1 users should upgrade to the latest version:</p>
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose "&gt;=app-shells/bash-4.1_p16:4.1"
    </code>
    <p>All Bash 4.2 users should upgrade to the latest version:</p>
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose "&gt;=app-shells/bash-4.2_p52"
    </code>
  </resolution>
  <references>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6277">CVE-2014-6277</uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6278">CVE-2014-6278</uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7186">CVE-2014-7186</uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7187">CVE-2014-7187</uri>
  </references>
  <metadata tag="requester" timestamp="Sat, 04 Oct 2014 17:29:28 +">
    keytoaster
  </metadata>
  <metadata tag="submitter" timestamp="Sat, 04 Oct 2014 22:13:43 +">
    keytoaster
  </metadata>
</glsa>
[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-201409-09.xml glsa-201409-10.xml
keytoaster14/10/04 22:28:19 Modified: glsa-201409-09.xml glsa-201409-10.xml Log: Add SLOTs to resolution, bug #524062, thanks to Nick Bowler for reporting. Revision ChangesPath 1.2 xml/htdocs/security/en/glsa/glsa-201409-09.xml file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201409-09.xml?rev=1.2view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201409-09.xml?rev=1.2content-type=text/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201409-09.xml?r1=1.1r2=1.2 Index: glsa-201409-09.xml === RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/glsa/glsa-201409-09.xml,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- glsa-201409-09.xml 24 Sep 2014 22:18:13 - 1.1 +++ glsa-201409-09.xml 4 Oct 2014 22:28:19 - 1.2 @@ -9,7 +9,7 @@ /synopsis product type=ebuildbash/product announcedSeptember 24, 2014/announced - revisedSeptember 24, 2014: 3/revised + revisedOctober 04, 2014: 4/revised bug523592/bug accesslocal, remote/access affected @@ -43,28 +43,28 @@ code # emerge --sync - # emerge --ask --oneshot --verbose gt;=app-shells/bash-3.1_p18 + # emerge --ask --oneshot --verbose gt;=app-shells/bash-3.1_p18:3.1 /code pAll Bash 3.2 users should upgrade to the latest version:/p code # emerge --sync - # emerge --ask --oneshot --verbose gt;=app-shells/bash-3.2_p52 + # emerge --ask --oneshot --verbose gt;=app-shells/bash-3.2_p52:3.2 /code pAll Bash 4.0 users should upgrade to the latest version:/p code # emerge --sync - # emerge --ask --oneshot --verbose gt;=app-shells/bash-4.0_p39 + # emerge --ask --oneshot --verbose gt;=app-shells/bash-4.0_p39:4.0 /code pAll Bash 4.1 users should upgrade to the latest version:/p code # emerge --sync - # emerge --ask --oneshot --verbose gt;=app-shells/bash-4.1_p12 + # emerge --ask --oneshot --verbose gt;=app-shells/bash-4.1_p12:4.1 /code pAll Bash 4.2 users should upgrade to the latest version:/p 
@@ -79,5 +79,5 @@ uri link=http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6271;CVE-2014-6271/uri /references metadata tag=requester timestamp=Wed, 24 Sep 2014 16:00:19 +a3li/metadata - metadata tag=submitter timestamp=Wed, 24 Sep 2014 22:06:57 +a3li/metadata + metadata tag=submitter timestamp=Sat, 04 Oct 2014 22:25:14 +a3li/metadata /glsa 1.2 xml/htdocs/security/en/glsa/glsa-201409-10.xml file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201409-10.xml?rev=1.2view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201409-10.xml?rev=1.2content-type=text/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201409-10.xml?r1=1.1r2=1.2 Index: glsa-201409-10.xml === RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/glsa/glsa-201409-10.xml,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- glsa-201409-10.xml 25 Sep 2014 13:39:43 - 1.1 +++ glsa-201409-10.xml 4 Oct 2014 22:28:19 - 1.2 @@ -10,7 +10,7 @@ /synopsis product type=ebuildbash/product announcedSeptember 25, 2014/announced - revisedSeptember 25, 2014: 1/revised + revisedOctober 04, 2014: 2/revised bug523592/bug accesslocal, remote/access affected 
@@ -49,28 +49,28 @@ code # emerge --sync - # emerge --ask --oneshot --verbose gt;=app-shells/bash-3.1_p18-r1 + # emerge --ask --oneshot --verbose gt;=app-shells/bash-3.1_p18-r1:3.1 /code pAll Bash 3.2 users should upgrade to the latest version:/p code # emerge --sync - # emerge --ask --oneshot --verbose gt;=app-shells/bash-3.2_p52-r1 + # emerge --ask --oneshot --verbose gt;=app-shells/bash-3.2_p52-r1:3.2 /code pAll Bash 4.0 users should upgrade to the latest version:/p code # emerge --sync - # emerge --ask --oneshot --verbose gt;=app-shells/bash-4.0_p39-r1 + # emerge --ask --oneshot --verbose gt;=app-shells/bash-4.0_p39-r1:4.0 /code pAll Bash 4.1 users should upgrade to the latest version:/p code # emerge --sync - # emerge --ask --oneshot --verbose gt;=app-shells/bash-4.1_p12-r1 + # emerge --ask --oneshot --verbose gt;=app-shells/bash-4.1_p12-r1:4.1 /code pAll Bash 4.2 users should upgrade to the latest version:/p @@ -87,7 +87,7 @@ metadata tag=requester timestamp=Thu, 25 Sep 2014 12:49:54 + keytoaster /metadata - metadata tag=submitter timestamp=Thu, 25 Sep 2014
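Review bot: the `:3.1`, `:3.2`, `:4.0` and `:4.1` SLOT suffixes added in the @@ -43,28 hunk of glsa-201409-09.xml and the @@ -49,28 hunk of glsa-201409-10.xml are a correctness fix, not cosmetics: a bare `>=app-shells/bash-3.1_p18` is satisfied by the highest visible bash in any SLOT, so emerge would install bash 4.2 into a new slot rather than update the installed 3.1 slot, and the old slot would stay unpatched while the user believed the advisory was applied. Pinning the SLOT makes each command act on the slot the surrounding sentence addresses. The 4.2 atom sits outside both hunks and stays unslotted, which is consistent with 4.2 being the slot an unqualified atom resolves to (glsa-201410-01.xml, added later on this page, follows the same convention). Both files also bump the revised counter (to 4 and 2) and the submitter timestamp, as a republished resolution should.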
[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-201407-05.xml
keytoaster    14/07/27 22:47:39

  Added:                glsa-201407-05.xml
  Log:
  GLSA 201407-05

Revision  Changes    Path
1.1                  xml/htdocs/security/en/glsa/glsa-201407-05.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201407-05.xml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201407-05.xml?rev=1.1&content-type=text/plain

Index: glsa-201407-05.xml
===================================================================
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

<glsa id="201407-05">
  <title>OpenSSL: Multiple vulnerabilities</title>
  <synopsis>Multiple vulnerabilities have been found in OpenSSL, possibly
    allowing remote attackers to execute arbitrary code.
  </synopsis>
  <product type="ebuild">openssl</product>
  <announced>July 27, 2014</announced>
  <revised>July 27, 2014: 1</revised>
  <bug>512506</bug>
  <access>remote</access>
  <affected>
    <package name="dev-libs/openssl" auto="yes" arch="*">
      <unaffected range="ge">1.0.1h-r1</unaffected>
      <unaffected range="rge">1.0.0m</unaffected>
      <unaffected range="rge">0.9.8z_p1</unaffected>
      <unaffected range="rge">0.9.8z_p2</unaffected>
      <unaffected range="rge">0.9.8z_p3</unaffected>
      <unaffected range="rge">0.9.8z_p4</unaffected>
      <unaffected range="rge">0.9.8z_p5</unaffected>
      <vulnerable range="lt">1.0.1h-r1</vulnerable>
    </package>
  </affected>
  <background>
    <p>OpenSSL is an Open Source toolkit implementing the Secure Sockets
      Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a
      general purpose cryptography library.
    </p>
  </background>
  <description>
    <p>Multiple vulnerabilities have been discovered in OpenSSL. Please
      review the OpenSSL Security Advisory [05 Jun 2014] and the CVE
      identifiers referenced below for details.
    </p>
  </description>
  <impact type="high">
    <p>A remote attacker could send specially crafted DTLS fragments to an
      OpenSSL DTLS client or server to possibly execute arbitrary code with
      the privileges of the process using OpenSSL.
    </p>
    <p>Furthermore, an attacker could force the use of weak keying material
      in OpenSSL SSL/TLS clients and servers, inject data across sessions, or
      cause a Denial of Service via various vectors.
    </p>
  </impact>
  <workaround>
    <p>There is no known workaround at this time.</p>
  </workaround>
  <resolution>
    <p>All OpenSSL users should upgrade to the latest version:</p>
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose "&gt;=dev-libs/openssl-1.0.1h-r1"
    </code>
  </resolution>
  <references>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5298">CVE-2010-5298</uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0195">CVE-2014-0195</uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0198">CVE-2014-0198</uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0221">CVE-2014-0221</uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0224">CVE-2014-0224</uri>
    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3470">CVE-2014-3470</uri>
    <uri link="http://www.openssl.org/news/secadv_20140605.txt">OpenSSL Security Advisory [05 Jun 2014]</uri>
  </references>
  <metadata tag="requester" timestamp="Fri, 06 Jun 2014 10:20:51 +">
    keytoaster
  </metadata>
  <metadata tag="submitter" timestamp="Sun, 27 Jul 2014 21:35:36 +">
    keytoaster
  </metadata>
</glsa>