Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201412-09 ] Multiple packages, Multiple vulnerabilities fixed in 2011
Date: Fri, 12 Dec 2014 00:20:02
Message-Id: 548A3412.8010809@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Multiple packages, Multiple vulnerabilities fixed in 2011
Date: December 11, 2014
Bugs: #194151, #294253, #294256, #334087, #344059, #346897,
      #350598, #352608, #354209, #355207, #356893, #358611,
      #358785, #358789, #360891, #361397, #362185, #366697,
      #366699, #369069, #370839, #372971, #376793, #381169,
      #386321, #386361
ID: 201412-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages that were fixed prior to January 1, 2012. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
the homepage referenced in each package's ebuild.

Affected packages
=================

-------------------------------------------------------------------
     Package                     /   Vulnerable         /  Unaffected
-------------------------------------------------------------------
  1  games-sports/racer-bin          >= 0.5.0-r1           Vulnerable!
  2  media-libs/fmod                  < 4.38.00            >= 4.38.00
  3  dev-php/PEAR-Mail                < 1.2.0              >= 1.2.0
  4  sys-fs/lvm2                      < 2.02.72            >= 2.02.72
  5  app-office/gnucash               < 2.4.4              >= 2.4.4
  6  media-libs/xine-lib              < 1.1.19             >= 1.1.19
  7  media-sound/lastfmplayer         < 1.5.4.26862-r3     >= 1.5.4.26862-r3
  8  net-libs/webkit-gtk              < 1.2.7              >= 1.2.7
  9  sys-apps/shadow                  < 4.1.4.3            >= 4.1.4.3
 10  dev-php/PEAR-PEAR                < 1.9.2-r1           >= 1.9.2-r1
 11  dev-db/unixODBC                  < 2.3.0-r1           >= 2.3.0-r1
 12  sys-cluster/resource-agents      < 1.0.4-r1           >= 1.0.4-r1
 13  net-misc/mrouted                 < 3.9.5              >= 3.9.5
 14  net-misc/rsync                   < 3.0.8              >= 3.0.8
 15  dev-libs/xmlsec                  < 1.2.17             >= 1.2.17
 16  x11-apps/xrdb                    < 1.0.9              >= 1.0.9
 17  net-misc/vino                    < 2.32.2             >= 2.32.2
 18  dev-util/oprofile                < 0.9.6-r1           >= 0.9.6-r1
 19  app-admin/syslog-ng              < 3.2.4              >= 3.2.4
 20  net-analyzer/sflowtool           < 3.20               >= 3.20
 21  gnome-base/gdm                   < 3.8.4-r3           >= 3.8.4-r3
 22  net-libs/libsoup                 < 2.34.3             >= 2.34.3
 23  app-misc/ca-certificates         < 20110502-r1        >= 20110502-r1
 24  dev-vcs/gitolite                 < 1.5.9.1            >= 1.5.9.1
 25  dev-util/qt-creator              < 2.1.0              >= 2.1.0
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
      to another package if one is available or wait for the
      existing packages to be marked stable by their
      architecture maintainers.
-------------------------------------------------------------------
     25 affected packages

Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

* FMOD Studio
* PEAR Mail
* LVM2
* GnuCash
* xine-lib
* Last.fm Scrobbler
* WebKitGTK+
* shadow tool suite
* PEAR
* unixODBC
* Resource Agents
* mrouted
* rsync
* XML Security Library
* xrdb
* Vino
* OProfile
* syslog-ng
* sFlow Toolkit
* GNOME Display Manager
* libsoup
* CA Certificates
* Gitolite
* QtCreator
* Racer

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause a Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All FMOD Studio users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"

All PEAR Mail users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"

All LVM2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"

All GnuCash users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"

All xine-lib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"

All Last.fm Scrobbler users should upgrade to the latest version:

# emerge --sync
# emerge -a --oneshot -v ">=media-sound/lastfmplayer-1.5.4.26862-r3"

All WebKitGTK+ users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"

All shadow tool suite users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"

All PEAR users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"

All unixODBC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"

All Resource Agents users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=sys-cluster/resource-agents-1.0.4-r1"

All mrouted users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"

All rsync users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"

All XML Security Library users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"

All xrdb users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"

All Vino users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"

All OProfile users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"

All syslog-ng users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"

All sFlow Toolkit users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"

All GNOME Display Manager users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"

All libsoup users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"

All CA Certificates users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=app-misc/ca-certificates-20110502-r1"

All Gitolite users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"

All QtCreator users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"

Gentoo has discontinued support for Racer. We recommend that users
unmerge Racer:

# emerge --unmerge "games-sports/racer-bin"

NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2012. It is likely that your system is
already no longer affected by these issues.

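One way to check a host's installed package versions against this advisory's table and map each hit to the matching resolution (upgrade, or unmerge where no fixed version exists), as an added example that is not part of the GLSA or of Gentoo's own tooling. The installed atoms are a constructed sample, and the version comparator is a simplified one that handles the numeric components and -rN revisions used in this GLSA, not the full Portage ordering.

```python
"""GLSA 201412-09 exposure check: added example, not the advisory's own code.
Simplified comparator (numeric dot parts plus -rN), enough for this GLSA."""
import re
# Subset of the advisory's "Package / Vulnerable / Unaffected" table.
# fixed=None means no unaffected version exists (racer-bin: unmerge).
GLSA_TABLE = {
    "games-sports/racer-bin": (">= 0.5.0-r1", None),
    "sys-fs/lvm2": ("< 2.02.72", "2.02.72"),
    "media-sound/lastfmplayer": ("< 1.5.4.26862-r3", "1.5.4.26862-r3"),
}

# Constructed sample; on a real host the directory names under
# /var/db/pkg/<category>/ have this same "category/pkg-version" form.
INSTALLED = [
    "sys-fs/lvm2-2.02.70",
    "media-sound/lastfmplayer-1.5.4.26862-r3",
    "games-sports/racer-bin-0.5.0-r1",
    "dev-lang/python-2.7.3",
]

def version_key(ver):
    """'1.5.4.26862-r3' -> ((1, 5, 4, 26862), 3); no -rN means revision 0."""
    base, _, rev = ver.partition("-r")
    return (tuple(int(p) for p in base.split(".")), int(rev) if rev else 0)

def split_atom(atom):
    """'sys-fs/lvm2-2.02.72-r1' -> ('sys-fs/lvm2', '2.02.72-r1')."""
    m = re.match(r"^(.+?)-(\d[\d.]*(?:-r\d+)?)$", atom)
    if not m:
        raise ValueError("not a versioned atom: " + atom)
    return m.group(1), m.group(2)

def check(installed):
    verdicts = {}
    for atom in installed:
        pkg, ver = split_atom(atom)
        if pkg not in GLSA_TABLE:
            continue  # not covered by this advisory
        spec, fixed = GLSA_TABLE[pkg]
        op, _, bound = spec.partition(" ")
        key, limit = version_key(ver), version_key(bound)
        vulnerable = key < limit if op == "<" else key >= limit
        if not vulnerable:
            verdicts[atom] = "unaffected"
        elif fixed is None:
            verdicts[atom] = "vulnerable, no fix: emerge --unmerge " + pkg
        else:
            verdicts[atom] = 'vulnerable: emerge --oneshot ">=%s-%s"' % (pkg, fixed)
    return verdicts
```

Running check(INSTALLED) flags lvm2 for upgrade and racer-bin for removal, reports lastfmplayer at -r3 as unaffected, and skips the package the advisory does not list.
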
References
==========

[ 1 ] CVE-2007-4370
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4370
[ 2 ] CVE-2009-4023
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023
[ 3 ] CVE-2009-4111
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111
[ 4 ] CVE-2010-0778
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0778
[ 5 ] CVE-2010-1780
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1780
[ 6 ] CVE-2010-1782
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1782
[ 7 ] CVE-2010-1783
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1783
[ 8 ] CVE-2010-1784
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1784
[ 9 ] CVE-2010-1785
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1785
[ 10 ] CVE-2010-1786
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1786
[ 11 ] CVE-2010-1787
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1787
[ 12 ] CVE-2010-1788
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1788
[ 13 ] CVE-2010-1790
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1790
[ 14 ] CVE-2010-1791
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1791
[ 15 ] CVE-2010-1792
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1792
[ 16 ] CVE-2010-1793
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1793
[ 17 ] CVE-2010-1807
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1807
[ 18 ] CVE-2010-1812
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1812
[ 19 ] CVE-2010-1814
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1814
[ 20 ] CVE-2010-1815
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1815
[ 21 ] CVE-2010-2526
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526
[ 22 ] CVE-2010-2901
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2901
[ 23 ] CVE-2010-3255
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3255
[ 24 ] CVE-2010-3257
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3257
[ 25 ] CVE-2010-3259
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3259
[ 26 ] CVE-2010-3362
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3362
[ 27 ] CVE-2010-3374
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3374
[ 28 ] CVE-2010-3389
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389
[ 29 ] CVE-2010-3812
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3812
[ 30 ] CVE-2010-3813
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3813
[ 31 ] CVE-2010-3999
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999
[ 32 ] CVE-2010-4042
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4042
[ 33 ] CVE-2010-4197
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4197
[ 34 ] CVE-2010-4198
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4198
[ 35 ] CVE-2010-4204
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4204
[ 36 ] CVE-2010-4206
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4206
[ 37 ] CVE-2010-4492
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4492
[ 38 ] CVE-2010-4493
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4493
[ 39 ] CVE-2010-4577
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4577
[ 40 ] CVE-2010-4578
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4578
[ 41 ] CVE-2011-0007
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0007
[ 42 ] CVE-2011-0465
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465
[ 43 ] CVE-2011-0482
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0482
[ 44 ] CVE-2011-0721
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721
[ 45 ] CVE-2011-0727
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0727
[ 46 ] CVE-2011-0904
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0904
[ 47 ] CVE-2011-0905
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0905
[ 48 ] CVE-2011-1072
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072
[ 49 ] CVE-2011-1097
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1097
[ 50 ] CVE-2011-1144
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144
[ 51 ] CVE-2011-1425
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425
[ 52 ] CVE-2011-1572
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1572
[ 53 ] CVE-2011-1760
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760
[ 54 ] CVE-2011-1951
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951
[ 55 ] CVE-2011-2471
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2471
[ 56 ] CVE-2011-2472
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2472
[ 57 ] CVE-2011-2473
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2473
[ 58 ] CVE-2011-2524
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524
[ 59 ] CVE-2011-3365
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365
[ 60 ] CVE-2011-3366
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366
[ 61 ] CVE-2011-3367
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
