- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                GLSA 201412-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Multiple packages, Multiple vulnerabilities fixed in 2011
      Date: December 11, 2014
      Bugs: #194151, #294253, #294256, #334087, #344059, #346897,
            #350598, #352608, #354209, #355207, #356893, #358611,
            #358785, #358789, #360891, #361397, #362185, #366697,
            #366699, #369069, #370839, #372971, #376793, #381169,
            #386321, #386361
        ID: 201412-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2012. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable        /     Unaffected
    -------------------------------------------------------------------
  1  games-sports/racer-bin       >= 0.5.0-r1              Vulnerable!
  2  media-libs/fmod               < 4.38.00               >= 4.38.00
  3  dev-php/PEAR-Mail             < 1.2.0                 >= 1.2.0
  4  sys-fs/lvm2                   < 2.02.72               >= 2.02.72
  5  app-office/gnucash            < 2.4.4                 >= 2.4.4
  6  media-libs/xine-lib           < 1.1.19                >= 1.1.19
  7  media-sound/lastfmplayer
                                   < 1.5.4.26862-r3        >= 1.5.4.26862-r3
  8  net-libs/webkit-gtk           < 1.2.7                 >= 1.2.7
  9  sys-apps/shadow               < 4.1.4.3               >= 4.1.4.3
 10  dev-php/PEAR-PEAR             < 1.9.2-r1              >= 1.9.2-r1
 11  dev-db/unixODBC               < 2.3.0-r1              >= 2.3.0-r1
 12  sys-cluster/resource-agents
                                   < 1.0.4-r1              >= 1.0.4-r1
 13  net-misc/mrouted              < 3.9.5                 >= 3.9.5
 14  net-misc/rsync                < 3.0.8                 >= 3.0.8
 15  dev-libs/xmlsec               < 1.2.17                >= 1.2.17
 16  x11-apps/xrdb                 < 1.0.9                 >= 1.0.9
 17  net-misc/vino                 < 2.32.2                >= 2.32.2
 18  dev-util/oprofile             < 0.9.6-r1              >= 0.9.6-r1
 19  app-admin/syslog-ng           < 3.2.4                 >= 3.2.4
 20  net-analyzer/sflowtool        < 3.20                  >= 3.20
 21  gnome-base/gdm                < 3.8.4-r3              >= 3.8.4-r3
 22  net-libs/libsoup              < 2.34.3                >= 2.34.3
 23  app-misc/ca-certificates
                                   < 20110502-r1           >= 20110502-r1
 24  dev-vcs/gitolite              < 1.5.9.1               >= 1.5.9.1
 25  dev-util/qt-creator           < 2.1.0                 >= 2.1.0
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     25 affected packages

Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

  * FMOD Studio
  * PEAR Mail
  * LVM2
  * GnuCash
  * xine-lib
  * Last.fm Scrobbler
  * WebKitGTK+
  * shadow tool suite
  * PEAR
  * unixODBC
  * Resource Agents
  * mrouted
  * rsync
  * XML Security Library
  * xrdb
  * Vino
  * OProfile
  * syslog-ng
  * sFlow Toolkit
  * GNOME Display Manager
  * libsoup
  * CA Certificates
  * Gitolite
  * QtCreator
  * Racer

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All FMOD Studio users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"

All PEAR Mail users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"

All LVM2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"

All GnuCash users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"

All xine-lib users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"

All Last.fm Scrobbler users should upgrade to the latest version:

  # emerge --sync
  # emerge -a --oneshot -v ">=media-sound/lastfmplayer-1.5.4.26862-r3"

All WebKitGTK+ users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"

All shadow tool suite users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"

All PEAR users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"

All unixODBC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"

All Resource Agents users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=sys-cluster/resource-agents-1.0.4-r1"

All mrouted users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"

All rsync users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"

All XML Security Library users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"

All xrdb users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"

All Vino users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"

All OProfile users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"

All syslog-ng users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"

All sFlow Toolkit users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"

All GNOME Display Manager users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"

All libsoup users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"

All CA Certificates users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=app-misc/ca-certificates-20110502-r1"

All Gitolite users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"

All QtCreator users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"

Gentoo has discontinued support for Racer. We recommend that users
unmerge Racer:

  # emerge --unmerge "games-sports/racer-bin"

NOTE: This is a legacy GLSA. Updates for all affected architectures
      have been available since 2012. It is likely that your system is
      already no longer affected by these issues.
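The Resolution section is a manual procedure: compare what is installed against the table above and run the matching emerge line. The Python below is an added illustration of that check, written for this page; it is not Gentoo's glsa-check tool and not part of the advisory. It encodes the advisory's own package table, checks a constructed list of installed package atoms against it, and reports the emerge line from the Resolution section for every affected package. The version comparison is a deliberately simplified subset of Gentoo's rules (dotted numeric components plus an optional -rN revision, as used in this table); versions with suffixes such as _p or _rc are rejected rather than misordered. The installed list is constructed sample input; on a real system it would come from the package manager, for example from portage-utils' qlist -Iv.

```python
"""Check installed Gentoo package atoms against the GLSA 201412-09 table.

Added illustration for this advisory: it is not Gentoo's glsa-check and it
implements only a simplified subset of Gentoo version comparison.
"""
import re
from typing import Iterable, List, Tuple

# First unaffected version per package, copied from the advisory's table.
UNAFFECTED = {
    "media-libs/fmod": "4.38.00",
    "dev-php/PEAR-Mail": "1.2.0",
    "sys-fs/lvm2": "2.02.72",
    "app-office/gnucash": "2.4.4",
    "media-libs/xine-lib": "1.1.19",
    "media-sound/lastfmplayer": "1.5.4.26862-r3",
    "net-libs/webkit-gtk": "1.2.7",
    "sys-apps/shadow": "4.1.4.3",
    "dev-php/PEAR-PEAR": "1.9.2-r1",
    "dev-db/unixODBC": "2.3.0-r1",
    "sys-cluster/resource-agents": "1.0.4-r1",
    "net-misc/mrouted": "3.9.5",
    "net-misc/rsync": "3.0.8",
    "dev-libs/xmlsec": "1.2.17",
    "x11-apps/xrdb": "1.0.9",
    "net-misc/vino": "2.32.2",
    "dev-util/oprofile": "0.9.6-r1",
    "app-admin/syslog-ng": "3.2.4",
    "net-analyzer/sflowtool": "3.20",
    "gnome-base/gdm": "3.8.4-r3",
    "net-libs/libsoup": "2.34.3",
    "app-misc/ca-certificates": "20110502-r1",
    "dev-vcs/gitolite": "1.5.9.1",
    "dev-util/qt-creator": "2.1.0",
}

# Packages with no fixed version: vulnerable from this version upward, and
# the advisory's resolution is to unmerge them.
NO_FIX = {"games-sports/racer-bin": "0.5.0-r1"}

# category/package followed by a version that starts with a digit. Package
# names may contain hyphens (webkit-gtk, ca-certificates), so the name is
# matched non-greedily up to the first "-<digit>".
_ATOM_RE = re.compile(r"^(?P<cp>[^/\s]+/.+?)-(?P<ver>\d.*)$")
# Dotted numeric components with an optional -rN revision (simplified).
_VER_RE = re.compile(r"^(?P<base>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$")

Version = Tuple[Tuple[int, ...], int]


def parse_version(ver: str) -> Version:
    """Return (numeric components, revision); a missing revision is 0.
    Tuple ordering gives 1.2 < 1.2.0 and 4.38.00 > 4.37.99, and the
    revision only decides ties, which matches the cases in this table."""
    m = _VER_RE.match(ver)
    if m is None:
        raise ValueError(f"unsupported version syntax: {ver!r}")
    components = tuple(int(c) for c in m.group("base").split("."))
    return components, int(m.group("rev") or 0)


def split_atom(atom: str) -> Tuple[str, str]:
    """Split 'category/package-version' into (category/package, version)."""
    m = _ATOM_RE.match(atom.strip())
    if m is None:
        raise ValueError(f"not a versioned package atom: {atom!r}")
    return m.group("cp"), m.group("ver")


def remedy_for(cp: str) -> str:
    """The Resolution-section command for an affected package."""
    if cp in UNAFFECTED:
        return f'emerge --ask --oneshot --verbose ">={cp}-{UNAFFECTED[cp]}"'
    return f'emerge --unmerge "{cp}"'


def check_installed(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (category/package, installed version, remedy) for each
    installed atom the advisory marks as vulnerable."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        cp, ver = split_atom(line)
        installed = parse_version(ver)
        if cp in UNAFFECTED:
            affected = installed < parse_version(UNAFFECTED[cp])
        elif cp in NO_FIX:
            affected = installed >= parse_version(NO_FIX[cp])
        else:
            continue  # package not covered by this GLSA
        if affected:
            findings.append((cp, ver, remedy_for(cp)))
    return findings


# Constructed sample in the category/package-version shape (not a real
# system's package list): two fixed, three below the fix, one unfixable.
INSTALLED_SAMPLE = """\
media-libs/fmod-4.37.01
net-libs/webkit-gtk-1.2.7
sys-apps/shadow-4.1.4.2-r3
media-sound/lastfmplayer-1.5.4.26862-r3
app-misc/ca-certificates-20110502
games-sports/racer-bin-0.5.0-r1
dev-lang/python-2.7.3
"""

if __name__ == "__main__":
    for cp, ver, remedy in check_installed(INSTALLED_SAMPLE.splitlines()):
        print(f"{cp}-{ver}: affected; resolution: {remedy}")
```

On the sample input the check flags fmod, shadow, ca-certificates and racer-bin: the shadow entry shows that a higher -r revision of a lower upstream version (4.1.4.2-r3) is still below 4.1.4.3, and the ca-certificates entry shows that the revision alone (20110502 versus 20110502-r1) decides the outcome when the upstream version is equal.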

References
==========

  [ 1 ] CVE-2007-4370
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4370
  [ 2 ] CVE-2009-4023
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023
  [ 3 ] CVE-2009-4111
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111
  [ 4 ] CVE-2010-0778
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0778
  [ 5 ] CVE-2010-1780
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1780
  [ 6 ] CVE-2010-1782
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1782
  [ 7 ] CVE-2010-1783
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1783
  [ 8 ] CVE-2010-1784
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1784
  [ 9 ] CVE-2010-1785
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1785
  [ 10 ] CVE-2010-1786
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1786
  [ 11 ] CVE-2010-1787
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1787
  [ 12 ] CVE-2010-1788
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1788
  [ 13 ] CVE-2010-1790
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1790
  [ 14 ] CVE-2010-1791
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1791
  [ 15 ] CVE-2010-1792
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1792
  [ 16 ] CVE-2010-1793
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1793
  [ 17 ] CVE-2010-1807
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1807
  [ 18 ] CVE-2010-1812
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1812
  [ 19 ] CVE-2010-1814
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1814
  [ 20 ] CVE-2010-1815
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1815
  [ 21 ] CVE-2010-2526
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526
  [ 22 ] CVE-2010-2901
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2901
  [ 23 ] CVE-2010-3255
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3255
  [ 24 ] CVE-2010-3257
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3257
  [ 25 ] CVE-2010-3259
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3259
  [ 26 ] CVE-2010-3362
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3362
  [ 27 ] CVE-2010-3374
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3374
  [ 28 ] CVE-2010-3389
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389
  [ 29 ] CVE-2010-3812
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3812
  [ 30 ] CVE-2010-3813
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3813
  [ 31 ] CVE-2010-3999
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999
  [ 32 ] CVE-2010-4042
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4042
  [ 33 ] CVE-2010-4197
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4197
  [ 34 ] CVE-2010-4198
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4198
  [ 35 ] CVE-2010-4204
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4204
  [ 36 ] CVE-2010-4206
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4206
  [ 37 ] CVE-2010-4492
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4492
  [ 38 ] CVE-2010-4493
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4493
  [ 39 ] CVE-2010-4577
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4577
  [ 40 ] CVE-2010-4578
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4578
  [ 41 ] CVE-2011-0007
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0007
  [ 42 ] CVE-2011-0465
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465
  [ 43 ] CVE-2011-0482
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0482
  [ 44 ] CVE-2011-0721
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721
  [ 45 ] CVE-2011-0727
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0727
  [ 46 ] CVE-2011-0904
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0904
  [ 47 ] CVE-2011-0905
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0905
  [ 48 ] CVE-2011-1072
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072
  [ 49 ] CVE-2011-1097
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1097
  [ 50 ] CVE-2011-1144
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144
  [ 51 ] CVE-2011-1425
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425
  [ 52 ] CVE-2011-1572
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1572
  [ 53 ] CVE-2011-1760
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760
  [ 54 ] CVE-2011-1951
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951
  [ 55 ] CVE-2011-2471
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2471
  [ 56 ] CVE-2011-2472
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2472
  [ 57 ] CVE-2011-2473
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2473
  [ 58 ] CVE-2011-2524
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524
  [ 59 ] CVE-2011-3365
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365
  [ 60 ] CVE-2011-3366
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366
  [ 61 ] CVE-2011-3367
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201412-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5