
From: Sean Amoss <ackle@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201412-10 ] Multiple packages, Multiple vulnerabilities fixed in 2012
Date: Fri, 12 Dec 2014 00:22:40
Message-Id: 548A347D.8040509@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201412-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Multiple packages, Multiple vulnerabilities fixed in 2012
      Date: December 11, 2014
      Bugs: #284536, #300903, #334475, #358787, #371320, #372905,
            #399427, #401645, #427802, #428776
        ID: 201412-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2013. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-apps/egroupware   < 1.8.004.20120613   >= 1.8.004.20120613
  2  x11-libs/vte                    < 0.32.2             >= 0.32.2
                                                    *>= 0.28.2-r204
                                                    *>= 0.28.2-r206
  3  net-analyzer/lft                  < 3.33               >= 3.33
  4  dev-php/suhosin                 < 0.9.33             >= 0.9.33
  5  x11-misc/slock                     < 1.0                >= 1.0
  6  sys-cluster/ganglia              < 3.3.7              >= 3.3.7
  7  net-im/gg-transport              < 2.2.4              >= 2.2.4
    -------------------------------------------------------------------
     7 affected packages

Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

  * EGroupware
  * VTE
  * Layer Four Traceroute (LFT)
  * Suhosin
  * Slock
  * Ganglia
  * Jabber to GaduGadu Gateway

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All EGroupware users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-apps/egroupware-1.8.004.20120613"

All VTE 0.32 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/vte-0.32.2"

All VTE 0.28 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/vte-0.28.2-r204"

All Layer Four Traceroute users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/lft-3.33"

All Suhosin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-php/suhosin-0.9.33"

All Slock users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-misc/slock-1.0"

All Ganglia users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-cluster/ganglia-3.3.7"

All Jabber to GaduGadu Gateway users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-im/gg-transport-2.2.4"

NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2013. It is likely that your system is
already no longer affected by these issues.
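As an added example, not part of the GLSA text and not Gentoo's own glsa-check tool, the following Python script evaluates installed package versions against the Vulnerable / Unaffected ranges of the table above. It implements a subset of the Package Manager Specification version-comparison rules (numeric components, an optional trailing letter, the _alpha/_beta/_pre/_rc/_p suffixes and a -rN revision). The asterisked "*>=" rows are read, as an assumption, as revision ranges confined to their own base version, so that a 0.28.2-r204 install counts as unaffected even though it sorts below 0.32.2. The installed-version dictionary at the bottom is constructed sample input, not data from any real system.

```python
"""Evaluate installed Gentoo package versions against GLSA 201412-10.

Added example: not the GLSA's text and not Gentoo's glsa-check.  Implements a
subset of the PMS version-comparison algorithm.
"""
import re

# Ordering of version suffixes; "" is the sentinel for "no suffix".
SUFFIX_ORDER = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
NO_SUFFIX = (SUFFIX_ORDER[""], 0)

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)

# Affected packages table of GLSA 201412-10: package -> (vulnerable below,
# unaffected ranges).  ">=" is an ordinary lower bound; "rge" is the assumed
# reading of the table's "*>=" rows: unaffected only when the base version
# matches and the revision is at least the one given.
AFFECTED = {
    "www-apps/egroupware": ("1.8.004.20120613", [(">=", "1.8.004.20120613")]),
    "x11-libs/vte": ("0.32.2", [(">=", "0.32.2"), ("rge", "0.28.2-r204"),
                                ("rge", "0.28.2-r206")]),
    "net-analyzer/lft": ("3.33", [(">=", "3.33")]),
    "dev-php/suhosin": ("0.9.33", [(">=", "0.9.33")]),
    "x11-misc/slock": ("1.0", [(">=", "1.0")]),
    "sys-cluster/ganglia": ("3.3.7", [(">=", "3.3.7")]),
    "net-im/gg-transport": ("2.2.4", [(">=", "2.2.4")]),
}


def parse_version(version):
    """Split a Gentoo version into (numeric parts, letter, suffixes, revision)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {version!r}")
    suffixes = [(SUFFIX_ORDER[name], int(num or 0))
                for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)",
                                            m.group("suffixes"))]
    return (m.group("nums").split("."), m.group("letter") or "",
            suffixes, int(m.group("rev") or 0))


def _cmp(a, b):
    return (a > b) - (a < b)


def _compare_numeric(a, b):
    """PMS rule: fewer components sorts first; a later component with a leading
    zero on either side compares as a string (trailing zeros stripped), every
    other component compares as an integer."""
    for i in range(max(len(a), len(b))):
        if i >= len(a):
            return -1
        if i >= len(b):
            return 1
        x, y = a[i], b[i]
        if i > 0 and (x.startswith("0") or y.startswith("0")):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as Gentoo version a is below, equal to or above b."""
    an, al, asfx, arev = parse_version(a)
    bn, bl, bsfx, brev = parse_version(b)
    c = _compare_numeric(an, bn) or _cmp(al, bl)
    if c:
        return c
    n = max(len(asfx), len(bsfx))  # pad the shorter list with "no suffix"
    for x, y in zip(asfx + [NO_SUFFIX] * (n - len(asfx)),
                    bsfx + [NO_SUFFIX] * (n - len(bsfx))):
        if x != y:
            return _cmp(x, y)
    return _cmp(arev, brev)


def _matches(installed, op, bound):
    if op == ">=":
        return compare_versions(installed, bound) >= 0
    if op == "rge":  # same base version, revision at least the bound's
        base = lambda v: re.sub(r"-r\d+$", "", v)
        return (compare_versions(base(installed), base(bound)) == 0
                and parse_version(installed)[3] >= parse_version(bound)[3])
    raise ValueError(f"unknown range operator {op!r}")


def is_affected(package, installed):
    """True when the installed version lies in the vulnerable range and matches
    none of the unaffected ranges; packages not in the table are unaffected."""
    if package not in AFFECTED:
        return False
    vulnerable_below, unaffected = AFFECTED[package]
    if compare_versions(installed, vulnerable_below) >= 0:
        return False
    return not any(_matches(installed, op, b) for op, b in unaffected)


def affected_packages(installed):
    """Sorted 'package-version' strings that still need the upgrade."""
    return sorted(f"{p}-{v}" for p, v in installed.items() if is_affected(p, v))


if __name__ == "__main__":
    # Constructed sample of installed versions, not taken from a real system.
    sample = {"x11-libs/vte": "0.28.2-r203", "x11-misc/slock": "0.9",
              "www-apps/egroupware": "1.8.004.20120613", "sys-cluster/ganglia": "3.3.7"}
    for entry in affected_packages(sample):
        print("affected:", entry)
```

The point worth noticing is the VTE row: a plain "installed < 0.32.2" test would flag 0.28.2-r204 and 0.28.2-r206 as vulnerable, while the advisory's asterisked ranges mark those revisions of the 0.28 branch as already fixed, which is why the check applies the unaffected ranges after the vulnerable bound rather than relying on the bound alone.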

References
==========

  [ 1 ] CVE-2008-4776
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4776
  [ 2 ] CVE-2010-2713
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2713
  [ 3 ] CVE-2010-3313
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3313
  [ 4 ] CVE-2010-3314
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3314
  [ 5 ] CVE-2011-0765
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0765
  [ 6 ] CVE-2011-2198
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2198
  [ 7 ] CVE-2012-0807
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0807
  [ 8 ] CVE-2012-0808
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0808
  [ 9 ] CVE-2012-1620
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1620
  [ 10 ] CVE-2012-2738
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2738
  [ 11 ] CVE-2012-3448
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3448

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201412-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
