- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201412-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Multiple packages, Multiple vulnerabilities fixed in 2012
      Date: December 11, 2014
      Bugs: #284536, #300903, #334475, #358787, #371320, #372905,
            #399427, #401645, #427802, #428776
        ID: 201412-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2013. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-apps/egroupware   < 1.8.004.20120613     >= 1.8.004.20120613
  2  x11-libs/vte          < 0.32.2               >= 0.32.2
                                                  *>= 0.28.2-r204
                                                  *>= 0.28.2-r206
  3  net-analyzer/lft      < 3.33                 >= 3.33
  4  dev-php/suhosin       < 0.9.33               >= 0.9.33
  5  x11-misc/slock        < 1.0                  >= 1.0
  6  sys-cluster/ganglia   < 3.3.7                >= 3.3.7
  7  net-im/gg-transport   < 2.2.4                >= 2.2.4
    -------------------------------------------------------------------
     7 affected packages

Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

  * EGroupware
  * VTE
  * Layer Four Traceroute (LFT)
  * Suhosin
  * Slock
  * Ganglia
  * Jabber to GaduGadu Gateway

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All EGroupware users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-apps/egroupware-1.8.004.20120613"

All VTE 0.32 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/vte-0.32.2"

All VTE 0.28 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/vte-0.28.2-r204"

All Layer Four Traceroute users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/lft-3.33"

All Suhosin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-php/suhosin-0.9.33"

All Slock users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-misc/slock-1.0"

All Ganglia users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-cluster/ganglia-3.3.7"

All Jabber to GaduGadu Gateway users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-im/gg-transport-2.2.4"

NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2013. It is likely that your system is
already no longer affected by these issues.
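Because this is a legacy GLSA, the practical question is whether an installed system is still below the fixed versions in the table above. The following is an added example, not part of the advisory or of Gentoo's tooling: a POSIX shell check that judges installed atoms against the advisory's fixed versions. It assumes GNU coreutils `sort -V` for version ordering, and the sample inventory at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not part of GLSA 201412-10: report which installed
# Gentoo atoms are still below the advisory's fixed versions.
# Assumes GNU coreutils `sort -V` for Gentoo-style version ordering.

# Fixed versions copied from the advisory table. Third field is a slot
# prefix: a version starting with it is judged against that row instead
# of the main one (the VTE 0.28 branch is fixed in 0.28.2-r204).
GLSA_FIXED='
www-apps/egroupware 1.8.004.20120613 -
x11-libs/vte 0.32.2 -
x11-libs/vte 0.28.2-r204 0.28.
net-analyzer/lft 3.33 -
dev-php/suhosin 0.9.33 -
x11-misc/slock 1.0 -
sys-cluster/ganglia 3.3.7 -
net-im/gg-transport 2.2.4 -
'

# ver_ge A B: true when A >= B in version order.
ver_ge() { [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]; }

# check_atom category/name-version
# Prints: ok PKG VER | VULNERABLE PKG VER (fixed in X) | not-covered PKG VER
check_atom() {
    pkg=$(printf '%s' "$1" | sed 's/-[0-9].*$//')  # version starts at first -<digit>
    ver=${1#"$pkg"-}
    fixed=""
    while read -r fpkg fver slot; do
        [ "$fpkg" = "$pkg" ] || continue
        if [ "$slot" = "-" ]; then
            [ -n "$fixed" ] || fixed=$fver                      # default row
        else
            case $ver in "$slot"*) fixed=$fver; break ;; esac    # slot row wins
        fi
    done <<EOF
$GLSA_FIXED
EOF
    if [ -z "$fixed" ]; then
        echo "not-covered $pkg $ver"
    elif ver_ge "$ver" "$fixed"; then
        echo "ok $pkg $ver"
    else
        echo "VULNERABLE $pkg $ver (fixed in $fixed)"
    fi
}

# Constructed sample inventory; on a real host feed the names under /var/db/pkg.
for atom in x11-libs/vte-0.28.2-r203 x11-libs/vte-0.32.2 net-analyzer/lft-3.3 \
            sys-cluster/ganglia-3.4.0 app-misc/example-1.0; do
    check_atom "$atom"
done
```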

References
==========

  [ 1 ] CVE-2008-4776
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4776
  [ 2 ] CVE-2010-2713
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2713
  [ 3 ] CVE-2010-3313
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3313
  [ 4 ] CVE-2010-3314
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3314
  [ 5 ] CVE-2011-0765
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0765
  [ 6 ] CVE-2011-2198
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2198
  [ 7 ] CVE-2012-0807
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0807
  [ 8 ] CVE-2012-0808
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0808
  [ 9 ] CVE-2012-1620
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1620
  [ 10 ] CVE-2012-2738
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2738
  [ 11 ] CVE-2012-3448
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3448

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201412-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5