- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Multiple packages, Multiple vulnerabilities fixed in 2010
Date: December 11, 2014
Bugs: #159556, #208464, #253822, #259968, #298067, #300375,
      #300943, #302478, #307525, #307633, #315235, #316697,
      #319719, #320961, #322457, #325507, #326759, #326953,
      #329125, #329939, #331421, #332527, #333661
ID: 201412-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2011. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.

Affected packages
=================

    -------------------------------------------------------------------
     Package                            /  Vulnerable   /   Unaffected
    -------------------------------------------------------------------
     1  dev-util/insight                   < 6.7.1-r1       >= 6.7.1-r1
     2  dev-perl/perl-tk                   < 804.028-r2     >= 804.028-r2
     3  dev-util/sourcenav                 < 5.1.4          >= 5.1.4
     4  dev-lang/tk                        < 8.4.18-r1      >= 8.4.18-r1
     5  sys-block/partimage                < 0.6.8          >= 0.6.8
     6  app-antivirus/bitdefender-console <= 7.1            Vulnerable!
     7  net-mail/mlmmj                     < 1.2.17.1       >= 1.2.17.1
     8  sys-apps/acl                       < 2.2.49         >= 2.2.49
     9  x11-apps/xinit                     < 1.2.0-r4       >= 1.2.0-r4
    10  app-arch/gzip                      < 1.4            >= 1.4
    11  app-arch/ncompress                 < 4.2.4.3        >= 4.2.4.3
    12  dev-libs/liblzw                    < 0.2            >= 0.2
    13  media-gfx/splashutils              < 1.5.4.3-r3     >= 1.5.4.3-r3
    14  sys-devel/m4                       < 1.4.14-r1      >= 1.4.14-r1
    15  kde-base/kdm                       < 4.3.5-r1       >= 4.3.5-r1
    16  x11-libs/gtk+                      < 2.18.7         >= 2.18.7
    17  kde-base/kget                      < 4.3.5-r1       >= 4.3.5-r1
    18  app-text/dvipng                    < 1.13           >= 1.13
    19  app-misc/beanstalkd                < 1.4.6          >= 1.4.6
    20  sys-apps/pmount                    < 0.9.23         >= 0.9.23
    21  sys-auth/pam_krb5                  < 4.3            >= 4.3
    22  app-text/gv                        < 3.7.1          >= 3.7.1
    23  net-ftp/lftp                       < 4.0.6          >= 4.0.6
    24  www-client/uzbl                    < 2010.08.05     >= 2010.08.05
    25  x11-misc/slim                      < 1.3.2          >= 1.3.2
    26  net-misc/iputils                   < 20100418       >= 20100418
    27  media-tv/dvbstreamer               < 1.1-r1         >= 1.1-r1
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     27 affected packages

Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

  * Insight
  * Perl Tk Module
  * Source-Navigator
  * Tk
  * Partimage
  * Mlmmj
  * acl
  * Xinit
  * gzip
  * ncompress
  * liblzw
  * splashutils
  * GNU M4
  * KDE Display Manager
  * GTK+
  * KGet
  * dvipng
  * Beanstalk
  * Policy Mount
  * pam_krb5
  * GNU gv
  * LFTP
  * Uzbl
  * Slim
  * Bitdefender Console
  * iputils
  * DVBStreamer

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All Insight users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-util/insight-6.7.1-r1"

All Perl Tk Module users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-perl/perl-tk-804.028-r2"

All Source-Navigator users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-util/sourcenav-5.1.4"

All Tk users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/tk-8.4.18-r1"

All Partimage users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-block/partimage-0.6.8"

All Mlmmj users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-mail/mlmmj-1.2.17.1"

All acl users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/acl-2.2.49"

All Xinit users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-apps/xinit-1.2.0-r4"

All gzip users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/gzip-1.4"

All ncompress users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/ncompress-4.2.4.3"

All liblzw users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/liblzw-0.2"

All splashutils users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot -v ">=media-gfx/splashutils-1.5.4.3-r3"

All GNU M4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-devel/m4-1.4.14-r1"

All KDE Display Manager users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=kde-base/kdm-4.3.5-r1"

All GTK+ users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-libs/gtk+-2.18.7"

All KGet 4.3 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=kde-base/kget-4.3.5-r1"

All dvipng users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/dvipng-1.13"

All Beanstalk users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-misc/beanstalkd-1.4.6"

All Policy Mount users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/pmount-0.9.23"

All pam_krb5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-auth/pam_krb5-4.3"

All GNU gv users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/gv-3.7.1"

All LFTP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-ftp/lftp-4.0.6"

All Uzbl users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/uzbl-2010.08.05"

All Slim users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-misc/slim-1.3.2"

All iputils users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/iputils-20100418"

All DVBStreamer users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-tv/dvbstreamer-1.1-r1"

Gentoo has discontinued support for Bitdefender Console. We recommend
that users unmerge Bitdefender Console:

    # emerge --unmerge "app-antivirus/bitdefender-console"

NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2011. It is likely that your system is
already no longer affected by these issues.
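The "Affected packages" table gives, for each package, the version range this GLSA covers and the first unaffected version. As an added example (not part of the advisory or of Gentoo's own tooling), the Python check below parses rows written in the table's own format and reports which entries of an installed-package inventory still fall inside the vulnerable range; the embedded rows are a subset of the table, the inventory passed in is constructed, and the version comparison handles only the dotted-integer-plus-revision form the table uses.

```python
import re

# Rows copied verbatim from the "Affected packages" table of GLSA 201412-08
# (a subset; the remaining rows paste in unchanged, in the same format).
GLSA_201412_08 = """
dev-util/insight < 6.7.1-r1 >= 6.7.1-r1
dev-perl/perl-tk < 804.028-r2 >= 804.028-r2
app-antivirus/bitdefender-console <= 7.1 Vulnerable!
app-arch/gzip < 1.4 >= 1.4
media-gfx/splashutils < 1.5.4.3-r3 >= 1.5.4.3-r3
www-client/uzbl < 2010.08.05 >= 2010.08.05
net-misc/iputils < 20100418 >= 20100418
"""
# package, operator, vulnerable version, then ">= unaffected" or "Vulnerable!"
ROW = re.compile(r"^(\S+)\s+(<=?)\s+(\S+)\s+(?:>=\s+(\S+)|Vulnerable!)$")

def version_key(version):
    """Sort key for the versions in this table: dotted integer components plus
    an optional -rN revision (no revision counts as -r0). Letter and _suffix
    components of the full Gentoo version grammar are not handled."""
    base, _, rev = version.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)

def parse_table(text):
    """Map package -> (operator, vulnerable version, unaffected version or None
    when the advisory marks the package as still vulnerable)."""
    table = {}
    for line in text.strip().splitlines():
        pkg, op, vuln, fixed = ROW.match(line.strip()).groups()
        table[pkg] = (op, vuln, fixed)
    return table

TABLE = parse_table(GLSA_201412_08)

def is_affected(pkg, installed, table=TABLE):
    """True when the installed version falls in the row's vulnerable range;
    packages the advisory does not list are not affected by it."""
    if pkg not in table:
        return False
    op, vuln, _ = table[pkg]
    inst, vuln = version_key(installed), version_key(vuln)
    return inst < vuln if op == "<" else inst <= vuln

def affected_packages(installed, table=TABLE):
    """installed: {package: version} for the system under review (constructed
    here). Returns (package, installed version, unaffected or None) per hit."""
    return [(p, v, table[p][2]) for p, v in installed.items()
            if is_affected(p, v, table)]
```

A `None` in the third position of a result means the advisory offers no fixed version for that package (here Bitdefender Console), so the resolution is to unmerge it rather than upgrade.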

References
==========

  [ 1 ] CVE-2006-3005
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3005
  [ 2 ] CVE-2007-2741
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2741
  [ 3 ] CVE-2008-0553
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0553
  [ 4 ] CVE-2008-1382
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1382
  [ 5 ] CVE-2008-5907
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5907
  [ 6 ] CVE-2008-6218
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6218
  [ 7 ] CVE-2008-6661
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6661
  [ 8 ] CVE-2009-0040
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0040
  [ 9 ] CVE-2009-0360
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0360
  [ 10 ] CVE-2009-0361
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0361
  [ 11 ] CVE-2009-0946
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0946
  [ 12 ] CVE-2009-2042
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2042
  [ 13 ] CVE-2009-2624
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2624
  [ 14 ] CVE-2009-3736
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3736
  [ 15 ] CVE-2009-4029
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4029
  [ 16 ] CVE-2009-4411
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4411
  [ 17 ] CVE-2009-4896
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4896
  [ 18 ] CVE-2010-0001
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0001
  [ 19 ] CVE-2010-0436
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0436
  [ 20 ] CVE-2010-0732
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0732
  [ 21 ] CVE-2010-0829
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0829
  [ 22 ] CVE-2010-1000
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1000
  [ 23 ] CVE-2010-1205
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1205
  [ 24 ] CVE-2010-1511
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1511
  [ 25 ] CVE-2010-2056
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2056
  [ 26 ] CVE-2010-2060
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2060
  [ 27 ] CVE-2010-2192
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2192
  [ 28 ] CVE-2010-2251
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2251
  [ 29 ] CVE-2010-2529
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2529
  [ 30 ] CVE-2010-2809
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2809
  [ 31 ] CVE-2010-2945
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2945

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201412-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5