Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201412-08 ] Multiple packages, Multiple vulnerabilities fixed in 2010
Date: Fri, 12 Dec 2014 00:17:06
Message-Id: 548A338F.6020409@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201412-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Multiple packages, Multiple vulnerabilities fixed in 2010
      Date: December 11, 2014
      Bugs: #159556, #208464, #253822, #259968, #298067, #300375,
            #300943, #302478, #307525, #307633, #315235, #316697,
            #319719, #320961, #322457, #325507, #326759, #326953,
            #329125, #329939, #331421, #332527, #333661
        ID: 201412-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2011. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable           /  Unaffected
    -------------------------------------------------------------------
  1  dev-util/insight           < 6.7.1-r1             >= 6.7.1-r1
  2  dev-perl/perl-tk           < 804.028-r2           >= 804.028-r2
  3  dev-util/sourcenav         < 5.1.4                >= 5.1.4
  4  dev-lang/tk                < 8.4.18-r1            >= 8.4.18-r1
  5  sys-block/partimage        < 0.6.8                >= 0.6.8
  6  app-antivirus/bitdefender-console
                                <= 7.1                 Vulnerable!
  7  net-mail/mlmmj             < 1.2.17.1             >= 1.2.17.1
  8  sys-apps/acl               < 2.2.49               >= 2.2.49
  9  x11-apps/xinit             < 1.2.0-r4             >= 1.2.0-r4
 10  app-arch/gzip              < 1.4                  >= 1.4
 11  app-arch/ncompress         < 4.2.4.3              >= 4.2.4.3
 12  dev-libs/liblzw            < 0.2                  >= 0.2
 13  media-gfx/splashutils      < 1.5.4.3-r3           >= 1.5.4.3-r3
 14  sys-devel/m4               < 1.4.14-r1            >= 1.4.14-r1
 15  kde-base/kdm               < 4.3.5-r1             >= 4.3.5-r1
 16  x11-libs/gtk+              < 2.18.7               >= 2.18.7
 17  kde-base/kget              < 4.3.5-r1             >= 4.3.5-r1
 18  app-text/dvipng            < 1.13                 >= 1.13
 19  app-misc/beanstalkd        < 1.4.6                >= 1.4.6
 20  sys-apps/pmount            < 0.9.23               >= 0.9.23
 21  sys-auth/pam_krb5          < 4.3                  >= 4.3
 22  app-text/gv                < 3.7.1                >= 3.7.1
 23  net-ftp/lftp               < 4.0.6                >= 4.0.6
 24  www-client/uzbl            < 2010.08.05           >= 2010.08.05
 25  x11-misc/slim              < 1.3.2                >= 1.3.2
 26  net-misc/iputils           < 20100418             >= 20100418
 27  media-tv/dvbstreamer       < 1.1-r1               >= 1.1-r1
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     27 affected packages

74
Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

  * Insight
  * Perl Tk Module
  * Source-Navigator
  * Tk
  * Partimage
  * Mlmmj
  * acl
  * Xinit
  * gzip
  * ncompress
  * liblzw
  * splashutils
  * GNU M4
  * KDE Display Manager
  * GTK+
  * KGet
  * dvipng
  * Beanstalk
  * Policy Mount
  * pam_krb5
  * GNU gv
  * LFTP
  * Uzbl
  * Slim
  * Bitdefender Console
  * iputils
  * DVBStreamer

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All Insight users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-util/insight-6.7.1-r1"

All Perl Tk Module users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-perl/perl-tk-804.028-r2"

All Source-Navigator users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-util/sourcenav-5.1.4"

All Tk users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/tk-8.4.18-r1"

All Partimage users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-block/partimage-0.6.8"

All Mlmmj users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-mail/mlmmj-1.2.17.1"

All acl users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/acl-2.2.49"

All Xinit users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-apps/xinit-1.2.0-r4"

All gzip users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/gzip-1.4"

All ncompress users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/ncompress-4.2.4.3"

All liblzw users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/liblzw-0.2"

All splashutils users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-gfx/splashutils-1.5.4.3-r3"

All GNU M4 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-devel/m4-1.4.14-r1"

All KDE Display Manager users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=kde-base/kdm-4.3.5-r1"

All GTK+ users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/gtk+-2.18.7"

All KGet 4.3 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=kde-base/kget-4.3.5-r1"

All dvipng users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/dvipng-1.13"

All Beanstalk users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-misc/beanstalkd-1.4.6"

All Policy Mount users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/pmount-0.9.23"

All pam_krb5 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-auth/pam_krb5-4.3"

All GNU gv users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/gv-3.7.1"

All LFTP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-ftp/lftp-4.0.6"

All Uzbl users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/uzbl-2010.08.05"

All Slim users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-misc/slim-1.3.2"

All iputils users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/iputils-20100418"

All DVBStreamer users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-tv/dvbstreamer-1.1-r1"

Gentoo has discontinued support for Bitdefender Console. We recommend
that users unmerge Bitdefender Console:

  # emerge --unmerge "app-antivirus/bitdefender-console"

NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2011. It is likely that your system is
already no longer affected by these issues.
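
Before issuing the per-package commands above, the practical question is
which of the 27 packages are actually installed at a version the table
still calls vulnerable. On a Gentoo host, `glsa-check -t all` from
app-portage/gentoolkit answers that against the live package database. The
script below is an added example, not Gentoo's tooling nor part of this
advisory: it parses rows in the Affected packages table format, applies
Gentoo's version-ordering rules (numeric components, leading-zero
components compared as strings, an optional letter, _alpha/_beta/_pre/_rc/_p
suffixes, then the -rN revision) and reports the Resolution command that
still applies, including the unmerge for the one package that has no fixed
version. GLSA_TABLE holds only the rows the sample exercises (paste in all
27 to check everything), and SAMPLE_INSTALLED is a constructed package list,
not taken from any real system.

```python
"""Check installed packages against the GLSA 201412-08 table (added example,
not Gentoo's tooling; on a live host `glsa-check -t all` from gentoolkit does
this against the real package database)."""
import re
from itertools import zip_longest

# Rows copied from the advisory's table; paste in all 27 to check every package.
GLSA_TABLE = """
  1  dev-util/insight           < 6.7.1-r1             >= 6.7.1-r1
  6  app-antivirus/bitdefender-console
                                <= 7.1                 Vulnerable!
  8  sys-apps/acl               < 2.2.49               >= 2.2.49
 10  app-arch/gzip              < 1.4                  >= 1.4
 16  x11-libs/gtk+              < 2.18.7               >= 2.18.7
 24  www-client/uzbl            < 2010.08.05           >= 2010.08.05
"""

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$")
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_cmp = lambda a, b: (a > b) - (a < b)

def parse_version(v):
    """Split a Gentoo version into (numeric parts, letter, suffixes, revision)."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError("not a Gentoo version: %r" % v)
    nums, letter, suffixes, rev = m.groups()
    sfx = []
    for s in suffixes.split("_")[1:]:
        name, num = re.match(r"([a-z]+)(\d*)$", s).groups()
        sfx.append((_SUFFIX_RANK[name], int(num or 0)))
    return nums.split("."), letter, sfx, int(rev or 0)

def _cmp_component(a, b):
    if a is None or b is None:                    # more components sorts higher
        return -1 if a is None else 1
    if a.startswith("0") or b.startswith("0"):    # PMS: leading zero => compare as strings
        return _cmp(a.rstrip("0"), b.rstrip("0"))
    return _cmp(int(a), int(b))

def compare_versions(x, y):
    """Return -1, 0 or 1 as Portage would order version strings x and y."""
    px, lx, sx, rx = parse_version(x)
    py, ly, sy, ry = parse_version(y)
    steps = [_cmp(int(px[0]), int(py[0]))]
    steps += [_cmp_component(a, b) for a, b in zip_longest(px[1:], py[1:])]
    steps.append(_cmp(lx, ly))
    # A missing suffix ranks between _rc and _p, so 1.0_rc1 < 1.0 < 1.0_p1.
    no_suffix = (_SUFFIX_RANK[""], 0)
    steps += [_cmp(a, b) for a, b in zip_longest(sx, sy, fillvalue=no_suffix)]
    steps.append(_cmp(rx, ry))
    return next((c for c in steps if c), 0)

_ROW_RE = re.compile(r"^\s*\d+\s+(\S+/\S+)\s*(.*)$")
_BOUND_RE = re.compile(r"(<=|>=|<|>|=)\s*(\S+)")

def parse_glsa_table(text):
    """Yield (package, vulnerable bound, unaffected bound or None) per row."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            rows.append([m.group(1), m.group(2)])
        elif rows and line.strip():               # wrapped row (bitdefender-console)
            rows[-1][1] += " " + line.strip()
    for pkg, bounds in rows:
        found = _BOUND_RE.findall(bounds)
        yield pkg, found[0], (found[1] if len(found) > 1 else None)

def bound_holds(version, bound):
    op, ref = bound
    c = compare_versions(version, ref)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]

def check_installed(installed, table=GLSA_TABLE):
    """installed: {'cat/pkg': 'version'} (what `qlist -Iv` lists).
    Returns {pkg: command} for every package the advisory still covers."""
    actions = {}
    for pkg, vulnerable, unaffected in parse_glsa_table(table):
        ver = installed.get(pkg)
        if ver is None or not bound_holds(ver, vulnerable):
            continue
        if unaffected is None:                    # no fixed version: unmerge it
            actions[pkg] = 'emerge --unmerge "%s"' % pkg
        else:
            actions[pkg] = 'emerge --ask --oneshot --verbose "%s%s-%s"' % (
                unaffected[0], pkg, unaffected[1])
    return actions

# Constructed sample of installed versions; not taken from any real host.
SAMPLE_INSTALLED = {
    "app-arch/gzip": "1.3.12-r1",                 # below 1.4
    "x11-libs/gtk+": "2.18.6",                    # one patch level short
    "www-client/uzbl": "2010.07.13",              # leading-zero components
    "app-antivirus/bitdefender-console": "7.1",   # no fixed version exists
    "sys-apps/acl": "2.2.49-r1",                  # revision above the fix
}
```

`check_installed(SAMPLE_INSTALLED)` flags gzip, gtk+, uzbl and
bitdefender-console and leaves acl alone, since 2.2.49-r1 sorts above the
2.2.49 fix. On a real host, `glsa-check -p 201412-08` shows the same
decision without touching anything, and `glsa-check -f 201412-08` applies
the upgrades.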
262
References
==========

  [ 1 ] CVE-2006-3005
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3005
  [ 2 ] CVE-2007-2741
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2741
  [ 3 ] CVE-2008-0553
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0553
  [ 4 ] CVE-2008-1382
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1382
  [ 5 ] CVE-2008-5907
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5907
  [ 6 ] CVE-2008-6218
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6218
  [ 7 ] CVE-2008-6661
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6661
  [ 8 ] CVE-2009-0040
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0040
  [ 9 ] CVE-2009-0360
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0360
  [ 10 ] CVE-2009-0361
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0361
  [ 11 ] CVE-2009-0946
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0946
  [ 12 ] CVE-2009-2042
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2042
  [ 13 ] CVE-2009-2624
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2624
  [ 14 ] CVE-2009-3736
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3736
  [ 15 ] CVE-2009-4029
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4029
  [ 16 ] CVE-2009-4411
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4411
  [ 17 ] CVE-2009-4896
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4896
  [ 18 ] CVE-2010-0001
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0001
  [ 19 ] CVE-2010-0436
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0436
  [ 20 ] CVE-2010-0732
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0732
  [ 21 ] CVE-2010-0829
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0829
  [ 22 ] CVE-2010-1000
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1000
  [ 23 ] CVE-2010-1205
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1205
  [ 24 ] CVE-2010-1511
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1511
  [ 25 ] CVE-2010-2056
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2056
  [ 26 ] CVE-2010-2060
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2060
  [ 27 ] CVE-2010-2192
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2192
  [ 28 ] CVE-2010-2251
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2251
  [ 29 ] CVE-2010-2529
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2529
  [ 30 ] CVE-2010-2809
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2809
  [ 31 ] CVE-2010-2945
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2945

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201412-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
