<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.gentoo.announce">
    <title>gmane.linux.gentoo.announce</title>
    <link>http://blog.gmane.org/gmane.linux.gentoo.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1971"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1970"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1969"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1968"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1967"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1966"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1965"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1964"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1963"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1962"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1961"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1960"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1959"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1958"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1957"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1956"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1955"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1954"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1953"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.announce/1952"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1971">
    <title>[ GLSA 201205-03 ] Chromium, V8: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1971</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201205-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Chromium, V8: Multiple vulnerabilities
     Date: May 21, 2012
     Bugs: #416119
       ID: 201205-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Chromium and V8, some of
which may allow execution of arbitrary code.

Background
==========

Chromium is an open source web browser project. V8 is Google’s open
source JavaScript engine.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/chromium       &amp;lt; 19.0.1084.46         &amp;gt;= 19.0.1084.46
  2  dev-lang/v8                &amp;lt; 3.9.24.21              &amp;gt;= 3.9.24.21
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Chromium and V8.
Please review the CVE identifiers and release notes referenced below
for details.

Impact
======

A context-dependent attacker could entice a user to open a specially
crafted web site or JavaScript program using Chromium or V8, possibly
resulting in the execution of arbitrary code with the privileges of the
process, or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v "&amp;gt;=www-client/chromium-19.0.1084.46"

All V8 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=dev-lang/v8-3.9.24.21"

References
==========

[  1 ] CVE-2011-3083
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3083
[  2 ] CVE-2011-3084
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3084
[  3 ] CVE-2011-3085
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3085
[  4 ] CVE-2011-3086
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3086
[  5 ] CVE-2011-3087
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3087
[  6 ] CVE-2011-3088
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3088
[  7 ] CVE-2011-3089
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3089
[  8 ] CVE-2011-3090
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3090
[  9 ] CVE-2011-3091
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3091
[ 10 ] CVE-2011-3092
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3092
[ 11 ] CVE-2011-3093
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3093
[ 12 ] CVE-2011-3094
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3094
[ 13 ] CVE-2011-3095
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3095
[ 14 ] CVE-2011-3096
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3096
[ 15 ] CVE-2011-3100
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3100
[ 16 ] CVE-2011-3101
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3101
[ 17 ] Release Notes 19.0.1084.46
       http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201205-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Tim Sammut</dc:creator>
    <dc:date>2012-05-21T07:09:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1970">
    <title>[ GLSA 201205-02 ] ConnMan: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1970</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201205-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: ConnMan: Multiple vulnerabilities
     Date: May 15, 2012
     Bugs: #415415
       ID: 201205-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in ConnMan, allowing attackers
to execute arbitrary code or cause Denial of Service.

Background
==========

ConnMan provides a daemon for managing Internet connections.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/connman             &amp;lt; 1.0-r1                  &amp;gt;= 1.0-r1

Description
===========

Multiple vulnerabilities have been found in ConnMan:

* Errors in inet.c and rtnl.c prevent ConnMan from checking the origin
  of netlink messages (CVE-2012-2320).
* ConnMan does not properly check for shell escapes when requesting a
  hostname via DHCP (CVE-2012-2321).
* An infinite loop error exists in client.c (CVE-2012-2322).

Impact
======

A remote attacker could execute arbitrary code with the privileges of
the process or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ConnMan users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=net-misc/connman-1.0-r1"

References
==========

[ 1 ] CVE-2012-2320
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2320
[ 2 ] CVE-2012-2321
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2321
[ 3 ] CVE-2012-2322
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2322

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201205-02.xml

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-05-15T22:18:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1969">
    <title>[ GLSA 201205-01 ] Chromium: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1969</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201205-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Chromium: Multiple vulnerabilities
     Date: May 15, 2012
     Bugs: #414199
       ID: 201205-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.

Background
==========

Chromium is an open source web browser project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/chromium      &amp;lt; 18.0.1025.168        &amp;gt;= 18.0.1025.168

Description
===========

Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.

Impact
======

A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, or a Denial of Service
condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v "&amp;gt;=www-client/chromium-18.0.1025.168"

References
==========

[ 1 ] CVE-2011-3078
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3078
[ 2 ] CVE-2011-3081
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3081
[ 3 ] CVE-2012-1521
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1521
[ 4 ] Release Notes 18.0.1025.168
      http://googlechromereleases.blogspot.com/2012/04/stable-channel-update_30.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201205-01.xml

&lt;/pre&gt;</description>
    <dc:creator>Tim Sammut</dc:creator>
    <dc:date>2012-05-15T07:12:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1968">
    <title>[ GLSA 201204-08 ] Perl DBD-Pg Module: Arbitrary code execution</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1968</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201204-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Perl DBD-Pg Module: Arbitrary code execution
     Date: April 17, 2012
     Bugs: #407549
       ID: 201204-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two format string vulnerabilities have been found in the Perl DBD-Pg
module, allowing remote PostgreSQL servers to execute arbitrary code.

Background
==========

DBD-Pg is a PostgreSQL interface module for Perl.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-perl/DBD-Pg              &amp;lt; 2.19.0                  &amp;gt;= 2.19.0

Description
===========

Format string vulnerabilities have been found in the "pg_warn()"
and "dbd_st_prepare()" functions in dbdimp.c.

Impact
======

A remote PostgreSQL server could send specially crafted database
warnings or DBD statements, possibly resulting in execution of
arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All users of the Perl DBD-Pg module should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=dev-perl/DBD-Pg-2.19.0"

References
==========

[ 1 ] CVE-2012-1151
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1151

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201204-08.xml

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-04-17T23:48:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1967">
    <title>[ GLSA 201204-07 ] Adobe Flash Player: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1967</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201204-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Adobe Flash Player: Multiple vulnerabilities
     Date: April 17, 2012
     Bugs: #390149, #404101, #407023, #410005
       ID: 201204-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Adobe Flash Player, the worst of which
might allow remote attackers to execute arbitrary code.

Background
==========

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-plugins/adobe-flash   &amp;lt; 11.2.202.228         &amp;gt;= 11.2.202.228

Description
===========

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted SWF
file, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
Furthermore, a remote attacker may be able to bypass intended access
restrictions, bypass cross-domain policy, inject arbitrary web script,
or obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Flash Player users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v "&amp;gt;=www-plugins/adobe-flash-11.2.202.228"

References
==========

[  1 ] CVE-2011-2445
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2445
[  2 ] CVE-2011-2450
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2450
[  3 ] CVE-2011-2451
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2451
[  4 ] CVE-2011-2452
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2452
[  5 ] CVE-2011-2453
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2453
[  6 ] CVE-2011-2454
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2454
[  7 ] CVE-2011-2455
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2455
[  8 ] CVE-2011-2456
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2456
[  9 ] CVE-2011-2457
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2457
[ 10 ] CVE-2011-2458
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2458
[ 11 ] CVE-2011-2459
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2459
[ 12 ] CVE-2011-2460
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2460
[ 13 ] CVE-2012-0752
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0752
[ 14 ] CVE-2012-0753
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0753
[ 15 ] CVE-2012-0754
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0754
[ 16 ] CVE-2012-0755
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0755
[ 17 ] CVE-2012-0756
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0756
[ 18 ] CVE-2012-0767
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0767
[ 19 ] CVE-2012-0768
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0768
[ 20 ] CVE-2012-0769
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0769
[ 21 ] CVE-2012-0773
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0773

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201204-07.xml

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-04-17T23:46:11</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1966">
    <title>[ GLSA 201204-06 ] PolicyKit: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1966</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201204-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: PolicyKit: Multiple vulnerabilities
     Date: April 17, 2012
     Bugs: #314535, #364973, #401513
       ID: 201204-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PolicyKit, the worst of
which may allow a local attacker to gain root privileges.

Background
==========

PolicyKit is a toolkit for controlling privileges for system-wide
services.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  sys-auth/polkit             &amp;lt; 0.104-r1               &amp;gt;= 0.104-r1

Description
===========

Multiple vulnerabilities have been found in PolicyKit:

* Error messages in the pkexec utility disclose the existence of local
  files (CVE-2010-0750).
* The pkexec utility initially checks the effective user ID of its
  parent process for authorization, instead of checking the real user
  ID (CVE-2011-1485).
* Members of the "wheel" group are able to execute commands as an
  administrator without a password (CVE-2011-4945).

Impact
======

A local attacker could gain elevated privileges or sensitive
information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PolicyKit users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=sys-auth/polkit-0.104-r1"

References
==========

[ 1 ] CVE-2010-0750
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0750
[ 2 ] CVE-2011-1485
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1485
[ 3 ] CVE-2011-4945
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4945

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201204-06.xml

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-04-17T23:42:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1965">
    <title>[ GLSA 201204-05 ] SWFTools: User-assisted execution of arbitrary code</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1965</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201204-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: SWFTools: User-assisted execution of arbitrary code
     Date: April 17, 2012
     Bugs: #332649
       ID: 201204-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A heap-based buffer overflow in SWFTools could result in the execution
of arbitrary code.

Background
==========

SWFTools is a collection of SWF manipulation and generation utilities
written by Rainer Böhme and Matthias Kramm.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-gfx/swftools           &amp;lt;= 0.9.1                 Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.

Description
===========

Integer overflow errors in the "getPNG()" function in png.c and the
"jpeg_load()" function in jpeg.c could cause a heap-based buffer
overflow.

Impact
======

A remote attacker could entice a user to open a specially crafted PNG
or JPEG file, possibly resulting in execution of arbitrary code with
the privileges of the process, or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

Gentoo discontinued support for SWFTools. We recommend that users
unmerge swftools:

  # emerge --unmerge "media-gfx/swftools"

References
==========

[ 1 ] CVE-2010-1516
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1516

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201204-05.xml

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-04-17T23:38:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1964">
    <title>[ GLSA 201204-04 ] FreeType: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1964</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201204-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: FreeType: Multiple vulnerabilities
     Date: April 17, 2012
     Bugs: #407257
       ID: 201204-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in FreeType, allowing remote
attackers to possibly execute arbitrary code or cause Denial of
Service.

Background
==========

FreeType is a high-quality and portable font engine.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/freetype          &amp;lt; 2.4.9                    &amp;gt;= 2.4.9

Description
===========

Multiple vulnerabilities have been discovered in FreeType. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted font,
possibly resulting in execution of arbitrary code with the privileges
of the user running the application, or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FreeType users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=media-libs/freetype-2.4.9"

References
==========

[  1 ] CVE-2012-1126
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1126
[  2 ] CVE-2012-1127
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1127
[  3 ] CVE-2012-1128
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1128
[  4 ] CVE-2012-1129
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1129
[  5 ] CVE-2012-1130
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1130
[  6 ] CVE-2012-1131
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1131
[  7 ] CVE-2012-1132
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1132
[  8 ] CVE-2012-1133
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1133
[  9 ] CVE-2012-1134
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1134
[ 10 ] CVE-2012-1135
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1135
[ 11 ] CVE-2012-1136
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1136
[ 12 ] CVE-2012-1137
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1137
[ 13 ] CVE-2012-1138
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1138
[ 14 ] CVE-2012-1139
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1139
[ 15 ] CVE-2012-1140
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1140
[ 16 ] CVE-2012-1141
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1141
[ 17 ] CVE-2012-1142
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1142
[ 18 ] CVE-2012-1143
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1143
[ 19 ] CVE-2012-1144
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1144

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201204-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-04-17T23:11:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1963">
    <title>[ GLSA 201204-03 ] Chromium: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1963</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201204-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Chromium: Multiple vulnerabilities
     Date: April 10, 2012
     Bugs: #410963
       ID: 201204-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.

Background
==========

Chromium is an open source web browser project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/chromium      &amp;lt; 18.0.1025.151        &amp;gt;= 18.0.1025.151

Description
===========

Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.

Impact
======

A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
or bypass of the same origin policy.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v "&amp;gt;=www-client/chromium-18.0.1025.151"

References
==========

[  1 ] CVE-2011-3066
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3066
[  2 ] CVE-2011-3067
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3067
[  3 ] CVE-2011-3068
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3068
[  4 ] CVE-2011-3069
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3069
[  5 ] CVE-2011-3070
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3070
[  6 ] CVE-2011-3071
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3071
[  7 ] CVE-2011-3072
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3072
[  8 ] CVE-2011-3073
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3073
[  9 ] CVE-2011-3074
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3074
[ 10 ] CVE-2011-3075
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3075
[ 11 ] CVE-2011-3076
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3076
[ 12 ] CVE-2011-3077
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3077
[ 13 ] Release Notes 18.0.1025.151
       http://googlechromereleases.blogspot.com/2012/04/stable-and-beta-channel-updates.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201204-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Tim Sammut</dc:creator>
    <dc:date>2012-04-10T22:07:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1962">
    <title>[ GLSA 201204-02 ] InspIRCd: Arbitrary code execution</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1962</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201204-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: InspIRCd: Arbitrary code execution
     Date: April 10, 2012
     Bugs: #409159
       ID: 201204-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A heap-based buffer overflow in InspIRCd may allow execution of
arbitrary code.

Background
==========

InspIRCd (Inspire IRCd) is a modular C++ IRC daemon.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-irc/inspircd            &amp;lt; 2.0.5-r1               &amp;gt;= 2.0.5-r1

Description
===========

A vulnerability in InspIRCd allows DNS compression features to control
the number of overflowed bytes sent to the heap-based buffer "res[]" in
dns.cpp.

Impact
======

A remote attacker could send specially crafted DNS responses, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All InspIRCd users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=net-irc/inspircd-2.0.5-r1"

References
==========

[ 1 ] CVE-2012-1836
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1836

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201204-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-04-10T11:22:45</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1961">
    <title>[ GLSA 201204-01 ] VirtualBox: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1961</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201204-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: VirtualBox: Multiple vulnerabilities
     Date: April 09, 2012
     Bugs: #386317, #399807
       ID: 201204-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in VirtualBox, allowing local
attackers to gain escalated privileges.

Background
==========

VirtualBox is a powerful virtualization product from Oracle.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/virtualbox
                                  &amp;lt; 4.1.8                    &amp;gt;= 4.1.8 
  2  app-emulation/virtualbox-bin
                                  &amp;lt; 4.1.8                    &amp;gt;= 4.1.4 
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple unspecified vulnerabilities have been discovered in
VirtualBox. Please review the CVE identifiers referenced below for
details.

Impact
======

A local attacker may be able to gain escalated privileges via unknown
attack vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All VirtualBox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=app-emulation/virtualbox-4.1.8"

All VirtualBox binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v "&amp;gt;=app-emulation/virtualbox-bin-4.1.8"

References
==========

[ 1 ] CVE-2010-4414
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4414
[ 2 ] CVE-2011-2300
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2300
[ 3 ] CVE-2011-2305
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2305
[ 4 ] CVE-2012-0105
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0105
[ 5 ] CVE-2012-0111
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0111

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201204-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-04-09T22:53:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1960">
    <title>[ GLSA 201203-24 ] Chromium, V8: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1960</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Chromium, V8: Multiple vulnerabilities
     Date: March 30, 2012
     Bugs: #410045
       ID: 201203-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Chromium and V8, some of
which may allow execution of arbitrary code.

Background
==========

Chromium is an open source web browser project. V8 is Google's open
source JavaScript engine. SPDY is an experimental networking protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/chromium      &amp;lt; 18.0.1025.142        &amp;gt;= 18.0.1025.142
  2  dev-lang/v8                 &amp;lt; 3.8.9.16               &amp;gt;= 3.8.9.16
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Chromium and V8.
Please review the CVE identifiers and release notes referenced below
for details.

Impact
======

A context-dependent attacker could entice a user to open a specially
crafted web site or JavaScript program using Chromium or V8, possibly
resulting in the execution of arbitrary code with the privileges of the
process, or a Denial of Service condition.

The attacker could also entice a user to open a specially crafted web
site using Chromium, possibly resulting in cross-site scripting (XSS),
or an unspecified SPDY certificate checking error.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v "&amp;gt;=www-client/chromium-18.0.1025.142"

All V8 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=dev-lang/v8-3.8.9.16"

References
==========

[  1 ] CVE-2011-3057
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[  2 ] CVE-2011-3058
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3058
[  3 ] CVE-2011-3059
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3059
[  4 ] CVE-2011-3060
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3060
[  5 ] CVE-2011-3061
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3061
[  6 ] CVE-2011-3062
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3062
[  7 ] CVE-2011-3063
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3063
[  8 ] CVE-2011-3064
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3064
[  9 ] CVE-2011-3065
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3065
[ 10 ] Release Notes 18.0.1025.142
       http://googlechromereleases.blogspot.com/2012/03/stable-channel-release-and-beta-channel.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201203-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Tim Sammut</dc:creator>
    <dc:date>2012-03-30T22:37:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1959">
    <title>[ GLSA 201203-23 ] libzip: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1959</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: libzip: Multiple vulnerabilities
     Date: March 29, 2012
     Bugs: #409117
       ID: 201203-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in libzip, the worst of which
might allow execution of arbitrary code.

Background
==========

libzip is a library for manipulating zip archives.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-libs/libzip              &amp;lt; 0.10.1                  &amp;gt;= 0.10.1

Description
===========

Two vulnerabilities have been found in the "_zip_readcdir()" function
in zip_open.c of libzip:

* An incorrect loop construct, which could cause a heap-based buffer
  overflow (CVE-2012-1162).
* An integer overflow, which may not restrict operations within the
  memory buffer (CVE-2012-1163).

Impact
======

A remote attacker could entice a user to open a specially crafted ZIP
file, possibly resulting in execution of arbitrary code with the
privileges of the process, a Denial of Service condition, or
information leaks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libzip users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=dev-libs/libzip-0.10.1"

References
==========

[ 1 ] CVE-2012-1162
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1162
[ 2 ] CVE-2012-1163
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1163

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201203-23.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-03-29T11:42:32</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1958">
    <title>[ GLSA 201203-22 ] nginx: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1958</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: nginx: Multiple vulnerabilities
     Date: March 28, 2012
     Bugs: #293785, #293786, #293788, #389319, #408367
       ID: 201203-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in nginx, the worst of which
may allow execution of arbitrary code.

Background
==========

nginx is a robust, small, and high performance HTTP and reverse proxy
server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-servers/nginx            &amp;lt; 1.0.14                  &amp;gt;= 1.0.14

Description
===========

Multiple vulnerabilities have been found in nginx:

* The TLS protocol does not properly handle session renegotiation
  requests (CVE-2009-3555).
* The "ngx_http_process_request_headers()" function in ngx_http_parse.c
  could cause a NULL pointer dereference (CVE-2009-3896).
* nginx does not properly sanitize user input for the WebDAV COPY
  or MOVE methods (CVE-2009-3898).
* The "ngx_resolver_copy()" function in ngx_resolver.c contains a
  boundary error which could cause a heap-based buffer overflow
  (CVE-2011-4315).
* nginx does not properly parse HTTP header responses which could
  expose sensitive information (CVE-2012-1180).

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the nginx process, cause a Denial of Service condition,
create or overwrite arbitrary files, or obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All nginx users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=www-servers/nginx-1.0.14"

References
==========

[ 1 ] CVE-2009-3555
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555
[ 2 ] CVE-2009-3896
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3896
[ 3 ] CVE-2009-3898
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3898
[ 4 ] CVE-2011-4315
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4315
[ 5 ] CVE-2012-1180
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1180

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201203-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-03-28T10:57:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1957">
    <title>[ GLSA 201203-21 ] Asterisk: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1957</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Asterisk: Multiple vulnerabilities
     Date: March 28, 2012
     Bugs: #408431
       ID: 201203-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Asterisk, the worst of
which may allow execution of arbitrary code.

Background
==========

Asterisk is an open source telephony engine and toolkit.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/asterisk           &amp;lt; 1.8.10.1               &amp;gt;= 1.8.10.1

Description
===========

Two vulnerabilities have been found in Asterisk:

* The "milliwatt_generate()" function in app_milliwatt.c is vulnerable
  to a stack overrun (AST-2012-002).
* The "ast_parse_digest()" function in utils.c is vulnerable to a
  stack-based buffer overflow (AST-2012-003).

Impact
======

A remote unauthenticated attacker could execute arbitrary code or cause
a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Asterisk users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=net-misc/asterisk-1.8.10.1"

References
==========

[ 1 ] AST-2012-002
      http://downloads.asterisk.org/pub/security/AST-2012-002.txt
[ 2 ] AST-2012-003
      http://downloads.asterisk.org/pub/security/AST-2012-003.txt
[ 3 ] CVE-2012-1183
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1183
[ 4 ] CVE-2012-1184
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1184

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201203-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-03-28T10:56:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1956">
    <title>[ GLSA 201203-20 ] Logwatch: Arbitrary code execution</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1956</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Logwatch: Arbitrary code execution
     Date: March 28, 2012
     Bugs: #356387
       ID: 201203-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Logwatch might allow remote attackers to execute
arbitrary code.

Background
==========

Logwatch analyzes and reports on system logs.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  sys-apps/logwatch            &amp;lt; 7.4.0                    &amp;gt;= 7.4.0

Description
===========

logwatch.pl does not properly sanitize log filenames against shell
metacharacters before passing them to the "system()" function.

Impact
======

A remote attacker could pass a specially crafted log filename to
Logwatch, possibly resulting in execution of arbitrary code with root
privileges or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Logwatch users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=sys-apps/logwatch-7.4.0"

References
==========

[ 1 ] CVE-2011-1018
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1018

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201203-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-03-28T10:53:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1955">
    <title>[ GLSA 201203-19 ] Chromium: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1955</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Chromium: Multiple vulnerabilities
     Date: March 25, 2012
     Bugs: #406975, #407465, #407755, #409251
       ID: 201203-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.

Background
==========

Chromium is an open source web browser project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/chromium       &amp;lt; 17.0.963.83           &amp;gt;= 17.0.963.83

Description
===========

Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.

Impact
======

A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.

A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v "&amp;gt;=www-client/chromium-17.0.963.83"

References
==========

[  1 ] CVE-2011-3031
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[  2 ] CVE-2011-3032
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[  3 ] CVE-2011-3033
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[  4 ] CVE-2011-3034
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[  5 ] CVE-2011-3035
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[  6 ] CVE-2011-3036
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[  7 ] CVE-2011-3037
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[  8 ] CVE-2011-3038
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[  9 ] CVE-2011-3039
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
       http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html
[ 27 ] Release Notes 17.0.963.78
       http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-update.html
[ 28 ] Release Notes 17.0.963.79
       http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.html
[ 29 ] Release Notes 17.0.963.83
       http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201203-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Tim Sammut</dc:creator>
    <dc:date>2012-03-25T16:22:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1954">
    <title>[ GLSA 201203-18 ] Minitube: Insecure temporary file usage</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1954</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Minitube: Insecure temporary file usage
     Date: March 16, 2012
     Bugs: #388867
       ID: 201203-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Insecure temporary file usage has been reported in Minitube,
possibly allowing symlink attacks.

Background
==========

Minitube is a Qt4 YouTube desktop client.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-video/minitube          &amp;lt; 1.6                       &amp;gt;= 1.6

Description
===========

Tomáš Pružina reported that Minitube does not handle temporary files
securely.

Impact
======

A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Minitube users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=media-video/minitube-1.6"

NOTE: This is a legacy GLSA. Updates for all affected architectures have
been available since November 11, 2011. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] Minitube 1.6 Release
      http://flavio.tordini.org/minitube-1-6-released

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201203-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-03-16T12:45:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1953">
    <title>[ GLSA 201203-17 ] HPLIP: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1953</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: HPLIP: Multiple vulnerabilities
     Date: March 16, 2012
     Bugs: #352085, #388655
       ID: 201203-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in HPLIP, the worst of which
may allow execution of arbitrary code.

Background
==========

The Hewlett-Packard Linux Imaging and Printing system (HPLIP) provides
drivers for HP's inkjet and laser printers, scanners and fax machines.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-print/hplip             &amp;lt; 3.11.10                 &amp;gt;= 3.11.10

Description
===========

Two vulnerabilities have been found in HPLIP:

* The "hpmud_get_pml()" function in pml.c contains a boundary error
  which could cause a stack-based buffer overflow (CVE-2010-4267).
* The "send_data_to_stdout()" function in hpcupsfax.cpp creates
  insecure temporary files (CVE-2011-2722).

Impact
======

A remote attacker might send specially crafted SNMP responses, possibly
resulting in execution of arbitrary code or a Denial of Service
condition. Furthermore, a local attacker could perform symlink attacks
to overwrite arbitrary files.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All HPLIP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=net-print/hplip-3.11.10"

References
==========

[ 1 ] CVE-2010-4267
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4267
[ 2 ] CVE-2011-2722
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2722

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201203-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-03-16T12:36:25</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1952">
    <title>[ GLSA 201203-16 ] ModPlug: User-assisted execution of arbitrary code</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1952</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: ModPlug: User-assisted execution of arbitrary code
     Date: March 16, 2012
     Bugs: #362503, #379557
       ID: 201203-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in ModPlug could result in execution of
arbitrary code or Denial of Service.

Background
==========

ModPlug is a library for playing MOD-like music.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/libmodplug       &amp;lt; 0.8.8.4                 &amp;gt;= 0.8.8.4

Description
===========

Multiple vulnerabilities have been found in ModPlug:

* The ReadS3M method in load_s3m.cpp fails to validate user-supplied
  information, which could cause a stack-based buffer overflow
  (CVE-2011-1574).
* The "CSoundFile::ReadWav()" function in load_wav.cpp contains an
  integer overflow which could cause a heap-based buffer overflow
  (CVE-2011-2911).
* The "CSoundFile::ReadS3M()" function in load_s3m.cpp contains
  multiple boundary errors which could cause a stack-based buffer
  overflow (CVE-2011-2912).
* The "CSoundFile::ReadAMS()" function in load_ams.cpp contains an
  off-by-one error which could cause memory corruption (CVE-2011-2913).
* The "CSoundFile::ReadDSM()" function in load_dms.cpp contains an
  off-by-one error which could cause memory corruption (CVE-2011-2914).
* The "CSoundFile::ReadAMS2()" function in load_ams.cpp contains an
  off-by-one error which could cause memory corruption (CVE-2011-2915).

Impact
======

A remote attacker could entice a user to open a specially crafted media
file, possibly resulting in execution of arbitrary code, or a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ModPlug users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=media-libs/libmodplug-0.8.8.4"

NOTE: This is a legacy GLSA. Updates for all affected architectures have
been available since August 27, 2011. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2011-1574
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1574
[ 2 ] CVE-2011-2911
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2911
[ 3 ] CVE-2011-2912
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2912
[ 4 ] CVE-2011-2913
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2913
[ 5 ] CVE-2011-2914
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2914
[ 6 ] CVE-2011-2915
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2915

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201203-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-03-16T12:16:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.announce/1951">
    <title>[ GLSA 201203-15 ] gif2png: Multiple vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.announce/1951</link>
    <description>&lt;pre&gt;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: gif2png: Multiple vulnerabilities
     Date: March 16, 2012
     Bugs: #351698
       ID: 201203-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in gif2png, the worst of which
might allow execution of arbitrary code.

Background
==========

gif2png converts images from GIF format to PNG format.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-gfx/gif2png            &amp;lt; 2.5.8                    &amp;gt;= 2.5.8

Description
===========

Two vulnerabilities have been found in gif2png:

* A boundary error in gif2png.c could cause a buffer overflow
  (CVE-2010-4694).
* The patch for CVE-2009-5018 causes gif2png to truncate GIF pathnames
  (CVE-2010-4695).

Impact
======

A remote attacker could entice a user to open a specially crafted GIF
file, possibly resulting in execution of arbitrary code, a Denial of
Service condition, or the creation of PNG files in unintended
directories.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All gif2png users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose "&amp;gt;=media-gfx/gif2png-2.5.8"

References
==========

[ 1 ] CVE-2010-4694
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4694
[ 2 ] CVE-2010-4695
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4695

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201203-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security&amp;lt; at &amp;gt;gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

&lt;/pre&gt;</description>
    <dc:creator>Sean Amoss</dc:creator>
    <dc:date>2012-03-16T11:43:29</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.gentoo.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.gentoo.announce</link>
  </textinput>
</rdf:RDF>

