Gentoo 2510 Published by

The following updates has been released for Gentoo Linux:

GLSA 201810-05 : xkbcommon: Multiple vulnerabilities
GLSA 201810-06 : Xen: Multiple vulnerabilities
GLSA 201810-07 : Mutt, NeoMutt: Multiple vulnerabilities
GLSA 201810-08 : PostgreSQL: Multiple vulnerabilities
GLSA 201810-09 : X.Org X Server: Privilege escalation
GLSA 201810-10 : systemd: Multiple vulnerabilities



GLSA 201810-05 : xkbcommon: Multiple vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201810-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: xkbcommon: Multiple vulnerabilities
Date: October 30, 2018
Bugs: #665702
ID: 201810-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in xkbcommon, the worst of
which may lead to a Denial of Service condition.

Background
==========

xkbcommon is a library to handle keyboard descriptions, including
loading them from disk, parsing them and handling their state.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 x11-libs/libxkbcommon < 0.8.2 >= 0.8.2

Description
===========

Multiple vulnerabilities have been discovered in libxkbcommon. Please
review the CVE identifiers referenced below for details.

Impact
======

A local attacker could supply a specially crafted keymap file possibly
resulting in a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libxkbcommon users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libxkbcommon-0.8.2"

References
==========

[ 1 ] CVE-2018-15853
https://nvd.nist.gov/vuln/detail/CVE-2018-15853
[ 2 ] CVE-2018-15854
https://nvd.nist.gov/vuln/detail/CVE-2018-15854
[ 3 ] CVE-2018-15855
https://nvd.nist.gov/vuln/detail/CVE-2018-15855
[ 4 ] CVE-2018-15856
https://nvd.nist.gov/vuln/detail/CVE-2018-15856
[ 5 ] CVE-2018-15857
https://nvd.nist.gov/vuln/detail/CVE-2018-15857
[ 6 ] CVE-2018-15858
https://nvd.nist.gov/vuln/detail/CVE-2018-15858
[ 7 ] CVE-2018-15859
https://nvd.nist.gov/vuln/detail/CVE-2018-15859
[ 8 ] CVE-2018-15861
https://nvd.nist.gov/vuln/detail/CVE-2018-15861
[ 9 ] CVE-2018-15862
https://nvd.nist.gov/vuln/detail/CVE-2018-15862
[ 10 ] CVE-2018-15863
https://nvd.nist.gov/vuln/detail/CVE-2018-15863
[ 11 ] CVE-2018-15864
https://nvd.nist.gov/vuln/detail/CVE-2018-15864

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201810-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

GLSA 201810-06 : Xen: Multiple vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201810-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Xen: Multiple vulnerabilities
Date: October 30, 2018
Bugs: #643350, #655188, #655544, #659442
ID: 201810-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Xen, the worst of which
could cause a Denial of Service condition.

Background
==========

Xen is a bare-metal hypervisor.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/xen < 4.10.1-r2 >= 4.10.1-r2
2 app-emulation/xen-tools < 4.10.1-r2 >= 4.10.1-r2
-------------------------------------------------------------------
2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Xen. Please review the
referenced CVE identifiers for details.

Impact
======

A local attacker could cause a Denial of Service condition or disclose
sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xen users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.10.1-r2"

All Xen tools users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.10.1-r2"

References
==========

[ 1 ] CVE-2017-5715
https://nvd.nist.gov/vuln/detail/CVE-2017-5715
[ 2 ] CVE-2017-5753
https://nvd.nist.gov/vuln/detail/CVE-2017-5753
[ 3 ] CVE-2017-5754
https://nvd.nist.gov/vuln/detail/CVE-2017-5754
[ 4 ] CVE-2018-10471
https://nvd.nist.gov/vuln/detail/CVE-2018-10471
[ 5 ] CVE-2018-10472
https://nvd.nist.gov/vuln/detail/CVE-2018-10472
[ 6 ] CVE-2018-10981
https://nvd.nist.gov/vuln/detail/CVE-2018-10981
[ 7 ] CVE-2018-10982
https://nvd.nist.gov/vuln/detail/CVE-2018-10982
[ 8 ] CVE-2018-12891
https://nvd.nist.gov/vuln/detail/CVE-2018-12891
[ 9 ] CVE-2018-12892
https://nvd.nist.gov/vuln/detail/CVE-2018-12892
[ 10 ] CVE-2018-12893
https://nvd.nist.gov/vuln/detail/CVE-2018-12893
[ 11 ] CVE-2018-15468
https://nvd.nist.gov/vuln/detail/CVE-2018-15468
[ 12 ] CVE-2018-15469
https://nvd.nist.gov/vuln/detail/CVE-2018-15469
[ 13 ] CVE-2018-15470
https://nvd.nist.gov/vuln/detail/CVE-2018-15470
[ 14 ] CVE-2018-3620
https://nvd.nist.gov/vuln/detail/CVE-2018-3620
[ 15 ] CVE-2018-3646
https://nvd.nist.gov/vuln/detail/CVE-2018-3646
[ 16 ] CVE-2018-5244
https://nvd.nist.gov/vuln/detail/CVE-2018-5244
[ 17 ] CVE-2018-7540
https://nvd.nist.gov/vuln/detail/CVE-2018-7540
[ 18 ] CVE-2018-7541
https://nvd.nist.gov/vuln/detail/CVE-2018-7541
[ 19 ] CVE-2018-7542
https://nvd.nist.gov/vuln/detail/CVE-2018-7542

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201810-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5


GLSA 201810-07 : Mutt, NeoMutt: Multiple vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201810-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Mutt, NeoMutt: Multiple vulnerabilities
Date: October 30, 2018
Bugs: #661436
ID: 201810-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Mutt and NeoMutt, the worst
of which allows for arbitrary code execution.

Background
==========

Mutt is a small but very powerful text-based mail client.

NeoMutt is a command line mail reader (or MUA). It's a fork of Mutt
with added features.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-client/mutt < 1.10-1 >= 1.10-1
2 mail-client/neomutt < 20180716 >= 20180716
-------------------------------------------------------------------
2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mutt, and NeoMutt.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted mail
message or connect to malicious mail server using Mutt or NeoMutt,
possibly resulting in execution of arbitrary code or directory
traversal with the privileges of the process or a Denial of Service
condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mutt users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-client/mutt-1.10-1"

All NeoMuutt users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/neomutt-20180716"

References
==========

[ 1 ] CVE-2018-14349
https://nvd.nist.gov/vuln/detail/CVE-2018-14349
[ 2 ] CVE-2018-14350
https://nvd.nist.gov/vuln/detail/CVE-2018-14350
[ 3 ] CVE-2018-14351
https://nvd.nist.gov/vuln/detail/CVE-2018-14351
[ 4 ] CVE-2018-14352
https://nvd.nist.gov/vuln/detail/CVE-2018-14352
[ 5 ] CVE-2018-14353
https://nvd.nist.gov/vuln/detail/CVE-2018-14353
[ 6 ] CVE-2018-14354
https://nvd.nist.gov/vuln/detail/CVE-2018-14354
[ 7 ] CVE-2018-14355
https://nvd.nist.gov/vuln/detail/CVE-2018-14355
[ 8 ] CVE-2018-14356
https://nvd.nist.gov/vuln/detail/CVE-2018-14356
[ 9 ] CVE-2018-14357
https://nvd.nist.gov/vuln/detail/CVE-2018-14357
[ 10 ] CVE-2018-14358
https://nvd.nist.gov/vuln/detail/CVE-2018-14358
[ 11 ] CVE-2018-14359
https://nvd.nist.gov/vuln/detail/CVE-2018-14359
[ 12 ] CVE-2018-14362
https://nvd.nist.gov/vuln/detail/CVE-2018-14362

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201810-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

GLSA 201810-08 : PostgreSQL: Multiple vulnerabilities


Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201810-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: PostgreSQL: Multiple vulnerabilities
Date: October 30, 2018
Bugs: #603716, #603720, #664332
ID: 201810-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PostgreSQL, the worst which
could lead to privilege escalation.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-db/postgresql < 10.5 >= 9.3.24:9.3
>= 9.4.19:9.4
>= 9.5.14:9.5
>= 9.6.10:9.6
>= 10.5:10

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the referenced CVE identifiers for details.

In addition it was discovered that Gentoo's PostgreSQL installation
suffered from a privilege escalation vulnerability due to a runscript
which called OpenRC's checkpath() on a user controlled path and allowed
user running PostgreSQL to kill arbitrary processes via PID file
manipulation.

Impact
======

A remote attacker could bypass certain client-side connection security
features, read arbitrary server memory or alter certain data.

In addition, a local attacker could gain privileges or cause a Denial
of Service condition by killing arbitrary processes.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL users up to 9.3 should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.24:9.3"

All PostgreSQL 9.4 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.19:9.4"

All PostgreSQL 9.5 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.14:9.5"

All PostgreSQL 9.6 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.10:9.6"

All PostgreSQL 10 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.5:10"

References
==========

[ 1 ] CVE-2018-10915
https://nvd.nist.gov/vuln/detail/CVE-2018-10915
[ 2 ] CVE-2018-10925
https://nvd.nist.gov/vuln/detail/CVE-2018-10925
[ 3 ] CVE-2018-1115
https://nvd.nist.gov/vuln/detail/CVE-2018-1115

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201810-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5


GLSA 201810-09 : X.Org X Server: Privilege escalation



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201810-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: X.Org X Server: Privilege escalation
Date: October 30, 2018
Bugs: #669588
ID: 201810-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in X.Org X Server allows local users to escalate
privileges.

Background
==========

The X Window System is a graphical windowing system based on a
client/server model.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 x11-base/xorg-server < 1.20.3 >= 1.20.3

Description
===========

An incorrect permission check for -modulepath and -logfile options when
starting Xorg. X server allows unprivileged users with the ability to
log in to the system via physical console to escalate their privileges
and run arbitrary code under root privileges.

Impact
======

A local attacker can escalate privileges to root by passing crafted
parameters to the X.org X server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All X.Org X Server users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.20.3"

References
==========

[ 1 ] CVE-2018-14665
https://nvd.nist.gov/vuln/detail/CVE-2018-14665

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201810-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

GLSA 201810-10 : systemd: Multiple vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201810-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: systemd: Multiple vulnerabilities
Date: October 30, 2018
Bugs: #669664, #669716
ID: 201810-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in systemd, the worst of which
may allow execution of arbitrary code.

Background
==========

A system and service manager.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/systemd < 239-r2 >= 239-r2

Description
===========

Multiple vulnerabilities have been discovered in systemd. Please review
the CVE identifiers referenced below for details.

Impact
======

An attacker could possibly execute arbitrary code, cause a Denial of
Service condition, or gain escalated privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All systemd users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/systemd-239-r2"

References
==========

[ 1 ] CVE-2018-15686
https://nvd.nist.gov/vuln/detail/CVE-2018-15686
[ 2 ] CVE-2018-15687
https://nvd.nist.gov/vuln/detail/CVE-2018-15687
[ 3 ] CVE-2018-15688
https://nvd.nist.gov/vuln/detail/CVE-2018-15688

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201810-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5