Gentoo 2514 Published by

The following updates are available for Gentoo Linux:

[ GLSA 201412-38 ] Icecast: Multiple Vulnerabilities
[ GLSA 201412-39 ] OpenSSL: Multiple vulnerabilities
[ GLSA 201412-40 ] FLAC: User-assisted execution of arbitrary code
[ GLSA 201412-41 ] OpenVPN: Denial of Service
[ GLSA 201412-42 ] Xen: Denial of Service
[ GLSA 201412-43 ] MuPDF: User-assisted execution of arbitrary code
[ GLSA 201412-44 ] policycoreutils: Privilege escalation
[ GLSA 201412-45 ] Facter: Privilege escalation
[ GLSA 201412-46 ] LittleCMS: Denial of Service
[ GLSA 201412-47 ] TORQUE Resource Manager: Multiple vulnerabilities



[ GLSA 201412-38 ] Icecast: Multiple Vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-38
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Icecast: Multiple Vulnerabilities
Date: December 26, 2014
Bugs: #529956, #530784
ID: 201412-38

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two vulnerabilities have been found in Icecast, possibly resulting in
privilege escalation or disclosure of information.

Background
==========

Icecast is an open source alternative to SHOUTcast that supports MP3,
OGG (Vorbis/Theora) and AAC streaming.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/icecast < 2.4.1 >= 2.4.1

Description
===========

Two vulnerabilities have been discovered in Icecast:

* Icecast does not properly handle shared file descriptors
(CVE-2014-9018)
* Supplementary group privileges are not changed (CVE-2014-9091)

Impact
======

A local attacker can possibly gain escalated privileges or obtain
sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Icecast users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/icecast-2.4.1"

References
==========

[ 1 ] CVE-2014-9018
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9018
[ 2 ] CVE-2014-9091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9091

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-38.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-39 ] OpenSSL: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-39
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenSSL: Multiple vulnerabilities
Date: December 26, 2014
Bugs: #494816, #519264, #525468
ID: 201412-39

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenSSL, the worst of which
could result in Denial of Service or Man-in-the-Middle attacks.

Background
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/openssl < 1.0.1j *>= 0.9.8z_p2
>= 1.0.1j

Description
===========

Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to cause a Denial of Service condition,
perform Man-in-the-Middle attacks, obtain sensitive information, or
bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL 1.0.1 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1j"

All OpenSSL 0.9.8 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8z_p2"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.

References
==========

[ 1 ] CVE-2013-6449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6449
[ 2 ] CVE-2013-6450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6450
[ 3 ] CVE-2014-3505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3505
[ 4 ] CVE-2014-3506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3506
[ 5 ] CVE-2014-3507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3507
[ 6 ] CVE-2014-3509
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3509
[ 7 ] CVE-2014-3510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3510
[ 8 ] CVE-2014-3511
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3511
[ 9 ] CVE-2014-3512
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3512
[ 10 ] CVE-2014-3513
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3513
[ 11 ] CVE-2014-3567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3567
[ 12 ] CVE-2014-3568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3568
[ 13 ] CVE-2014-5139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5139

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-39.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-40 ] FLAC: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-40
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: FLAC: User-assisted execution of arbitrary code
Date: December 26, 2014
Bugs: #530288
ID: 201412-40

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability in FLAC could lead to execution of
arbitrary code or Denial of Service.

Background
==========

The Free Lossless Audio Codec (FLAC) library is the reference
implementation of the FLAC audio file format.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/flac < 1.3.1-r1 >= 1.3.1-r1

Description
===========

A stack-based buffer overflow flaw has been discovered in FLAC.

Impact
======

A remote attacker could entice a user to open a specially crafted .flac
file using an application linked against FLAC, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FLAC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/flac-1.3.1-r1"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.

References
==========

[ 1 ] CVE-2014-8962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8962

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-40.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-41 ] OpenVPN: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-41
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenVPN: Denial of Service
Date: December 26, 2014
Bugs: #531308
ID: 201412-41

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in OpenVPN could lead to Denial of Service.

Background
==========

OpenVPN is a multi-platform, full-featured SSL VPN solution.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/openvpn < 2.3.6 >= 2.3.6

Description
===========

OpenVPN does not properly handle control channel packets that are too
small.

Impact
======

A remote authenticated attacker could send a specially crafted control
channel packet, possibly resulting in a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenVPN users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/openvpn-2.3.6"

References
==========

[ 1 ] CVE-2014-8104
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8104

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-41.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-42 ] Xen: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-42
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Xen: Denial of Service
Date: December 26, 2014
Bugs: #523524, #524200
ID: 201412-42

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Xen, possibly resulting in
Denial of Service.

Background
==========

Xen is a bare-metal hypervisor.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/xen < 4.4.1-r2 *>= 4.2.5-r1
>= 4.4.1-r2

Description
===========

Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.

Impact
======

A local user could possibly cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xen 4.2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.2.5-r1"

All Xen 4.4 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.4.1-r2"

References
==========

[ 1 ] CVE-2014-7154
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7154
[ 2 ] CVE-2014-7155
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7155
[ 3 ] CVE-2014-7156
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7156
[ 4 ] CVE-2014-7188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7188

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-42.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-43 ] MuPDF: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-43
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MuPDF: User-assisted execution of arbitrary code
Date: December 26, 2014
Bugs: #358029, #498876
ID: 201412-43

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MuPDF, possibly resulting
in remote code execution or Denial of Service.

Background
==========

MuPDF is a lightweight PDF viewer and toolkit written in portable C.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/mupdf < 1.3_p20140118 >= 1.3_p20140118

Description
===========

Multiple vulnerabilities have been discovered in MuPDF. Please review
the CVE identifier and Secunia Research referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted PDF
using MuPDF, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MuPDF users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/mupdf-1.3_p20140118"

References
==========

[ 1 ] CVE-2014-2013
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2013
[ 2 ] Secunia Research: MuPDF Two Integer Overflow Vulnerabilities
http://secunia.com/secunia_research/2011-12/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-43.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-44 ] policycoreutils: Privilege escalation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-44
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: policycoreutils: Privilege escalation
Date: December 26, 2014
Bugs: #509896
ID: 201412-44

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in policycoreutils could lead to local privilege
escalation.

Background
==========

policycoreutils is a collection of SELinux policy utilities.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/policycoreutils
< 2.2.5-r4 >= 2.2.5-r4

Description
===========

The seunshare utility is owned by root with 4755 permissions which can
be exploited by a setuid system call.

Impact
======

A local attacker may be able to gain escalated privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All policycoreutils users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=sys-apps/policycoreutils-2.2.5-r4"

References
==========

[ 1 ] CVE-2014-3215
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3215

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-44.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-45 ] Facter: Privilege escalation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-45
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Facter: Privilege escalation
Date: December 26, 2014
Bugs: #514476
ID: 201412-45

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An untrusted search path vulnerability in Facter could lead to local
privilege escalation.

Background
==========

Facter is a cross-platform Ruby library for retrieving facts from
operating systems.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-ruby/facter < 1.7.6 >= 1.7.6

Description
===========

Facter includes the current working directory in the search path.

Impact
======

A local attacker may be able to gain escalated privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Facter users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/facter-1.7.6"

References
==========

[ 1 ] CVE-2014-3248
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3248

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-45.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-46 ] LittleCMS: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-46
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: LittleCMS: Denial of Service
Date: December 26, 2014
Bugs: #479874, #507788
ID: 201412-46

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple buffer overflow flaws and a parser error in LittleCMS could
cause Denial of Service.

Background
==========

LittleCMS, or short lcms, is a color management system for working with
ICC profiles. It is used by many applications including GIMP and
Firefox.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/lcms < 2.6-r1 >= 2.6-r1

Description
===========

Multiple stack-based buffer overflows and a profile parser error have
been found in LittleCMS.

Impact
======

A remote attacker could entice a user or automated system to open a
specially crafted file containing a malicious ICC profile, possibly
resulting in a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LittleCMS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/lcms-2.6-r1"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.

NOTE: Gentoo has discontinued support for the LittleCMS 1.9 branch.

References
==========

[ 1 ] CVE-2013-4276
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4276
[ 2 ] CVE-2014-0459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0459

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-46.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-47 ] TORQUE Resource Manager: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-47
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: TORQUE Resource Manager: Multiple vulnerabilities
Date: December 26, 2014
Bugs: #372959, #378805, #390167, #484320, #491270, #510726
ID: 201412-47

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in TORQUE Resource Manager,
possibly resulting in escalation of privileges or remote code
execution.

Background
==========

TORQUE is a resource manager and queuing system based on OpenPBS.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-cluster/torque < 4.1.7 *>= 2.5.13
>= 4.1.7

Description
===========

Multiple vulnerabilities have been discovered in TORQUE Resource
Manager. Please review the CVE identifiers referenced below for
details.

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, or bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All TORQUE Resource Manager 4.x users should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-cluster/torque-4.1.7"

All TORQUE Resource Manager 2.x users should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-cluster/torque-2.5.13"

NOTE: One or more of the issues described in this advisory have been
fixed in previous updates. They are included in this advisory for the
sake of completeness. It is likely that your system is already no
longer affected by them.

References
==========

[ 1 ] CVE-2011-2193
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2193
[ 2 ] CVE-2011-2907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2907
[ 3 ] CVE-2011-4925
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4925
[ 4 ] CVE-2013-4319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4319
[ 5 ] CVE-2013-4495
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4495
[ 6 ] CVE-2014-0749
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0749

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-47.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5