Aaron Bauman has announced 14 Gentoo Linux security updates:
GLSA 201908-06 : glibc: Multiple vulnerabilities
GLSA 201908-07 : KDE KConfig: User-assisted execution of arbitrary code
GLSA 201908-08 : CUPS: Multiple vulnerabilities
GLSA 201908-09 : SQLite: Multiple vulnerabilities
GLSA 201908-10 : Oracle JDK/JRE: Multiple vulnerabilities
GLSA 201908-11 : libarchive: Multiple vulnerabilities
GLSA 201908-12 : Mozilla Firefox: Multiple vulnerabilities
GLSA 201908-13 : LibreOffice: Multiple vulnerabilities
GLSA 201908-14 : polkit: Multiple vulnerabilities
GLSA 201908-15 : ZNC: Privilege escalation
GLSA 201908-16 : ProFTPD: Remote code execution
GLSA 201908-17 : ZeroMQ: Arbitrary code execution
GLSA 201908-18 : Chromium, Google Chrome: Multiple vulnerabilities
GLSA 201908-19 : GNU Wget: Arbitrary code execution
GLSA 201908-06 : glibc: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: glibc: Multiple vulnerabilities
Date: August 15, 2019
Bugs: #609386, #635012, #672228
ID: 201908-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in glibc, the worst of which
could result in a Denial of Service condition.
Background
==========
glibc is a package that contains the GNU C library.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-libs/glibc < 2.28-r4 >= 2.28-r4
Description
===========
Multiple vulnerabilities have been discovered in glibc. Please review
the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All glibc users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.28-r4"
References
==========
[ 1 ] CVE-2015-8985
https://nvd.nist.gov/vuln/detail/CVE-2015-8985
[ 2 ] CVE-2016-6263
https://nvd.nist.gov/vuln/detail/CVE-2016-6263
[ 3 ] CVE-2018-19591
https://nvd.nist.gov/vuln/detail/CVE-2018-19591
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-06
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
GLSA 201908-07 : KDE KConfig: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: KDE KConfig: User-assisted execution of arbitrary code
Date: August 15, 2019
Bugs: #691858
ID: 201908-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been found in KDE KConfig that could allow a remote
attacker to execute arbitrary code.
Background
==========
Provides an advanced configuration system.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 kde-frameworks/kconfig < 5.60.0-r1 >= 5.60.0-r1
Description
===========
A vulnerability was discovered in KDE KConfig's handling of .desktop
and .directory files.
Impact
======
An attacker could entice a user to execute a specially crafted .desktop
or .directory file possibly resulting in execution of arbitrary code
with the privileges of the process.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All KConfig users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=kde-frameworks/kconfig-5.60.0-r1"
References
==========
[ 1 ] CVE-2019-14744
https://nvd.nist.gov/vuln/detail/CVE-2019-14744
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-07
GLSA 201908-08 : CUPS: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: CUPS: Multiple vulnerabilities
Date: August 15, 2019
Bugs: #660954
ID: 201908-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in CUPS, the worst of which
could result in the arbitrary execution of code.
Background
==========
CUPS, the Common Unix Printing System, is a full-featured print server.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-print/cups < 2.2.8 >= 2.2.8
Description
===========
Multiple vulnerabilities have been discovered in CUPS. Please review
the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All CUPS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-2.2.8"
References
==========
[ 1 ] CVE-2017-15400
https://nvd.nist.gov/vuln/detail/CVE-2017-15400
[ 2 ] CVE-2018-4180
https://nvd.nist.gov/vuln/detail/CVE-2018-4180
[ 3 ] CVE-2018-4181
https://nvd.nist.gov/vuln/detail/CVE-2018-4181
[ 4 ] CVE-2018-4182
https://nvd.nist.gov/vuln/detail/CVE-2018-4182
[ 5 ] CVE-2018-4183
https://nvd.nist.gov/vuln/detail/CVE-2018-4183
[ 6 ] CVE-2018-6553
https://nvd.nist.gov/vuln/detail/CVE-2018-6553
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-08
GLSA 201908-09 : SQLite: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: SQLite: Multiple vulnerabilities
Date: August 15, 2019
Bugs: #684840, #685838
ID: 201908-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in SQLite, the worst of which
could result in the arbitrary execution of code.
Background
==========
SQLite is a C library that implements an SQL database engine.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-db/sqlite < 3.28.0 >= 3.28.0
Description
===========
Multiple vulnerabilities have been discovered in SQLite. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could, by executing arbitrary SQL statements against
a vulnerable host, execute arbitrary code.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All SQLite users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.28.0"
References
==========
[ 1 ] CVE-2019-5018
https://nvd.nist.gov/vuln/detail/CVE-2019-5018
[ 2 ] CVE-2019-9936
https://nvd.nist.gov/vuln/detail/CVE-2019-9936
[ 3 ] CVE-2019-9937
https://nvd.nist.gov/vuln/detail/CVE-2019-9937
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-09
GLSA 201908-10 : Oracle JDK/JRE: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Oracle JDK/JRE: Multiple vulnerabilities
Date: August 15, 2019
Bugs: #668948, #691336
ID: 201908-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Oracle’s JDK and JRE
software suites.
Background
==========
Java Platform, Standard Edition (Java SE) lets you develop and deploy
Java applications on desktops and servers, as well as in today’s
demanding embedded environments. Java offers the rich user interface,
performance, versatility, portability, and security that today’s
applications require.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/oracle-jdk-bin < 1.8.0.202:1.8 >= 1.8.0.202:1.8
2 dev-java/oracle-jre-bin < 1.8.0.202:1.8 >= 1.8.0.202:1.8
-------------------------------------------------------------------
2 affected packages
Description
===========
Multiple vulnerabilities have been discovered in Oracle’s JDK and JRE
software suites. Please review the CVE identifiers referenced below for
details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.8.0.202:1.8"
All Oracle JRE bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.8.0.202:1.8"
References
==========
[ 1 ] CVE-2018-13785
https://nvd.nist.gov/vuln/detail/CVE-2018-13785
[ 2 ] CVE-2018-3136
https://nvd.nist.gov/vuln/detail/CVE-2018-3136
[ 3 ] CVE-2018-3139
https://nvd.nist.gov/vuln/detail/CVE-2018-3139
[ 4 ] CVE-2018-3149
https://nvd.nist.gov/vuln/detail/CVE-2018-3149
[ 5 ] CVE-2018-3150
https://nvd.nist.gov/vuln/detail/CVE-2018-3150
[ 6 ] CVE-2018-3157
https://nvd.nist.gov/vuln/detail/CVE-2018-3157
[ 7 ] CVE-2018-3169
https://nvd.nist.gov/vuln/detail/CVE-2018-3169
[ 8 ] CVE-2018-3180
https://nvd.nist.gov/vuln/detail/CVE-2018-3180
[ 9 ] CVE-2018-3183
https://nvd.nist.gov/vuln/detail/CVE-2018-3183
[ 10 ] CVE-2018-3209
https://nvd.nist.gov/vuln/detail/CVE-2018-3209
[ 11 ] CVE-2018-3211
https://nvd.nist.gov/vuln/detail/CVE-2018-3211
[ 12 ] CVE-2018-3214
https://nvd.nist.gov/vuln/detail/CVE-2018-3214
[ 13 ] CVE-2019-2602
https://nvd.nist.gov/vuln/detail/CVE-2019-2602
[ 14 ] CVE-2019-2684
https://nvd.nist.gov/vuln/detail/CVE-2019-2684
[ 15 ] CVE-2019-2697
https://nvd.nist.gov/vuln/detail/CVE-2019-2697
[ 16 ] CVE-2019-2698
https://nvd.nist.gov/vuln/detail/CVE-2019-2698
[ 17 ] CVE-2019-2699
https://nvd.nist.gov/vuln/detail/CVE-2019-2699
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-10
GLSA 201908-11 : libarchive: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: libarchive: Multiple vulnerabilities
Date: August 15, 2019
Bugs: #631294, #636070
ID: 201908-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in libarchive, the worst of
which could result in the arbitrary execution of code.
Background
==========
libarchive is a library for manipulating different streaming archive
formats, including certain tar variants, several cpio formats, and both
BSD and GNU ar variants.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-arch/libarchive < 3.3.3 >= 3.3.3
Description
===========
Multiple vulnerabilities have been discovered in libarchive. Please
review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libarchive users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.3.3"
References
==========
[ 1 ] CVE-2017-14166
https://nvd.nist.gov/vuln/detail/CVE-2017-14166
[ 2 ] CVE-2017-14501
https://nvd.nist.gov/vuln/detail/CVE-2017-14501
[ 3 ] CVE-2017-14502
https://nvd.nist.gov/vuln/detail/CVE-2017-14502
[ 4 ] CVE-2017-14503
https://nvd.nist.gov/vuln/detail/CVE-2017-14503
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-11
GLSA 201908-12 : Mozilla Firefox: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Mozilla Firefox: Multiple vulnerabilities
Date: August 15, 2019
Bugs: #688332, #690626
ID: 201908-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Mozilla Firefox, the worst
of which could result in the arbitrary execution of code.
Background
==========
Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/firefox < 60.8.0 >= 60.8.0
2 www-client/firefox-bin < 60.8.0 >= 60.8.0
-------------------------------------------------------------------
2 affected packages
Description
===========
Multiple vulnerabilities have been discovered in Mozilla Firefox.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to view a specially crafted web
page, possibly resulting in the execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-60.8.0"
All Mozilla Firefox binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-60.8.0"
References
==========
[ 1 ] CVE-2019-11707
https://nvd.nist.gov/vuln/detail/CVE-2019-11707
[ 2 ] CVE-2019-11708
https://nvd.nist.gov/vuln/detail/CVE-2019-11708
[ 3 ] CVE-2019-11709
https://nvd.nist.gov/vuln/detail/CVE-2019-11709
[ 4 ] CVE-2019-11710
https://nvd.nist.gov/vuln/detail/CVE-2019-11710
[ 5 ] CVE-2019-11711
https://nvd.nist.gov/vuln/detail/CVE-2019-11711
[ 6 ] CVE-2019-11712
https://nvd.nist.gov/vuln/detail/CVE-2019-11712
[ 7 ] CVE-2019-11713
https://nvd.nist.gov/vuln/detail/CVE-2019-11713
[ 8 ] CVE-2019-11714
https://nvd.nist.gov/vuln/detail/CVE-2019-11714
[ 9 ] CVE-2019-11715
https://nvd.nist.gov/vuln/detail/CVE-2019-11715
[ 10 ] CVE-2019-11716
https://nvd.nist.gov/vuln/detail/CVE-2019-11716
[ 11 ] CVE-2019-11717
https://nvd.nist.gov/vuln/detail/CVE-2019-11717
[ 12 ] CVE-2019-11718
https://nvd.nist.gov/vuln/detail/CVE-2019-11718
[ 13 ] CVE-2019-11719
https://nvd.nist.gov/vuln/detail/CVE-2019-11719
[ 14 ] CVE-2019-11720
https://nvd.nist.gov/vuln/detail/CVE-2019-11720
[ 15 ] CVE-2019-11721
https://nvd.nist.gov/vuln/detail/CVE-2019-11721
[ 16 ] CVE-2019-11723
https://nvd.nist.gov/vuln/detail/CVE-2019-11723
[ 17 ] CVE-2019-11724
https://nvd.nist.gov/vuln/detail/CVE-2019-11724
[ 18 ] CVE-2019-11725
https://nvd.nist.gov/vuln/detail/CVE-2019-11725
[ 19 ] CVE-2019-11727
https://nvd.nist.gov/vuln/detail/CVE-2019-11727
[ 20 ] CVE-2019-11728
https://nvd.nist.gov/vuln/detail/CVE-2019-11728
[ 21 ] CVE-2019-11729
https://nvd.nist.gov/vuln/detail/CVE-2019-11729
[ 22 ] CVE-2019-11730
https://nvd.nist.gov/vuln/detail/CVE-2019-11730
[ 23 ] CVE-2019-9811
https://nvd.nist.gov/vuln/detail/CVE-2019-9811
[ 24 ] MFSA2019-18
https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/
[ 25 ] MFSA2019-19
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
[ 26 ] MFSA2019-21
https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/
[ 27 ] MFSA2019-22
https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-12
GLSA 201908-13 : LibreOffice: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: LibreOffice: Multiple vulnerabilities
Date: August 15, 2019
Bugs: #690354
ID: 201908-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in LibreOffice, the worst of
which could result in the arbitrary execution of code.
Background
==========
LibreOffice is a powerful office suite; its clean interface and
powerful tools let you unleash your creativity and grow your
productivity.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-office/libreoffice < 6.2.5.2 >= 6.2.5.2
2 app-office/libreoffice-bin < 6.2.5.2 >= 6.2.5.2
-------------------------------------------------------------------
2 affected packages
Description
===========
Multiple vulnerabilities have been discovered in LibreOffice. Please
review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All LibreOffice users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/libreoffice-6.2.5.2"
All LibreOffice binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=app-office/libreoffice-bin-6.2.5.2"
References
==========
[ 1 ] CVE-2019-9848
https://nvd.nist.gov/vuln/detail/CVE-2019-9848
[ 2 ] CVE-2019-9849
https://nvd.nist.gov/vuln/detail/CVE-2019-9849
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-13
GLSA 201908-14 : polkit: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: polkit: Multiple vulnerabilities
Date: August 15, 2019
Bugs: #661470, #672578
ID: 201908-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in polkit, the worst of which
could result in privilege escalation.
Background
==========
polkit is a toolkit for managing policies relating to unprivileged
processes communicating with privileged processes.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-auth/polkit < 0.115-r2 >= 0.115-r2
Description
===========
Multiple vulnerabilities have been discovered in polkit. Please review
the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All polkit users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/polkit-0.115-r2"
References
==========
[ 1 ] CVE-2018-1116
https://nvd.nist.gov/vuln/detail/CVE-2018-1116
[ 2 ] CVE-2018-19788
https://nvd.nist.gov/vuln/detail/CVE-2018-19788
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-14
GLSA 201908-15 : ZNC: Privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: ZNC: Privilege escalation
Date: August 15, 2019
Bugs: #688152
ID: 201908-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in ZNC allows users to escalate privileges.
Background
==========
ZNC is an advanced IRC bouncer.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-irc/znc < 1.7.4_rc1 >= 1.7.4_rc1
Description
===========
It was discovered that ZNC's "Modules.cpp" allows remote authenticated
non-admin users to escalate privileges.
Impact
======
A remote authenticated attacker could escalate privileges and
subsequently execute arbitrary code or conduct a Denial of Service
attack.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All ZNC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-irc/znc-1.7.4_rc1"
References
==========
[ 1 ] CVE-2019-12816
https://nvd.nist.gov/vuln/detail/CVE-2019-12816
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-15
GLSA 201908-16 : ProFTPD: Remote code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: ProFTPD: Remote code execution
Date: August 15, 2019
Bugs: #690528
ID: 201908-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in ProFTPD could result in the arbitrary execution of
code.
Background
==========
ProFTPD is an advanced and very configurable FTP server.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-ftp/proftpd < 1.3.6-r5 >= 1.3.6-r5
Description
===========
It was discovered that ProFTPD's "mod_copy" module does not properly
restrict privileges for anonymous users.
Impact
======
A remote attacker, by anonymously uploading a malicious file, could
possibly execute arbitrary code with the privileges of the process,
cause a Denial of Service condition or disclose information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All ProFTPD users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.6-r5"
References
==========
[ 1 ] CVE-2019-12815
https://nvd.nist.gov/vuln/detail/CVE-2019-12815
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-16
GLSA 201908-17 : ZeroMQ: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: ZeroMQ: Arbitrary code execution
Date: August 15, 2019
Bugs: #689426
ID: 201908-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in ZeroMQ might allow an attacker to execute arbitrary
code.
Background
==========
ZeroMQ looks like an embeddable networking library but acts like a
concurrency framework.
Affected packages
=================
-------------------------------------------------------------------
     Package          /     Vulnerable     /          Unaffected
-------------------------------------------------------------------
  1  net-libs/zeromq        < 4.3.2                  >= 4.3.2
Description
===========
A buffer overflow was discovered in ZeroMQ.
Impact
======
An attacker could possibly execute arbitrary code with the privileges
of the process or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All ZeroMQ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/zeromq-4.3.2"
References
==========
[ 1 ] CVE-2019-13132
https://nvd.nist.gov/vuln/detail/CVE-2019-13132
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-17
GLSA 201908-18 : Chromium, Google Chrome: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Chromium, Google Chrome: Multiple vulnerabilities
Date: August 15, 2019
Bugs: #684238, #684272, #687732, #688072, #689944, #691098, #691682
ID: 201908-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Chromium and Google Chrome,
the worst of which could allow remote attackers to execute arbitrary
code.
Background
==========
Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
Google Chrome is one fast, simple, and secure browser for all your
devices.
Affected packages
=================
-------------------------------------------------------------------
     Package                  /   Vulnerable    /     Unaffected
-------------------------------------------------------------------
  1  www-client/chromium        < 76.0.3809.100    >= 76.0.3809.100
  2  www-client/google-chrome   < 76.0.3809.100    >= 76.0.3809.100
-------------------------------------------------------------------
2 affected packages
Description
===========
Multiple vulnerabilities have been discovered in Chromium and Google
Chrome. Please review the referenced CVE identifiers and Google Chrome
Releases for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-76.0.3809.100"
All Google Chrome users should upgrade to the latest version:
# emerge --sync
# emerge -a --oneshot -v ">=www-client/google-chrome-76.0.3809.100"
References
==========
[ 1 ] CVE-2019-5805
https://nvd.nist.gov/vuln/detail/CVE-2019-5805
[ 2 ] CVE-2019-5806
https://nvd.nist.gov/vuln/detail/CVE-2019-5806
[ 3 ] CVE-2019-5807
https://nvd.nist.gov/vuln/detail/CVE-2019-5807
[ 4 ] CVE-2019-5808
https://nvd.nist.gov/vuln/detail/CVE-2019-5808
[ 5 ] CVE-2019-5809
https://nvd.nist.gov/vuln/detail/CVE-2019-5809
[ 6 ] CVE-2019-5810
https://nvd.nist.gov/vuln/detail/CVE-2019-5810
[ 7 ] CVE-2019-5811
https://nvd.nist.gov/vuln/detail/CVE-2019-5811
[ 8 ] CVE-2019-5812
https://nvd.nist.gov/vuln/detail/CVE-2019-5812
[ 9 ] CVE-2019-5813
https://nvd.nist.gov/vuln/detail/CVE-2019-5813
[ 10 ] CVE-2019-5814
https://nvd.nist.gov/vuln/detail/CVE-2019-5814
[ 11 ] CVE-2019-5815
https://nvd.nist.gov/vuln/detail/CVE-2019-5815
[ 12 ] CVE-2019-5816
https://nvd.nist.gov/vuln/detail/CVE-2019-5816
[ 13 ] CVE-2019-5817
https://nvd.nist.gov/vuln/detail/CVE-2019-5817
[ 14 ] CVE-2019-5818
https://nvd.nist.gov/vuln/detail/CVE-2019-5818
[ 15 ] CVE-2019-5819
https://nvd.nist.gov/vuln/detail/CVE-2019-5819
[ 16 ] CVE-2019-5820
https://nvd.nist.gov/vuln/detail/CVE-2019-5820
[ 17 ] CVE-2019-5821
https://nvd.nist.gov/vuln/detail/CVE-2019-5821
[ 18 ] CVE-2019-5822
https://nvd.nist.gov/vuln/detail/CVE-2019-5822
[ 19 ] CVE-2019-5823
https://nvd.nist.gov/vuln/detail/CVE-2019-5823
[ 20 ] CVE-2019-5828
https://nvd.nist.gov/vuln/detail/CVE-2019-5828
[ 21 ] CVE-2019-5829
https://nvd.nist.gov/vuln/detail/CVE-2019-5829
[ 22 ] CVE-2019-5830
https://nvd.nist.gov/vuln/detail/CVE-2019-5830
[ 23 ] CVE-2019-5831
https://nvd.nist.gov/vuln/detail/CVE-2019-5831
[ 24 ] CVE-2019-5832
https://nvd.nist.gov/vuln/detail/CVE-2019-5832
[ 25 ] CVE-2019-5833
https://nvd.nist.gov/vuln/detail/CVE-2019-5833
[ 26 ] CVE-2019-5834
https://nvd.nist.gov/vuln/detail/CVE-2019-5834
[ 27 ] CVE-2019-5835
https://nvd.nist.gov/vuln/detail/CVE-2019-5835
[ 28 ] CVE-2019-5836
https://nvd.nist.gov/vuln/detail/CVE-2019-5836
[ 29 ] CVE-2019-5837
https://nvd.nist.gov/vuln/detail/CVE-2019-5837
[ 30 ] CVE-2019-5838
https://nvd.nist.gov/vuln/detail/CVE-2019-5838
[ 31 ] CVE-2019-5839
https://nvd.nist.gov/vuln/detail/CVE-2019-5839
[ 32 ] CVE-2019-5840
https://nvd.nist.gov/vuln/detail/CVE-2019-5840
[ 33 ] CVE-2019-5842
https://nvd.nist.gov/vuln/detail/CVE-2019-5842
[ 34 ] CVE-2019-5847
https://nvd.nist.gov/vuln/detail/CVE-2019-5847
[ 35 ] CVE-2019-5848
https://nvd.nist.gov/vuln/detail/CVE-2019-5848
[ 36 ] CVE-2019-5850
https://nvd.nist.gov/vuln/detail/CVE-2019-5850
[ 37 ] CVE-2019-5851
https://nvd.nist.gov/vuln/detail/CVE-2019-5851
[ 38 ] CVE-2019-5852
https://nvd.nist.gov/vuln/detail/CVE-2019-5852
[ 39 ] CVE-2019-5853
https://nvd.nist.gov/vuln/detail/CVE-2019-5853
[ 40 ] CVE-2019-5854
https://nvd.nist.gov/vuln/detail/CVE-2019-5854
[ 41 ] CVE-2019-5855
https://nvd.nist.gov/vuln/detail/CVE-2019-5855
[ 42 ] CVE-2019-5856
https://nvd.nist.gov/vuln/detail/CVE-2019-5856
[ 43 ] CVE-2019-5857
https://nvd.nist.gov/vuln/detail/CVE-2019-5857
[ 44 ] CVE-2019-5858
https://nvd.nist.gov/vuln/detail/CVE-2019-5858
[ 45 ] CVE-2019-5859
https://nvd.nist.gov/vuln/detail/CVE-2019-5859
[ 46 ] CVE-2019-5860
https://nvd.nist.gov/vuln/detail/CVE-2019-5860
[ 47 ] CVE-2019-5861
https://nvd.nist.gov/vuln/detail/CVE-2019-5861
[ 48 ] CVE-2019-5862
https://nvd.nist.gov/vuln/detail/CVE-2019-5862
[ 49 ] CVE-2019-5863
https://nvd.nist.gov/vuln/detail/CVE-2019-5863
[ 50 ] CVE-2019-5864
https://nvd.nist.gov/vuln/detail/CVE-2019-5864
[ 51 ] CVE-2019-5865
https://nvd.nist.gov/vuln/detail/CVE-2019-5865
[ 52 ] CVE-2019-5867
https://nvd.nist.gov/vuln/detail/CVE-2019-5867
[ 53 ] CVE-2019-5868
https://nvd.nist.gov/vuln/detail/CVE-2019-5868
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-18
GLSA 201908-19 : GNU Wget: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: GNU Wget: Arbitrary code execution
Date: August 15, 2019
Bugs: #682994
ID: 201908-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in GNU Wget might allow an attacker to execute
arbitrary code.
Background
==========
GNU Wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols.
Affected packages
=================
-------------------------------------------------------------------
     Package          /     Vulnerable     /          Unaffected
-------------------------------------------------------------------
  1  net-misc/wget          < 1.20.3                 >= 1.20.3
Description
===========
A buffer overflow was discovered in GNU's Wget.
Impact
======
An attacker could possibly execute arbitrary code with the privileges
of the process or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All GNU Wget users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/wget-1.20.3"
References
==========
[ 1 ] CVE-2019-5953
https://nvd.nist.gov/vuln/detail/CVE-2019-5953
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-19
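The unaffected versions from the four advisories above, applied to a package inventory. This is an added example, not part of the Gentoo advisories. It assumes versions made of dotted numeric components with an optional -rN revision, which covers these thresholds but is not Portage's full version algorithm; the host names and installed versions are constructed.

```python
import re

# "Unaffected" thresholds copied from the Affected packages tables above.
FIXED = {
    "net-ftp/proftpd": "1.3.6-r5",
    "net-libs/zeromq": "4.3.2",
    "www-client/chromium": "76.0.3809.100",
    "www-client/google-chrome": "76.0.3809.100",
    "net-misc/wget": "1.20.3",
}
_VERSION = re.compile(r"^((?:0|[1-9]\d*)(?:\.(?:0|[1-9]\d*))*)(?:-r(\d+))?$")

def parse_version(text):
    """Return ((components...), revision); raise ValueError on other syntax."""
    match = _VERSION.match(text)
    if match is None:
        raise ValueError(f"unsupported version syntax: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts, int(match.group(2) or 0)

def is_vulnerable(package, installed):
    """True when installed sorts below the advisory's unaffected version."""
    return parse_version(installed) < parse_version(FIXED[package])

def audit(inventory):
    """Return (host, package, version, action) for every row needing attention."""
    findings = []
    for host, package, version in inventory:
        if package not in FIXED:
            continue
        try:
            if is_vulnerable(package, version):
                findings.append((host, package, version, ">=" + FIXED[package]))
        except ValueError:
            # Fail closed: a version we cannot compare is reported, not skipped.
            findings.append((host, package, version, "check manually"))
    return findings

# Constructed inventory rows (hypothetical hosts and installed versions).
SAMPLE_INVENTORY = [
    ("ftp01", "net-ftp/proftpd", "1.3.6-r4"),
    ("ftp02", "net-ftp/proftpd", "1.3.6-r5"),
    ("mq01", "net-libs/zeromq", "4.3.1-r1"),
    ("ws01", "www-client/chromium", "76.0.3809.87"),
    ("dl01", "net-misc/wget", "1.20.3_p1"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding)
```

The Chromium row 76.0.3809.87 is flagged because components compare as integers; a string comparison would rank 87 above 100. On a Gentoo host itself, glsa-check from app-portage/gentoolkit performs the authoritative check against the installed package database.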