Gentoo 2514 Published by

The following security advisories has been published for Gentoo Linux:

[ GLSA 201412-12 ] D-Bus: Multiple Vulnerabilities
[ GLSA 201412-13 ] Chromium: Multiple vulnerabilities
[ GLSA 201412-14 ] Xfig: User-assisted execution of arbitrary code
[ GLSA 201412-15 ] MCollective: Privilege escalation
[ GLSA 201412-16 ] CouchDB: Denial of Service
[ GLSA 201412-17 ] GPL Ghostscript: Multiple vulnerabilities
[ GLSA 201412-18 ] FreeRDP: User-assisted execution of arbitrary code
[ GLSA 201412-19 ] PPP: Information disclosure
[ GLSA 201412-20 ] GNUstep Base library: Denial of Service
[ GLSA 201412-21 ] mod_wsgi: Privilege escalation
[ GLSA 201412-22 ] Django: Multiple vulnerabilities
[ GLSA 201412-23 ] Nagios: Multiple vulnerabilities
[ GLSA 201412-24 ] OpenJPEG: Multiple vulnerabilities
[ GLSA 201412-25 ] QtGui: Denial of Service
[ GLSA 201412-26 ] strongSwan: Multiple Vulnerabilities
[ GLSA 201412-27 ] Ruby: Denial of Service



[ GLSA 201412-12 ] D-Bus: Multiple Vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: D-Bus: Multiple Vulnerabilities
Date: December 13, 2014
Bugs: #512940, #516080, #522982, #528900
ID: 201412-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in D-Bus, possibly resulting
in local Denial of Service.

Background
==========

D-Bus is a message bus system, a simple way for applications to talk to
one another.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/dbus < 1.8.10 >= 1.8.10

Description
===========

Multiple vulnerabilities have been discovered in D-Bus. Please review
the CVE identifiers referenced below for details.

Impact
======

A local attacker could possibly cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All D-Bus users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.8.10"

References
==========

[ 1 ] CVE-2014-3477
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3477
[ 2 ] CVE-2014-3532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3532
[ 3 ] CVE-2014-3533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3533
[ 4 ] CVE-2014-3635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3635
[ 5 ] CVE-2014-3636
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3636
[ 6 ] CVE-2014-3637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3637
[ 7 ] CVE-2014-3638
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3638
[ 8 ] CVE-2014-3639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3639
[ 9 ] CVE-2014-7824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7824

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201412-13 ] Chromium: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: December 13, 2014
Bugs: #524764, #529858
ID: 201412-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Chromium, the worst of
which can allow remote attackers to execute arbitrary code.

Background
==========

Chromium is an open-source web browser project.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 39.0.2171.65 >= 39.0.2171.65

Description
===========

Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Chromium users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-39.0.2171.65"

References
==========

[ 1 ] CVE-2014-3188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3188
[ 2 ] CVE-2014-3189
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3189
[ 3 ] CVE-2014-3190
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3190
[ 4 ] CVE-2014-3191
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3191
[ 5 ] CVE-2014-3192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3192
[ 6 ] CVE-2014-3193
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3193
[ 7 ] CVE-2014-3194
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3194
[ 8 ] CVE-2014-3195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3195
[ 9 ] CVE-2014-3197
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3197
[ 10 ] CVE-2014-3198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3198
[ 11 ] CVE-2014-3199
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3199
[ 12 ] CVE-2014-3200
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3200
[ 13 ] CVE-2014-7899
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7899
[ 14 ] CVE-2014-7900
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7900
[ 15 ] CVE-2014-7901
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7901
[ 16 ] CVE-2014-7902
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7902
[ 17 ] CVE-2014-7903
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7903
[ 18 ] CVE-2014-7904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7904
[ 19 ] CVE-2014-7906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7906
[ 20 ] CVE-2014-7907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7907
[ 21 ] CVE-2014-7908
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7908
[ 22 ] CVE-2014-7909
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7909
[ 23 ] CVE-2014-7910
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7910

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-14 ] Xfig: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Xfig: User-assisted execution of arbitrary code
Date: December 13, 2014
Bugs: #297379
ID: 201412-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two vulnerabilities have been found in Xfig, possibly resulting in
execution of arbitrary code or Denial of Service.

Background
==========

Xfig is an interactive drawing tool.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-gfx/xfig < 3.2.5c >= 3.2.5c

Description
===========

A stack-based buffer overflow and a stack consumption vulnerability
have been found in Xfig.

Impact
======

A remote attacker could entice a user to open a specially-crafted file,
potentially resulting in arbitrary code execution or a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xfig users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/xfig-3.2.5c"

References
==========

[ 1 ] CVE-2009-4227
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4227
[ 2 ] CVE-2009-4228
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4228

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-15 ] MCollective: Privilege escalation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MCollective: Privilege escalation
Date: December 13, 2014
Bugs: #513292, #517286
ID: 201412-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two vulnerabilities have been found in MCollective, the worst of which
could lead to privilege escalation.

Background
==========

MCollective is a framework to build server orchestration or parallel
job execution systems.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/mcollective < 2.5.3 >= 2.5.3

Description
===========

Two vulnerabilities have been found in MCollective:

* An untrusted search path vulnerability exists in MCollective
(CVE-2014-3248)
* MCollective does not properly validate server certificates
(CVE-2014-3251)

Impact
======

A local attacker can execute arbitrary a Trojan horse shared library,
potentially resulting in arbitrary code execution and privilege
escalation. Furthermore, a local attacker may be able to establish
unauthorized MCollective connections.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MCollective users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/mcollective-2.5.3"

References
==========

[ 1 ] CVE-2014-3248
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3248
[ 2 ] CVE-2014-3251
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3251

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-16 ] CouchDB: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: CouchDB: Denial of Service
Date: December 13, 2014
Bugs: #506354
ID: 201412-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in CouchDB could result in Denial of Service.

Background
==========

Apache CouchDB is a distributed, fault-tolerant and schema-free
document-oriented database.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-db/couchdb < 1.5.1 >= 1.5.1

Description
===========

CouchDB does not properly sanitize the count parameter for Universally
Unique Identifiers (UUID) requests.

Impact
======

A remote attacker could send a specially crafted request to CouchDB,
possibly resulting in a Denial of Service condition.

Workaround
==========

The /_uuids handler can be disabled in local.ini with the following
configuration:

[httpd_global_handlers]
_uuids =

Resolution
==========

All CouchDB users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/couchdb-1.5.1"

References
==========

[ 1 ] CVE-2014-2668
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2668

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-17 ] GPL Ghostscript: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GPL Ghostscript: Multiple vulnerabilities
Date: December 13, 2014
Bugs: #264594, #300192, #332061, #437654
ID: 201412-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in GPL Ghostscript, the worst
of which may allow execution of arbitrary code.

Background
==========

Ghostscript is an interpreter for the PostScript language and for PDF.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/ghostscript-gpl
< 9.10-r2 >= 9.10-r2

Description
===========

Multiple vulnerabilities have been discovered in GPL Ghostscript.
Please review the CVE identifiers referenced below for details.

Impact
======

A context-dependent attacker could entice a user to open a specially
crafted PostScript file or PDF using GPL Ghostscript, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GPL Ghostscript users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=app-text/ghostscript-gpl-9.10-r2"

References
==========

[ 1 ] CVE-2009-0196
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0196
[ 2 ] CVE-2009-0792
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0792
[ 3 ] CVE-2009-3743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3743
[ 4 ] CVE-2009-4270
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4270
[ 5 ] CVE-2009-4897
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4897
[ 6 ] CVE-2010-1628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1628
[ 7 ] CVE-2010-2055
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2055
[ 8 ] CVE-2010-4054
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4054
[ 9 ] CVE-2012-4405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4405

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-18 ] FreeRDP: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: FreeRDP: User-assisted execution of arbitrary code
Date: December 13, 2014
Bugs: #511688
ID: 201412-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An integer overflow in FreeRDP couuld result in execution of arbitrary
code or Denial of Service.

Background
==========

FreeRDP is a free implementation of the remote desktop protocol.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/freerdp < 1.1.0_beta1_p20130710-r1>=
1.1.0_beta1_p20130710-r1

Description
===========

FreeRDP does not properly validate user-supplied input, which could
lead to an integer overflow in the xf_Pointer_New() function.

Impact
======

A remote attacker could execute arbitrary code with the privileges of
the process or cause Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FreeRDP users should upgrade to the latest version:

# emerge --sync
# emerge -a -1 -v ">=net-misc/freerdp-1.1.0_beta1_p20130710-r1"

References
==========

[ 1 ] CVE-2014-0250
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0250

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-19 ] PPP: Information disclosure

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PPP: Information disclosure
Date: December 13, 2014
Bugs: #519650
ID: 201412-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An integer overflow in PPP might allow local attackers to obtain
sensitive information.

Background
==========

PPP is a Unix implementation of the Point-to-Point Protocol.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-dialup/ppp < 2.4.7 >= 2.4.7

Description
===========

Integer overflow is discovered in the getword function in options.c in
PPP.

Impact
======

A local attacker could execute process with extremely long options
list, possibly obtaining sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PPP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dialup/ppp-2.4.7"

References
==========

[ 1 ] CVE-2014-3158
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3158

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-20 ] GNUstep Base library: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GNUstep Base library: Denial of Service
Date: December 13, 2014
Bugs: #508370
ID: 201412-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in GNUstep Base library could lead to Denial of
Service.

Background
==========

GNUstep Base library is a free software package implementing the API of
the OpenStep Foundation Kit (tm), including later additions.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 gnustep-base/gnustep-base
< 1.24.6-r1 >= 1.24.6-r1

Description
===========

GNUstep Base library does not properly handle the file descriptor for
logging, when run as a daemon.

Impact
======

A remote attacker could send a specially crafted request, possibly
resulting in a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNUstep Base library users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=gnustep-base/gnustep-base-1.24.6-r1"

References
==========

[ 1 ] CVE-2014-2980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2980

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-21 ] mod_wsgi: Privilege escalation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: mod_wsgi: Privilege escalation
Date: December 13, 2014
Bugs: #510938
ID: 201412-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two vulnerabilities have been found in mod_wsgi, the worst of which
could result in local privilege escalation.

Background
==========

mod_wsgi is an Apache2 module for running Python WSGI applications.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apache/mod_wsgi < 3.5 >= 3.5

Description
===========

Two vulnerabilities have been found in mod_wsgi:

* Error codes returned by setuid are not properly handled
(CVE-2014-0240)
* A memory leak exists via the "Content-Type" header (CVE-2014-0242)

Impact
======

A local attacker may be able to gain escalated privileges. Furthermore,
a remote attacker may be able to obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mod_wsgi users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apache/mod_wsgi-3.5"

References
==========

[ 1 ] CVE-2014-0240
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0240
[ 2 ] CVE-2014-0242
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0242

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-22 ] Django: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Django: Multiple vulnerabilities
Date: December 13, 2014
Bugs: #521324
ID: 201412-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Django, the worst of which
may lead to Denial of Service.

Background
==========

Django is a Python-based web framework.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-python/django < 1.6.7 >= 1.6.7
*>= 1.5.10
*>= 1.4.15

Description
===========

Multiple vulnerabilities have been discovered in Django. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to create a Denial of Service condition,
obtain sensitive information, or hijack web sessions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Django 1.6 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.6.7"

All Django 1.5 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.5.10"

All Django 1.4 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.4.15"

References
==========

[ 1 ] CVE-2014-0480
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0480
[ 2 ] CVE-2014-0481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0481
[ 3 ] CVE-2014-0482
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0482
[ 4 ] CVE-2014-0483
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0483

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-23 ] Nagios: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Nagios: Multiple vulnerabilities
Date: December 13, 2014
Bugs: #447802, #495132, #501200
ID: 201412-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Nagios, the worst of which
may allow remote code execution.

Background
==========

Nagios is an open source host, service and network monitoring program.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/nagios-core
< 3.5.1 >= 3.5.1

Description
===========

Multiple vulnerabilities have been discovered in Nagios. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to execute arbitrary code, cause a Denial
of Service condition, or obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Nagios users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-3.5.1"

References
==========

[ 1 ] CVE-2012-6096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6096
[ 2 ] CVE-2013-7108
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7108
[ 3 ] CVE-2013-7205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7205

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-23.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-24 ] OpenJPEG: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenJPEG: Multiple vulnerabilities
Date: December 13, 2014
Bugs: #484802, #493662
ID: 201412-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in OpenJPEG, the worst of
which may result in execution of arbitrary code.

Background
==========

OpenJPEG is an open-source JPEG 2000 library.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/openjpeg < 1.5.2 >= 1.5.2

Description
===========

Multiple vulnerabilities have been discovered in OpenJPEG. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted JPEG
file, possibly resulting in execution of arbitrary code or a Denial of
Service condition. Furthermore, a remote attacker may be able to obtain
sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenJPEG users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/openjpeg-1.5.2"

References
==========

[ 1 ] CVE-2013-1447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1447
[ 2 ] CVE-2013-4289
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4289
[ 3 ] CVE-2013-4290
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4290
[ 4 ] CVE-2013-6045
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6045
[ 5 ] CVE-2013-6052
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6052
[ 6 ] CVE-2013-6053
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6053
[ 7 ] CVE-2013-6054
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6054
[ 8 ] CVE-2013-6887
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6887

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-25 ] QtGui: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: QtGui: Denial of Service
Date: December 13, 2014
Bugs: #508984
ID: 201412-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A NULL pointer dereference in QtGui could lead to Denial of Service.

Background
==========

QtGui is the GUI module and platform plugins for the Qt5 framework.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-qt/qtgui < 4.8.5-r2 >= 4.8.5-r2

Description
===========

A NULL pointer dereference has been found in QtGui.

Impact
======

A remote attacker could send a specially crafted GIF image, possibly
resulting in a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QtGui users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtgui-4.8.5-r2"

References
==========

[ 1 ] CVE-2014-0190
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0190

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-25.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-26 ] strongSwan: Multiple Vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: strongSwan: Multiple Vulnerabilities
Date: December 13, 2014
Bugs: #507722, #509832
ID: 201412-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two vulnerabilities have been found in strongSwan, possibly resulting
in Denial of Service or a bypass in authentication restrictions.

Background
==========

strongSwan is an IPSec implementation for Linux.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/strongswan < 5.1.3 >= 5.1.3

Description
===========

A NULL pointer dereference and an error in the IKEv2 implementation
have been found in strongSwan.

Impact
======

A remote attacker could create a Denial of Service condition or bypass
security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All strongSwan users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/strongswan-5.1.3"

References
==========

[ 1 ] CVE-2014-2338
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2338
[ 2 ] CVE-2014-2891
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2891

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-26.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201412-27 ] Ruby: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Ruby: Denial of Service
Date: December 13, 2014
Bugs: #355439, #369141, #396301, #437366, #442580, #458776,
#492282, #527084, #529216
ID: 201412-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Ruby, allowing
context-dependent attackers to cause a Denial of Service condition.

Background
==========

Ruby is an object-oriented scripting language.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/ruby < 2.0.0_p598 *>= 1.9.3_p551
>= 2.0.0_p598

Description
===========

Multiple vulnerabilities have been discovered in Ruby. Please review
the CVE identifiers referenced below for details.

Impact
======

A context-dependent attacker could possibly execute arbitrary code with
the privileges of the process, cause a Denial of Service condition, or
bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ruby 1.9 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.9.3_p551"

All Ruby 2.0 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.0.0_p598"

References
==========

[ 1 ] CVE-2011-0188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0188
[ 2 ] CVE-2011-1004
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1004
[ 3 ] CVE-2011-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1005
[ 4 ] CVE-2011-4815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4815
[ 5 ] CVE-2012-4481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4481
[ 6 ] CVE-2012-5371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5371
[ 7 ] CVE-2013-0269
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0269
[ 8 ] CVE-2013-1821
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1821
[ 9 ] CVE-2013-4164
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4164
[ 10 ] CVE-2014-8080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8080
[ 11 ] CVE-2014-8090
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8090

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-27.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5