The following security advisories have been published for Gentoo Linux:
[ GLSA 201412-12 ] D-Bus: Multiple Vulnerabilities
[ GLSA 201412-13 ] Chromium: Multiple vulnerabilities
[ GLSA 201412-14 ] Xfig: User-assisted execution of arbitrary code
[ GLSA 201412-15 ] MCollective: Privilege escalation
[ GLSA 201412-16 ] CouchDB: Denial of Service
[ GLSA 201412-17 ] GPL Ghostscript: Multiple vulnerabilities
[ GLSA 201412-18 ] FreeRDP: User-assisted execution of arbitrary code
[ GLSA 201412-19 ] PPP: Information disclosure
[ GLSA 201412-20 ] GNUstep Base library: Denial of Service
[ GLSA 201412-21 ] mod_wsgi: Privilege escalation
[ GLSA 201412-22 ] Django: Multiple vulnerabilities
[ GLSA 201412-23 ] Nagios: Multiple vulnerabilities
[ GLSA 201412-24 ] OpenJPEG: Multiple vulnerabilities
[ GLSA 201412-25 ] QtGui: Denial of Service
[ GLSA 201412-26 ] strongSwan: Multiple Vulnerabilities
[ GLSA 201412-27 ] Ruby: Denial of Service
[ GLSA 201412-12 ] D-Bus: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: D-Bus: Multiple Vulnerabilities
Date: December 13, 2014
Bugs: #512940, #516080, #522982, #528900
ID: 201412-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in D-Bus, possibly resulting
in local Denial of Service.
Background
==========
D-Bus is a message bus system, a simple way for applications to talk to
one another.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/dbus < 1.8.10 >= 1.8.10
Description
===========
Multiple vulnerabilities have been discovered in D-Bus. Please review
the CVE identifiers referenced below for details.
Impact
======
A local attacker could possibly cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All D-Bus users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.8.10"
References
==========
[ 1 ] CVE-2014-3477
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3477
[ 2 ] CVE-2014-3532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3532
[ 3 ] CVE-2014-3533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3533
[ 4 ] CVE-2014-3635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3635
[ 5 ] CVE-2014-3636
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3636
[ 6 ] CVE-2014-3637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3637
[ 7 ] CVE-2014-3638
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3638
[ 8 ] CVE-2014-3639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3639
[ 9 ] CVE-2014-7824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7824
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-12.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 201412-13 ] Chromium: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: December 13, 2014
Bugs: #524764, #529858
ID: 201412-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Chromium, the worst of
which can allow remote attackers to execute arbitrary code.
Background
==========
Chromium is an open-source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 39.0.2171.65 >= 39.0.2171.65
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-39.0.2171.65"
References
==========
[ 1 ] CVE-2014-3188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3188
[ 2 ] CVE-2014-3189
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3189
[ 3 ] CVE-2014-3190
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3190
[ 4 ] CVE-2014-3191
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3191
[ 5 ] CVE-2014-3192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3192
[ 6 ] CVE-2014-3193
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3193
[ 7 ] CVE-2014-3194
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3194
[ 8 ] CVE-2014-3195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3195
[ 9 ] CVE-2014-3197
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3197
[ 10 ] CVE-2014-3198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3198
[ 11 ] CVE-2014-3199
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3199
[ 12 ] CVE-2014-3200
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3200
[ 13 ] CVE-2014-7899
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7899
[ 14 ] CVE-2014-7900
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7900
[ 15 ] CVE-2014-7901
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7901
[ 16 ] CVE-2014-7902
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7902
[ 17 ] CVE-2014-7903
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7903
[ 18 ] CVE-2014-7904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7904
[ 19 ] CVE-2014-7906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7906
[ 20 ] CVE-2014-7907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7907
[ 21 ] CVE-2014-7908
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7908
[ 22 ] CVE-2014-7909
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7909
[ 23 ] CVE-2014-7910
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7910
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-13.xml
[ GLSA 201412-14 ] Xfig: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Xfig: User-assisted execution of arbitrary code
Date: December 13, 2014
Bugs: #297379
ID: 201412-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Two vulnerabilities have been found in Xfig, possibly resulting in
execution of arbitrary code or Denial of Service.
Background
==========
Xfig is an interactive drawing tool.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-gfx/xfig < 3.2.5c >= 3.2.5c
Description
===========
A stack-based buffer overflow and a stack consumption vulnerability
have been found in Xfig.
Impact
======
A remote attacker could entice a user to open a specially-crafted file,
potentially resulting in arbitrary code execution or a Denial of
Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Xfig users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/xfig-3.2.5c"
References
==========
[ 1 ] CVE-2009-4227
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4227
[ 2 ] CVE-2009-4228
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4228
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-14.xml
[ GLSA 201412-15 ] MCollective: Privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: MCollective: Privilege escalation
Date: December 13, 2014
Bugs: #513292, #517286
ID: 201412-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Two vulnerabilities have been found in MCollective, the worst of which
could lead to privilege escalation.
Background
==========
MCollective is a framework to build server orchestration or parallel
job execution systems.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/mcollective < 2.5.3 >= 2.5.3
Description
===========
Two vulnerabilities have been found in MCollective:
* An untrusted search path vulnerability exists in MCollective
(CVE-2014-3248)
* MCollective does not properly validate server certificates
(CVE-2014-3251)
Impact
======
A local attacker could cause a Trojan horse shared library to be loaded,
potentially resulting in arbitrary code execution and privilege
escalation. Furthermore, a local attacker may be able to establish
unauthorized MCollective connections.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MCollective users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/mcollective-2.5.3"
References
==========
[ 1 ] CVE-2014-3248
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3248
[ 2 ] CVE-2014-3251
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3251
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-15.xml
[ GLSA 201412-16 ] CouchDB: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: CouchDB: Denial of Service
Date: December 13, 2014
Bugs: #506354
ID: 201412-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in CouchDB could result in Denial of Service.
Background
==========
Apache CouchDB is a distributed, fault-tolerant and schema-free
document-oriented database.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-db/couchdb < 1.5.1 >= 1.5.1
Description
===========
CouchDB does not properly sanitize the count parameter for Universally
Unique Identifiers (UUID) requests.
Impact
======
A remote attacker could send a specially crafted request to CouchDB,
possibly resulting in a Denial of Service condition.
Workaround
==========
The /_uuids handler can be disabled in local.ini with the following
configuration:
[httpd_global_handlers]
_uuids =
Resolution
==========
All CouchDB users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/couchdb-1.5.1"
References
==========
[ 1 ] CVE-2014-2668
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2668
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-16.xml
[ GLSA 201412-17 ] GPL Ghostscript: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: GPL Ghostscript: Multiple vulnerabilities
Date: December 13, 2014
Bugs: #264594, #300192, #332061, #437654
ID: 201412-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in GPL Ghostscript, the worst
of which may allow execution of arbitrary code.
Background
==========
Ghostscript is an interpreter for the PostScript language and for PDF.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/ghostscript-gpl < 9.10-r2 >= 9.10-r2
Description
===========
Multiple vulnerabilities have been discovered in GPL Ghostscript.
Please review the CVE identifiers referenced below for details.
Impact
======
A context-dependent attacker could entice a user to open a specially
crafted PostScript file or PDF using GPL Ghostscript, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All GPL Ghostscript users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=app-text/ghostscript-gpl-9.10-r2"
References
==========
[ 1 ] CVE-2009-0196
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0196
[ 2 ] CVE-2009-0792
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0792
[ 3 ] CVE-2009-3743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3743
[ 4 ] CVE-2009-4270
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4270
[ 5 ] CVE-2009-4897
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4897
[ 6 ] CVE-2010-1628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1628
[ 7 ] CVE-2010-2055
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2055
[ 8 ] CVE-2010-4054
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4054
[ 9 ] CVE-2012-4405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4405
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-17.xml
[ GLSA 201412-18 ] FreeRDP: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: FreeRDP: User-assisted execution of arbitrary code
Date: December 13, 2014
Bugs: #511688
ID: 201412-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
An integer overflow in FreeRDP could result in execution of arbitrary
code or Denial of Service.
Background
==========
FreeRDP is a free implementation of the remote desktop protocol.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/freerdp < 1.1.0_beta1_p20130710-r1 >= 1.1.0_beta1_p20130710-r1
Description
===========
FreeRDP does not properly validate user-supplied input, which could
lead to an integer overflow in the xf_Pointer_New() function.
Impact
======
A remote attacker could execute arbitrary code with the privileges of
the process or cause Denial of Service.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All FreeRDP users should upgrade to the latest version:
# emerge --sync
# emerge -a -1 -v ">=net-misc/freerdp-1.1.0_beta1_p20130710-r1"
References
==========
[ 1 ] CVE-2014-0250
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0250
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-18.xml
[ GLSA 201412-19 ] PPP: Information disclosure
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: PPP: Information disclosure
Date: December 13, 2014
Bugs: #519650
ID: 201412-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
An integer overflow in PPP might allow local attackers to obtain
sensitive information.
Background
==========
PPP is a Unix implementation of the Point-to-Point Protocol.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-dialup/ppp < 2.4.7 >= 2.4.7
Description
===========
An integer overflow was discovered in the getword function in options.c
in PPP.
Impact
======
A local attacker could run the process with an extremely long options
list, possibly obtaining sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PPP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dialup/ppp-2.4.7"
References
==========
[ 1 ] CVE-2014-3158
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3158
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-19.xml
[ GLSA 201412-20 ] GNUstep Base library: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: GNUstep Base library: Denial of Service
Date: December 13, 2014
Bugs: #508370
ID: 201412-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in GNUstep Base library could lead to Denial of
Service.
Background
==========
GNUstep Base library is a free software package implementing the API of
the OpenStep Foundation Kit (tm), including later additions.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 gnustep-base/gnustep-base < 1.24.6-r1 >= 1.24.6-r1
Description
===========
GNUstep Base library does not properly handle the file descriptor for
logging, when run as a daemon.
Impact
======
A remote attacker could send a specially crafted request, possibly
resulting in a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All GNUstep Base library users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=gnustep-base/gnustep-base-1.24.6-r1"
References
==========
[ 1 ] CVE-2014-2980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2980
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-20.xml
[ GLSA 201412-21 ] mod_wsgi: Privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: mod_wsgi: Privilege escalation
Date: December 13, 2014
Bugs: #510938
ID: 201412-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Two vulnerabilities have been found in mod_wsgi, the worst of which
could result in local privilege escalation.
Background
==========
mod_wsgi is an Apache2 module for running Python WSGI applications.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apache/mod_wsgi < 3.5 >= 3.5
Description
===========
Two vulnerabilities have been found in mod_wsgi:
* Error codes returned by setuid are not properly handled
(CVE-2014-0240)
* A memory leak exists via the "Content-Type" header (CVE-2014-0242)
Impact
======
A local attacker may be able to gain escalated privileges. Furthermore,
a remote attacker may be able to obtain sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All mod_wsgi users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apache/mod_wsgi-3.5"
References
==========
[ 1 ] CVE-2014-0240
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0240
[ 2 ] CVE-2014-0242
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0242
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-21.xml
[ GLSA 201412-22 ] Django: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Django: Multiple vulnerabilities
Date: December 13, 2014
Bugs: #521324
ID: 201412-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Django, the worst of which
may lead to Denial of Service.
Background
==========
Django is a Python-based web framework.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-python/django < 1.6.7 >= 1.6.7
*>= 1.5.10
*>= 1.4.15
Description
===========
Multiple vulnerabilities have been discovered in Django. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to create a Denial of Service condition,
obtain sensitive information, or hijack web sessions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Django 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.6.7"
All Django 1.5 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.5.10"
All Django 1.4 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.4.15"
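The affected-package tables in these advisories only make sense under Gentoo's own version ordering (1.8.9 sorts below 1.8.10, 1.1.0_beta1 below 1.1.0, 9.10 below 9.10-r2), which a plain string comparison gets wrong. The following is an added example, not Gentoo's glsa-check: a Python check that implements the PMS version ordering and evaluates an installed version against the ranges transcribed from the D-Bus, Xfig, GPL Ghostscript, FreeRDP and Django advisories above. The function names, the sample inventory, and the reading of Django's "*>=" rows as per-branch fixes (mirroring the per-branch Resolution steps) are assumptions.

```python
import re

# Suffix ordering defined by the Gentoo Package Manager Specification (PMS):
# _alpha < _beta < _pre < _rc < (plain release) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)


def parse_version(version):
    """Split a Gentoo version into (numeric parts, letter, suffixes, revision)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {version!r}")
    suffixes = [
        (_SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))
    ]
    return (m.group("nums").split("."), m.group("letter") or "",
            suffixes, int(m.group("rev") or 0))


def _cmp(x, y):
    return (x > y) - (x < y)


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    for i in range(max(len(na), len(nb))):
        if i >= len(na) or i >= len(nb):
            return _cmp(len(na), len(nb))  # common parts equal: longer is newer
        x, y = na[i], nb[i]
        if i > 0 and (x.startswith("0") or y.startswith("0")):
            # PMS rule: a component with a leading zero is compared as a
            # string after trailing zeros are dropped (so 1.01 < 1.1)
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))  # integer compare: 1.8.9 < 1.8.10
        if c:
            return c
    if la != lb:
        return _cmp(la, lb)  # 3.2.5b < 3.2.5c; a missing letter sorts first
    release = (_SUFFIX_RANK[""], 0)
    for i in range(max(len(sa), len(sb))):
        c = _cmp(sa[i] if i < len(sa) else release,
                 sb[i] if i < len(sb) else release)
        if c:
            return c  # 1.1.0_beta1 < 1.1.0 < 1.1.0_p1
    return _cmp(ra, rb)  # 9.10 < 9.10-r2


# Affected-package tables transcribed from the advisories above:
# package -> (fixed version, [(branch prefix, fixed version in that branch)]).
# The "*>=" rows of the Django table are modelled as branch-specific fixes
# (an assumption that mirrors the per-branch Resolution steps).
GLSA_TABLES = {
    "sys-apps/dbus": ("1.8.10", []),
    "media-gfx/xfig": ("3.2.5c", []),
    "app-text/ghostscript-gpl": ("9.10-r2", []),
    "net-misc/freerdp": ("1.1.0_beta1_p20130710-r1", []),
    "dev-python/django": ("1.6.7", [("1.5", "1.5.10"), ("1.4", "1.4.15")]),
}


def _in_branch(version, prefix):
    nums = parse_version(version)[0]
    parts = prefix.split(".")
    return nums[:len(parts)] == parts


def is_vulnerable(package, installed):
    """True if the installed version falls inside the advisory's vulnerable range."""
    main_fix, branches = GLSA_TABLES[package]
    for prefix, fix in branches:
        if _in_branch(installed, prefix):
            return compare_versions(installed, fix) < 0
    return compare_versions(installed, main_fix) < 0


if __name__ == "__main__":
    # Constructed sample inventory of installed package versions
    for package, installed in [("sys-apps/dbus", "1.8.9"),
                               ("net-misc/freerdp", "1.1.0"),
                               ("dev-python/django", "1.5.9")]:
        state = "VULNERABLE" if is_vulnerable(package, installed) else "ok"
        print(f"{package}-{installed}: {state}")
```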
References
==========
[ 1 ] CVE-2014-0480
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0480
[ 2 ] CVE-2014-0481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0481
[ 3 ] CVE-2014-0482
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0482
[ 4 ] CVE-2014-0483
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0483
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-22.xml
[ GLSA 201412-23 ] Nagios: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Nagios: Multiple vulnerabilities
Date: December 13, 2014
Bugs: #447802, #495132, #501200
ID: 201412-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Nagios, the worst of which
may allow remote code execution.
Background
==========
Nagios is an open source host, service and network monitoring program.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/nagios-core < 3.5.1 >= 3.5.1
Description
===========
Multiple vulnerabilities have been discovered in Nagios. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to execute arbitrary code, cause a Denial
of Service condition, or obtain sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Nagios users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-3.5.1"
References
==========
[ 1 ] CVE-2012-6096
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6096
[ 2 ] CVE-2013-7108
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7108
[ 3 ] CVE-2013-7205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7205
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-23.xml
[ GLSA 201412-24 ] OpenJPEG: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: OpenJPEG: Multiple vulnerabilities
Date: December 13, 2014
Bugs: #484802, #493662
ID: 201412-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in OpenJPEG, the worst of
which may result in execution of arbitrary code.
Background
==========
OpenJPEG is an open-source JPEG 2000 library.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/openjpeg < 1.5.2 >= 1.5.2
Description
===========
Multiple vulnerabilities have been discovered in OpenJPEG. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted JPEG
file, possibly resulting in execution of arbitrary code or a Denial of
Service condition. Furthermore, a remote attacker may be able to obtain
sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All OpenJPEG users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/openjpeg-1.5.2"
References
==========
[ 1 ] CVE-2013-1447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1447
[ 2 ] CVE-2013-4289
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4289
[ 3 ] CVE-2013-4290
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4290
[ 4 ] CVE-2013-6045
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6045
[ 5 ] CVE-2013-6052
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6052
[ 6 ] CVE-2013-6053
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6053
[ 7 ] CVE-2013-6054
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6054
[ 8 ] CVE-2013-6887
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6887
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-24.xml
[ GLSA 201412-25 ] QtGui: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: QtGui: Denial of Service
Date: December 13, 2014
Bugs: #508984
ID: 201412-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A NULL pointer dereference in QtGui could lead to Denial of Service.
Background
==========
QtGui is the GUI module and platform plugins for the Qt5 framework.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-qt/qtgui < 4.8.5-r2 >= 4.8.5-r2
Description
===========
A NULL pointer dereference has been found in QtGui.
Impact
======
A remote attacker could send a specially crafted GIF image, possibly
resulting in a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All QtGui users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtgui-4.8.5-r2"
References
==========
[ 1 ] CVE-2014-0190
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0190
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-25.xml
[ GLSA 201412-26 ] strongSwan: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: strongSwan: Multiple Vulnerabilities
Date: December 13, 2014
Bugs: #507722, #509832
ID: 201412-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Two vulnerabilities have been found in strongSwan, possibly resulting
in Denial of Service or a bypass of authentication restrictions.
Background
==========
strongSwan is an IPsec implementation for Linux.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/strongswan < 5.1.3 >= 5.1.3
Description
===========
A NULL pointer dereference and an error in the IKEv2 implementation
have been found in strongSwan.
Impact
======
A remote attacker could create a Denial of Service condition or bypass
security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All strongSwan users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/strongswan-5.1.3"
References
==========
[ 1 ] CVE-2014-2338
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2338
[ 2 ] CVE-2014-2891
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2891
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-26.xml
[ GLSA 201412-27 ] Ruby: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Ruby: Denial of Service
Date: December 13, 2014
Bugs: #355439, #369141, #396301, #437366, #442580, #458776,
#492282, #527084, #529216
ID: 201412-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Ruby, allowing
context-dependent attackers to cause a Denial of Service condition.
Background
==========
Ruby is an object-oriented scripting language.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/ruby < 2.0.0_p598 *>= 1.9.3_p551
>= 2.0.0_p598
Description
===========
Multiple vulnerabilities have been discovered in Ruby. Please review
the CVE identifiers referenced below for details.
Impact
======
A context-dependent attacker could possibly execute arbitrary code with
the privileges of the process, cause a Denial of Service condition, or
bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Ruby 1.9 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.9.3_p551"
All Ruby 2.0 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.0.0_p598"
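As an added example (not part of the advisories or of any Gentoo tooling), a Python check that applies the "Package / Vulnerable / Unaffected" rows above to an installed version string, handling the Gentoo `_pN` and `-rN` suffixes that appear in them. The asterisk on the Ruby row is read here as marking an unaffected range that applies only within the 1.9.3 branch, which is an assumption about the table notation.

```python
import re
from typing import List, Tuple

# Version shapes seen in the tables above: "3.5.1", "4.8.5-r2", "2.0.0_p598".
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_p(\d+))?(?:-r(\d+))?$")

def parse_version(ver: str) -> Tuple[Tuple[int, ...], int, int]:
    """Split a version into (numeric components, _p patch level, -r revision)."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, int(m.group(2) or 0), int(m.group(3) or 0)

def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before version b (plain tuple comparison)."""
    return parse_version(a) < parse_version(b)

def is_vulnerable(installed: str, vulnerable_below: str, unaffected: List[str]) -> bool:
    """Apply one table row. Unaffected entries are ">= X" (any version at or
    above X) or "*>= X", read here (assumption) as: only versions sharing X's
    base version and at or above its patch level are unaffected."""
    if not version_lt(installed, vulnerable_below):
        return False
    for entry in unaffected:
        branch_only = entry.startswith("*")
        floor = entry.lstrip("*").replace(">=", "").strip()
        if version_lt(installed, floor):
            continue
        if branch_only and parse_version(installed)[0] != parse_version(floor)[0]:
            continue
        return False
    return True

# Rows transcribed from the advisories above.
GLSA_ROWS = {
    "net-analyzer/nagios-core": ("3.5.1", [">= 3.5.1"]),
    "media-libs/openjpeg": ("1.5.2", [">= 1.5.2"]),
    "dev-qt/qtgui": ("4.8.5-r2", [">= 4.8.5-r2"]),
    "net-misc/strongswan": ("5.1.3", [">= 5.1.3"]),
    "dev-lang/ruby": ("2.0.0_p598", ["*>= 1.9.3_p551", ">= 2.0.0_p598"]),
}

def check(package: str, installed: str) -> bool:
    """True if the installed version of `package` falls in a vulnerable range."""
    below, unaffected = GLSA_ROWS[package]
    return is_vulnerable(installed, below, unaffected)
```

With this reading, `check("dev-lang/ruby", "1.9.3_p551")` is unaffected while `check("dev-lang/ruby", "2.0.0_p576")` is still vulnerable, matching the two upgrade paths in the Resolution.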
References
==========
[ 1 ] CVE-2011-0188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0188
[ 2 ] CVE-2011-1004
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1004
[ 3 ] CVE-2011-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1005
[ 4 ] CVE-2011-4815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4815
[ 5 ] CVE-2012-4481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4481
[ 6 ] CVE-2012-5371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5371
[ 7 ] CVE-2013-0269
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0269
[ 8 ] CVE-2013-1821
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1821
[ 9 ] CVE-2013-4164
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4164
[ 10 ] CVE-2014-8080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8080
[ 11 ] CVE-2014-8090
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8090
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-27.xml