The following updates have been released for Gentoo Linux:
[ GLSA 201509-01 ] NTP: Multiple vulnerabilities
[ GLSA 201509-02 ] cURL: Multiple vulnerabilities
[ GLSA 201509-03 ] Cacti: Multiple vulnerabilities
[ GLSA 201509-04 ] libtasn1: Multiple vulnerabilities
[ GLSA 201509-05 ] NetworkManager: Denial of Service
[ GLSA 201509-06 ] Git: Arbitrary command execution
[ GLSA 201509-07 ] Adobe Flash Player: Multiple vulnerabilities
[ GLSA 201509-01 ] NTP: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: NTP: Multiple vulnerabilities
Date: September 24, 2015
Bugs: #545836, #553682
ID: 201509-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in NTP, the worst of which
could lead to arbitrary code execution.
Background
==========
NTP contains software for the Network Time Protocol.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  net-misc/ntp               < 4.2.8_p3               >= 4.2.8_p3
Description
===========
Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All NTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8_p3"
References
==========
[ 1 ] CVE-2015-1798
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1798
[ 2 ] CVE-2015-1799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1799
[ 3 ] CVE-2015-5146
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5146
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-01
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 201509-02 ] cURL: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: cURL: Multiple vulnerabilities
Date: September 24, 2015
Bugs: #547376, #552618
ID: 201509-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in cURL, the worst of which
can allow remote attackers to cause a Denial of Service condition.
Background
==========
cURL is a tool and libcurl is a library for transferring data with URL
syntax.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  net-misc/curl               < 7.43.0                  >= 7.43.0
Description
===========
Multiple vulnerabilities have been discovered in cURL. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly obtain sensitive information, or cause
a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All cURL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.43.0"
References
==========
[ 1 ] CVE-2015-3143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3143
[ 2 ] CVE-2015-3144
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3144
[ 3 ] CVE-2015-3145
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3145
[ 4 ] CVE-2015-3148
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3148
[ 5 ] CVE-2015-3236
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3236
[ 6 ] CVE-2015-3237
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3237
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-02
[ GLSA 201509-03 ] Cacti: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Cacti: Multiple vulnerabilities
Date: September 24, 2015
Bugs: #506356, #515108, #554758
ID: 201509-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Cacti, the worst of which
could lead to arbitrary code execution.
Background
==========
Cacti is a complete frontend to rrdtool.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  net-analyzer/cacti          < 0.8.8d                  >= 0.8.8d
Description
===========
Multiple vulnerabilities have been discovered in Cacti. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Cacti users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.8d"
References
==========
[ 1 ] CVE-2014-2326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2326
[ 2 ] CVE-2014-2327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2327
[ 3 ] CVE-2014-2328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2328
[ 4 ] CVE-2014-2708
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2708
[ 5 ] CVE-2014-2709
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2709
[ 6 ] CVE-2014-4002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4002
[ 7 ] CVE-2014-5025
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5025
[ 8 ] CVE-2014-5026
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5026
[ 9 ] CVE-2015-2967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2967
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-03
[ GLSA 201509-04 ] libtasn1: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: libtasn1: Multiple vulnerabilities
Date: September 24, 2015
Bugs: #544922, #548252
ID: 201509-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in libtasn1, the worst of
which could lead to arbitrary code execution.
Background
==========
libtasn1 is an ASN.1 library.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  dev-libs/libtasn1            < 1.4.5                   >= 1.4.5
Description
===========
Multiple vulnerabilities have been discovered in libtasn1. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libtasn1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libtasn1-1.4.5"
References
==========
[ 1 ] CVE-2015-2806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2806
[ 2 ] CVE-2015-3622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3622
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-04
[ GLSA 201509-05 ] NetworkManager: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: NetworkManager: Denial of Service
Date: September 24, 2015
Bugs: #545980
ID: 201509-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Improper handling of Router Advertisements in NetworkManager could
cause a Denial of Service condition in IPv6 network stacks.
Background
==========
NetworkManager is a universal network configuration daemon for
laptops, desktops, servers and virtualization hosts.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  net-misc/networkmanager      < 1.0.2                   >= 1.0.2
Description
===========
IPv6 Neighbour Discovery ICMP broadcast containing a non-route with a
low hop limit causes a Denial of Service by lowering the hop limit on
existing IPv6 routes in NetworkManager.
Impact
======
A remote attacker on the same network segment could cause a Denial of
Service condition in NetworkManager.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All NetworkManager users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/networkmanager-1.0.2"
References
==========
[ 1 ] CVE-2015-2924
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2924
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-05
[ GLSA 201509-06 ] Git: Arbitrary command execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Git: Arbitrary command execution
Date: September 24, 2015
Bugs: #532984
ID: 201509-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
An attacker could execute arbitrary commands via Git repositories in a
case-insensitive or case-normalizing filesystem.
Background
==========
Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  dev-vcs/git                  < 2.0.5                *>= 1.8.5.6
                                                          *>= 1.9.5
                                                           >= 2.0.5
Description
===========
A vulnerability in Git causes Git-compatible clients that access
case-insensitive or case-normalizing filesystems to overwrite the
.git/config file when cloning or checking out a repository, leading to
execution of arbitrary commands.
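The check below is an added example, not part of the Gentoo advisory or of Git: it flags tree paths containing a component that a case-insensitive or normalizing filesystem would treat as `.git`. The folding rule (NFC plus Unicode case folding), the function names and the sample path list are assumptions constructed for illustration.

```python
import unicodedata

# Directory names that must never appear as a component of a tracked path.
PROTECTED = {".git"}


def fold(component: str) -> str:
    """Approximate how a case-insensitive / normalizing filesystem sees a name.

    Assumption: NFC normalization followed by Unicode case folding. Real
    filesystems apply their own rules, so this is a first-pass filter only.
    """
    return unicodedata.normalize("NFC", component).casefold()


def parse_ls_tree(raw: bytes):
    """Split the NUL-separated output of `git ls-tree -r -z --name-only <rev>`."""
    return [p.decode("utf-8", "replace") for p in raw.split(b"\0") if p]


def risky_paths(paths):
    """Return (path, component) pairs where a component aliases a protected name."""
    hits = []
    for path in paths:
        for component in path.split("/"):
            if fold(component) in PROTECTED:
                hits.append((path, component))
                break  # one finding per path is enough
    return hits


# Constructed sample: what `git ls-tree -r -z --name-only HEAD` could emit
# for an untrusted tree. Not taken from a real repository.
SAMPLE = (
    b"README.md\0"
    b"src/main.c\0"
    b".Git/config\0"
    b"vendor/lib/.GIT/config\0"
    b".gitignore\0"
    b".github/workflows/ci.yml\0"
)

if __name__ == "__main__":
    for path, component in risky_paths(parse_ls_tree(SAMPLE)):
        print(f"REJECT {path!r}: component {component!r} folds to '.git'")
```

Running this against a tree listing before checkout on an unpatched client gives a quick triage signal; upgrading to the versions listed under Resolution remains the fix.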
Impact
======
An attacker can execute arbitrary commands on a client machine that
clones a crafted malicious Git tree.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Git 1.8.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/git-1.8.5.6"
All Git 1.9.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/git-1.9.5"
All Git 2.0.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/git-2.0.5"
References
==========
[ 1 ] CVE-2014-9390
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9390
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-06
[ GLSA 201509-07 ] Adobe Flash Player: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
Date: September 25, 2015
Bugs: #561076
ID: 201509-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which allows remote attackers to execute arbitrary code.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  www-plugins/adobe-flash   < 11.2.202.521         >= 11.2.202.521
Description
===========
Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"
References
==========
[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-07