The following updates have been released for Gentoo Linux:
[ GLSA 201510-02 ] QEMU: Arbitrary code execution
[ GLSA 201510-03 ] Wireshark: Multiple vulnerabilities
[ GLSA 201510-04 ] tcpdump: Multiple vulnerabilities
[ GLSA 201510-05 ] MediaWiki: Multiple vulnerabilities
[ GLSA 201510-06 ] Django: Multiple vulnerabilities
[ GLSA 201510-07 ] CUPS: Multiple vulnerabilities
[ GLSA 201510-08 ] cups-filters: Multiple vulnerabilities
[ GLSA 201510-02 ] QEMU: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: QEMU: Arbitrary code execution
Date: October 31, 2015
Bugs: #551752, #555680, #556050, #556052
ID: 201510-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A heap-based buffer overflow in QEMU could result in execution of
arbitrary code.
Background
==========
QEMU is a generic and open source machine emulator and virtualizer.
Affected packages
=================
-------------------------------------------------------------------
   Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  app-emulation/qemu         < 2.3.0-r4                >= 2.3.0-r4
Description
===========
A heap-based buffer overflow has been found in QEMU's PCNET controller.
Impact
======
A remote attacker could execute arbitrary code via specially crafted
packets.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All QEMU users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.3.0-r4"
References
==========
[ 1 ] CVE-2015-3209
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3209
[ 2 ] CVE-2015-3214
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3214
[ 3 ] CVE-2015-5154
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5154
[ 4 ] CVE-2015-5158
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5158
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201510-02
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 201510-03 ] Wireshark: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Wireshark: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #536034, #542206, #548898, #549432, #552434, #557522
ID: 201510-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Wireshark, allowing
attackers to cause a Denial of Service condition.
Background
==========
Wireshark is a network protocol analyzer formerly known as Ethereal.
Affected packages
=================
-------------------------------------------------------------------
   Package                /     Vulnerable     /          Unaffected
-------------------------------------------------------------------
1  net-analyzer/wireshark        < 1.12.7                  >= 1.12.7
Description
===========
Multiple vulnerabilities have been discovered in Wireshark. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Wireshark users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.12.7"
References
==========
[ 1 ] CVE-2015-2187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2187
[ 2 ] CVE-2015-2188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2188
[ 3 ] CVE-2015-2189
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2189
[ 4 ] CVE-2015-2190
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2190
[ 5 ] CVE-2015-2191
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2191
[ 6 ] CVE-2015-2192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2192
[ 7 ] CVE-2015-3182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3182
[ 8 ] CVE-2015-3808
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3808
[ 9 ] CVE-2015-3809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3809
[ 10 ] CVE-2015-3810
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3810
[ 11 ] CVE-2015-3811
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3811
[ 12 ] CVE-2015-3812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3812
[ 13 ] CVE-2015-3813
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3813
[ 14 ] CVE-2015-3814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3814
[ 15 ] CVE-2015-3815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3815
[ 16 ] CVE-2015-3906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3906
[ 17 ] CVE-2015-4651
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4651
[ 18 ] CVE-2015-4652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4652
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201510-03
[ GLSA 201510-04 ] tcpdump: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: tcpdump: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #552632
ID: 201510-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in tcpdump, the worst of which
can allow remote attackers to cause a Denial of Service condition or
execute arbitrary code.
Background
==========
tcpdump is a tool for network monitoring and data acquisition.
Affected packages
=================
-------------------------------------------------------------------
   Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  net-analyzer/tcpdump         < 4.7.4                     >= 4.7.4
Description
===========
Multiple vulnerabilities have been discovered in tcpdump. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All tcpdump users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-4.7.4"
References
==========
[ 1 ] CVE-2015-0261
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0261
[ 2 ] CVE-2015-2153
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2153
[ 3 ] CVE-2015-2154
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2154
[ 4 ] CVE-2015-2155
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2155
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201510-04
[ GLSA 201510-05 ] MediaWiki: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: MediaWiki: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #545944, #557844
ID: 201510-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in MediaWiki, the worst of
which may allow remote attackers to cause a Denial of Service.
Background
==========
MediaWiki is collaborative editing software used by large projects
such as Wikipedia.
Affected packages
=================
-------------------------------------------------------------------
   Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  www-apps/mediawiki           < 1.25.2                   >= 1.25.2
                                                          *>= 1.24.3
                                                         *>= 1.23.10
Description
===========
Multiple vulnerabilities have been discovered in MediaWiki. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to create a Denial of Service condition,
obtain sensitive information, bypass security restrictions, and inject
arbitrary web script or HTML.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MediaWiki 1.25 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.25.2"
All MediaWiki 1.24 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.24.3"
All MediaWiki 1.23 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.23.10"
References
==========
[ 1 ] CVE-2015-2931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2931
[ 2 ] CVE-2015-2932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2932
[ 3 ] CVE-2015-2933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2933
[ 4 ] CVE-2015-2934
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2934
[ 5 ] CVE-2015-2935
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2935
[ 6 ] CVE-2015-2936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2936
[ 7 ] CVE-2015-2937
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2937
[ 8 ] CVE-2015-2938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2938
[ 9 ] CVE-2015-2939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2939
[ 10 ] CVE-2015-2940
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2940
[ 11 ] CVE-2015-2941
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2941
[ 12 ] CVE-2015-2942
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2942
[ 13 ] CVE-2015-6728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6728
[ 14 ] CVE-2015-6729
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6729
[ 15 ] CVE-2015-6730
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6730
[ 16 ] CVE-2015-6731
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6731
[ 17 ] CVE-2015-6732
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6732
[ 18 ] CVE-2015-6733
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6733
[ 19 ] CVE-2015-6734
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6734
[ 20 ] CVE-2015-6735
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6735
[ 21 ] CVE-2015-6736
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6736
[ 22 ] CVE-2015-6737
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6737
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201510-05
[ GLSA 201510-06 ] Django: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Django: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #554864
ID: 201510-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Django, the worst of which
may allow a remote attacker to cause a Denial of Service.
Background
==========
Django is a Python-based web framework.
Affected packages
=================
-------------------------------------------------------------------
   Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  dev-python/django            < 1.8.3                     >= 1.8.3
                                                           *>= 1.7.9
                                                          *>= 1.4.21
Description
===========
Multiple vulnerabilities have been found in Django:
* Session backends create a new record any time request.session is
accessed (CVE-2015-5143)
* Built-in validators in Django do not properly sanitize input
(CVE-2015-5144)
* URL validation included a regular expression that was extremely slow
(CVE-2015-5145)
Impact
======
A remote attacker may be able to cause a Denial of Service condition,
inject arbitrary headers, and conduct HTTP response splitting attacks.
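The link between a validator that does not properly sanitize input and
header injection can be seen in the following added example, which is
not part of the advisory and not Django's own code. It assumes the
weakness is a regular expression anchored with "$", which in Python also
matches just before a trailing newline; the patterns, function names and
sample values are constructed for illustration.

```python
import re

# Constructed patterns for illustration; not copied from Django's source.
# "$" matches at the end of the string AND just before a trailing newline.
WEAK_SLUG = re.compile(r"^[-a-zA-Z0-9_]+$")
# "\Z" matches only at the very end of the string.
STRICT_SLUG = re.compile(r"^[-a-zA-Z0-9_]+\Z")


def is_valid(pattern, value):
    """Return True when the pattern accepts the value."""
    return pattern.match(value) is not None


def build_header(name, value, pattern):
    """Emit one HTTP header line, refusing values the validator rejects."""
    if not is_valid(pattern, value):
        raise ValueError("rejected header value: %r" % value)
    return "%s: %s\r\n" % (name, value)


def has_embedded_line_break(header_line):
    """Detect a CR or LF anywhere before the terminating CRLF."""
    body = header_line[:-2] if header_line.endswith("\r\n") else header_line
    return "\r" in body or "\n" in body


if __name__ == "__main__":
    # Constructed sample inputs: one clean value, one with a trailing newline.
    for sample in ("release-notes", "release-notes\n"):
        weak = is_valid(WEAK_SLUG, sample)
        strict = is_valid(STRICT_SLUG, sample)
        print("%r weak=%s strict=%s" % (sample, weak, strict))
        if weak:
            line = build_header("X-Tag", sample, WEAK_SLUG)
            print("  weak validator emitted a header with an extra line "
                  "break: %s" % has_embedded_line_break(line))
```

The has_embedded_line_break() check can also be applied on its own to
outgoing header values as a defence-in-depth test.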
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Django 1.8 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.8.3"
All Django 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.7.9"
All Django 1.4 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.4.21"
References
==========
[ 1 ] CVE-2015-5143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5143
[ 2 ] CVE-2015-5144
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5144
[ 3 ] CVE-2015-5145
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5145
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201510-06
[ GLSA 201510-07 ] CUPS: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: CUPS: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #551846
ID: 201510-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in CUPS, the worst of which
could lead to arbitrary code execution.
Background
==========
CUPS, the Common Unix Printing System, is a full-featured print server.
Affected packages
=================
-------------------------------------------------------------------
   Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  net-print/cups               < 2.0.3                     >= 2.0.3
Description
===========
Multiple vulnerabilities have been discovered in CUPS. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All CUPS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-2.0.3"
References
==========
[ 1 ] CVE-2015-1158
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1158
[ 2 ] CVE-2015-1159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1159
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201510-07
[ GLSA 201510-08 ] cups-filters: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: cups-filters: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #553644, #553836
ID: 201510-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in cups-filters, the worst of
which could lead to arbitrary code execution.
Background
==========
cups-filters provides the OpenPrinting CUPS filters.
Affected packages
=================
-------------------------------------------------------------------
   Package                /     Vulnerable     /          Unaffected
-------------------------------------------------------------------
1  net-print/cups-filters        < 1.0.71                  >= 1.0.71
Description
===========
Multiple vulnerabilities have been discovered in cups-filters. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted print
job using cups-filters, possibly resulting in execution of arbitrary
code with the privileges of the process or a Denial of Service
condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All cups-filters users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-filters-1.0.71"
References
==========
[ 1 ] CVE-2015-3258
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3258
[ 2 ] CVE-2015-3279
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3279
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201510-08