
The following updates have been released for Gentoo Linux:

[ GLSA 201510-02 ] QEMU: Arbitrary code execution
[ GLSA 201510-03 ] Wireshark: Multiple vulnerabilities
[ GLSA 201510-04 ] tcpdump: Multiple vulnerabilities
[ GLSA 201510-05 ] MediaWiki: Multiple vulnerabilities
[ GLSA 201510-06 ] Django: Multiple vulnerabilities
[ GLSA 201510-07 ] CUPS: Multiple vulnerabilities
[ GLSA 201510-08 ] cups-filters: Multiple vulnerabilities



[ GLSA 201510-02 ] QEMU: Arbitrary code execution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: QEMU: Arbitrary code execution
Date: October 31, 2015
Bugs: #551752, #555680, #556050, #556052
ID: 201510-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A heap-based buffer overflow in QEMU could result in execution of
arbitrary code.

Background
==========

QEMU is a generic and open source machine emulator and virtualizer.

Affected packages
=================

-------------------------------------------------------------------
     Package                  / Vulnerable        / Unaffected
-------------------------------------------------------------------
  1  app-emulation/qemu         < 2.3.0-r4          >= 2.3.0-r4

Description
===========

A heap-based buffer overflow has been found in QEMU's PCNET controller.

Impact
======

A remote attacker could execute arbitrary code via specially crafted
packets.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QEMU users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.3.0-r4"

References
==========

[ 1 ] CVE-2015-3209
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3209
[ 2 ] CVE-2015-3214
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3214
[ 3 ] CVE-2015-5154
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5154
[ 4 ] CVE-2015-5158
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5158

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201510-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201510-03 ] Wireshark: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Wireshark: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #536034, #542206, #548898, #549432, #552434, #557522
ID: 201510-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Wireshark, allowing
attackers to cause a Denial of Service condition.

Background
==========

Wireshark is a network protocol analyzer formerly known as Ethereal.

Affected packages
=================

-------------------------------------------------------------------
     Package                  / Vulnerable        / Unaffected
-------------------------------------------------------------------
  1  net-analyzer/wireshark     < 1.12.7            >= 1.12.7

Description
===========

Multiple vulnerabilities have been discovered in Wireshark. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Wireshark users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.12.7"

References
==========

[ 1 ] CVE-2015-2187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2187
[ 2 ] CVE-2015-2188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2188
[ 3 ] CVE-2015-2189
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2189
[ 4 ] CVE-2015-2190
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2190
[ 5 ] CVE-2015-2191
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2191
[ 6 ] CVE-2015-2192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2192
[ 7 ] CVE-2015-3182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3182
[ 8 ] CVE-2015-3808
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3808
[ 9 ] CVE-2015-3809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3809
[ 10 ] CVE-2015-3810
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3810
[ 11 ] CVE-2015-3811
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3811
[ 12 ] CVE-2015-3812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3812
[ 13 ] CVE-2015-3813
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3813
[ 14 ] CVE-2015-3814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3814
[ 15 ] CVE-2015-3815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3815
[ 16 ] CVE-2015-3906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3906
[ 17 ] CVE-2015-4651
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4651
[ 18 ] CVE-2015-4652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4652

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201510-03




[ GLSA 201510-04 ] tcpdump: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: tcpdump: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #552632
ID: 201510-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in tcpdump, the worst of which
can allow remote attackers to cause a Denial of Service condition or
execute arbitrary code.

Background
==========

tcpdump is a tool for network monitoring and data acquisition.

Affected packages
=================

-------------------------------------------------------------------
     Package                  / Vulnerable        / Unaffected
-------------------------------------------------------------------
  1  net-analyzer/tcpdump       < 4.7.4             >= 4.7.4

Description
===========

Multiple vulnerabilities have been discovered in tcpdump. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All tcpdump users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-4.7.4"

References
==========

[ 1 ] CVE-2015-0261
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0261
[ 2 ] CVE-2015-2153
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2153
[ 3 ] CVE-2015-2154
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2154
[ 4 ] CVE-2015-2155
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2155

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201510-04




[ GLSA 201510-05 ] MediaWiki: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MediaWiki: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #545944, #557844
ID: 201510-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MediaWiki, the worst of
which may allow remote attackers to cause a Denial of Service.

Background
==========

MediaWiki is a collaborative editing software used by large projects
such as Wikipedia.

Affected packages
=================

-------------------------------------------------------------------
     Package                  / Vulnerable        / Unaffected
-------------------------------------------------------------------
  1  www-apps/mediawiki         < 1.25.2            >= 1.25.2
                                                   *>= 1.24.3
                                                   *>= 1.23.10

Description
===========

Multiple vulnerabilities have been discovered in MediaWiki. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to create a Denial of Service condition,
obtain sensitive information, bypass security restrictions, and inject
arbitrary web script or HTML.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MediaWiki 1.25 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.25.2"

All MediaWiki 1.24 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.24.3"

All MediaWiki 1.23 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.23.10"

References
==========

[ 1 ] CVE-2015-2931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2931
[ 2 ] CVE-2015-2932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2932
[ 3 ] CVE-2015-2933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2933
[ 4 ] CVE-2015-2934
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2934
[ 5 ] CVE-2015-2935
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2935
[ 6 ] CVE-2015-2936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2936
[ 7 ] CVE-2015-2937
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2937
[ 8 ] CVE-2015-2938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2938
[ 9 ] CVE-2015-2939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2939
[ 10 ] CVE-2015-2940
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2940
[ 11 ] CVE-2015-2941
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2941
[ 12 ] CVE-2015-2942
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2942
[ 13 ] CVE-2015-6728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6728
[ 14 ] CVE-2015-6729
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6729
[ 15 ] CVE-2015-6730
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6730
[ 16 ] CVE-2015-6731
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6731
[ 17 ] CVE-2015-6732
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6732
[ 18 ] CVE-2015-6733
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6733
[ 19 ] CVE-2015-6734
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6734
[ 20 ] CVE-2015-6735
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6735
[ 21 ] CVE-2015-6736
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6736
[ 22 ] CVE-2015-6737
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6737

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201510-05




[ GLSA 201510-06 ] Django: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Django: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #554864
ID: 201510-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Django, the worst of which
may allow a remote attacker to cause a Denial of Service.

Background
==========

Django is a Python-based web framework.

Affected packages
=================

-------------------------------------------------------------------
     Package                  / Vulnerable        / Unaffected
-------------------------------------------------------------------
  1  dev-python/django          < 1.8.3             >= 1.8.3
                                                   *>= 1.7.9
                                                   *>= 1.4.21

Description
===========

Multiple vulnerabilities have been found in Django:

* Session backends create a new record anytime request.session was
accessed (CVE-2015-5143)
* Built-in validators in Django do not properly sanitize input
(CVE-2015-5144)
* URL validation included a regular expression that was extremely slow
(CVE-2015-5145)

Impact
======

A remote attacker may be able to cause a Denial of Service condition,
inject arbitrary headers, and conduct HTTP response splitting attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Django 1.8 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.8.3"

All Django 1.7 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.7.9"

All Django 1.4 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/django-1.4.21"

References
==========

[ 1 ] CVE-2015-5143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5143
[ 2 ] CVE-2015-5144
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5144
[ 3 ] CVE-2015-5145
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5145

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201510-06




[ GLSA 201510-07 ] CUPS: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: CUPS: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #551846
ID: 201510-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in CUPS, the worst of which
could lead to arbitrary code execution.

Background
==========

CUPS, the Common Unix Printing System, is a full-featured print server.

Affected packages
=================

-------------------------------------------------------------------
     Package                  / Vulnerable        / Unaffected
-------------------------------------------------------------------
  1  net-print/cups             < 2.0.3             >= 2.0.3

Description
===========

Multiple vulnerabilities have been discovered in CUPS. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CUPS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-2.0.3"

References
==========

[ 1 ] CVE-2015-1158
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1158
[ 2 ] CVE-2015-1159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1159

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201510-07




[ GLSA 201510-08 ] cups-filters: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201510-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: cups-filters: Multiple vulnerabilities
Date: October 31, 2015
Bugs: #553644, #553836
ID: 201510-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in cups-filters, the worst of
which could lead to arbitrary code execution.

Background
==========

cups-filters is the OpenPrinting CUPS Filters package.

Affected packages
=================

-------------------------------------------------------------------
     Package                  / Vulnerable        / Unaffected
-------------------------------------------------------------------
  1  net-print/cups-filters     < 1.0.71            >= 1.0.71

Description
===========

Multiple vulnerabilities have been discovered in cups-filters. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted print
job using cups-filters, possibly resulting in execution of arbitrary
code with the privileges of the process or a Denial of Service
condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cups-filters users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-filters-1.0.71"

References
==========

[ 1 ] CVE-2015-3258
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3258
[ 2 ] CVE-2015-3279
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3279

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201510-08
