[ GLSA 202405-16 ] Apache Commons BCEL: Remote Code Execution
[ GLSA 202405-15 ] Mozilla Firefox: Multiple Vulnerabilities
[ GLSA 202405-14 ] QtWebEngine: Multiple Vulnerabilities
[ GLSA 202405-13 ] borgmatic: Shell Injection
[ GLSA 202405-12 ] Pillow: Multiple Vulnerabilities
[ GLSA 202405-11 ] MIT krb5: Multiple Vulnerabilities
[ GLSA 202405-10 ] Setuptools: Denial of Service
[ GLSA 202405-16 ] Apache Commons BCEL: Remote Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Apache Commons BCEL: Remote Code Execution
Date: May 05, 2024
Bugs: #880447
ID: 202405-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been discovered in Apache Commons BCEL, which can
lead to remote code execution.
Background
==========
The Byte Code Engineering Library (Apache Commons BCEL) is intended to
give users a convenient way to analyze, create, and manipulate (binary)
Java class files (those ending with .class).
Affected packages
=================
Package Vulnerable Unaffected
------------- ------------ ------------
dev-java/bcel < 6.6.0 >= 6.6.0
Description
===========
A vulnerability has been discovered in U-Boot tools. Please review the
CVE identifier referenced below for details.
Impact
======
Please review the referenced CVE identifier for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Apache Commons BCEL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/bcel-6.6.0"
References
==========
[ 1 ] CVE-2022-34169
https://nvd.nist.gov/vuln/detail/CVE-2022-34169
[ 2 ] CVE-2022-42920
https://nvd.nist.gov/vuln/detail/CVE-2022-42920
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202405-16
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
[ GLSA 202405-15 ] Mozilla Firefox: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Mozilla Firefox: Multiple Vulnerabilities
Date: May 05, 2024
Bugs: #925122
ID: 202405-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in Mozilla Firefox, the
worst of which can lead to remote code execution.
Background
==========
Mozilla Firefox is a popular open-source web browser from the Mozilla
project.
Affected packages
=================
Package Vulnerable Unaffected
---------------------- ------------- --------------
www-client/firefox < 115.8.0:esr >= 115.8.0:esr
>= 123.0:rapid
< 123.0 >= 123.0
www-client/firefox-bin < 115.8.0:esr >= 115.8.0:esr
>= 123.0:rapid
< 123.0 >= 123.0
Description
===========
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Mozilla Firefox rapid release users should upgrade to the latest
version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-123.0"
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-123.0"
All Mozilla Firefox ESR users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.8.0:esr"
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-115.8.0:esr"
References
==========
[ 1 ] CVE-2024-1546
https://nvd.nist.gov/vuln/detail/CVE-2024-1546
[ 2 ] CVE-2024-1547
https://nvd.nist.gov/vuln/detail/CVE-2024-1547
[ 3 ] CVE-2024-1548
https://nvd.nist.gov/vuln/detail/CVE-2024-1548
[ 4 ] CVE-2024-1549
https://nvd.nist.gov/vuln/detail/CVE-2024-1549
[ 5 ] CVE-2024-1550
https://nvd.nist.gov/vuln/detail/CVE-2024-1550
[ 6 ] CVE-2024-1551
https://nvd.nist.gov/vuln/detail/CVE-2024-1551
[ 7 ] CVE-2024-1552
https://nvd.nist.gov/vuln/detail/CVE-2024-1552
[ 8 ] CVE-2024-1553
https://nvd.nist.gov/vuln/detail/CVE-2024-1553
[ 9 ] CVE-2024-1554
https://nvd.nist.gov/vuln/detail/CVE-2024-1554
[ 10 ] CVE-2024-1555
https://nvd.nist.gov/vuln/detail/CVE-2024-1555
[ 11 ] CVE-2024-1556
https://nvd.nist.gov/vuln/detail/CVE-2024-1556
[ 12 ] CVE-2024-1557
https://nvd.nist.gov/vuln/detail/CVE-2024-1557
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202405-15
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
[ GLSA 202405-14 ] QtWebEngine: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: QtWebEngine: Multiple Vulnerabilities
Date: May 05, 2024
Bugs: #927746
ID: 202405-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in QtWebEngine, the worst
of which could lead to remote code execution.
Background
==========
QtWebEngine is a library for rendering dynamic web content in Qt5 and
Qt6 C++ and QML applications.
Affected packages
=================
Package Vulnerable Unaffected
------------------ ------------------- --------------------
dev-qt/qtwebengine < 5.15.13_p20240322 >= 5.15.13_p20240322
Description
===========
Multiple vulnerabilities have been discovered in QtWebEngine. Please
review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All QtWebEngine users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.13_p20240322"
References
==========
[ 1 ] CVE-2024-0804
https://nvd.nist.gov/vuln/detail/CVE-2024-0804
[ 2 ] CVE-2024-0805
https://nvd.nist.gov/vuln/detail/CVE-2024-0805
[ 3 ] CVE-2024-0806
https://nvd.nist.gov/vuln/detail/CVE-2024-0806
[ 4 ] CVE-2024-0807
https://nvd.nist.gov/vuln/detail/CVE-2024-0807
[ 5 ] CVE-2024-0808
https://nvd.nist.gov/vuln/detail/CVE-2024-0808
[ 6 ] CVE-2024-0809
https://nvd.nist.gov/vuln/detail/CVE-2024-0809
[ 7 ] CVE-2024-0810
https://nvd.nist.gov/vuln/detail/CVE-2024-0810
[ 8 ] CVE-2024-0811
https://nvd.nist.gov/vuln/detail/CVE-2024-0811
[ 9 ] CVE-2024-0812
https://nvd.nist.gov/vuln/detail/CVE-2024-0812
[ 10 ] CVE-2024-0813
https://nvd.nist.gov/vuln/detail/CVE-2024-0813
[ 11 ] CVE-2024-0814
https://nvd.nist.gov/vuln/detail/CVE-2024-0814
[ 12 ] CVE-2024-1059
https://nvd.nist.gov/vuln/detail/CVE-2024-1059
[ 13 ] CVE-2024-1060
https://nvd.nist.gov/vuln/detail/CVE-2024-1060
[ 14 ] CVE-2024-1077
https://nvd.nist.gov/vuln/detail/CVE-2024-1077
[ 15 ] CVE-2024-1283
https://nvd.nist.gov/vuln/detail/CVE-2024-1283
[ 16 ] CVE-2024-1284
https://nvd.nist.gov/vuln/detail/CVE-2024-1284
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202405-14
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
[ GLSA 202405-13 ] borgmatic: Shell Injection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: borgmatic: Shell Injection
Date: May 05, 2024
Bugs: #924892
ID: 202405-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been discovered in borgmatic, which can lead to
shell injection.
Background
==========
borgmatic is simple, configuration-driven backup software for servers
and workstations.
Affected packages
=================
Package Vulnerable Unaffected
-------------------- ------------ ------------
app-backup/borgmatic < 1.8.8 >= 1.8.8
Description
===========
Prevent shell injection attacks within the PostgreSQL hook, the MongoDB
hook, the SQLite hook, the "borgmatic borg" action, and command hook
variable/constant interpolation.
Impact
======
Shell injection may be used in several borgmatic backends to execute
arbitrary code.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All borgmatic users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-backup/borgmatic-1.8.8"
References
==========
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202405-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
[ GLSA 202405-12 ] Pillow: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Pillow: Multiple Vulnerabilities
Date: May 05, 2024
Bugs: #889594, #903664, #916907, #922577
ID: 202405-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in Pillow, the worst of
which can lead to arbitrary code execution.
Background
==========
The friendly PIL fork.
Affected packages
=================
Package Vulnerable Unaffected
----------------- ------------ ------------
dev-python/pillow < 10.2.0 >= 10.2.0
Description
===========
Multiple vulnerabilities have been discovered in Pillow. Please review
the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Pillow users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pillow-10.2.0"
References
==========
[ 1 ] CVE-2023-44271
https://nvd.nist.gov/vuln/detail/CVE-2023-44271
[ 2 ] CVE-2023-50447
https://nvd.nist.gov/vuln/detail/CVE-2023-50447
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202405-12
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
[ GLSA 202405-11 ] MIT krb5: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: MIT krb5: Multiple Vulnerabilities
Date: May 05, 2024
Bugs: #803434, #809845, #879875, #917464
ID: 202405-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in MIT krb5, the worst of
which could lead to remote code execution.
Background
==========
MIT krb5 is the free implementation of the Kerberos network
authentication protocol by the Massachusetts Institute of Technology.
Affected packages
=================
Package Vulnerable Unaffected
------------------ ------------ ------------
app-crypt/mit-krb5 < 1.21.2 >= 1.21.2
Description
===========
Multiple vulnerabilities have been discovered in MIT krb5. Please review
the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MIT krb5 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.21.2"
References
==========
[ 1 ] CVE-2021-36222
https://nvd.nist.gov/vuln/detail/CVE-2021-36222
[ 2 ] CVE-2021-37750
https://nvd.nist.gov/vuln/detail/CVE-2021-37750
[ 3 ] CVE-2022-42898
https://nvd.nist.gov/vuln/detail/CVE-2022-42898
[ 4 ] CVE-2023-36054
https://nvd.nist.gov/vuln/detail/CVE-2023-36054
[ 5 ] CVE-2023-39975
https://nvd.nist.gov/vuln/detail/CVE-2023-39975
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202405-11
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
[ GLSA 202405-10 ] Setuptools: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Setuptools: Denial of Service
Date: May 05, 2024
Bugs: #879813
ID: 202405-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been discovered in Setuptools, which can lead to
denial of service.
Background
==========
Setuptools is a manager for Python packages.
Affected packages
=================
Package Vulnerable Unaffected
--------------------- ------------ ------------
dev-python/setuptools < 65.5.1 >= 65.5.1
Description
===========
A vulnerability has been discovered in Setuptools. See the impact field.
Impact
======
An inefficiency in a regular expression may end in a denial of service
if an user is fetching malicious HTML from a package in PyPI or a custom
PackageIndex page.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Setuptools users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/setuptools-65.5.1"
References
==========
[ 1 ] CVE-2022-40897
https://nvd.nist.gov/vuln/detail/CVE-2022-40897
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202405-10
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
