Gentoo 2514 Published by

The following security advisories has been published for Gentoo Linux:

GLSA 201908-21 : Adobe Flash Player: Multiple vulnerabilities
GLSA 201908-22 : Patch: Multiple vulnerabilities
GLSA 201908-23 : VLC: Multiple vulnerabilities
GLSA 201908-24 : MariaDB, MySQL: Multiple vulnerabilities
GLSA 201908-25 : hostapd and wpa_supplicant: Denial of Service



GLSA 201908-21 : Adobe Flash Player: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
Date: August 18, 2019
Bugs: #683006, #687894
ID: 201908-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which could result in the arbitrary execution of code.

Background
==========

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-plugins/adobe-flash < 32.0.0.207 >= 32.0.0.207

Description
===========

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process or bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Flash Player users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-32.0.0.207"

References
==========

[ 1 ] CVE-2019-7096
https://nvd.nist.gov/vuln/detail/CVE-2019-7096
[ 2 ] CVE-2019-7108
https://nvd.nist.gov/vuln/detail/CVE-2019-7108
[ 3 ] CVE-2019-7845
https://nvd.nist.gov/vuln/detail/CVE-2019-7845

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201908-21

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

GLSA 201908-22 : Patch: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Patch: Multiple vulnerabilities
Date: August 18, 2019
Bugs: #690136
ID: 201908-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Patch, the worst of which
could result in the arbitrary execution of code.

Background
==========

Patch takes a patch file containing a difference listing produced by
the diff program and applies those differences to one or more original
files, producing patched versions.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-devel/patch < 2.7.6-r4 >= 2.7.6-r4

Description
===========

Multiple vulnerabilities have been discovered in Patch. Please review
the CVE identifiers referenced below for details.

Impact
======

A local attacker could pass a specially crafted diff file to Patch,
possibly resulting in a Denial of Service condition or arbitrary code
execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Patch users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-devel/patch-2.7.6-r4"

References
==========

[ 1 ] CVE-2019-13636
https://nvd.nist.gov/vuln/detail/CVE-2019-13636
[ 2 ] CVE-2019-13638
https://nvd.nist.gov/vuln/detail/CVE-2019-13638

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201908-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

GLSA 201908-23 : VLC: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: VLC: Multiple vulnerabilities
Date: August 18, 2019
Bugs: #688642
ID: 201908-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in VLC, the worst of which
could result in the arbitrary execution of code.

Background
==========

VLC is a cross-platform media player and streaming server.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-video/vlc < 3.0.7 >= 3.0.7

Description
===========

Multiple vulnerabilities have been discovered in VLC. Please review the
CVE identifiers referenced below for details.

Impact
======

Remote attackers, by enticing a user to execute a specially crafted
media file, could cause a Denial of Service condition or possibly
execute arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All VLC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/vlc-3.0.7"

References
==========

[ 1 ] CVE-2019-12874
https://nvd.nist.gov/vuln/detail/CVE-2019-12874
[ 2 ] CVE-2019-5439
https://nvd.nist.gov/vuln/detail/CVE-2019-5439

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201908-23

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

GLSA 201908-24 : MariaDB, MySQL: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MariaDB, MySQL: Multiple vulnerabilities
Date: August 18, 2019
Bugs: #661500, #670388, #679024
ID: 201908-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MariaDB and MySQL, the
worst of which could result in privilege escalation.

Background
==========

MariaDB is an enhanced, drop-in replacement for MySQL. MySQL is a
popular multi-threaded, multi-user SQL server. MySQL is a popular
multi-threaded, multi-user SQL server

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-db/mariadb < 10.1.38-r1 >= 10.1.38-r1
< 10.2.22 >= 10.2.22
2 dev-db/mysql < 5.6.42 >= 5.6.42
< 5.7.24 >= 5.7.24
-------------------------------------------------------------------
2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in MariaDB and MySQL.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MariaDB 10.1.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.1.38-r1"

All MariaDB 10.2.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.2.22"

All MySQL 5.6.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.42"

All MySQL 5.7.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.7.24"

References
==========

[ 1 ] CVE-2018-2755
https://nvd.nist.gov/vuln/detail/CVE-2018-2755
[ 2 ] CVE-2018-2759
https://nvd.nist.gov/vuln/detail/CVE-2018-2759
[ 3 ] CVE-2018-2761
https://nvd.nist.gov/vuln/detail/CVE-2018-2761
[ 4 ] CVE-2018-2766
https://nvd.nist.gov/vuln/detail/CVE-2018-2766
[ 5 ] CVE-2018-2771
https://nvd.nist.gov/vuln/detail/CVE-2018-2771
[ 6 ] CVE-2018-2777
https://nvd.nist.gov/vuln/detail/CVE-2018-2777
[ 7 ] CVE-2018-2781
https://nvd.nist.gov/vuln/detail/CVE-2018-2781
[ 8 ] CVE-2018-2782
https://nvd.nist.gov/vuln/detail/CVE-2018-2782
[ 9 ] CVE-2018-2784
https://nvd.nist.gov/vuln/detail/CVE-2018-2784
[ 10 ] CVE-2018-2786
https://nvd.nist.gov/vuln/detail/CVE-2018-2786
[ 11 ] CVE-2018-2787
https://nvd.nist.gov/vuln/detail/CVE-2018-2787
[ 12 ] CVE-2018-2810
https://nvd.nist.gov/vuln/detail/CVE-2018-2810
[ 13 ] CVE-2018-2813
https://nvd.nist.gov/vuln/detail/CVE-2018-2813
[ 14 ] CVE-2018-2817
https://nvd.nist.gov/vuln/detail/CVE-2018-2817
[ 15 ] CVE-2018-2819
https://nvd.nist.gov/vuln/detail/CVE-2018-2819
[ 16 ] CVE-2018-3143
https://nvd.nist.gov/vuln/detail/CVE-2018-3143
[ 17 ] CVE-2018-3156
https://nvd.nist.gov/vuln/detail/CVE-2018-3156
[ 18 ] CVE-2018-3162
https://nvd.nist.gov/vuln/detail/CVE-2018-3162
[ 19 ] CVE-2018-3173
https://nvd.nist.gov/vuln/detail/CVE-2018-3173
[ 20 ] CVE-2018-3174
https://nvd.nist.gov/vuln/detail/CVE-2018-3174
[ 21 ] CVE-2018-3185
https://nvd.nist.gov/vuln/detail/CVE-2018-3185
[ 22 ] CVE-2018-3200
https://nvd.nist.gov/vuln/detail/CVE-2018-3200
[ 23 ] CVE-2018-3251
https://nvd.nist.gov/vuln/detail/CVE-2018-3251
[ 24 ] CVE-2018-3252
https://nvd.nist.gov/vuln/detail/CVE-2018-3252
[ 25 ] CVE-2018-3277
https://nvd.nist.gov/vuln/detail/CVE-2018-3277
[ 26 ] CVE-2018-3282
https://nvd.nist.gov/vuln/detail/CVE-2018-3282
[ 27 ] CVE-2018-3284
https://nvd.nist.gov/vuln/detail/CVE-2018-3284
[ 28 ] CVE-2019-2510
https://nvd.nist.gov/vuln/detail/CVE-2019-2510
[ 29 ] CVE-2019-2529
https://nvd.nist.gov/vuln/detail/CVE-2019-2529
[ 30 ] CVE-2019-2537
https://nvd.nist.gov/vuln/detail/CVE-2019-2537

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201908-24

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

GLSA 201908-25 : hostapd and wpa_supplicant: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: hostapd and wpa_supplicant: Denial of Service
Date: August 18, 2019
Bugs: #685860, #688588
ID: 201908-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in hostapd and wpa_supplicant could lead to a Denial of
Service condition.

Background
==========

wpa_supplicant is a WPA Supplicant with support for WPA and WPA2 (IEEE
802.11i / RSN).

hostapd is a user space daemon for access point and authentication
servers.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-wireless/hostapd < 2.8 >= 2.8
2 net-wireless/wpa_supplicant
< 2.8 >= 2.8
-------------------------------------------------------------------
2 affected packages

Description
===========

A vulnerability was discovered in hostapd's and wpa_supplicant's
eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c files.

Impact
======

An attacker could cause a possible Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All hostapd users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-wireless/hostapd-2.8"

All wpa_supplicant users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=net-wireless/wpa_supplicant-2.8"

References
==========

[ 1 ] CVE-2019-11555
https://nvd.nist.gov/vuln/detail/CVE-2019-11555

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201908-25

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5