
A pump security update to fix execution of arbitrary code has been released for Gentoo Linux.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201911-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: pump: User-assisted execution of arbitrary code
     Date: November 07, 2019
     Bugs: #694314
       ID: 201911-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in pump might allow a remote attacker to execute
arbitrary code.

Background
==========

BOOTP and DHCP client for automatic IP configuration.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/pump              <= 0.8.24-r4               Vulnerable!
    -------------------------------------------------------------------

     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.

Description
===========

It was discovered that there was an arbitrary code execution
vulnerability in the pump DHCP/BOOTP client.

Impact
======

A remote attacker, by enticing a user to connect to a malicious server,
could cause the execution of arbitrary code with the privileges of the
user running the pump DHCP/BOOTP client.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

Gentoo has discontinued support for pump. We recommend that users
unmerge pump:

  # emerge --unmerge "net-misc/pump"

References
==========

[ 1 ] Debian Bug Report 933674
      https://bugs.debian.org/933674

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201911-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5