Gentoo 2509 Published by

The following updates has been released for Gentoo Linux:

GLSA 201903-09 : GNU C Library: Arbitrary descriptor allocation
GLSA 201903-10 : OpenSSL: Multiple vulnerabilities
GLSA 201903-11 : XRootD: Remote code execution
GLSA 201903-12 : WebkitGTK+: Multiple vulnerabilities
GLSA 201903-13 : BIND: Multiple vulnerabilities
GLSA 201903-14 : Oracle JDK/JRE: Multiple vulnerabilities



GLSA 201903-09 : GNU C Library: Arbitrary descriptor allocation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GNU C Library: Arbitrary descriptor allocation
Date: March 14, 2019
Bugs: #617938
ID: 201903-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in the GNU C Library could result in a Denial of
Service condition.

Background
==========

The GNU C library is the standard C library used by Gentoo Linux
systems.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-libs/glibc < 2.26.0 >= 2.26.0

Description
===========

A vulnerability was discovered in the GNU C Library functions xdr_bytes
and xdr_string.

Impact
======

A remote attacker, by sending a crafted UDP packet, could cause a
Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU C Library users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.26.0"

References
==========

[ 1 ] CVE-2018-19591
https://nvd.nist.gov/vuln/detail/CVE-2018-19591

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-10 : OpenSSL: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenSSL: Multiple vulnerabilities
Date: March 14, 2019
Bugs: #673056, #678564
ID: 201903-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple Information Disclosure vulnerabilities in OpenSSL allow
attackers to obtain sensitive information.

Background
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/openssl < 1.0.2r >= 1.0.2r

Description
===========

Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker to obtain sensitive information, caused by the
failure to immediately close the TCP connection after the hosts
encounter a zero-length record with valid padding.

A local attacker could run a malicious process next to legitimate
processes using the architecture’s parallel thread running capabilities
to leak encrypted data from the CPU's internal processes.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2r"

References
==========

[ 1 ] CVE-2018-5407
https://nvd.nist.gov/vuln/detail/CVE-2018-5407
[ 2 ] CVE-2019-1559
https://nvd.nist.gov/vuln/detail/CVE-2019-1559

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-11 : XRootD: Remote code execution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: XRootD: Remote code execution
Date: March 14, 2019
Bugs: #638420
ID: 201903-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability was discovered in XRootD which could lead to the remote
execution of code.

Background
==========

A project that aims at giving high performance, scalable, and fault
tolerant access to data repositories of many kinds.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/xrootd < 4.8.3 >= 4.8.3

Description
===========

A shell command injection was discovered in XRootD.

Impact
======

A remote attacker could execute arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All XRootD users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/xrootd-4.8.3"

References
==========

[ 1 ] CVE-2017-1000215
https://nvd.nist.gov/vuln/detail/CVE-2017-1000215

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-12 : WebkitGTK+: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: WebkitGTK+: Multiple vulnerabilities
Date: March 14, 2019
Bugs: #672108, #674702, #678334
ID: 201903-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in WebkitGTK+, the worst of
which could result in the arbitrary execution of code.

Background
==========

WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from
hybrid HTML/CSS applications to full-fledged web browsers.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.22.6 >= 2.22.6

Description
===========

Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the referenced CVE identifiers for details.

Impact
======

An attacker could execute arbitrary code or conduct cross-site
scripting.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All WebkitGTK+ users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.22.6"

References
==========

[ 1 ] CVE-2019-6212
https://nvd.nist.gov/vuln/detail/CVE-2019-6212
[ 2 ] CVE-2019-6215
https://nvd.nist.gov/vuln/detail/CVE-2019-6215
[ 3 ] CVE-2019-6216
https://nvd.nist.gov/vuln/detail/CVE-2019-6216
[ 4 ] CVE-2019-6217
https://nvd.nist.gov/vuln/detail/CVE-2019-6217
[ 5 ] CVE-2019-6226
https://nvd.nist.gov/vuln/detail/CVE-2019-6226
[ 6 ] CVE-2019-6227
https://nvd.nist.gov/vuln/detail/CVE-2019-6227
[ 7 ] CVE-2019-6229
https://nvd.nist.gov/vuln/detail/CVE-2019-6229
[ 8 ] CVE-2019-6233
https://nvd.nist.gov/vuln/detail/CVE-2019-6233
[ 9 ] CVE-2019-6234
https://nvd.nist.gov/vuln/detail/CVE-2019-6234

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-13 : BIND: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: BIND: Multiple vulnerabilities
Date: March 14, 2019
Bugs: #657654, #666946
ID: 201903-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in BIND, the worst of which
could result in a Denial of Service condition.

Background
==========

BIND (Berkeley Internet Name Domain) is a Name Server.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-dns/bind < 9.12.1_p2-r1 >= 9.12.1_p2-r1

Description
===========

Multiple vulnerabilities have been discovered in BIND. Please review
the CVE identifiers referenced below for details.

Impact
======

BIND can improperly permit recursive query service to unauthorized
clients possibly resulting in a Denial of Service condition or to be
used in DNS reflection attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All bind users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/bind-9.12.1_p2-r1"

References
==========

[ 1 ] CVE-2018-5738
https://nvd.nist.gov/vuln/detail/CVE-2018-5738
[ 2 ] CVE-2018-5740
https://nvd.nist.gov/vuln/detail/CVE-2018-5740
[ 3 ] CVE-2018-5741
https://nvd.nist.gov/vuln/detail/CVE-2018-5741

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-14 : Oracle JDK/JRE: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Oracle JDK/JRE: Multiple vulnerabilities
Date: March 14, 2019
Bugs: #653560, #661456, #676134
ID: 201903-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Oracle’s JDK and JRE
software suites.

Background
==========

Java Platform, Standard Edition (Java SE) lets you develop and deploy
Java applications on desktops and servers, as well as in today’s
demanding embedded environments. Java offers the rich user interface,
performance, versatility, portability, and security that today’s
applications require.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/oracle-jdk-bin < 1.8.0.202 >= 1.8.0.202
2 dev-java/oracle-jre-bin < 1.8.0.202 >= 1.8.0.202
-------------------------------------------------------------------
2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Oracle’s JDK and JRE
software suites. Please review the CVE identifiers referenced below for
details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, gain access to information, or cause a
Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Oracle JDK bin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.8.0.202"

All Oracle JRE bin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.8.0.202"

References
==========

[ 1 ] CVE-2018-2790
https://nvd.nist.gov/vuln/detail/CVE-2018-2790
[ 2 ] CVE-2018-2794
https://nvd.nist.gov/vuln/detail/CVE-2018-2794
[ 3 ] CVE-2018-2795
https://nvd.nist.gov/vuln/detail/CVE-2018-2795
[ 4 ] CVE-2018-2796
https://nvd.nist.gov/vuln/detail/CVE-2018-2796
[ 5 ] CVE-2018-2797
https://nvd.nist.gov/vuln/detail/CVE-2018-2797
[ 6 ] CVE-2018-2798
https://nvd.nist.gov/vuln/detail/CVE-2018-2798
[ 7 ] CVE-2018-2799
https://nvd.nist.gov/vuln/detail/CVE-2018-2799
[ 8 ] CVE-2018-2800
https://nvd.nist.gov/vuln/detail/CVE-2018-2800
[ 9 ] CVE-2018-2811
https://nvd.nist.gov/vuln/detail/CVE-2018-2811
[ 10 ] CVE-2018-2814
https://nvd.nist.gov/vuln/detail/CVE-2018-2814
[ 11 ] CVE-2018-2815
https://nvd.nist.gov/vuln/detail/CVE-2018-2815
[ 12 ] CVE-2019-2422
https://nvd.nist.gov/vuln/detail/CVE-2019-2422
[ 13 ] CVE-2019-2426
https://nvd.nist.gov/vuln/detail/CVE-2019-2426

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5