Gentoo 2514 Published by

The following updates has been released for Gentoo Linux:

GLSA 201710-28 : Jython: Arbitrary code execution
GLSA 201710-29 : Asterisk: Multiple vulnerabilities
GLSA 201710-30 : X.Org Server: Multiple vulnerabilities
GLSA 201710-31 : Oracle JDK/JRE: Multiple vulnerabilities
GLSA 201710-32 : Apache: Multiple vulnerabilities



GLSA 201710-28 : Jython: Arbitrary code execution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Jython: Arbitrary code execution
Date: October 29, 2017
Bugs: #621876
ID: 201710-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Jython may lead to arbitrary code execution.

Background
==========

An implementation of Python written in Java.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/jython < 2.7.0-r2 >= 2.7.0-r2

Description
===========

It was found that Jython is vulnerable to arbitrary code execution by
sending a serialized function to the deserializer.

Impact
======

Remote execution of arbitrary code by enticing a user to execute
malicious code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Jython users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/jython-2.7.0-r2"

References
==========

[ 1 ] CVE-2016-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-28

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-29 : Asterisk: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Asterisk: Multiple vulnerabilities
Date: October 29, 2017
Bugs: #629682, #629692, #633856
ID: 201710-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Asterisk, the worst of
which allows remote execution of arbitrary shell commands.

Background
==========

A Modular Open Source PBX System.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/asterisk < 11.25.3 >= 11.25.3

Description
===========

Multiple vulnerabilities have been discovered in Asterisk. Please
review the referenced CVE identifiers for details.

Impact
======

A remote attacker could execute arbitrary code, cause a denial of
service condition, or cause an unauthorized data disclosure by enticing
a user to run malicious code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Asterisk users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-13.17.2"

References
==========

[ 1 ] CVE-2017-14098
https://nvd.nist.gov/vuln/detail/CVE-2017-14098
[ 2 ] CVE-2017-14099
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14099
[ 3 ] CVE-2017-14100
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14100
[ 4 ] CVE-2017-14603
https://nvd.nist.gov/vuln/detail/CVE-2017-14603

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-29

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-30 : X.Org Server: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: X.Org Server: Multiple vulnerabilities
Date: October 29, 2017
Bugs: #493294, #611350, #633910
ID: 201710-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in X.Org Server the worst of
which could allow a local attacker to replace shared memory segments.

Background
==========

The X.Org project provides an open source implementation of the X
Window System.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 x11-base/xorg-server < 1.19.4 >= 1.19.4

Description
===========

Multiple vulnerabilities have been discovered in X.Org Server. Please
review the referenced CVE identifiers for details.

Impact
======

A local attacker could cause a global buffer overflow or a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time

Resolution
==========

All X.Org Server users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.19.4"

References
==========

[ 1 ] CVE-2013-6424
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6424
[ 2 ] CVE-2017-13721
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13721
[ 3 ] CVE-2017-13723
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13723
[ 4 ] CVE-2017-2624
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2624

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-30

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-31 : Oracle JDK/JRE: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Oracle JDK/JRE: Multiple vulnerabilities
Date: October 29, 2017
Bugs: #635030
ID: 201710-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Oracle's JDK and JRE
software suites, the worst of which can be remotely exploited without
authentication.

Background
==========

Java Platform, Standard Edition (Java SE) lets you develop and deploy
Java applications on desktops and servers, as well as in today’s
demanding embedded environments. Java offers the rich user interface,
performance, versatility, portability, and security that today’s
applications require.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/oracle-jdk-bin < 1.8.0.152-r1 >= 1.8.0.152-r1
2 dev-java/oracle-jre-bin < 1.8.0.152-r1 >= 1.8.0.152-r1
-------------------------------------------------------------------
2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Oracle’s Java SE.
Please review the referenced CVE identifiers for details.

Impact
======

A remote attacker could cause a Denial of Service condition, modify
arbitrary data, or have numerous other impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Oracle JDK users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.8.0.152-r1"

All Oracle JRE users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.8.0.152-r1"

References
==========

[ 1 ] CVE-2017-10274
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10274
[ 2 ] CVE-2017-10281
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10281
[ 3 ] CVE-2017-10285
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10285
[ 4 ] CVE-2017-10293
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10293
[ 5 ] CVE-2017-10295
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10295
[ 6 ] CVE-2017-10309
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10309
[ 7 ] CVE-2017-10345
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10345
[ 8 ] CVE-2017-10346
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10346
[ 9 ] CVE-2017-10347
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10347
[ 10 ] CVE-2017-10348
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10348
[ 11 ] CVE-2017-10349
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10349
[ 12 ] CVE-2017-10350
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10350
[ 13 ] CVE-2017-10355
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10355
[ 14 ] CVE-2017-10356
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10356
[ 15 ] CVE-2017-10357
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10357
[ 16 ] CVE-2017-10388
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10388

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-31

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-32 : Apache: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Apache: Multiple vulnerabilities
Date: October 29, 2017
Bugs: #622240, #624868, #631308
ID: 201710-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Apache, the worst of which
may result in the loss of secrets.

Background
==========

The Apache HTTP server is one of the most popular web servers on the
Internet.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/apache < 2.4.27-r1 >= 2.4.27-r1

Description
===========

Multiple vulnerabilities have been discovered in Apache. Please review
the referenced CVE identifiers for details.

Impact
======

The Optionsbleed vulnerability can leak arbitrary memory from the
server process that may contain secrets. Additionally attackers may
cause a Denial of Service condition, bypass authentication, or cause
information loss.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.27-r1"

References
==========

[ 1 ] CVE-2017-3167
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3167
[ 2 ] CVE-2017-3169
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3169
[ 3 ] CVE-2017-7659
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7659
[ 4 ] CVE-2017-7668
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7668
[ 5 ] CVE-2017-7679
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7679
[ 6 ] CVE-2017-9788
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9788
[ 7 ] CVE-2017-9789
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9789
[ 8 ] CVE-2017-9798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-32

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5