Gentoo 2514 Published by

The following security updates are available for Gentoo Linux:

[ GLSA 202405-09 ] MediaInfo, MediaInfoLib: Multiple Vulnerabilities
[ GLSA 202405-08 ] strongSwan: Multiple Vulnerabilities
[ GLSA 202405-07 ] HTMLDOC: Multiple Vulnerabilities
[ GLSA 202405-06 ] mujs: Multiple Vulnerabilities
[ GLSA 202405-05 ] MPlayer: Multiple Vulnerabilities
[ GLSA 202405-04 ] systemd: Multiple Vulnerabilities
[ GLSA 202405-03 ] Dalli: Code Injection
[ GLSA 202405-02 ] ImageMagick: Multiple Vulnerabilities




[ GLSA 202405-09 ] MediaInfo, MediaInfoLib: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MediaInfo, MediaInfoLib: Multiple Vulnerabilities
Date: May 04, 2024
Bugs: #778992, #836564, #875374, #917612
ID: 202405-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MediaInfo and MediaInfoLib,
the worst of which could allow user-assisted remote code execution.

Background
==========

MediaInfo supplies technical and tag information about media files.
MediaInfoLib contains MediaInfo libraries.

Affected packages
=================

Package Vulnerable Unaffected
----------------------- ------------ ------------
media-libs/libmediainfo < 23.10 >= 23.10
media-video/mediainfo < 23.10 >= 23.10

Description
===========

Multiple vulnerabilities have been discovered in MediaInfo and
MediaInfoLib. Please review the CVE identifiers referenced below for
details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MediaInfo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/mediainfo-23.10"

All MediaInfolib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libmediainfo-23.10"

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-08 ] strongSwan: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: strongSwan: Multiple Vulnerabilities
Date: May 04, 2024
Bugs: #818841, #832460, #878887, #899964
ID: 202405-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in strongSwan, the worst
of which could possibly lead to remote code execution.

Background
==========

strongSwan is an IPSec implementation for Linux.

Affected packages
=================

Package Vulnerable Unaffected
------------------ ------------ ------------
net-vpn/strongswan < 5.9.10 >= 5.9.10

Description
===========

Multiple vulnerabilities have been discovered in strongSwan. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All strongSwan users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-vpn/strongswan-5.9.10"

References
==========

[ 1 ] CVE-2021-41991
https://nvd.nist.gov/vuln/detail/CVE-2021-41991
[ 2 ] CVE-2021-45079
https://nvd.nist.gov/vuln/detail/CVE-2021-45079
[ 3 ] CVE-2022-40617
https://nvd.nist.gov/vuln/detail/CVE-2022-40617
[ 4 ] CVE-2023-26463
https://nvd.nist.gov/vuln/detail/CVE-2023-26463

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-07 ] HTMLDOC: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: HTMLDOC: Multiple Vulnerabilities
Date: May 04, 2024
Bugs: #780489
ID: 202405-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in HTMLDOC, the worst of
which can lead to arbitrary code execution.

Background
==========

HTMLDOC is a HTML indexer and HTML to PS and PDF converter.

Affected packages
=================

Package Vulnerable Unaffected
---------------- ------------ ------------
app-text/htmldoc < 1.9.16 >= 1.9.16

Description
===========

Multiple vulnerabilities have been discovered in HTMLDOC. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All HTMLDOC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/htmldoc-1.9.16"

References
==========

[ 1 ] CVE-2021-20308
https://nvd.nist.gov/vuln/detail/CVE-2021-20308
[ 2 ] CVE-2021-23158
https://nvd.nist.gov/vuln/detail/CVE-2021-23158
[ 3 ] CVE-2021-23165
https://nvd.nist.gov/vuln/detail/CVE-2021-23165
[ 4 ] CVE-2021-23180
https://nvd.nist.gov/vuln/detail/CVE-2021-23180
[ 5 ] CVE-2021-23191
https://nvd.nist.gov/vuln/detail/CVE-2021-23191
[ 6 ] CVE-2021-23206
https://nvd.nist.gov/vuln/detail/CVE-2021-23206
[ 7 ] CVE-2021-26252
https://nvd.nist.gov/vuln/detail/CVE-2021-26252
[ 8 ] CVE-2021-26259
https://nvd.nist.gov/vuln/detail/CVE-2021-26259
[ 9 ] CVE-2021-26948
https://nvd.nist.gov/vuln/detail/CVE-2021-26948
[ 10 ] CVE-2021-33235
https://nvd.nist.gov/vuln/detail/CVE-2021-33235
[ 11 ] CVE-2021-33236
https://nvd.nist.gov/vuln/detail/CVE-2021-33236
[ 12 ] CVE-2021-40985
https://nvd.nist.gov/vuln/detail/CVE-2021-40985
[ 13 ] CVE-2021-43579
https://nvd.nist.gov/vuln/detail/CVE-2021-43579
[ 14 ] CVE-2022-0137
https://nvd.nist.gov/vuln/detail/CVE-2022-0137
[ 15 ] CVE-2022-0534
https://nvd.nist.gov/vuln/detail/CVE-2022-0534
[ 16 ] CVE-2022-24191
https://nvd.nist.gov/vuln/detail/CVE-2022-24191
[ 17 ] CVE-2022-27114
https://nvd.nist.gov/vuln/detail/CVE-2022-27114
[ 18 ] CVE-2022-28085
https://nvd.nist.gov/vuln/detail/CVE-2022-28085
[ 19 ] CVE-2022-34033
https://nvd.nist.gov/vuln/detail/CVE-2022-34033
[ 20 ] CVE-2022-34035
https://nvd.nist.gov/vuln/detail/CVE-2022-34035

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-06 ] mujs: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: mujs: Multiple Vulnerabilities
Date: May 04, 2024
Bugs: #833453, #845399, #882775
ID: 202405-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in mujs, the worst of
which could lead to remote code execution.

Background
==========

mujs is an embeddable Javascript interpreter in C.

Affected packages
=================

Package Vulnerable Unaffected
------------- ------------ ------------
dev-lang/mujs < 1.3.2 >= 1.3.2

Description
===========

Multiple vulnerabilities have been discovered in mujs. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mujs users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/mujs-1.3.2"

References
==========

[ 1 ] CVE-2021-45005
https://nvd.nist.gov/vuln/detail/CVE-2021-45005
[ 2 ] CVE-2022-30974
https://nvd.nist.gov/vuln/detail/CVE-2022-30974
[ 3 ] CVE-2022-30975
https://nvd.nist.gov/vuln/detail/CVE-2022-30975
[ 4 ] CVE-2022-44789
https://nvd.nist.gov/vuln/detail/CVE-2022-44789

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-05 ] MPlayer: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MPlayer: Multiple Vulnerabilities
Date: May 04, 2024
Bugs: #870406
ID: 202405-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in MPlayer, the worst of
which can lead to arbitrary code execution.

Background
==========

MPlayer is a media player capable of handling multiple multimedia file
formats.

Affected packages
=================

Package Vulnerable Unaffected
------------------- ------------ ------------
media-video/mplayer < 1.5 >= 1.5

Description
===========

Multiple vulnerabilities have been discovered in MPlayer. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MPlayer users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/mplayer-1.5"

References
==========

[ 1 ] CVE-2022-38600
https://nvd.nist.gov/vuln/detail/CVE-2022-38600
[ 2 ] CVE-2022-38850
https://nvd.nist.gov/vuln/detail/CVE-2022-38850
[ 3 ] CVE-2022-38851
https://nvd.nist.gov/vuln/detail/CVE-2022-38851
[ 4 ] CVE-2022-38853
https://nvd.nist.gov/vuln/detail/CVE-2022-38853
[ 5 ] CVE-2022-38855
https://nvd.nist.gov/vuln/detail/CVE-2022-38855
[ 6 ] CVE-2022-38856
https://nvd.nist.gov/vuln/detail/CVE-2022-38856
[ 7 ] CVE-2022-38858
https://nvd.nist.gov/vuln/detail/CVE-2022-38858
[ 8 ] CVE-2022-38860
https://nvd.nist.gov/vuln/detail/CVE-2022-38860
[ 9 ] CVE-2022-38861
https://nvd.nist.gov/vuln/detail/CVE-2022-38861
[ 10 ] CVE-2022-38862
https://nvd.nist.gov/vuln/detail/CVE-2022-38862
[ 11 ] CVE-2022-38863
https://nvd.nist.gov/vuln/detail/CVE-2022-38863
[ 12 ] CVE-2022-38864
https://nvd.nist.gov/vuln/detail/CVE-2022-38864
[ 13 ] CVE-2022-38865
https://nvd.nist.gov/vuln/detail/CVE-2022-38865
[ 14 ] CVE-2022-38866
https://nvd.nist.gov/vuln/detail/CVE-2022-38866

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-04 ] systemd: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: systemd: Multiple Vulnerabilities
Date: May 04, 2024
Bugs: #882769, #887581
ID: 202405-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in systemd, the worst of
which can lead to a denial of service.

Background
==========

A system and service manager.

Affected packages
=================

Package Vulnerable Unaffected
---------------- ------------ ------------
sys-apps/systemd < 252.4 >= 252.4

Description
===========

Multiple vulnerabilities have been discovered in systemd. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All systemd users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/systemd-252.4"

References
==========

[ 1 ] CVE-2022-4415
https://nvd.nist.gov/vuln/detail/CVE-2022-4415
[ 2 ] CVE-2022-45873
https://nvd.nist.gov/vuln/detail/CVE-2022-45873

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-03 ] Dalli: Code Injection


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Dalli: Code Injection
Date: May 04, 2024
Bugs: #882077
ID: 202405-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Dalli, which can lead to code
injection.

Background
==========

Dalli is a high performance pure Ruby client for accessing memcached
servers.

Affected packages
=================

Package Vulnerable Unaffected
-------------- ------------ ------------
dev-ruby/dalli < 3.2.3 >= 3.2.3

Description
===========

A vulnerability was found in Dalli. Affected is the function
self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb
of the component Meta Protocol Handler. The manipulation leads to
injection.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Dalli users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/dalli-3.2.3"

References
==========

[ 1 ] CVE-2022-4064
https://nvd.nist.gov/vuln/detail/CVE-2022-4064

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-02 ] ImageMagick: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: ImageMagick: Multiple Vulnerabilities
Date: May 04, 2024
Bugs: #835931, #843833, #852947, #871954, #893526, #904357, #908082, #917594
ID: 202405-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in ImageMagick, the worst
of which can lead to remote code execution.

Background
==========

ImageMagick is a software suite to create, edit, and compose bitmap
images, that can also read, write, and convert images in many other
formats.

Affected packages
=================

Package Vulnerable Unaffected
--------------------- ------------ ------------
media-gfx/imagemagick < 6.9.12.88 >= 6.9.13.0

Description
===========

Multiple vulnerabilities have been discovered in ImageMagick. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ImageMagick 6.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.9.13.0" =media-gfx/imagemagick-6*"

All ImageMagick 7.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-7.1.1.22"

References
==========

[ 1 ] CVE-2021-4219
https://nvd.nist.gov/vuln/detail/CVE-2021-4219
[ 2 ] CVE-2021-20224
https://nvd.nist.gov/vuln/detail/CVE-2021-20224
[ 3 ] CVE-2022-0284
https://nvd.nist.gov/vuln/detail/CVE-2022-0284
[ 4 ] CVE-2022-1115
https://nvd.nist.gov/vuln/detail/CVE-2022-1115
[ 5 ] CVE-2022-2719
https://nvd.nist.gov/vuln/detail/CVE-2022-2719
[ 6 ] CVE-2022-3213
https://nvd.nist.gov/vuln/detail/CVE-2022-3213
[ 7 ] CVE-2022-28463
https://nvd.nist.gov/vuln/detail/CVE-2022-28463
[ 8 ] CVE-2022-32545
https://nvd.nist.gov/vuln/detail/CVE-2022-32545
[ 9 ] CVE-2022-32546
https://nvd.nist.gov/vuln/detail/CVE-2022-32546
[ 10 ] CVE-2022-32547
https://nvd.nist.gov/vuln/detail/CVE-2022-32547
[ 11 ] CVE-2022-44267
https://nvd.nist.gov/vuln/detail/CVE-2022-44267
[ 12 ] CVE-2022-44268
https://nvd.nist.gov/vuln/detail/CVE-2022-44268
[ 13 ] CVE-2023-1906
https://nvd.nist.gov/vuln/detail/CVE-2023-1906
[ 14 ] CVE-2023-2157
https://nvd.nist.gov/vuln/detail/CVE-2023-2157
[ 15 ] CVE-2023-5341
https://nvd.nist.gov/vuln/detail/CVE-2023-5341
[ 16 ] CVE-2023-34151
https://nvd.nist.gov/vuln/detail/CVE-2023-34151
[ 17 ] CVE-2023-34153
https://nvd.nist.gov/vuln/detail/CVE-2023-34153

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5