
The following security updates are available for Gentoo Linux:

[ GLSA 202408-13 ] Nokogiri: Denial of Service
[ GLSA 202408-05 ] Redis: Multiple Vulnerabilities
[ GLSA 202408-12 ] Bitcoin: Denial of Service
[ GLSA 202408-11 ] aiohttp: Multiple Vulnerabilities
[ GLSA 202408-10 ] nghttp2: Multiple Vulnerabilities
[ GLSA 202408-09 ] Cairo: Multiple Vulnerabilities
[ GLSA 202408-08 ] json-c: Buffer Overflow
[ GLSA 202408-07 ] Go: Multiple Vulnerabilities
[ GLSA 202408-06 ] PostgreSQL: Multiple Vulnerabilities
[ GLSA 202408-04 ] Levenshtein: Remote Code Execution




[ GLSA 202408-13 ] Nokogiri: Denial of Service


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Nokogiri: Denial of Service
Date: August 07, 2024
Bugs: #884863
ID: 202408-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Nokogiri, which can lead to a
denial of service.

Background
==========

Nokogiri is an HTML, XML, SAX, and Reader parser.

Affected packages
=================

Package            Vulnerable    Unaffected
-----------------  ------------  ------------
dev-ruby/nokogiri  < 1.13.10     >= 1.13.10

Description
===========

A denial of service vulnerability has been discovered in Nokogiri.
Please review the CVE identifier referenced below for details.

Impact
======

Nokogiri fails to check the return value from `xmlTextReaderExpand` in
the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a
null pointer exception when invalid markup is being parsed. For
applications using `XML::Reader` to parse untrusted inputs, this may be
a vector for a denial of service attack.

Workaround
==========

Users may be able to search their code for calls to either
`XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if
they are affected.
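The search suggested above can be scripted. The following shell script is an added example, not part of the GLSA or of Nokogiri; it assumes GNU grep (for `-r` and `--include`) and a tree of `.rb` sources under the directory passed as its argument.

```shell
#!/bin/sh
# Added example (not part of the GLSA): automate the Workaround's suggestion
# to search an application's Ruby sources for the two Nokogiri::XML::Reader
# methods that reach the unchecked xmlTextReaderExpand() call.
# Assumptions: grep with -r/-E/--include (GNU grep); sources live under DIR.

# Method-call pattern for the two methods named in the advisory. The trailing
# group stops "attributes_count" from matching. Remember that #attributes is
# a common Ruby method name (ActiveRecord, Hash-like objects), so each hit
# must be confirmed to be called on a Reader before the code counts as
# affected.
AFFECTED_RE='\.(attributes|attribute_hash)([^[:alnum:]_]|$)'

# Print "file:line:source" for every candidate call site under $1, skipping
# lines that are only a Ruby comment. Prints nothing for a clean tree.
nokogiri_reader_callsites() {
  grep -rnE --include='*.rb' "$AFFECTED_RE" "$1" 2>/dev/null \
    | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# Exit 0 when the tree constructs a Reader at all. Heuristic: Readers are
# normally created via Nokogiri::XML::Reader(...), Nokogiri::XML.Reader(...)
# or Nokogiri::XML::Reader.from_memory/from_io, all of which match below.
uses_xml_reader() {
  grep -rqE --include='*.rb' 'XML(::|\.)Reader' "$1" 2>/dev/null
}

# Summarise one source tree: "not-affected" when no Reader is used at all,
# "review N" when N candidate call sites need manual confirmation, or
# "reader-without-calls" when a Reader exists but neither method is called.
assess_tree() {
  local n
  if ! uses_xml_reader "$1"; then
    echo not-affected
    return 0
  fi
  n=$(nokogiri_reader_callsites "$1" | wc -l | tr -d ' ')
  if [ "$n" -gt 0 ]; then echo "review $n"; else echo reader-without-calls; fi
}

# Usage: sh nokogiri-reader-audit.sh /path/to/app
if [ "$#" -gt 0 ]; then
  assess_tree "$1"
  nokogiri_reader_callsites "$1"
fi
```

Whatever the audit reports, the upgrade in the Resolution section remains the actual fix; the script only tells you how urgently the parsing code path needs attention.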

Resolution
==========

All Nokogiri users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.10"

References
==========

[ 1 ] CVE-2022-23476
https://nvd.nist.gov/vuln/detail/CVE-2022-23476

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-05 ] Redis: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Redis: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #891169, #898464, #902501, #904486, #910191, #913741, #915989, #921662
ID: 202408-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Redis, the worst of
which may lead to a denial of service or possible remote code execution.

Background
==========

Redis is an open source (BSD licensed), in-memory data structure store,
used as a database, cache and message broker.

Affected packages
=================

Package       Vulnerable    Unaffected
------------  ------------  ------------
dev-db/redis  < 7.2.4       >= 7.2.4

Description
===========

Multiple vulnerabilities have been discovered in Redis. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Redis users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/redis-7.2.4"

References
==========

[ 1 ] CVE-2022-24834
https://nvd.nist.gov/vuln/detail/CVE-2022-24834
[ 2 ] CVE-2022-35977
https://nvd.nist.gov/vuln/detail/CVE-2022-35977
[ 3 ] CVE-2022-36021
https://nvd.nist.gov/vuln/detail/CVE-2022-36021
[ 4 ] CVE-2023-22458
https://nvd.nist.gov/vuln/detail/CVE-2023-22458
[ 5 ] CVE-2023-25155
https://nvd.nist.gov/vuln/detail/CVE-2023-25155
[ 6 ] CVE-2023-28425
https://nvd.nist.gov/vuln/detail/CVE-2023-28425
[ 7 ] CVE-2023-28856
https://nvd.nist.gov/vuln/detail/CVE-2023-28856
[ 8 ] CVE-2023-36824
https://nvd.nist.gov/vuln/detail/CVE-2023-36824
[ 9 ] CVE-2023-41053
https://nvd.nist.gov/vuln/detail/CVE-2023-41053
[ 10 ] CVE-2023-41056
https://nvd.nist.gov/vuln/detail/CVE-2023-41056
[ 11 ] CVE-2023-45145
https://nvd.nist.gov/vuln/detail/CVE-2023-45145

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-12 ] Bitcoin: Denial of Service


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Bitcoin: Denial of Service
Date: August 07, 2024
Bugs: #908084
ID: 202408-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Bitcoin, which can lead to a
denial of service.

Background
==========

Bitcoin Core consists of both "full-node" software for fully validating
the blockchain as well as a bitcoin wallet.

Affected packages
=================

Package           Vulnerable    Unaffected
----------------  ------------  ------------
net-p2p/bitcoind  < 25.0        >= 25.0

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

Bitcoin Core, when debug mode is not used, allows attackers to cause a
denial of service (CPU consumption) because draining the inventory-to-send
queue is inefficient, as exploited in the wild in May 2023.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Bitcoin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-p2p/bitcoind-25.0"

References
==========

[ 1 ] CVE-2023-33297
https://nvd.nist.gov/vuln/detail/CVE-2023-33297

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-11 ] aiohttp: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: aiohttp: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #918541, #918968, #931097
ID: 202408-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in aiohttp, the worst of
which could lead to service compromise.

Background
==========

aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python.

Affected packages
=================

Package             Vulnerable    Unaffected
------------------  ------------  ------------
dev-python/aiohttp  < 3.9.4       >= 3.9.4

Description
===========

Multiple vulnerabilities have been discovered in aiohttp. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All aiohttp users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/aiohttp-3.9.4"

References
==========

[ 1 ] CVE-2023-47641
https://nvd.nist.gov/vuln/detail/CVE-2023-47641
[ 2 ] CVE-2023-49082
https://nvd.nist.gov/vuln/detail/CVE-2023-49082
[ 3 ] CVE-2024-30251
https://nvd.nist.gov/vuln/detail/CVE-2024-30251

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-10 ] nghttp2: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: nghttp2: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #915554, #928541
ID: 202408-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in nghttp2, the worst of
which could lead to a denial of service.

Background
==========

Nghttp2 is an implementation of HTTP/2 and its header compression
algorithm HPACK in C.

Affected packages
=================

Package           Vulnerable    Unaffected
----------------  ------------  ------------
net-libs/nghttp2  < 1.61.0      >= 1.61.0

Description
===========

Multiple vulnerabilities have been discovered in nghttp2. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All nghttp2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/nghttp2-1.61.0"

References
==========

[ 1 ] CVE-2023-44487
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
[ 2 ] CVE-2024-28182
https://nvd.nist.gov/vuln/detail/CVE-2024-28182

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-09 ] Cairo: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Cairo: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #717778
ID: 202408-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Cairo, the worst of
which could lead to a denial of service.

Background
==========

Cairo is a 2D vector graphics library with cross-device output support.

Affected packages
=================

Package         Vulnerable    Unaffected
--------------  ------------  ------------
x11-libs/cairo  < 1.18.0      >= 1.18.0

Description
===========

Multiple vulnerabilities have been discovered in Cairo. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Cairo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.18.0"

References
==========

[ 1 ] CVE-2019-6461
https://nvd.nist.gov/vuln/detail/CVE-2019-6461
[ 2 ] CVE-2019-6462
https://nvd.nist.gov/vuln/detail/CVE-2019-6462

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-08 ] json-c: Buffer Overflow


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: json-c: Buffer Overflow
Date: August 07, 2024
Bugs: #918555
ID: 202408-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in json-c, which can lead to a stack
buffer overflow.

Background
==========

json-c is a JSON implementation in C.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
dev-libs/json-c  < 0.16        >= 0.16

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

A stack buffer overflow exists in the function parseit of the auxiliary
sample program json_parse.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All json-c users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/json-c-0.16"

References
==========

[ 1 ] CVE-2021-32292
https://nvd.nist.gov/vuln/detail/CVE-2021-32292

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-07 ] Go: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Go: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #906043, #919310, #926530, #928539, #931602
ID: 202408-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Go, the worst of which
could lead to information leakage or a denial of service.

Background
==========

Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

Affected packages
=================

Package      Vulnerable    Unaffected
-----------  ------------  ------------
dev-lang/go  < 1.22.3      >= 1.22.3

Description
===========

Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Go users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/go-1.22.3"

Because Go programs are typically statically compiled, Go users should
also rebuild the reverse dependencies of dev-lang/go so that statically
linked programs are remediated as well:

# emerge --ask --oneshot --verbose @golang-rebuild
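To see which installed binaries that rebuild is for, the following shell script (an added example, not part of the GLSA or of Gentoo's tooling) asks `go version FILE` for the toolchain embedded in each executable and flags those older than 1.22.3. It assumes a `go` toolchain on PATH and GNU coreutils `sort -V`; the directories to scan are passed as arguments.

```shell
#!/bin/sh
# Added example (not part of the GLSA or of Gentoo's tooling): list installed
# executables whose embedded Go toolchain predates the fixed dev-lang/go,
# i.e. the statically linked programs that @golang-rebuild exists to rebuild.
# Assumptions: `go` on PATH (for `go version FILE`), GNU coreutils `sort -V`.

FIXED_GO=1.22.3   # first unaffected dev-lang/go version per the advisory

# Pull the toolchain version ("1.22.2") out of a `go version FILE` line such
# as "/usr/bin/foo: go1.22.2". Prints nothing for lines without one.
parse_go_version() {
  printf '%s\n' "$1" | sed -nE 's/^.*: go([0-9]+\.[0-9]+(\.[0-9]+)?).*$/\1/p'
}

# Exit 0 when version $1 is strictly older than $2 (natural version order).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify one `go version` output line. Prints "REBUILD PATH VER" when the
# binary was built with a toolchain older than FIXED_GO, "ok PATH VER"
# otherwise, and nothing for input that is not a Go binary report.
classify_go_line() {
  local line path ver
  line=$1
  path=${line%%:*}
  ver=$(parse_go_version "$line")
  [ -n "$ver" ] || return 0
  if version_lt "$ver" "$FIXED_GO"; then
    printf 'REBUILD %s %s\n' "$path" "$ver"
  else
    printf 'ok %s %s\n' "$path" "$ver"
  fi
}

# Run `go version` on every regular executable in the given directories.
# Non-Go files make `go version` complain on stderr, which is discarded, so
# only genuine Go binaries are classified.
scan_go_binaries() {
  local dir f
  for dir in "$@"; do
    for f in "$dir"/*; do
      [ -f "$f" ] && [ -x "$f" ] || continue
      classify_go_line "$(go version "$f" 2>/dev/null)"
    done
  done
}

# Usage: sh go-rebuild-check.sh /usr/bin /usr/sbin /usr/local/bin
# Any REBUILD line is a binary that still needs rebuilding: by
# @golang-rebuild, or by hand if it was not installed through Portage.
if [ "$#" -gt 0 ]; then
  scan_go_binaries "$@" | sort
fi
```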

References
==========

[ 1 ] CVE-2023-24539
https://nvd.nist.gov/vuln/detail/CVE-2023-24539
[ 2 ] CVE-2023-24540
https://nvd.nist.gov/vuln/detail/CVE-2023-24540
[ 3 ] CVE-2023-29400
https://nvd.nist.gov/vuln/detail/CVE-2023-29400
[ 4 ] CVE-2023-39326
https://nvd.nist.gov/vuln/detail/CVE-2023-39326
[ 5 ] CVE-2023-45283
https://nvd.nist.gov/vuln/detail/CVE-2023-45283
[ 6 ] CVE-2023-45285
https://nvd.nist.gov/vuln/detail/CVE-2023-45285
[ 7 ] CVE-2023-45288
https://nvd.nist.gov/vuln/detail/CVE-2023-45288
[ 8 ] CVE-2023-45289
https://nvd.nist.gov/vuln/detail/CVE-2023-45289
[ 9 ] CVE-2023-45290
https://nvd.nist.gov/vuln/detail/CVE-2023-45290
[ 10 ] CVE-2024-24783
https://nvd.nist.gov/vuln/detail/CVE-2024-24783
[ 11 ] CVE-2024-24784
https://nvd.nist.gov/vuln/detail/CVE-2024-24784
[ 12 ] CVE-2024-24785
https://nvd.nist.gov/vuln/detail/CVE-2024-24785
[ 13 ] CVE-2024-24788
https://nvd.nist.gov/vuln/detail/CVE-2024-24788

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-06 ] PostgreSQL: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PostgreSQL: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #903193, #912251, #917153, #924110, #931849
ID: 202408-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in PostgreSQL, the worst
of which could lead to privilege escalation or denial of service.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

Package            Vulnerable       Unaffected
-----------------  ---------------  --------------
dev-db/postgresql  < 12.19:12       >= 12.19:12
                   < 13.14:13       >= 13.14:13
                   < 14.12-r1:14    >= 14.12-r1:14
                   < 15.7-r1:15     >= 15.7-r1:15
                   < 16.3-r1:16     >= 16.3-r1:16
                   < 12             >= 12.19

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.3-r1:16"

Or update an older slot if that is still in use.

References
==========

[ 1 ] CVE-2023-5868
https://nvd.nist.gov/vuln/detail/CVE-2023-5868
[ 2 ] CVE-2023-5869
https://nvd.nist.gov/vuln/detail/CVE-2023-5869
[ 3 ] CVE-2023-5870
https://nvd.nist.gov/vuln/detail/CVE-2023-5870
[ 4 ] CVE-2024-0985
https://nvd.nist.gov/vuln/detail/CVE-2024-0985
[ 5 ] CVE-2024-4317
https://nvd.nist.gov/vuln/detail/CVE-2024-4317

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-04 ] Levenshtein: Remote Code Execution


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Levenshtein: Remote Code Execution
Date: August 07, 2024
Bugs: #766009
ID: 202408-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Levenshtein, which could lead to
a remote code execution.

Background
==========

Levenshtein is a Python extension for computing string edit distances
and similarities.

Affected packages
=================

Package                 Vulnerable    Unaffected
----------------------  ------------  ------------
dev-python/Levenshtein  < 0.12.1      >= 0.12.1

Description
===========

Numerous possible wraparounds in calculating the size of memory
allocations were handled incorrectly; this could cause a denial of
service or possibly remote code execution.

Impact
======

Incorrect handling of wraparounds when calculating the size of memory
allocations could cause a denial of service or possibly remote code
execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Levenshtein users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/Levenshtein-0.12.1"

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5