Gentoo 2514 Published by

The following security updates are available for Gentoo Linux:

[ GLSA 202405-33 ] PoDoFo: Multiple Vulnerabilities
[ GLSA 202405-32 ] Mozilla Thunderbird: Multiple Vulnerabilities
[ GLSA 202405-31 ] Kubelet: Privilege Escalation
[ GLSA 202405-30 ] Rebar3: Command Injection




[ GLSA 202405-33 ] PoDoFo: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: PoDoFo: Multiple Vulnerabilities
Date: May 12, 2024
Bugs: #906105
ID: 202405-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in PoDoFo, the worst of
which could lead to code execution.

Background
==========

PoDoFo is a free portable C++ library to work with the PDF file format.

Affected packages
=================

Package Vulnerable Unaffected
--------------- ------------ ------------
app-text/podofo < 0.10.1 >= 0.10.1

Description
===========

Please review the referenced CVE identifiers for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PoDoFo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/podofo-0.10.1"

References
==========

[ 1 ] CVE-2023-31566
https://nvd.nist.gov/vuln/detail/CVE-2023-31566
[ 2 ] CVE-2023-31567
https://nvd.nist.gov/vuln/detail/CVE-2023-31567

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-33

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-32 ] Mozilla Thunderbird: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Mozilla Thunderbird: Multiple Vulnerabilities
Date: May 12, 2024
Bugs: #925123, #926533, #930381
ID: 202405-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird,
the worst of which could lead to remote code execution.

Background
==========

Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.

Affected packages
=================

Package Vulnerable Unaffected
--------------------------- ------------ ------------
mail-client/thunderbird < 115.10.0 >= 115.10.0
mail-client/thunderbird-bin < 115.10.0 >= 115.10.0

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Thunderbird users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.10.0"

All Mozilla Thunderbird users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.10.0"

References
==========

[ 1 ] CVE-2024-1546
https://nvd.nist.gov/vuln/detail/CVE-2024-1546
[ 2 ] CVE-2024-1547
https://nvd.nist.gov/vuln/detail/CVE-2024-1547
[ 3 ] CVE-2024-1548
https://nvd.nist.gov/vuln/detail/CVE-2024-1548
[ 4 ] CVE-2024-1549
https://nvd.nist.gov/vuln/detail/CVE-2024-1549
[ 5 ] CVE-2024-1550
https://nvd.nist.gov/vuln/detail/CVE-2024-1550
[ 6 ] CVE-2024-1551
https://nvd.nist.gov/vuln/detail/CVE-2024-1551
[ 7 ] CVE-2024-1552
https://nvd.nist.gov/vuln/detail/CVE-2024-1552
[ 8 ] CVE-2024-1553
https://nvd.nist.gov/vuln/detail/CVE-2024-1553
[ 9 ] CVE-2024-1936
https://nvd.nist.gov/vuln/detail/CVE-2024-1936
[ 10 ] CVE-2024-2609
https://nvd.nist.gov/vuln/detail/CVE-2024-2609
[ 11 ] CVE-2024-3302
https://nvd.nist.gov/vuln/detail/CVE-2024-3302
[ 12 ] CVE-2024-3854
https://nvd.nist.gov/vuln/detail/CVE-2024-3854
[ 13 ] CVE-2024-3857
https://nvd.nist.gov/vuln/detail/CVE-2024-3857
[ 14 ] CVE-2024-3859
https://nvd.nist.gov/vuln/detail/CVE-2024-3859
[ 15 ] CVE-2024-3861
https://nvd.nist.gov/vuln/detail/CVE-2024-3861
[ 16 ] CVE-2024-3864
https://nvd.nist.gov/vuln/detail/CVE-2024-3864

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-32

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-31 ] Kubelet: Privilege Escalation


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Kubelet: Privilege Escalation
Date: May 12, 2024
Bugs: #918665
ID: 202405-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Kubelet, which can lead to
privilege escalation.

Background
==========

Kubelet is a Kubernetes Node Agent.

Affected packages
=================

Package Vulnerable Unaffected
------------------- ------------ ------------
sys-cluster/kubelet < 1.28.5 >= 1.28.5

Description
===========

A vulnerability has been discovered in Kubelet. Please review the CVE
identifier referenced below for details.

Impact
======

A security issue was discovered in Kubernetes where a user that can
create pods and persistent volumes on Windows nodes may be able to
escalate to admin privileges on those nodes. Kubernetes clusters are
only affected if they are using an in-tree storage plugin for Windows
nodes.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Kubelet users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-cluster/kubelet-1.28.5"

References
==========

[ 1 ] CVE-2023-5528
https://nvd.nist.gov/vuln/detail/CVE-2023-5528

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-31

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-30 ] Rebar3: Command Injection


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Rebar3: Command Injection
Date: May 12, 2024
Bugs: #749363
ID: 202405-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Rebar3, which can lead to command
injection.

Background
==========

A sophisticated build-tool for Erlang projects that follows OTP
principles.

Affected packages
=================

Package Vulnerable Unaffected
------------------ ------------ ------------
dev-util/rebar-bin < 3.14.4 >= 3.14.4

Description
===========

Rebar3 is vulnerable to OS command injection via the URL parameter of a
dependency specification.

Impact
======

A vulnerability has been discovered in Rebar3. Please review the CVE
identifier referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

Gentoo has discontinued support for Rebar3 binary package. We recommend
that users unmerge it:

# emerge --ask --depclean "dev-util/rebar-bin"

References
==========

[ 1 ] CVE-2020-13802
https://nvd.nist.gov/vuln/detail/CVE-2020-13802

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-30

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5