Gentoo 2508 Published by

The following updates has been released for Gentoo Linux:

GLSA 201804-03 : Poppler: Multiple vulnerabilities:
GLSA 201804-04 : cURL: Multiple vulnerabilities
GLSA 201804-05 : ISC DHCP: Multiple vulnerabilities
GLSA 201804-06 : mailx: Multiple vulnerabilities
GLSA 201804-07 : libvirt: Multiple vulnerabilities
GLSA 201804-08 : QEMU: Multiple vulnerabilities
GLSA 201804-09 : SPICE VDAgent: Arbitrary command injection



GLSA 201804-03 : Poppler: Multiple vulnerabilities:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Poppler: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #644388, #645868
ID: 201804-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Poppler, the worst of which
could allow a Denial of Service.

Background
==========

Poppler is a PDF rendering library based on the xpdf-3.0 code base.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/poppler < 0.61.1 >= 0.61.1

Description
===========

Multiple vulnerabilities have been discovered in Poppler. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker, by enticing a user to open a specially crafted PDF,
could cause a Denial of Service condition or have other unspecified
impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Poppler users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.61.1"

References
==========

[ 1 ] CVE-2017-1000456
https://nvd.nist.gov/vuln/detail/CVE-2017-1000456
[ 2 ] CVE-2017-14975
https://nvd.nist.gov/vuln/detail/CVE-2017-14975
[ 3 ] CVE-2017-14976
https://nvd.nist.gov/vuln/detail/CVE-2017-14976
[ 4 ] CVE-2017-14977
https://nvd.nist.gov/vuln/detail/CVE-2017-14977

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-04 : cURL: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: cURL: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #645698, #650056
ID: 201804-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in cURL, the worst of which
could result in a Denial of Service condition.

Background
==========

A command line tool and library for transferring data with URLs.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/curl < 7.59.0 >= 7.59.0

Description
===========

Multiple vulnerabilities have been discovered in cURL. Please review
the CVE identifiers referenced below for details.

Impact
======

Remote attackers could cause a Denial of Service condition, obtain
sensitive information, or have other unspecified impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cURL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.59.0"

References
==========

[ 1 ] CVE-2018-1000005
https://nvd.nist.gov/vuln/detail/CVE-2018-1000005
[ 2 ] CVE-2018-1000007
https://nvd.nist.gov/vuln/detail/CVE-2018-1000007
[ 3 ] CVE-2018-1000120
https://nvd.nist.gov/vuln/detail/CVE-2018-1000120
[ 4 ] CVE-2018-1000121
https://nvd.nist.gov/vuln/detail/CVE-2018-1000121
[ 5 ] CVE-2018-1000122
https://nvd.nist.gov/vuln/detail/CVE-2018-1000122

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-05 : ISC DHCP: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: ISC DHCP: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #644708, #649010
ID: 201804-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in ISC DHCP, the worst of
which could allow for the remote execution of arbitrary code.

Background
==========

ISC DHCP is a Dynamic Host Configuration Protocol (DHCP) client/server.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/dhcp < 4.3.6_p1 >= 4.3.6_p1

Description
===========

Multiple vulnerabilities have been discovered in ISC DHCP. Please
review the CVE identifiers referenced below for details.

Impact
======

Remote attackers could execute arbitrary code, cause a Denial of
Service condition, or have other unspecified impacts.

Workaround
==========

There are no known workarounds at this time for CVE-2018-5732 or
CVE-2018-5733.

In accordance with upstream documentation, the recommended workaround
for CVE-2017-3144 is, "to disallow access to the OMAPI control port
from unauthorized clients (in accordance with best practices for server
operation)."

Resolution
==========

All DHCP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/dhcp-4.3.6_p1"

References
==========

[ 1 ] CVE-2017-3144
https://nvd.nist.gov/vuln/detail/CVE-2017-3144
[ 2 ] CVE-2018-5732
https://nvd.nist.gov/vuln/detail/CVE-2018-5732
[ 3 ] CVE-2018-5733
https://nvd.nist.gov/vuln/detail/CVE-2018-5733

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-06 : mailx: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: mailx: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #533208
ID: 201804-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were discovered in mailx, the worst of which
may allow a remote attacker to execute arbitrary commands.

Background
==========

A utility program for sending and receiving mail, also known as a Mail
User Agent program.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 mail-client/mailx < 8.1.2.20160123 >= 8.1.2.20160123

Description
===========

Multiple vulnerabilities have been discovered in mailx. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could execute arbitrary commands.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mailx users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=mail-client/mailx-8.1.2.20160123"

References
==========

[ 1 ] CVE-2004-2771
https://nvd.nist.gov/vuln/detail/CVE-2004-2771
[ 2 ] CVE-2014-7844
https://nvd.nist.gov/vuln/detail/CVE-2014-7844

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-07 : libvirt: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: libvirt: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #647338, #650018
ID: 201804-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in libvirt, the worst of
which may result in the execution of arbitrary commands.

Background
==========

libvirt is a C toolkit for manipulating virtual machines.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/libvirt < 4.1.0 >= 4.1.0

Description
===========

Multiple vulnerabilities have been discovered in libvirt. Please review
the CVE identifiers referenced below for details.

Impact
======

A local privileged attacker could execute arbitrary commands or cause a
Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libvirt users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/libvirt-4.1.0"

References
==========

[ 1 ] CVE-2018-5748
https://nvd.nist.gov/vuln/detail/CVE-2018-5748
[ 2 ] CVE-2018-6764
https://nvd.nist.gov/vuln/detail/CVE-2018-6764

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-08 : QEMU: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: QEMU: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #629348, #638506, #643432, #646814, #649616
ID: 201804-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in QEMU, the worst of which
may allow an attacker to execute arbitrary code.

Background
==========

QEMU is a generic and open source machine emulator and virtualizer.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/qemu < 2.11.1-r1 >= 2.11.1-r1

Description
===========

Multiple vulnerabilities have been discovered in QEMU. Please review
the CVE identifiers referenced below for details.

Impact
======

An attacker could execute arbitrary code, cause a Denial of Service
condition, or obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QEMU users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.11.1-r1"

References
==========

[ 1 ] CVE-2017-13672
https://nvd.nist.gov/vuln/detail/CVE-2017-13672
[ 2 ] CVE-2017-15124
https://nvd.nist.gov/vuln/detail/CVE-2017-15124
[ 3 ] CVE-2017-16845
https://nvd.nist.gov/vuln/detail/CVE-2017-16845
[ 4 ] CVE-2017-17381
https://nvd.nist.gov/vuln/detail/CVE-2017-17381
[ 5 ] CVE-2017-18030
https://nvd.nist.gov/vuln/detail/CVE-2017-18030
[ 6 ] CVE-2017-18043
https://nvd.nist.gov/vuln/detail/CVE-2017-18043
[ 7 ] CVE-2017-5715
https://nvd.nist.gov/vuln/detail/CVE-2017-5715
[ 8 ] CVE-2018-5683
https://nvd.nist.gov/vuln/detail/CVE-2018-5683
[ 9 ] CVE-2018-5748
https://nvd.nist.gov/vuln/detail/CVE-2018-5748
[ 10 ] CVE-2018-7550
https://nvd.nist.gov/vuln/detail/CVE-2018-7550

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-09 : SPICE VDAgent: Arbitrary command injection

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: SPICE VDAgent: Arbitrary command injection
Date: April 08, 2018
Bugs: #650020
ID: 201804-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in SPICE VDAgent could allow local attackers to execute
arbitrary commands.

Background
==========

Provides a complete open source solution for remote access to virtual
machines in a seamless way so you can play videos, record audio, share
USB devices and share folders without complications.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/spice-vdagent
< 0.17.0_p20180319 >= 0.17.0_p20180319

Description
===========

SPICE VDAgent does not properly escape save directory before passing to
shell.

Impact
======

A local attacker could execute arbitrary commands.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SPICE VDAgent users should upgrade to the latest version:

# emerge --sync
# emerge -a -1 -v ">=app-emulation/spice-vdagent-0.17.0_p20180319"

References
==========

[ 1 ] CVE-2017-15108
https://nvd.nist.gov/vuln/detail/CVE-2017-15108

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5