[ GLSA 202408-33 ] protobuf-c: Multiple Vulnerabilities
[ GLSA 202408-32 ] PHP: Multiple Vulnerabilities
[ GLSA 202408-31 ] protobuf, protobuf-python: Denial of Service
[ GLSA 202408-30 ] dpkg: Directory Traversal
[ GLSA 202408-29 ] MuPDF: Multiple Vulnerabilities
[ GLSA 202408-33 ] protobuf-c: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: protobuf-c: Multiple Vulnerabilities
Date: August 12, 2024
Bugs: #856043, #904423
ID: 202408-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in protobuf-c, the worst
of which could result in denial of service.
Background
==========
protobuf-c is a protocol buffers implementation in C.
Affected packages
=================
Package Vulnerable Unaffected
------------------- ------------ ------------
dev-libs/protobuf-c < 1.4.1 >= 1.4.1
Description
===========
Multiple denial of service vulnerabilities have been discovered in
protobuf-c.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All protobuf-c users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/protobuf-c-1.4.1"
References
==========
[ 1 ] CVE-2022-33070
https://nvd.nist.gov/vuln/detail/CVE-2022-33070
[ 2 ] CVE-2022-48468
https://nvd.nist.gov/vuln/detail/CVE-2022-48468
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-33
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
[ GLSA 202408-32 ] PHP: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: PHP: Multiple Vulnerabilities
Date: August 12, 2024
Bugs: #889882, #895416, #908259, #912331, #929929, #933752
ID: 202408-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in PHP, the worst of which
can lead to a denial of service.
Background
==========
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Affected packages
=================
Package Vulnerable Unaffected
------------ ------------- -------------
dev-lang/php >= 8.1.29:8.1 >= 8.1.29:8.1
>= 8.2.20:8.2 >= 8.2.20:8.2
>= 8.3.8:8.3 >= 8.3.8:8.3
< 8.1 >= 8.1.29
Description
===========
Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PHP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-8.1.29:8.1"
# emerge --ask --oneshot --verbose ">=dev-lang/php-8.2.20:8.2"
# emerge --ask --oneshot --verbose ">=dev-lang/php-8.3.8:8.3"
Support for older version has been discontinued:
# emerge --ask --verbose --depclean "=dev-libs/protobuf-3.20.3"
# emerge --ask --oneshot --verbose ">=dev-python/protobuf-python-3.19.6"
References
==========
[ 1 ] CVE-2022-1941
https://nvd.nist.gov/vuln/detail/CVE-2022-1941
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-31
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
[ GLSA 202408-30 ] dpkg: Directory Traversal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: dpkg: Directory Traversal
Date: August 12, 2024
Bugs: #847976
ID: 202408-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been discovered in dpkg, which allows for directory
traversal.
Background
==========
Debian package management system.
Affected packages
=================
Package Vulnerable Unaffected
------------- ------------ ------------
app-arch/dpkg < 1.20.9-r1 >= 1.20.9-r1
Description
===========
Please review the CVE indentifier referenced below for details.
Impact
======
Dpkg::Source::Archive in dpkg, the Debian package management system, is
prone to a directory traversal vulnerability. When extracting untrusted
source packages in v2 and v3 source package formats that include a
debian.tar, the in-place extraction can lead to directory traversal
situations on specially crafted orig.tar and debian.tar tarballs.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All dpkg users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/dpkg-1.20.9-r1"
References
==========
[ 1 ] CVE-2022-1664
https://nvd.nist.gov/vuln/detail/CVE-2022-1664
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-30
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
[ GLSA 202408-29 ] MuPDF: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: MuPDF: Multiple Vulnerabilities
Date: August 12, 2024
Bugs: #803305
ID: 202408-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in MuPDF, the worst of
which could lead to arbitrary code execution.
Background
==========
A lightweight PDF, XPS, and E-book viewer.
Affected packages
=================
Package Vulnerable Unaffected
-------------- ------------ ------------
app-text/mupdf < 1.20.0 >= 1.20.0
Description
===========
Multiple vulnerabilities have been discovered in MuPDF. Please review
the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MuPDF users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/mupdf-1.20.0"
References
==========
[ 1 ] CVE-2021-4216
https://nvd.nist.gov/vuln/detail/CVE-2021-4216
[ 2 ] CVE-2021-37220
https://nvd.nist.gov/vuln/detail/CVE-2021-37220
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-29
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
