Gentoo 2514 Published by

The following updates has been released for Gentoo Linux:

GLSA 201903-17 : SDL2_Image: Multiple vulnerabilities
GLSA 201903-18 : GD: Multiple vulnerabilities
GLSA 201903-19 : NASM: Multiple vulnerabilities
GLSA 201903-20 : cabextract, libmspack: Multiple vulnerabilities
GLSA 201903-21 : Apache: Multiple vulnerabilities
GLSA 201903-22 : ZeroMQ: Code execution
GLSA 201903-23 : Chromium: Multiple vulnerabilities



GLSA 201903-17 : SDL2_Image: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: SDL2_Image: Multiple vulnerabilities
Date: March 28, 2019
Bugs: #655226, #674132
ID: 201903-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in the image loading library
for Simple DirectMedia Layer, the worst of which could result in the
remote execution of arbitrary code.

Background
==========

SDL_image is an image file library that loads images as SDL surfaces,
and supports various formats like BMP, GIF, JPEG, LBM, PCX, PNG, PNM,
TGA, TIFF, XCF, XPM, and XV.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/sdl2-image < 2.0.4 >= 2.0.4

Description
===========

Multiple vulnerabilities have been discovered in SDL2_Image. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker, by enticing a user to process a specially crafted
image file, could execute arbitrary code, cause a Denial of Service
condition, or obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SDL2_Image users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/sdl2-image-2.0.4"

References
==========

[ 1 ] CVE-2017-12122
https://nvd.nist.gov/vuln/detail/CVE-2017-12122
[ 2 ] CVE-2017-14440
https://nvd.nist.gov/vuln/detail/CVE-2017-14440
[ 3 ] CVE-2017-14441
https://nvd.nist.gov/vuln/detail/CVE-2017-14441
[ 4 ] CVE-2017-14442
https://nvd.nist.gov/vuln/detail/CVE-2017-14442
[ 5 ] CVE-2017-14448
https://nvd.nist.gov/vuln/detail/CVE-2017-14448
[ 6 ] CVE-2017-14449
https://nvd.nist.gov/vuln/detail/CVE-2017-14449
[ 7 ] CVE-2017-14450
https://nvd.nist.gov/vuln/detail/CVE-2017-14450
[ 8 ] CVE-2018-3837
https://nvd.nist.gov/vuln/detail/CVE-2018-3837
[ 9 ] CVE-2018-3838
https://nvd.nist.gov/vuln/detail/CVE-2018-3838
[ 10 ] CVE-2018-3839
https://nvd.nist.gov/vuln/detail/CVE-2018-3839
[ 11 ] CVE-2018-3977
https://nvd.nist.gov/vuln/detail/CVE-2018-3977

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-17

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-18 : GD: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GD: Multiple vulnerabilities
Date: March 28, 2019
Bugs: #664732, #679702
ID: 201903-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in GD, the worst of which
could result in the remote execution of arbitrary code.

Background
==========

GD is a graphic library for fast image creation.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/gd < 2.2.5-r2 >= 2.2.5-r2

Description
===========

Multiple vulnerabilities have been discovered in GD. Please review the
CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to process a specially crafted
image, possibly resulting in execution of arbitrary code or a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GD users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/gd-2.2.5-r2"

References
==========

[ 1 ] CVE-2018-1000222
https://nvd.nist.gov/vuln/detail/CVE-2018-1000222
[ 2 ] CVE-2018-5711
https://nvd.nist.gov/vuln/detail/CVE-2018-5711
[ 3 ] CVE-2019-6977
https://nvd.nist.gov/vuln/detail/CVE-2019-6977
[ 4 ] CVE-2019-6978
https://nvd.nist.gov/vuln/detail/CVE-2019-6978

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-18

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-19 : NASM: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: NASM: Multiple vulnerabilities
Date: March 28, 2019
Bugs: #635358, #659550, #670884
ID: 201903-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in NASM, the worst of which
could result in the remote execution of arbitrary code.

Background
==========

NASM is a 80x86 assembler that has been created for portability and
modularity. NASM supports Pentium, P6, SSE MMX, and 3DNow extensions.
It also supports a wide range of objects formats (ELF, a.out, COFF,
etc), and has its own disassembler.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/nasm < 2.14.02 >= 2.14.02

Description
===========

Multiple vulnerabilities have been discovered in NASM. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could cause a Denial of Service condition or execute
arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NASM users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/nasm-2.14.02"

References
==========

[ 1 ] CVE-2017-10686
https://nvd.nist.gov/vuln/detail/CVE-2017-10686
[ 2 ] CVE-2017-11111
https://nvd.nist.gov/vuln/detail/CVE-2017-11111
[ 3 ] CVE-2017-14228
https://nvd.nist.gov/vuln/detail/CVE-2017-14228

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-20 : cabextract, libmspack: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: cabextract, libmspack: Multiple vulnerabilities
Date: March 28, 2019
Bugs: #662874, #669280
ID: 201903-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in cabextract and libmspack,
the worst of which could result in a Denial of Service.

Background
==========

cabextract is free software for extracting Microsoft cabinet files.

libmspack is a portable library for some loosely related Microsoft
compression formats

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-arch/cabextract < 1.8 >= 1.8
2 dev-libs/libmspack < 0.8_alpha >= 0.8_alpha
-------------------------------------------------------------------
2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in cabextract and
libmspack. Please review the CVE identifiers referenced below for
details.

Impact
======

Please review the referenced CVE's for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cabextract users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/cabextract-1.8"

All libmspack users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libmspack-0.8_alpha"

References
==========

[ 1 ] CVE-2018-14679
https://nvd.nist.gov/vuln/detail/CVE-2018-14679
[ 2 ] CVE-2018-14680
https://nvd.nist.gov/vuln/detail/CVE-2018-14680
[ 3 ] CVE-2018-14681
https://nvd.nist.gov/vuln/detail/CVE-2018-14681
[ 4 ] CVE-2018-14682
https://nvd.nist.gov/vuln/detail/CVE-2018-14682
[ 5 ] CVE-2018-18584
https://nvd.nist.gov/vuln/detail/CVE-2018-18584
[ 6 ] CVE-2018-18585
https://nvd.nist.gov/vuln/detail/CVE-2018-18585
[ 7 ] CVE-2018-18586
https://nvd.nist.gov/vuln/detail/CVE-2018-18586

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-20

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-21 : Apache: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Apache: Multiple vulnerabilities
Date: March 28, 2019
Bugs: #676064
ID: 201903-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Apache Web Server, the
worst of which could result in a Denial of Service condition.

Background
==========

The Apache HTTP server is one of the most popular web servers on the
Internet.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/apache < 2.4.38-r1 >= 2.4.38-r1

Description
===========

Multiple vulnerabilities have been discovered in Apache. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker can possibly cause a Denial of Service condition or
could bypass mod_session_cookie expiration time.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.38-r1"

References
==========

[ 1 ] CVE-2018-17189
https://nvd.nist.gov/vuln/detail/CVE-2018-17189
[ 2 ] CVE-2018-17190
https://nvd.nist.gov/vuln/detail/CVE-2018-17190
[ 3 ] CVE-2018-17199
https://nvd.nist.gov/vuln/detail/CVE-2018-17199
[ 4 ] CVE-2019-0190
https://nvd.nist.gov/vuln/detail/CVE-2019-0190

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-21

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-22 : ZeroMQ: Code execution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: ZeroMQ: Code execution
Date: March 28, 2019
Bugs: #675376
ID: 201903-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An overflow was discovered in ZeroMQ which could lead to arbitrary code
execution.

Background
==========

Looks like an embeddable networking library but acts like a concurrency
framework

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/zeromq < 4.3.1 >= 4.3.1

Description
===========

Please reference the CVE for details.

Impact
======

Please reference the CVE for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ZeroMQ users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/zeromq-4.3.1"

References
==========

[ 1 ] CVE-2019-6250
https://nvd.nist.gov/vuln/detail/CVE-2019-6250

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201903-23 : Chromium: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Chromium: Multiple vulnerabilities
Date: March 28, 2019
Bugs: #671550, #677066, #679530, #680242
ID: 201903-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Chromium, the worst of
which could result in the remote execution of code.

Background
==========

Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 73.0.3683.75 >= 73.0.3683.75

Description
===========

Multiple vulnerabilities have been discovered in Chromium and Google
Chrome. Please review the referenced CVE identifiers and Google Chrome
Releases for details.

Impact
======

Please review the referenced CVE identifiers and Google Chrome Releases
for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Chromium users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-73.0.3683.75"

References
==========

[ 1 ] CVE-2018-17479
https://nvd.nist.gov/vuln/detail/CVE-2018-17479
[ 2 ] CVE-2019-5786
https://nvd.nist.gov/vuln/detail/CVE-2019-5786
[ 3 ] CVE-2019-5786
https://nvd.nist.gov/vuln/detail/CVE-2019-5786
[ 4 ] CVE-2019-5787
https://nvd.nist.gov/vuln/detail/CVE-2019-5787
[ 5 ] CVE-2019-5788
https://nvd.nist.gov/vuln/detail/CVE-2019-5788
[ 6 ] CVE-2019-5789
https://nvd.nist.gov/vuln/detail/CVE-2019-5789
[ 7 ] CVE-2019-5790
https://nvd.nist.gov/vuln/detail/CVE-2019-5790
[ 8 ] CVE-2019-5791
https://nvd.nist.gov/vuln/detail/CVE-2019-5791
[ 9 ] CVE-2019-5792
https://nvd.nist.gov/vuln/detail/CVE-2019-5792
[ 10 ] CVE-2019-5793
https://nvd.nist.gov/vuln/detail/CVE-2019-5793
[ 11 ] CVE-2019-5794
https://nvd.nist.gov/vuln/detail/CVE-2019-5794
[ 12 ] CVE-2019-5795
https://nvd.nist.gov/vuln/detail/CVE-2019-5795
[ 13 ] CVE-2019-5796
https://nvd.nist.gov/vuln/detail/CVE-2019-5796
[ 14 ] CVE-2019-5797
https://nvd.nist.gov/vuln/detail/CVE-2019-5797
[ 15 ] CVE-2019-5798
https://nvd.nist.gov/vuln/detail/CVE-2019-5798
[ 16 ] CVE-2019-5799
https://nvd.nist.gov/vuln/detail/CVE-2019-5799
[ 17 ] CVE-2019-5800
https://nvd.nist.gov/vuln/detail/CVE-2019-5800
[ 18 ] CVE-2019-5801
https://nvd.nist.gov/vuln/detail/CVE-2019-5801
[ 19 ] CVE-2019-5802
https://nvd.nist.gov/vuln/detail/CVE-2019-5802
[ 20 ] CVE-2019-5803
https://nvd.nist.gov/vuln/detail/CVE-2019-5803
[ 21 ] CVE-2019-5804
https://nvd.nist.gov/vuln/detail/CVE-2019-5804

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-23

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5