
The following updates have been released for Gentoo Linux:

GLSA 201711-06 : GNU Wget: Multiple vulnerabilities
GLSA 201711-07 : ImageMagick: Multiple vulnerabilities
GLSA 201711-08 : LibXfont, LibXfont2: Multiple vulnerabilities
GLSA 201711-09 : LXC: Remote security bypass
GLSA 201711-10 : Cacti: Multiple vulnerabilities
GLSA 201711-06 : GNU Wget: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201711-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GNU Wget: Multiple vulnerabilities
Date: November 11, 2017
Bugs: #635496
ID: 201711-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
Multiple vulnerabilities have been found in Wget, the worst of which
could allow remote attackers to execute arbitrary code.

Background
=========
GNU Wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols.

Affected packages
================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/wget                < 1.19.1-r2            >= 1.19.1-r2

Description
==========
Multiple vulnerabilities have been discovered in Wget. Please review
the referenced CVE identifiers for details.

Impact
=====
A remote attacker, by enticing a user to connect to a malicious server,
could remotely execute arbitrary code or cause a Denial of Service
condition.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All Wget users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/wget-1.19.1-r2"

References
=========
[ 1 ] CVE-2017-13089
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13089
[ 2 ] CVE-2017-13090
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13090

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201711-06

GLSA 201711-07 : ImageMagick: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201711-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: ImageMagick: Multiple vulnerabilities
Date: November 11, 2017
Bugs: #626454, #626906, #627036, #628192, #628490, #628646,
#628650, #628700, #628702, #629354, #629482, #629576,
#629932, #630256, #630458, #630674, #635200, #635664, #635666
ID: 201711-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
Multiple vulnerabilities have been found in ImageMagick, the worst of
which may allow remote attackers to cause a Denial of Service
condition.

Background
=========
A collection of tools and libraries for many image formats.

Affected packages
================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-gfx/imagemagick         < 6.9.9.20              >= 6.9.9.20

Description
==========
Multiple vulnerabilities have been discovered in ImageMagick. Please
review the referenced CVE identifiers for details.

Impact
=====
Remote attackers, by enticing a user to process a specially crafted
file, could obtain sensitive information, cause a Denial of Service
condition, or have other unspecified impacts.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All ImageMagick users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.9.9.20"

References
=========
[ 1 ] CVE-2017-11640
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11640
[ 2 ] CVE-2017-11724
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11724
[ 3 ] CVE-2017-12140
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12140
[ 4 ] CVE-2017-12418
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12418
[ 5 ] CVE-2017-12427
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12427
[ 6 ] CVE-2017-12691
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12691
[ 7 ] CVE-2017-12692
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12692
[ 8 ] CVE-2017-12693
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12693
[ 9 ] CVE-2017-12876
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12876
[ 10 ] CVE-2017-12877
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12877

GLSA 201711-08 : LibXfont, LibXfont2: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201711-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: LibXfont, LibXfont2: Multiple vulnerabilities
Date: November 11, 2017
Bugs: #634044
ID: 201711-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
Multiple vulnerabilities have been found in LibXfont and LibXfont2, the
worst of which could allow attackers to cause a Denial of Service
condition.

Background
=========
X.Org Xfont library

Affected packages
================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  x11-libs/libXfont2            < 2.0.2                 >= 2.0.2
  2  x11-libs/libXfont             < 1.5.3                 >= 1.5.3
    -------------------------------------------------------------------
     2 affected packages

Description
==========
Multiple vulnerabilities have been discovered in LibXfont and
LibXfont2. Please review the referenced CVE identifiers for details.

Impact
=====
Local attackers could obtain sensitive information or possibly cause a
Denial of Service condition.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All LibXfont2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXfont2-2.0.2"

All LibXfont users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.5.3"

References
=========
[ 1 ] CVE-2017-13720
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13720
[ 2 ] CVE-2017-13722
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13722

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201711-08

GLSA 201711-09 : LXC: Remote security bypass
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201711-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: LXC: Remote security bypass
Date: November 11, 2017
Bugs: #636386
ID: 201711-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
A vulnerability in LXC may lead to an unauthorized security bypass.

Background
=========
LinuX Containers userspace utilities

Affected packages
================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/lxc             < 2.0.7                 >= 2.0.7

Description
==========
Previous versions of lxc-attach ran a shell or the specified command
without allocating a pseudo terminal, making it vulnerable to input
faking via a TIOCSTI ioctl call.

Impact
=====
Remote attackers can escape the container and perform unauthorized
modifications.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All LXC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/lxc-2.0.7"

References
=========
[ 1 ] CVE-2016-10124
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10124

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201711-09

GLSA 201711-10 : Cacti: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201711-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Cacti: Multiple vulnerabilities
Date: November 11, 2017
Bugs: #607732, #626828
ID: 201711-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
Multiple vulnerabilities have been found in Cacti, the worst of which
could lead to the remote execution of arbitrary code.

Background
=========
Cacti is a complete frontend to rrdtool.

Affected packages
================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/cacti     < 1.1.20:1.1.20       >= 1.1.20:1.1.20

Description
==========
Multiple vulnerabilities have been discovered in Cacti. Please review
the CVE identifiers referenced below for details.

Impact
=====
Remote attackers could execute arbitrary code or bypass intended access
restrictions.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All Cacti users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=net-analyzer/cacti-1.1.20:1.1.20"

References
=========
[ 1 ] CVE-2014-4000
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4000
[ 2 ] CVE-2016-2313
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2313
[ 3 ] CVE-2017-12065
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12065

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201711-10
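A quick way to turn the "Affected packages" tables of the five advisories above into an "am I affected?" check. This is an added example, not code from Gentoo or from the advisories: the affected entries are copied from the GLSAs on this page, the installed-package listing is a constructed sample in the one-atom-per-line format printed by `qlist -Iv`, and the version comparison is a deliberately simplified version of Gentoo's ordering (numeric components plus `-rN` revision, `:slot` ignored).

```python
"""Check an installed-package list against the GLSA 'Affected packages'
entries above. Added example, not Gentoo code; affected entries copied from
the advisories, installed list is a constructed `qlist -Iv` style sample."""
import re

# (GLSA id, package, first unaffected version), copied from the advisories.
GLSA_AFFECTED = [
    ("201711-06", "net-misc/wget", "1.19.1-r2"),
    ("201711-07", "media-gfx/imagemagick", "6.9.9.20"),
    ("201711-08", "x11-libs/libXfont2", "2.0.2"),
    ("201711-08", "x11-libs/libXfont", "1.5.3"),
    ("201711-09", "app-emulation/lxc", "2.0.7"),
    ("201711-10", "net-analyzer/cacti", "1.1.20:1.1.20"),
]

# Constructed sample of `qlist -Iv` output: category/package-version[-rN].
SAMPLE_INSTALLED = """\
net-misc/wget-1.19.1-r1
media-gfx/imagemagick-6.9.9.20
x11-libs/libXfont2-2.0.1
app-emulation/lxc-2.0.7
net-analyzer/cacti-1.1.19
sys-apps/portage-2.3.13
"""

# Non-greedy name stops at the first '-<digit>' boundary, so hyphenated
# package names such as net-misc/wget are split correctly from the version.
INSTALLED_RE = re.compile(r"^(?P<name>\S+?)-(?P<ver>\d+(?:\.\d+)*(?:-r\d+)?)$")

def version_key(ver):
    """Simplified Gentoo ordering: dotted numeric components, then -rN revision.
    ':slot' is dropped; letter and _alpha/_rc suffixes (absent here) are not handled."""
    ver = ver.split(":", 1)[0]
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)

def vulnerable_packages(installed_text, affected=GLSA_AFFECTED):
    """Return (glsa, package, installed_version, fixed_version) for every
    installed package whose version is below the advisory's unaffected version."""
    matches = (INSTALLED_RE.match(atom) for atom in installed_text.split())
    installed = dict(m.groups() for m in matches if m)  # name -> version
    return [(glsa, pkg, installed[pkg], fixed)
            for glsa, pkg, fixed in affected
            if pkg in installed and version_key(installed[pkg]) < version_key(fixed)]

if __name__ == "__main__":
    for glsa, pkg, have, fixed in vulnerable_packages(SAMPLE_INSTALLED):
        print(f"GLSA {glsa}: {pkg}-{have} installed, upgrade to >={pkg}-{fixed}")
```

On a real system, feed the script the output of `qlist -Iv` (from app-portage/portage-utils) instead of the constructed sample; packages equal to or above the unaffected version, and packages not installed at all, are reported as not affected.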