Gentoo 2504

The most recent Gentoo Linux security updates address several vulnerabilities in Xen, Exo, OpenVPN, Rust, file, PJSIP, calibre, GPL Ghostscript, PostgreSQL, Portage, Emacs, org-mode, liblouis, VLC, Slurm, stb, Mbed TLS, gst-plugins-good, pypy, pypy3, and Oracle VirtualBox. These updates address issues such as arbitrary code execution, a stack buffer overread in file, a heap buffer overflow in PJSIP, unverified PGP signatures in Portage, command execution, and others.

[ GLSA 202409-10 ] Xen: Multiple Vulnerabilities
[ GLSA 202409-09 ] Exo: Arbitrary Code Execution
[ GLSA 202409-08 ] OpenVPN: Multiple Vulnerabilities
[ GLSA 202409-07 ] Rust: Multiple Vulnerabilities
[ GLSA 202409-06 ] file: Stack Buffer Overread
[ GLSA 202409-05 ] PJSIP: Heap Buffer Overflow
[ GLSA 202409-04 ] calibre: Multiple Vulnerabilities
[ GLSA 202409-03 ] GPL Ghostscript: Multiple Vulnerabilities
[ GLSA 202409-02 ] PostgreSQL: Privilege Escalation
[ GLSA 202409-01 ] Portage: Unverified PGP Signatures
[ GLSA 202409-19 ] Emacs, org-mode: Command Execution Vulnerability
[ GLSA 202409-18 ] liblouis: Multiple Vulnerabilities
[ GLSA 202409-17 ] VLC: Multiple Vulnerabilities
[ GLSA 202409-16 ] Slurm: Multiple Vulnerabilities
[ GLSA 202409-15 ] stb: Multiple Vulnerabilities
[ GLSA 202409-14 ] Mbed TLS: Multiple Vulnerabilities
[ GLSA 202409-13 ] gst-plugins-good: Multiple Vulnerabilities
[ GLSA 202409-12 ] pypy, pypy3: Multiple Vulnerabilities
[ GLSA 202409-11 ] Oracle VirtualBox: Multiple Vulnerabilities




[ GLSA 202409-10 ] Xen: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Xen: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #918669, #921355, #923741, #928620, #929038
ID: 202409-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Xen, the worst of which
could lead to privilege escalation.

Background
==========

Xen is a bare-metal hypervisor.

Affected packages
=================

Package            Vulnerable    Unaffected
-----------------  ------------  ------------
app-emulation/xen  < 4.17.4      >= 4.17.4

Description
===========

Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xen users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.17.4"

References
==========

[ 1 ] CVE-2022-4949
https://nvd.nist.gov/vuln/detail/CVE-2022-4949
[ 2 ] CVE-2022-42336
https://nvd.nist.gov/vuln/detail/CVE-2022-42336
[ 3 ] CVE-2023-28746
https://nvd.nist.gov/vuln/detail/CVE-2023-28746
[ 4 ] CVE-2023-34319
https://nvd.nist.gov/vuln/detail/CVE-2023-34319
[ 5 ] CVE-2023-34320
https://nvd.nist.gov/vuln/detail/CVE-2023-34320
[ 6 ] CVE-2023-34321
https://nvd.nist.gov/vuln/detail/CVE-2023-34321
[ 7 ] CVE-2023-34322
https://nvd.nist.gov/vuln/detail/CVE-2023-34322
[ 8 ] CVE-2023-34323
https://nvd.nist.gov/vuln/detail/CVE-2023-34323
[ 9 ] CVE-2023-34324
https://nvd.nist.gov/vuln/detail/CVE-2023-34324
[ 10 ] CVE-2023-34325
https://nvd.nist.gov/vuln/detail/CVE-2023-34325
[ 11 ] CVE-2023-34327
https://nvd.nist.gov/vuln/detail/CVE-2023-34327
[ 12 ] CVE-2023-34328
https://nvd.nist.gov/vuln/detail/CVE-2023-34328
[ 13 ] CVE-2023-46835
https://nvd.nist.gov/vuln/detail/CVE-2023-46835
[ 14 ] CVE-2023-46836
https://nvd.nist.gov/vuln/detail/CVE-2023-46836
[ 15 ] CVE-2023-46837
https://nvd.nist.gov/vuln/detail/CVE-2023-46837
[ 16 ] CVE-2023-46839
https://nvd.nist.gov/vuln/detail/CVE-2023-46839
[ 17 ] CVE-2023-46840
https://nvd.nist.gov/vuln/detail/CVE-2023-46840
[ 18 ] CVE-2023-46841
https://nvd.nist.gov/vuln/detail/CVE-2023-46841
[ 19 ] CVE-2023-46842
https://nvd.nist.gov/vuln/detail/CVE-2023-46842
[ 20 ] CVE-2024-2193
https://nvd.nist.gov/vuln/detail/CVE-2024-2193
[ 21 ] CVE-2024-31142
https://nvd.nist.gov/vuln/detail/CVE-2024-31142
[ 22 ] XSA-431
https://xenbits.xen.org/xsa/advisory-431.html
[ 23 ] XSA-432
https://xenbits.xen.org/xsa/advisory-432.html
[ 24 ] XSA-436
https://xenbits.xen.org/xsa/advisory-436.html
[ 25 ] XSA-437
https://xenbits.xen.org/xsa/advisory-437.html
[ 26 ] XSA-438
https://xenbits.xen.org/xsa/advisory-438.html
[ 27 ] XSA-439
https://xenbits.xen.org/xsa/advisory-439.html
[ 28 ] XSA-440
https://xenbits.xen.org/xsa/advisory-440.html
[ 29 ] XSA-441
https://xenbits.xen.org/xsa/advisory-441.html
[ 30 ] XSA-442
https://xenbits.xen.org/xsa/advisory-442.html
[ 31 ] XSA-447
https://xenbits.xen.org/xsa/advisory-447.html
[ 32 ] XSA-449
https://xenbits.xen.org/xsa/advisory-449.html
[ 33 ] XSA-450
https://xenbits.xen.org/xsa/advisory-450.html
[ 34 ] XSA-451
https://xenbits.xen.org/xsa/advisory-451.html
[ 35 ] XSA-452
https://xenbits.xen.org/xsa/advisory-452.html
[ 36 ] XSA-453
https://xenbits.xen.org/xsa/advisory-453.html
[ 37 ] XSA-454
https://xenbits.xen.org/xsa/advisory-454.html
[ 38 ] XSA-455
https://xenbits.xen.org/xsa/advisory-455.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202409-09 ] Exo: Arbitrary Code Execution


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Exo: Arbitrary Code Execution
Date: September 22, 2024
Bugs: #851201
ID: 202409-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Exo, which can lead to arbitrary
code execution.

Background
==========

Exo is an Xfce library targeted at application development, originally
developed by os-cillation. It contains various custom widgets and APIs
extending the functionality of GLib and GTK. It also has some helper
applications that are used throughout the entire Xfce desktop to manage
preferred applications and edit .desktop files.

Affected packages
=================

Package        Vulnerable    Unaffected
-------------  ------------  ------------
xfce-base/exo  < 4.17.2      >= 4.17.2

Description
===========

A vulnerability has been discovered in Exo. Please review the CVE
identifiers referenced below for details.

Impact
======

Exo executes remote desktop files which may lead to unexpected arbitrary
code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Exo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=xfce-base/exo-4.17.2"

References
==========

[ 1 ] CVE-2022-32278
https://nvd.nist.gov/vuln/detail/CVE-2022-32278

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-09




[ GLSA 202409-08 ] OpenVPN: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenVPN: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #835514, #917272
ID: 202409-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in OpenVPN, the worst of
which could lead to information disclosure.

Background
==========

OpenVPN is a multi-platform, full-featured SSL VPN solution.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
net-vpn/openvpn  < 2.6.7       >= 2.6.7

Description
===========

Multiple vulnerabilities have been discovered in OpenVPN. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenVPN users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-vpn/openvpn-2.6.7"

References
==========

[ 1 ] CVE-2022-0547
https://nvd.nist.gov/vuln/detail/CVE-2022-0547
[ 2 ] CVE-2023-46849
https://nvd.nist.gov/vuln/detail/CVE-2023-46849
[ 3 ] CVE-2023-46850
https://nvd.nist.gov/vuln/detail/CVE-2023-46850

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-08




[ GLSA 202409-07 ] Rust: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Rust: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #890371, #911685
ID: 202409-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Rust, the worst of
which could lead to arbitrary code execution.

Background
==========

Rust is a systems programming language that runs blazingly fast,
prevents segfaults, and guarantees thread safety.

Affected packages
=================

Package            Vulnerable    Unaffected
-----------------  ------------  ------------
dev-lang/rust      < 1.71.1      >= 1.71.1
dev-lang/rust-bin  < 1.71.1      >= 1.71.1

Description
===========

Multiple vulnerabilities have been discovered in Rust. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Rust binary users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/rust-bin-1.71.1"

All Rust users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/rust-1.71.1"

References
==========

[ 1 ] CVE-2022-46176
https://nvd.nist.gov/vuln/detail/CVE-2022-46176
[ 2 ] CVE-2023-38497
https://nvd.nist.gov/vuln/detail/CVE-2023-38497

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-07




[ GLSA 202409-06 ] file: Stack Buffer Overread


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: file: Stack Buffer Overread
Date: September 22, 2024
Bugs: #918554
ID: 202409-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in file, which could lead to a
denial of service.

Background
==========

The file utility attempts to identify a file’s format by scanning binary
data for patterns.

Affected packages
=================

Package        Vulnerable    Unaffected
-------------  ------------  ------------
sys-apps/file  < 5.42        >= 5.42

Description
===========

Multiple vulnerabilities have been discovered in file. Please review the
CVE identifiers referenced below for details.

Impact
======

The file utility has a stack-based buffer over-read in file_copystr in funcs.c.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All file users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/file-5.42"

References
==========

[ 1 ] CVE-2022-48554
https://nvd.nist.gov/vuln/detail/CVE-2022-48554

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-06




[ GLSA 202409-05 ] PJSIP: Heap Buffer Overflow


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PJSIP: Heap Buffer Overflow
Date: September 22, 2024
Bugs: #917463
ID: 202409-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in PJSIP, which could lead to
arbitrary code execution.

Background
==========

PJSIP is a free and open source multimedia communication library written
in C language implementing standard based protocols such as SIP, SDP,
RTP, STUN, TURN, and ICE.

Affected packages
=================

Package             Vulnerable    Unaffected
------------------  ------------  ------------
net-libs/pjproject  < 2.13.1      >= 2.13.1

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

Please review the CVE identifier referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PJSIP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/pjproject-2.13.1"

References
==========

[ 1 ] CVE-2023-27585
https://nvd.nist.gov/vuln/detail/CVE-2023-27585

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-05




[ GLSA 202409-04 ] calibre: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: calibre: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #918429, #936961
ID: 202409-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in calibre, the worst of
which could lead to remote code execution.

Background
==========

calibre is a powerful and easy to use e-book manager.

Affected packages
=================

Package           Vulnerable    Unaffected
----------------  ------------  ------------
app-text/calibre  < 7.16.0      >= 7.16.0

Description
===========

Multiple vulnerabilities have been discovered in calibre. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All calibre users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/calibre-7.16.0"

References
==========

[ 1 ] CVE-2023-46303
https://nvd.nist.gov/vuln/detail/CVE-2023-46303
[ 2 ] CVE-2024-6781
https://nvd.nist.gov/vuln/detail/CVE-2024-6781
[ 3 ] CVE-2024-6782
https://nvd.nist.gov/vuln/detail/CVE-2024-6782
[ 4 ] CVE-2024-7008
https://nvd.nist.gov/vuln/detail/CVE-2024-7008
[ 5 ] CVE-2024-7009
https://nvd.nist.gov/vuln/detail/CVE-2024-7009

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-04




[ GLSA 202409-03 ] GPL Ghostscript: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: GPL Ghostscript: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #932125
ID: 202409-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in GPL Ghostscript, the
worst of which could lead to arbitrary code execution.

Background
==========

Ghostscript is an interpreter for the PostScript language and for PDF.

Affected packages
=================

Package                   Vulnerable    Unaffected
------------------------  ------------  ------------
app-text/ghostscript-gpl  < 10.03.1     >= 10.03.1

Description
===========

Multiple vulnerabilities have been discovered in GPL Ghostscript. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GPL Ghostscript users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-10.03.1"

References
==========

[ 1 ] CVE-2023-52722
https://nvd.nist.gov/vuln/detail/CVE-2023-52722
[ 2 ] CVE-2024-29510
https://nvd.nist.gov/vuln/detail/CVE-2024-29510
[ 3 ] CVE-2024-33869
https://nvd.nist.gov/vuln/detail/CVE-2024-33869
[ 4 ] CVE-2024-33870
https://nvd.nist.gov/vuln/detail/CVE-2024-33870
[ 5 ] CVE-2024-33871
https://nvd.nist.gov/vuln/detail/CVE-2024-33871

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-03




[ GLSA 202409-02 ] PostgreSQL: Privilege Escalation


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: PostgreSQL: Privilege Escalation
Date: September 22, 2024
Bugs: #937573
ID: 202409-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in PostgreSQL, which can lead to
privilege escalation.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

Package            Vulnerable    Unaffected
-----------------  ------------  ------------
dev-db/postgresql  < 12.20:12    >= 12.20:12
                   < 13.16:13    >= 13.16:13
                   < 14.13:14    >= 14.13:14
                   < 15.8:15     >= 15.8:15
                   < 16.4:16     >= 16.4:16

Description
===========

A vulnerability has been discovered in PostgreSQL. Please review the CVE
identifier referenced below for details.

Impact
======

An attacker able to create and drop non-temporary objects could inject
SQL code that would be executed by a concurrent pg_dump session with the
privileges of the role running pg_dump (which is often a superuser). The
attack involves replacing a sequence or similar object with a view or
foreign table that will execute malicious code. To prevent this,
introduce a new server parameter restrict_nonsystem_relation_kind that
can disable expansion of non-builtin views as well as access to foreign
tables, and teach pg_dump to set it when available. Note that the attack
is prevented only if both pg_dump and the server it is dumping from are
new enough to have this fix.
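The following session is an added illustration, not text from the GLSA or from the PostgreSQL project: it exercises the server parameter the advisory names, restrict_nonsystem_relation_kind, against a server that has already been upgraded to a fixed release. The schema, view and role names (hardened_demo, seq_like, dump_role) are constructed for the example; the parameter name and its two accepted kinds, view and foreign-table, are those documented for the fixed releases.

```sql
-- Added example (not part of the advisory). Run as an ordinary database
-- user on a PostgreSQL server new enough to know the parameter.

-- 1. Does this server know the parameter at all?  current_setting() with
--    missing_ok = true returns NULL when the parameter does not exist,
--    which is the quickest way to tell that a dump taken from this server
--    is still exposed regardless of how new the pg_dump binary is.
SELECT current_setting('restrict_nonsystem_relation_kind', true) AS restriction;

-- 2. A user-defined view stands in for the kind of non-system relation the
--    advisory describes.  In an unrestricted session it is expanded on read,
--    so whatever its body does runs with the reader's privileges.
CREATE SCHEMA IF NOT EXISTS hardened_demo;            -- constructed name
CREATE VIEW hardened_demo.seq_like AS SELECT 1 AS last_value;
SELECT * FROM hardened_demo.seq_like;                 -- succeeds: no restriction yet

-- 3. This is the setting a fixed pg_dump applies at the start of its own
--    session; any interactive session can apply it the same way.
SET restrict_nonsystem_relation_kind = 'view, foreign-table';

-- 4. Reading the user-defined view now fails with an error instead of
--    silently executing the view body.  System views are unaffected, so
--    catalog queries keep working.
SELECT * FROM hardened_demo.seq_like;                 -- fails: non-system view is restricted
SELECT viewname FROM pg_catalog.pg_views
 WHERE schemaname = 'hardened_demo';                  -- succeeds: pg_catalog is a system schema

-- 5. Make the restriction the session default for a dedicated dump role
--    (hypothetical name), so every session that role opens starts restricted.
ALTER ROLE dump_role SET restrict_nonsystem_relation_kind = 'view, foreign-table';
```

Step 1 is the check worth scripting across a fleet: a NULL result means the server side of the fix is missing, and the advisory's note applies, since the protection only holds when both the server and the pg_dump client are fixed.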

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.20:12"
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.16:13"
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.13:14"
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-15.8:15"
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.4:16"

References
==========

[ 1 ] CVE-2024-7348
https://nvd.nist.gov/vuln/detail/CVE-2024-7348

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-02




[ GLSA 202409-01 ] Portage: Unverified PGP Signatures


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Portage: Unverified PGP Signatures
Date: September 22, 2024
Bugs: #905356
ID: 202409-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Portage, where PGP signatures
would not be verified.

Background
==========

Portage is the default Gentoo package management system.

Affected packages
=================

Package           Vulnerable    Unaffected
----------------  ------------  ------------
sys-apps/portage  < 3.0.47      >= 3.0.47

Description
===========

Multiple vulnerabilities have been discovered in Portage. Please review
the CVE identifiers referenced below for details.

Impact
======

When using the webrsync mechanism to sync the tree, the PGP signatures
that protect the integrity of the data in the tree would not be
verified. This would allow a man-in-the-middle attacker to inject
arbitrary content into the tree.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Portage users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-3.0.47"

References
==========

[ 1 ] CVE-2016-20021
https://nvd.nist.gov/vuln/detail/CVE-2016-20021

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-01




[ GLSA 202409-19 ] Emacs, org-mode: Command Execution Vulnerability


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Emacs, org-mode: Command Execution Vulnerability
Date: September 22, 2024
Bugs: #934736
ID: 202409-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in Emacs and org-mode which could result
in arbitrary code execution.

Background
==========

Emacs is the extensible, customizable, self-documenting real-time
display editor. org-mode is an Emacs mode for notes and project
planning.

Affected packages
=================

Package             Vulnerable     Unaffected
------------------  -------------  --------------
app-editors/emacs   < 26.3-r19:26  >= 26.3-r19:26
                    < 27.2-r17:27  >= 27.2-r17:27
                    < 28.2-r13:28  >= 28.2-r13:28
                    < 29.3-r3:29   >= 29.3-r3:29
app-emacs/org-mode  < 9.7.5        >= 9.7.5

Description
===========

%(...) link abbreviations could specify unsafe functions.

Impact
======

Opening a malicious org-mode file could result in arbitrary code
execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Emacs users should upgrade to the latest version according to the
installed slot, one of:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/emacs-26.3-r19:26"

Alternatively:

# emerge --ask --oneshot --verbose ">=app-editors/emacs-27.2-r17:27"

# emerge --ask --oneshot --verbose ">=app-editors/emacs-28.2-r13:28"

# emerge --ask --oneshot --verbose ">=app-editors/emacs-29.3-r3:29"

All org-mode users should upgrade to the latest package:

# emerge --ask --oneshot --verbose ">=app-emacs/org-mode-9.7.5"

References
==========

[ 1 ] CVE-2024-39331
https://nvd.nist.gov/vuln/detail/CVE-2024-39331

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-19




[ GLSA 202409-18 ] liblouis: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Low
Title: liblouis: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #905298
ID: 202409-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in liblouis, the worst of
which could result in denial of service.

Background
==========

liblouis is an open-source braille translator and back-translator.

Affected packages
=================

Package            Vulnerable    Unaffected
-----------------  ------------  ------------
dev-libs/liblouis  < 3.25.0      >= 3.25.0

Description
===========

Multiple vulnerabilities have been discovered in liblouis. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All liblouis users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/liblouis-3.25.0"

References
==========

[ 1 ] CVE-2023-26767
https://nvd.nist.gov/vuln/detail/CVE-2023-26767
[ 2 ] CVE-2023-26768
https://nvd.nist.gov/vuln/detail/CVE-2023-26768
[ 3 ] CVE-2023-26769
https://nvd.nist.gov/vuln/detail/CVE-2023-26769

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-18




[ GLSA 202409-17 ] VLC: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: VLC: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #788226, #883943, #917274
ID: 202409-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in VLC, the worst of which
could result in arbitrary code execution.

Background
==========

VLC is a cross-platform media player and streaming server.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
media-video/vlc  < 3.0.20      >= 3.0.20

Description
===========

Multiple vulnerabilities have been discovered in VLC. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All VLC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/vlc-3.0.20"

References
==========

[ 1 ] CVE-2022-41325
https://nvd.nist.gov/vuln/detail/CVE-2022-41325

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-17




[ GLSA 202409-16 ] Slurm: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Slurm: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #631552, #920104
ID: 202409-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Slurm, the worst of
which could result in privilege escalation or code execution.

Background
==========

Slurm is a highly scalable resource manager.

Affected packages
=================

Package Vulnerable Unaffected
----------------- ------------ ------------
sys-cluster/slurm = 2.28.7

Description
===========

Multiple vulnerabilities have been discovered in Mbed TLS. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mbed TLS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/mbedtls-2.28.7"

References
==========

[ 1 ] CVE-2022-46392
https://nvd.nist.gov/vuln/detail/CVE-2022-46392
[ 2 ] CVE-2022-46393
https://nvd.nist.gov/vuln/detail/CVE-2022-46393
[ 3 ] CVE-2023-43615
https://nvd.nist.gov/vuln/detail/CVE-2023-43615
[ 4 ] CVE-2023-45199
https://nvd.nist.gov/vuln/detail/CVE-2023-45199
[ 5 ] CVE-2024-23170
https://nvd.nist.gov/vuln/detail/CVE-2024-23170
[ 6 ] CVE-2024-23775
https://nvd.nist.gov/vuln/detail/CVE-2024-23775

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-14




[ GLSA 202409-13 ] gst-plugins-good: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: gst-plugins-good: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #859418
ID: 202409-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in gst-plugins-good, the
worst of which could lead to denial of service or arbitrary code
execution.

Background
==========

gst-plugins-good contains a set of plugins for the GStreamer open source
multimedia framework.

Affected packages
=================

Package                      Vulnerable    Unaffected
---------------------------  ------------  ------------
media-libs/gst-plugins-good  < 1.20.3      >= 1.20.3

Description
===========

Multiple vulnerabilities have been discovered in gst-plugins-good.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All gst-plugins-good users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-good-1.20.3"

References
==========

[ 1 ] CVE-2022-1920
https://nvd.nist.gov/vuln/detail/CVE-2022-1920
[ 2 ] CVE-2022-1921
https://nvd.nist.gov/vuln/detail/CVE-2022-1921
[ 3 ] CVE-2022-1922
https://nvd.nist.gov/vuln/detail/CVE-2022-1922
[ 4 ] CVE-2022-1923
https://nvd.nist.gov/vuln/detail/CVE-2022-1923
[ 5 ] CVE-2022-1924
https://nvd.nist.gov/vuln/detail/CVE-2022-1924
[ 6 ] CVE-2022-1925
https://nvd.nist.gov/vuln/detail/CVE-2022-1925
[ 7 ] CVE-2022-2122
https://nvd.nist.gov/vuln/detail/CVE-2022-2122

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-13




[ GLSA 202409-12 ] pypy, pypy3: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: pypy, pypy3: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #741496, #741560, #774114, #782520
ID: 202409-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in pypy and pypy3, the
worst of which could lead to arbitrary code execution.

Background
==========

PyPy is a fast, compliant alternative implementation of the Python language.

Affected packages
=================

Package                  Vulnerable          Unaffected
-----------------------  ------------------  ------------------
dev-python/pypy          < 7.3.3_p37_p1-r1   >= 7.3.3_p37_p1-r1
dev-python/pypy-exe      < 7.3.2             >= 7.3.2
dev-python/pypy-exe-bin  < 7.3.2             Vulnerable!
dev-python/pypy3         < 7.3.3_p37_p1-r1   >= 7.3.3_p37_p1-r1

Description
===========

Multiple vulnerabilities have been discovered in pypy. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All pypy users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pypy-7.3.3_p37_p1-r1"
# emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-7.3.2"
# emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-bin-7.3.2"

All pypy3 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pypy3-7.3.3_p37_p1-r1"

References
==========

[ 1 ] CVE-2020-27619
https://nvd.nist.gov/vuln/detail/CVE-2020-27619

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-12




[ GLSA 202409-11 ] Oracle VirtualBox: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202409-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Oracle VirtualBox: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #918524
ID: 202409-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Oracle VirtualBox, the
worst of which could lead to privilege escalation.

Background
==========

VirtualBox is a powerful virtualization product from Oracle.

Affected packages
=================

Package                   Vulnerable    Unaffected
------------------------  ------------  ------------
app-emulation/virtualbox  < 7.0.12      >= 7.0.12

Description
===========

Multiple vulnerabilities have been discovered in Oracle VirtualBox.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Oracle VirtualBox users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-7.0.12"

References
==========

[ 1 ] CVE-2023-22098
https://nvd.nist.gov/vuln/detail/CVE-2023-22098
[ 2 ] CVE-2023-22099
https://nvd.nist.gov/vuln/detail/CVE-2023-22099
[ 3 ] CVE-2023-22100
https://nvd.nist.gov/vuln/detail/CVE-2023-22100

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-11
