Gentoo 2508 Published by

The following four new security updates are now available for Gentoo Linux, addressing denial of service, privilege escalation, remote code execution, and arbitrary code execution vulnerabilities:

[ GLSA 202407-21 ] X.Org X11 library: Multiple Vulnerabilities
[ GLSA 202407-20 ] KDE Plasma Workspaces: Privilege Escalation
[ GLSA 202407-19 ] Mozilla Thunderbird: Multiple Vulnerabilities
[ GLSA 202407-22 ] Mozilla Firefox: Multiple Vulnerabilities

[ GLSA 202407-21 ] X.Org X11 library: Multiple Vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202407-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: X.Org X11 library: Multiple Vulnerabilities
Date: July 06, 2024
Bugs: #877461, #908549, #915129
ID: 202407-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in the X.Org X11 library,
the worst of which could lead to a denial of service.

Background
==========

X.Org is an implementation of the X Window System. The X.Org X11 library
provides the X11 protocol library files.

Affected packages
=================

Package          Vulnerable   Unaffected
---------------  -----------  -----------
x11-libs/libX11  < 1.8.7      >= 1.8.7

Description
===========

Multiple vulnerabilities have been discovered in the X.Org X11 library.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All X.Org X11 library users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libX11-1.8.7"

References
==========

[ 1 ] CVE-2022-3554
https://nvd.nist.gov/vuln/detail/CVE-2022-3554
[ 2 ] CVE-2022-3555
https://nvd.nist.gov/vuln/detail/CVE-2022-3555
[ 3 ] CVE-2023-3138
https://nvd.nist.gov/vuln/detail/CVE-2023-3138
[ 4 ] CVE-2023-43785
https://nvd.nist.gov/vuln/detail/CVE-2023-43785
[ 5 ] CVE-2023-43786
https://nvd.nist.gov/vuln/detail/CVE-2023-43786
[ 6 ] CVE-2023-43787
https://nvd.nist.gov/vuln/detail/CVE-2023-43787

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202407-21

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

[ GLSA 202407-20 ] KDE Plasma Workspaces: Privilege Escalation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202407-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: KDE Plasma Workspaces: Privilege Escalation
Date: July 06, 2024
Bugs: #933342
ID: 202407-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in KDE Plasma Workspaces, which can
lead to privilege escalation.

Background
==========

KDE Plasma workspace is a widget-based desktop environment designed to
be fast and efficient.

Affected packages
=================

Package                      Vulnerable    Unaffected
---------------------------  ------------  ------------
kde-plasma/plasma-workspace  < 5.27.11.1   >= 5.27.11.1

Description
===========

Multiple vulnerabilities have been discovered in KDE Plasma Workspaces.
Please review the CVE identifiers referenced below for details.

Impact
======

KSmserver, KDE's XSMP session manager, incorrectly accepts ICE
connections based purely on the originating host, so every local
connection is allowed. This lets another user on the same machine gain
access to the session manager.

A well-crafted client could then use the session restore feature to
execute arbitrary code as the user on the next boot.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All KDE Plasma Workspaces users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-plasma/plasma-workspace-5.27.11.1"

References
==========

[ 1 ] CVE-2024-36041
https://nvd.nist.gov/vuln/detail/CVE-2024-36041

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202407-20

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

[ GLSA 202407-19 ] Mozilla Thunderbird: Multiple Vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202407-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Mozilla Thunderbird: Multiple Vulnerabilities
Date: July 06, 2024
Bugs: #932375
ID: 202407-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird,
the worst of which could lead to remote code execution.

Background
==========

Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.

Affected packages
=================

Package                      Vulnerable   Unaffected
---------------------------  -----------  ------------
mail-client/thunderbird      < 115.11.0   >= 115.11.0
mail-client/thunderbird-bin  < 115.11.0   >= 115.11.0

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Thunderbird binary users should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.11.0"

All Mozilla Thunderbird users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.11.0"

References
==========

[ 1 ] CVE-2024-2609
https://nvd.nist.gov/vuln/detail/CVE-2024-2609
[ 2 ] CVE-2024-3302
https://nvd.nist.gov/vuln/detail/CVE-2024-3302
[ 3 ] CVE-2024-3854
https://nvd.nist.gov/vuln/detail/CVE-2024-3854
[ 4 ] CVE-2024-3857
https://nvd.nist.gov/vuln/detail/CVE-2024-3857
[ 5 ] CVE-2024-3859
https://nvd.nist.gov/vuln/detail/CVE-2024-3859
[ 6 ] CVE-2024-3861
https://nvd.nist.gov/vuln/detail/CVE-2024-3861
[ 7 ] CVE-2024-3864
https://nvd.nist.gov/vuln/detail/CVE-2024-3864

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202407-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

[ GLSA 202407-22 ] Mozilla Firefox: Multiple Vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202407-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Mozilla Firefox: Multiple Vulnerabilities
Date: July 06, 2024
Bugs: #927559
ID: 202407-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Mozilla Firefox, the
worst of which could lead to arbitrary code execution.

Background
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla
project.

Affected packages
=================

Package                 Vulnerable        Unaffected
----------------------  ----------------  ----------------
www-client/firefox      < 115.9.1:esr     >= 115.9.1:esr
                        < 124.0.1:rapid   >= 124.0.1:rapid
www-client/firefox-bin  < 115.9.1:esr     >= 115.9.1:esr
                        < 124.0.1:rapid   >= 124.0.1:rapid

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox binary users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-124.0.1"

All Mozilla Firefox users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-124.0.1:rapid"

All Mozilla Firefox ESR users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-115.9.1:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.9.1:esr"
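As an added example that is not part of any of the four advisories above, the following POSIX shell script checks installed package versions against the "Unaffected" thresholds from all four Affected packages tables, including the Firefox esr/rapid slots, so an administrator can tell which of the emerge commands above actually apply. The sample entries at the end are constructed, and the qlist hint assumes app-portage/portage-utils is installed.

```shell
# Added example, not from the advisories: check an installed Gentoo package
# version against the "Unaffected" thresholds in GLSA 202407-19/20/21/22.
# Assumes dotted numeric versions (a -rN revision is ignored), optionally
# followed by :slot as in the Affected packages tables, which FIXED copies.
FIXED='x11-libs/libX11 1.8.7
kde-plasma/plasma-workspace 5.27.11.1
mail-client/thunderbird 115.11.0
mail-client/thunderbird-bin 115.11.0
www-client/firefox:esr 115.9.1
www-client/firefox:rapid 124.0.1
www-client/firefox-bin:esr 115.9.1
www-client/firefox-bin:rapid 124.0.1'

# version_ge A B: exit 0 if dotted version A >= B, comparing components as
# integers; a missing trailing component counts as 0 (1.8 == 1.8.0).
version_ge() {
    a="${1%%-*}"; b="${2%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$x" = "$a" ] && a="" || a="${a#*.}"
        [ "$y" = "$b" ] && b="" || b="${b#*.}"
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# glsa_status PKG VERSION[:SLOT]: prints vulnerable, unaffected or unknown
# (unknown = that package/slot is not covered by these four advisories).
glsa_status() {
    pkg="$1"; ver="${2%%:*}"; slot=""; fixed=""
    case "$2" in *:*) slot="${2#*:}" ;; esac
    key="$pkg${slot:+:$slot}"
    while read -r k v; do
        if [ "$k" = "$key" ]; then fixed="$v"; fi
    done <<EOF
$FIXED
EOF
    if [ -z "$fixed" ]; then echo unknown
    elif version_ge "$ver" "$fixed"; then echo unaffected
    else echo vulnerable
    fi
}

# Constructed sample entries; on a real host build them from the installed
# package list instead (e.g. qlist -Iv from app-portage/portage-utils).
for e in "x11-libs/libX11 1.8.6" "www-client/firefox 115.9.0:esr" \
         "www-client/firefox 124.0.1:rapid" "kde-plasma/plasma-workspace 5.27.11"; do
    set -- $e; printf '%-42s %s\n' "$1 $2" "$(glsa_status "$1" "$2")"
done
```

A package whose slot is not listed (for example www-client/firefox without :esr or :rapid) is reported as unknown rather than silently treated as safe.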

References
==========

[ 1 ] CVE-2024-29943
https://nvd.nist.gov/vuln/detail/CVE-2024-29943
[ 2 ] CVE-2024-29944
https://nvd.nist.gov/vuln/detail/CVE-2024-29944

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202407-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5