Gentoo Linux Security Advisory 202405-14 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.13_p20240322 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: QtWebEngine: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #927746  
       ID: 202405-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in QtWebEngine, the worst  
of which could lead to remote code execution.

Background  
=========  
QtWebEngine is a library for rendering dynamic web content in Qt5 and  
Qt6 C++ and QML applications.

Affected packages  
================  
Package             Vulnerable           Unaffected  
------------------  -------------------  --------------------  
dev-qt/qtwebengine  < 5.15.13_p20240322  >= 5.15.13_p20240322

Description  
==========  
Multiple vulnerabilities have been discovered in QtWebEngine. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QtWebEngine users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.13_p20240322"

References  
=========  
[ 1 ] CVE-2024-0804  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0804  
[ 2 ] CVE-2024-0805  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0805  
[ 3 ] CVE-2024-0806  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0806  
[ 4 ] CVE-2024-0807  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0807  
[ 5 ] CVE-2024-0808  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0808  
[ 6 ] CVE-2024-0809  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0809  
[ 7 ] CVE-2024-0810  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0810  
[ 8 ] CVE-2024-0811  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0811  
[ 9 ] CVE-2024-0812  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0812  
[ 10 ] CVE-2024-0813  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0813  
[ 11 ] CVE-2024-0814  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0814  
[ 12 ] CVE-2024-1059  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1059  
[ 13 ] CVE-2024-1060  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1060  
[ 14 ] CVE-2024-1077  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1077  
[ 15 ] CVE-2024-1283  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1283  
[ 16 ] CVE-2024-1284  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1284

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-14

Gentoo Linux Security Advisory 202405-13 - A vulnerability has been discovered in borgmatic, which can lead to shell injection. Versions greater than or equal to 1.8.8 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: borgmatic: Shell Injection  
     Date: May 05, 2024  
     Bugs: #924892  
       ID: 202405-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in borgmatic, which can lead to  
shell injection.

Background  
=========  
borgmatic is simple, configuration-driven backup software for servers  
and workstations.

Affected packages  
================  
Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
app-backup/borgmatic  < 1.8.8       >= 1.8.8

Description  
==========  
Prevent shell injection attacks within the PostgreSQL hook, the MongoDB  
hook, the SQLite hook, the "borgmatic borg" action, and command hook  
variable/constant interpolation.

Impact  
=====  
Shell injection may be used in several borgmatic backends to execute  
arbitrary code.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All borgmatic users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-backup/borgmatic-1.8.8"

References  
=========

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-13

Gentoo Linux Security Advisory 202405-12 - Multiple vulnerabilities have been discovered in Pillow, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 10.2.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Pillow: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #889594, #903664, #916907, #922577  
       ID: 202405-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Pillow, the worst of  
which can lead to arbitrary code execution.

Background  
=========  
The friendly PIL fork.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
dev-python/pillow  < 10.2.0      >= 10.2.0

Description  
==========  
Multiple vulnerabilities have been discovered in Pillow. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Pillow users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-python/pillow-10.2.0"

References  
=========  
[ 1 ] CVE-2023-44271  
      https://nvd.nist.gov/vuln/detail/CVE-2023-44271  
[ 2 ] CVE-2023-50447  
      https://nvd.nist.gov/vuln/detail/CVE-2023-50447

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-12

Gentoo Linux Security Advisory 202405-11 - Multiple vulnerabilities have been discovered in MIT krb5, the worst of which could lead to remote code execution. Versions greater than or equal to 1.21.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: MIT krb5: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #803434, #809845, #879875, #917464  
       ID: 202405-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in MIT krb5, the worst of  
which could lead to remote code execution.

Background  
=========  
MIT krb5 is the free implementation of the Kerberos network  
authentication protocol by the Massachusetts Institute of Technology.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
app-crypt/mit-krb5  < 1.21.2      >= 1.21.2

Description  
==========  
Multiple vulnerabilities have been discovered in MIT krb5. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All MIT krb5 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.21.2"

References  
=========  
[ 1 ] CVE-2021-36222  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36222  
[ 2 ] CVE-2021-37750  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37750  
[ 3 ] CVE-2022-42898  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42898  
[ 4 ] CVE-2023-36054  
      https://nvd.nist.gov/vuln/detail/CVE-2023-36054  
[ 5 ] CVE-2023-39975  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39975

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-11

Gentoo Linux Security Advisory 202405-10 - A vulnerability has been discovered in Setuptools, which can lead to denial of service. Versions greater than or equal to 65.5.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Setuptools: Denial of Service  
     Date: May 05, 2024  
     Bugs: #879813  
       ID: 202405-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Setuptools, which can lead to  
denial of service.

Background  
=========  
Setuptools is a manager for Python packages.

Affected packages  
================  
Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
dev-python/setuptools  < 65.5.1      >= 65.5.1

Description  
==========  
A vulnerability has been discovered in Setuptools. See the impact field.

Impact  
=====  
An inefficiency in a regular expression may end in a denial of service  
if an user is fetching malicious HTML from a package in PyPI or a custom  
PackageIndex page.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Setuptools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-python/setuptools-65.5.1"

References  
=========  
[ 1 ] CVE-2022-40897  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40897

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-10

Gentoo Linux Security Advisory 202405-9 - Multiple vulnerabilities have been found in MediaInfo and MediaInfoLib, the worst of which could allow user-assisted remote code execution. Versions greater than or equal to 23.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: MediaInfo, MediaInfoLib: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #778992, #836564, #875374, #917612  
       ID: 202405-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in MediaInfo and MediaInfoLib,  
the worst of which could allow user-assisted remote code execution.

Background  
=========  
MediaInfo supplies technical and tag information about media files.  
MediaInfoLib contains MediaInfo libraries.

Affected packages  
================  
Package                  Vulnerable    Unaffected  
-----------------------  ------------  ------------  
media-libs/libmediainfo  < 23.10       >= 23.10  
media-video/mediainfo    < 23.10       >= 23.10

Description  
==========  
Multiple vulnerabilities have been discovered in MediaInfo and  
MediaInfoLib. Please review the CVE identifiers referenced below for  
details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All MediaInfo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-video/mediainfo-23.10"

All MediaInfolib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libmediainfo-23.10"

References  
=========

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-09

Gentoo Linux Security Advisory 202405-8 - Multiple vulnerabilities have been discovered in strongSwan, the worst of which could possibly lead to remote code execution. Versions greater than or equal to 5.9.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: strongSwan: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #818841, #832460, #878887, #899964  
       ID: 202405-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in strongSwan, the worst  
of which could possibly lead to remote code execution.

Background  
=========  
strongSwan is an IPSec implementation for Linux.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
net-vpn/strongswan  < 5.9.10      >= 5.9.10

Description  
==========  
Multiple vulnerabilities have been discovered in strongSwan. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All strongSwan users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-vpn/strongswan-5.9.10"

References  
=========  
[ 1 ] CVE-2021-41991  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41991  
[ 2 ] CVE-2021-45079  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45079  
[ 3 ] CVE-2022-40617  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40617  
[ 4 ] CVE-2023-26463  
      https://nvd.nist.gov/vuln/detail/CVE-2023-26463

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-08

Gentoo Linux Security Advisory 202405-7 - Multiple vulnerabilities have been discovered in HTMLDOC, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 1.9.16 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: HTMLDOC: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #780489  
       ID: 202405-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in HTMLDOC, the worst of  
which can lead to arbitrary code execution.

Background  
=========  
HTMLDOC is a HTML indexer and HTML to PS and PDF converter.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
app-text/htmldoc  < 1.9.16      >= 1.9.16

Description  
==========  
Multiple vulnerabilities have been discovered in HTMLDOC. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All HTMLDOC users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/htmldoc-1.9.16"

References  
=========  
[ 1 ] CVE-2021-20308  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20308  
[ 2 ] CVE-2021-23158  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23158  
[ 3 ] CVE-2021-23165  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23165  
[ 4 ] CVE-2021-23180  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23180  
[ 5 ] CVE-2021-23191  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23191  
[ 6 ] CVE-2021-23206  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23206  
[ 7 ] CVE-2021-26252  
      https://nvd.nist.gov/vuln/detail/CVE-2021-26252  
[ 8 ] CVE-2021-26259  
      https://nvd.nist.gov/vuln/detail/CVE-2021-26259  
[ 9 ] CVE-2021-26948  
      https://nvd.nist.gov/vuln/detail/CVE-2021-26948  
[ 10 ] CVE-2021-33235  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33235  
[ 11 ] CVE-2021-33236  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33236  
[ 12 ] CVE-2021-40985  
      https://nvd.nist.gov/vuln/detail/CVE-2021-40985  
[ 13 ] CVE-2021-43579  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43579  
[ 14 ] CVE-2022-0137  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0137  
[ 15 ] CVE-2022-0534  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0534  
[ 16 ] CVE-2022-24191  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24191  
[ 17 ] CVE-2022-27114  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27114  
[ 18 ] CVE-2022-28085  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28085  
[ 19 ] CVE-2022-34033  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34033  
[ 20 ] CVE-2022-34035  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34035

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-07

Gentoo Linux Security Advisory 202405-6 - Multiple vulnerabilities have been discovered in mujs, the worst of which could lead to remote code execution. Versions greater than or equal to 1.3.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: mujs: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #833453, #845399, #882775  
       ID: 202405-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in mujs, the worst of  
which could lead to remote code execution.

Background  
=========  
mujs is an embeddable Javascript interpreter in C.

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-lang/mujs  < 1.3.2       >= 1.3.2

Description  
==========  
Multiple vulnerabilities have been discovered in mujs. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All mujs users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-lang/mujs-1.3.2"

References  
=========  
[ 1 ] CVE-2021-45005  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45005  
[ 2 ] CVE-2022-30974  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30974  
[ 3 ] CVE-2022-30975  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30975  
[ 4 ] CVE-2022-44789  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44789

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-06

Gentoo Linux Security Advisory 202405-5 - Multiple vulnerabilities have been discovered in MPlayer, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 1.5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: MPlayer: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #870406  
       ID: 202405-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in MPlayer, the worst of  
which can lead to arbitrary code execution.

Background  
=========  
MPlayer is a media player capable of handling multiple multimedia file  
formats.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
media-video/mplayer  < 1.5         >= 1.5

Description  
==========  
Multiple vulnerabilities have been discovered in MPlayer. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All MPlayer users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.5"

References  
=========  
[ 1 ] CVE-2022-38600  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38600  
[ 2 ] CVE-2022-38850  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38850  
[ 3 ] CVE-2022-38851  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38851  
[ 4 ] CVE-2022-38853  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38853  
[ 5 ] CVE-2022-38855  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38855  
[ 6 ] CVE-2022-38856  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38856  
[ 7 ] CVE-2022-38858  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38858  
[ 8 ] CVE-2022-38860  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38860  
[ 9 ] CVE-2022-38861  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38861  
[ 10 ] CVE-2022-38862  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38862  
[ 11 ] CVE-2022-38863  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38863  
[ 12 ] CVE-2022-38864  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38864  
[ 13 ] CVE-2022-38865  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38865  
[ 14 ] CVE-2022-38866  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38866

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#linux