Gentoo Linux Security Advisory 202311-12 - Multiple vulnerabilities have been discovered in MiniDLNA, the worst of which could lead to remote code execution. Versions greater than or equal to 1.3.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: MiniDLNA: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #834642, #907926  
       ID: 202311-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in MiniDLNA, the worst of  
which could lead to remove code execution.

Background  
=========  
MiniDLNA is a simple media server software, with the aim of being fully  
compliant with DLNA/UPnP-AV clients.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
net-misc/minidlna  < 1.3.3       >= 1.3.3

Description  
==========  
Multiple vulnerabilities have been discovered in MiniDLNA. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All MiniDLNA users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/minidlna-1.3.3"

References  
=========  
[ 1 ] CVE-2022-26505  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26505  
[ 2 ] CVE-2023-33476  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33476

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-12

Gentoo Linux Security Advisory 202311-11 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.10_p20230623 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: QtWebEngine: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #866332, #888181, #903544, #904290, #906857, #909778  
       ID: 202311-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in QtWebEngine, the worst  
of which could lead to remote code execution.

Background  
=========  
QtWebEngine is a library for rendering dynamic web content in Qt5 and  
Qt6 C++ and QML applications.

Affected packages  
================  
Package             Vulnerable           Unaffected  
------------------  -------------------  --------------------  
dev-qt/qtwebengine  < 5.15.10_p20230623  >= 5.15.10_p20230623

Description  
==========  
Multiple vulnerabilities have been discovered in QtWebEngine. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QtWebEngine users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.10_p20230623"

References  
=========  
[ 1 ] CVE-2022-2294  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2294  
[ 2 ] CVE-2022-3201  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3201  
[ 3 ] CVE-2022-4174  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4174  
[ 4 ] CVE-2022-4175  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4175  
[ 5 ] CVE-2022-4176  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4176  
[ 6 ] CVE-2022-4177  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4177  
[ 7 ] CVE-2022-4178  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4178  
[ 8 ] CVE-2022-4179  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4179  
[ 9 ] CVE-2022-4180  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4180  
[ 10 ] CVE-2022-4181  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4181  
[ 11 ] CVE-2022-4182  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4182  
[ 12 ] CVE-2022-4183  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4183  
[ 13 ] CVE-2022-4184  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4184  
[ 14 ] CVE-2022-4185  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4185  
[ 15 ] CVE-2022-4186  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4186  
[ 16 ] CVE-2022-4187  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4187  
[ 17 ] CVE-2022-4188  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4188  
[ 18 ] CVE-2022-4189  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4189  
[ 19 ] CVE-2022-4190  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4190  
[ 20 ] CVE-2022-4191  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4191  
[ 21 ] CVE-2022-4192  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4192  
[ 22 ] CVE-2022-4193  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4193  
[ 23 ] CVE-2022-4194  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4194  
[ 24 ] CVE-2022-4195  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4195  
[ 25 ] CVE-2022-4436  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4436  
[ 26 ] CVE-2022-4437  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4437  
[ 27 ] CVE-2022-4438  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4438  
[ 28 ] CVE-2022-4439  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4439  
[ 29 ] CVE-2022-4440  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4440  
[ 30 ] CVE-2022-41115  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41115  
[ 31 ] CVE-2022-44688  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44688  
[ 32 ] CVE-2022-44708  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44708  
[ 33 ] CVE-2023-0128  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0128  
[ 34 ] CVE-2023-0129  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0129  
[ 35 ] CVE-2023-0130  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0130  
[ 36 ] CVE-2023-0131  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0131  
[ 37 ] CVE-2023-0132  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0132  
[ 38 ] CVE-2023-0133  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0133  
[ 39 ] CVE-2023-0134  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0134  
[ 40 ] CVE-2023-0135  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0135  
[ 41 ] CVE-2023-0136  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0136  
[ 42 ] CVE-2023-0137  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0137  
[ 43 ] CVE-2023-0138  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0138  
[ 44 ] CVE-2023-0139  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0139  
[ 45 ] CVE-2023-0140  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0140  
[ 46 ] CVE-2023-0141  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0141  
[ 47 ] CVE-2023-2721  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2721  
[ 48 ] CVE-2023-2722  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2722  
[ 49 ] CVE-2023-2723  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2723  
[ 50 ] CVE-2023-2724  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2724  
[ 51 ] CVE-2023-2725  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2725  
[ 52 ] CVE-2023-2726  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2726  
[ 53 ] CVE-2023-2929  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2929  
[ 54 ] CVE-2023-2930  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2930  
[ 55 ] CVE-2023-2931  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2931  
[ 56 ] CVE-2023-2932  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2932  
[ 57 ] CVE-2023-2933  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2933  
[ 58 ] CVE-2023-2934  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2934  
[ 59 ] CVE-2023-2935  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2935  
[ 60 ] CVE-2023-2936  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2936  
[ 61 ] CVE-2023-2937  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2937  
[ 62 ] CVE-2023-2938  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2938  
[ 63 ] CVE-2023-2939  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2939  
[ 64 ] CVE-2023-2940  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2940  
[ 65 ] CVE-2023-2941  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2941  
[ 66 ] CVE-2023-3079  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3079  
[ 67 ] CVE-2023-3214  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3214  
[ 68 ] CVE-2023-3215  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3215  
[ 69 ] CVE-2023-3216  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3216  
[ 70 ] CVE-2023-3217  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3217  
[ 71 ] CVE-2023-4068  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4068  
[ 72 ] CVE-2023-4069  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4069  
[ 73 ] CVE-2023-4070  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4070  
[ 74 ] CVE-2023-4071  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4071  
[ 75 ] CVE-2023-4072  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4072  
[ 76 ] CVE-2023-4073  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4073  
[ 77 ] CVE-2023-4074  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4074  
[ 78 ] CVE-2023-4075  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4075  
[ 79 ] CVE-2023-4076  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4076  
[ 80 ] CVE-2023-4077  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4077  
[ 81 ] CVE-2023-4078  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4078  
[ 82 ] CVE-2023-4761  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4761  
[ 83 ] CVE-2023-4762  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4762  
[ 84 ] CVE-2023-4763  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4763  
[ 85 ] CVE-2023-4764  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4764  
[ 86 ] CVE-2023-5218  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5218  
[ 87 ] CVE-2023-5473  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5473  
[ 88 ] CVE-2023-5474  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5474  
[ 89 ] CVE-2023-5475  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5475  
[ 90 ] CVE-2023-5476  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5476  
[ 91 ] CVE-2023-5477  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5477  
[ 92 ] CVE-2023-5478  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5478  
[ 93 ] CVE-2023-5479  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5479  
[ 94 ] CVE-2023-5480  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5480  
[ 95 ] CVE-2023-5481  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5481  
[ 96 ] CVE-2023-5482  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5482  
[ 97 ] CVE-2023-5483  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5483  
[ 98 ] CVE-2023-5484  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5484  
[ 99 ] CVE-2023-5485  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5485  
[ 100 ] CVE-2023-5486  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5486  
[ 101 ] CVE-2023-5487  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5487  
[ 102 ] CVE-2023-5849  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5849  
[ 103 ] CVE-2023-5850  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5850  
[ 104 ] CVE-2023-5851  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5851  
[ 105 ] CVE-2023-5852  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5852  
[ 106 ] CVE-2023-5853  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5853  
[ 107 ] CVE-2023-5854  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5854  
[ 108 ] CVE-2023-5855  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5855  
[ 109 ] CVE-2023-5856  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5856  
[ 110 ] CVE-2023-5857  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5857  
[ 111 ] CVE-2023-5858  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5858  
[ 112 ] CVE-2023-5859  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5859  
[ 113 ] CVE-2023-5996  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5996  
[ 114 ] CVE-2023-5997  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5997  
[ 115 ] CVE-2023-6112  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6112  
[ 116 ] CVE-2023-21775  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21775  
[ 117 ] CVE-2023-21796  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21796

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-11

Gentoo Linux Security Advisory 202311-10 - Multiple vulnerabilities have been discovered in RenderDoc, the worst of which leads to remote code execution. Versions greater than or equal to 1.27 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: RenderDoc: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #908031  
       ID: 202311-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in RenderDoc, the worst of  
which leads to remote code execution.

Background  
=========  
RenderDoc is a free MIT licensed stand-alone graphics debugger that  
allows quick and easy single-frame capture and detailed introspection of  
any application using Vulkan, D3D11, OpenGL & OpenGL ES or D3D12 across  
Windows, Linux, Android, or Nintendo Switch™.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
media-gfx/renderdoc  < 1.27        >= 1.27

Description  
==========  
Multiple vulnerabilities have been discovered in GRUB. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All RenderDoc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/renderdoc-1.27"

References  
=========  
[ 1 ] CVE-2023-33863  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33863  
[ 2 ] CVE-2023-33864  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33864  
[ 3 ] CVE-2023-33865  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33865

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-10

Gentoo Linux Security Advisory 202311-9 - Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution. Versions greater than or equal to 1.20.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Go: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #873637, #883783, #894478, #903979, #908255, #915555, #916494  
       ID: 202311-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Go, the worst of which  
could lead to remote code execution.

Background  
=========  
Go is an open source programming language that makes it easy to build  
simple, reliable, and efficient software.

Affected packages  
================  
Package      Vulnerable    Unaffected  
-----------  ------------  ------------  
dev-lang/go  < 1.20.10     >= 1.20.10

Description  
==========  
Multiple vulnerabilities have been discovered in Go. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Go users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-lang/go-1.20.10"  
  # emerge --ask --oneshot --verbose @golang-rebuild

References  
=========  
[ 1 ] CVE-2022-2879  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2879  
[ 2 ] CVE-2022-2880  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2880  
[ 3 ] CVE-2022-41715  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41715  
[ 4 ] CVE-2022-41717  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41717  
[ 5 ] CVE-2022-41723  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41723  
[ 6 ] CVE-2022-41724  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41724  
[ 7 ] CVE-2022-41725  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41725  
[ 8 ] CVE-2023-24534  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24534  
[ 9 ] CVE-2023-24536  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24536  
[ 10 ] CVE-2023-24537  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24537  
[ 11 ] CVE-2023-24538  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24538  
[ 12 ] CVE-2023-29402  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29402  
[ 13 ] CVE-2023-29403  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29403  
[ 14 ] CVE-2023-29404  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29404  
[ 15 ] CVE-2023-29405  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29405  
[ 16 ] CVE-2023-29406  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29406  
[ 17 ] CVE-2023-29409  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29409  
[ 18 ] CVE-2023-39318  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39318  
[ 19 ] CVE-2023-39319  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39319  
[ 20 ] CVE-2023-39320  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39320  
[ 21 ] CVE-2023-39321  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39321  
[ 22 ] CVE-2023-39322  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39322  
[ 23 ] CVE-2023-39323  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39323  
[ 24 ] CVE-2023-39325  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39325  
[ 25 ] CVE-2023-44487  
      https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-09

Gentoo Linux Security Advisory 202311-8 - A buffer overflow vulnerability has been discovered in GNU Libmicrohttpd. Versions greater than 0.9.70 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GNU Libmicrohttpd: Buffer Overflow Vulnerability  
     Date: November 25, 2023  
     Bugs: #778296  
       ID: 202311-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A buffer overflow vulnerability has been discovered in GNU  
Libmicrohttpd.

Background  
=========  
GNU libmicrohttpd is a small C library that makes it easy to run an HTTP  
server as part of another application. GNU Libmicrohttpd is free  
software and part of the GNU project.

Affected packages  
================  
Package                 Vulnerable    Unaffected  
----------------------  ------------  ------------  
net-libs/libmicrohttpd  = 0.9.70      > 0.9.70

Description  
==========  
A buffer overflow vulnerability has been discovered in GNU  
Libmicrohttpd. Please review the CVE identifier referenced below for  
details.

Impact  
=====  
A missing bounds check in the post_process_urlencoded function leads to  
a buffer overflow, allowing a remote attacker to write arbitrary data in  
an application that uses libmicrohttpd. The highest threat from this  
vulnerability is to data confidentiality and integrity as well as system  
availability.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All GNU Libmicrohttpd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">net-libs/libmicrohttpd-0.9.70"

References  
=========  
[ 1 ] CVE-2021-3466  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3466

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-08

Debian Linux Security Advisory 5564-1 - Michael Randrianantenaina reported several vulnerabilities in GIMP, the GNU Image Manipulation Program, which could result in denial of service (application crash) or potentially the execution of arbitrary code if malformed DDS, PSD and PSP files are opened.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5564-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoNovember 24, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : gimpCVE ID         : CVE-2023-44441 CVE-2023-44442 CVE-2023-44443 CVE-2023-44444Debian Bug     : 1055984Michael Randrianantenaina reported several vulnerabilities in GIMP, theGNU Image Manipulation Program, which could result in denial of service(application crash) or potentially the execution of arbitrary code ifmalformed DDS, PSD and PSP files are opened.For the oldstable distribution (bullseye), these problems have been fixedin version 2.10.22-4+deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 2.10.34-1+deb12u1.We recommend that you upgrade your gimp packages.For the detailed security status of gimp please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/gimpFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmVhJD5fFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0R/hxAAlMYQg+W/jKy/+bgIgisVlRM1dSij6pPFqqCh0aMZr9j8AX8CpZvJBCiRmlfPZe6qS88LKt70zX5xoJOFQ5XS/b9HTMFrv2V6l3pe83Hag0sJOic4WbmI258iB6DFb3qVA9PZjQ+a7JsoPBVc80M3o+rkFbdn2e/d+6ApLxq0XGb3iH0JkYIny41F3FLYhFI1iRCbX9Oxhe91MmtM2CvI5/UWjALS9+U3IgnuyfnTLUEkCfMnvTLEiMBBTwt/rD+zhOEFMvQazocoqEDDjmo4aJ4CVC78EJYbfthUH55JVordifVS6u0tQM0wXGPJhQPsDIModp0KoukvUVlj/LLKa2q9xr5IAM7G5IM3vah8yAFAiF5BFEE4nIRtBBlwfPPVJjrnZEd+pb02HaKgD7bdmAC775HtX8ExGmMeg54ckXv3gokUbFIzDXBAKXhWjoNztrrRiWIo08knZCIYPTxe0Ou6XvrYxcD0UufxqXkSsCdYzC+aBIJasfpdXpbUZ6ECwK/A7DmaIj7Ar4ssvQKf0uLGmQDzGZiLpNsgXg4tR04xCBwQIU7ONr5b629hDt0Lo6QCjNsSlWKNdOkiIZ3DIYRGUEq4dL56pa+vz74nhvEYq2pWu5ijCAk7XOZWuw/CkcMpeXp4Y5yZ88eUYdM3bvpCgriqXvpWJA1NxAiw0/sêEb-----END PGP SIGNATURE-----

Debian Security Advisory 5564-1

Gentoo Linux Security Advisory 202311-5 - Multiple vulnerabilities have been discovered in LinuxCIFS utils, the worst of which can lead to local root privilege escalation. Versions greater than or equal to 6.15 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: LinuxCIFS utils: Multiple Vulnerabilities  
     Date: November 24, 2023  
     Bugs: #842234  
       ID: 202311-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in LinuxCIFS utils, the  
worst of which can lead to local root privilege escalation.

Background  
=========  
The LinuxCIFS utils are a collection of tools for managing Linux CIFS  
Client Filesystems.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
net-fs/cifs-utils  < 6.15        >= 6.15

Description  
==========  
Multiple vulnerabilities have been discovered in LinuxCIFS utils. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
A stack-based buffer overflow when parsing the mount.cifs ip= command-  
line argument could lead to local attackers gaining root privileges.

When verbose logging is enabled, invalid credentials file lines may be  
dumped to stderr. This may lead to information disclosure in particular  
conditions when the credentials file given is sensitive and contains '='  
signs.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All LinuxCIFS utils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-fs/cifs-utils-6.15"

References  
=========  
[ 1 ] CVE-2022-27239  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27239  
[ 2 ] CVE-2022-29869  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29869

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-05

Debian Linux Security Advisory 5563-1 - Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa Milburn, Hisham Shafi, Nir Shlomovich, avis Ormandy, Daniel Moghimi, Josh Eads, Salman Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela, Doug Kwan, and Kostik Shtoyk discovered that some Intel processors mishandle repeated sequences of instructions leading to unexpected behavior, which may result in privilege escalation, information disclosure or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5563-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoNovember 23, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : intel-microcodeCVE ID         : CVE-2023-23583Debian Bug     : 1055962Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, AlyssaMilburn, Hisham Shafi, Nir Shlomovich, avis Ormandy, Daniel Moghimi,Josh Eads, Salman Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela,Doug Kwan, and Kostik Shtoyk discovered that some Intel processorsmishandle repeated sequences of instructions leading to unexpectedbehavior, which may result in privilege escalation, informationdisclosure or denial of service.For the oldstable distribution (bullseye), this problem has been fixedin version 3.20231114.1~deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 3.20231114.1~deb12u1.We recommend that you upgrade your intel-microcode packages.For the detailed security status of intel-microcode please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/intel-microcodeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmVfcuFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SRaw/+JwZlE+c2OdKBuLSQCrlASs1iM+iDrbEYKWU/F+RX5HZgB7O5d953MSnC3jIE0+93CY0oW6iwc3ZTaY4cVt7bVC5MmAzkhcVuxLFNqHoBMUtiqIFX4TguWokALnuXQRrs6+DyZ+3C0gcvHtINnEJzlhS8Oqb0xyJQqSlpYiNng7Wa/F8rfLYGWh6ZN+KIYlyVRBfSO+9pMhRFCM29DWdakdgC5KfHNtRENZxpgeGRxCQQuJIs30hIqKc2Zma3AcSDU3hiHYSXTD7GjMxD5MYkV0U3ervXgcsfpmbW0rczOOK49VZHdQC2frYPEYnFGSMwl72adEtdKctocqRSjtnAbCanEY8Ses7ihTB5l9H7u4TXgzJrHnZSiZ0LXd08AJ8m5zglYg9t4UF3qRYgbdRdAvcOpqggAsZVT5UJWVTVP1rAXhyWGXqh39k9/+JAwjJUTVBIkgJMWPWvj9vLeR7fNKNkJPRfi6wRVZ+cWf5Z2/VqHRkjgT4pDImyadFzRFFzy2JLLett0wpF7Elkpb/0RFOmZw0GbBIOM3XU+/OD93TcT0o0i4gU7DHiW/tEOUk7tnGcIAz3/h9yaOVObm36RdiAHZ+Mprk/GpiSLBsfBQueo+gra2vo0qcqpEgA2XiHqT1LQeqcfJ5AXvdBZAL4bxeWx6DteLL6k1OLrvg4qUc=l9kq-----END PGP SIGNATURE-----

Debian Security Advisory 5563-1

Ubuntu Security Notice 6511-1 - It was discovered that the OpenZFS sharenfs feature incorrectly handled IPv6 address data. This could result in IPv6 restrictions not being applied, contrary to expectations.

==========================================================================  
Ubuntu Security Notice USN-6511-1  
November 23, 2023

zfs-linux vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

OpenZFS could allow unintended access to network services.

Software Description:  
- zfs-linux: OpenZFS filesystem for Linux

Details:

It was discovered that the OpenZFS sharenfs feature incorrectly handled  
IPv6 address data. This could result in IPv6 restrictions not being  
applied, contrary to expectations.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   libuutil3linux                  2.1.9-2ubuntu1.2  
   zfsutils-linux                  2.1.9-2ubuntu1.2

Ubuntu 22.04 LTS:  
   libuutil3linux                  2.1.5-1ubuntu6~22.04.2  
   zfsutils-linux                  2.1.5-1ubuntu6~22.04.2

Ubuntu 20.04 LTS:  
   libuutil1linux                  0.8.3-1ubuntu12.16  
   zfsutils-linux                  0.8.3-1ubuntu12.16

After a standard system update you need to reboot your computer to make all  
the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6511-1  
   CVE-2013-20001

Package Information:  
   https://launchpad.net/ubuntu/+source/zfs-linux/2.1.9-2ubuntu1.2  
   https://launchpad.net/ubuntu/+source/zfs-linux/2.1.5-1ubuntu6~22.04.2  
   https://launchpad.net/ubuntu/+source/zfs-linux/0.8.3-1ubuntu12.16

Ubuntu Security Notice USN-6511-1

Debian Linux Security Advisory 5562-1 - It was discovered that Tor was susceptible to a crash during handshake with a remote relay, resulting in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5562-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 22, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : torCVE ID         : not yet availableIt was discovered that Tor was susceptible to a crash during handshakewith a remote relay, resulting in denial of service.For the oldstable distribution (bullseye), support for tor is nowdiscontinued. Please upgrade to the stable release (bullseye) to continuereceiving tor updates.For the stable distribution (bookworm), this problem has been fixed inversion 0.4.7.16-1.We recommend that you upgrade your tor packages.For the detailed security status of tor please refer toits security tracker page at:https://security-tracker.debian.org/tracker/torFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVeVPMACgkQEMKTtsN8TjbMIA/9EhW1HGw07Hn4iLfT369mukHIEN8TNTS1hGwRKJAf0yZFnqdqdKJ7EsBINIh8LlaHxq09JmMN92oMSvenMMrmpCYCRL2UicPTO59ChueUmIH9gLgr1EqWly2b/A09bfCc3TXA35XDzdFWHuI6k6BV6YVQXfeJP4Xxqg+wrYoXSKq1urhtCIT8+11mmylwKsE0uaIAatMhpLRDPCc4yp0brQTklup+bn7GMpgQbbyuPHazJMYmU7qgRh2u9KPa7XMTt1mpx/b55TRQ2EatVwpHukY131putTfV195i96yD/wECZ9R/ey/maF17EGDq+FtnTus1ePuZmV5eVAZRe1+4wOlUoUggVysJUsor6CYIJ0gTwdozXRzFfR4nkfF+odUBhJAivLvPi9UB0iLo3o3c0l83l0tHRsCVC3TtBo1svo8Q4Ri9p8U1ajmKh8AaNHzGgxwdmot5vbTkyO/Hy4tR7Z3PTWne2OsiL0NcQdQZ1/Cxbcr0h3BFF0fkYtQhG4pMa7luQxQC4GSAVQqKqB4IR4RnSHflCpQcbNm3g9UyYv6G4m6RmVfRuSlaG04TOz3MkLqzdn3iKLsyMbQw2Ojq6CWRUYa4QazjIb6owFjQnarUGKDxlnKtJW2W4IJVCi0Wgt2HwmgCtXjOEqtyhdPhlCGNEViocseong99Mz0Sm6E==H3jh-----END PGP SIGNATURE-----

Tag

#linux