Gentoo Linux Security Advisory 202209-20 - Multiple vulnerabilities have been discovered in PHP, the worst of which could result in local root privilege escalation. Versions less than 7.4.30:7.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: PHP: Multiple Vulnerabilities  
     Date: September 29, 2022  
     Bugs: #799776, #810526, #819510, #833585, #850772, #857054  
       ID: 202209-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in PHP, the worst of which  
could result in local root privilege escalation.

Background  
=========  
PHP is a widely-used general-purpose scripting language that is  
especially suited for Web development and can be embedded into HTML.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-lang/php               < 7.4.30:7.4             >= 7.4.30:7.4  
                                < 8.0.23:8.0             >= 8.0.23:8.0  
                                < 8.1.8:8.1               >= 8.1.8:8.1

Description  
==========  
Multiple vulnerabilities have been discovered in PHP. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All PHP 7.4 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-lang/php-7.4.30:7.4"

All PHP 8.0 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-lang/php-8.0.23:8.0"

All PHP 8.1 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-lang/php-8.1.8:8.1"

References  
=========  
[ 1 ] CVE-2021-21703  
      https://nvd.nist.gov/vuln/detail/CVE-2021-21703  
[ 2 ] CVE-2021-21704  
      https://nvd.nist.gov/vuln/detail/CVE-2021-21704  
[ 3 ] CVE-2021-21705  
      https://nvd.nist.gov/vuln/detail/CVE-2021-21705  
[ 4 ] CVE-2021-21708  
      https://nvd.nist.gov/vuln/detail/CVE-2021-21708  
[ 5 ] CVE-2022-31625  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31625  
[ 6 ] CVE-2022-31626  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31626  
[ 7 ] CVE-2022-31627  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31627

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-20

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-20

Gentoo Linux Security Advisory 202209-24 - Multiple vulnerabilities have been discovered in Expat, the worst of which could result in arbitrary code execution. Versions less than 2.4.9 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-24  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Expat: Multiple Vulnerabilities  
     Date: September 29, 2022  
     Bugs: #791703, #830422, #831918, #833431, #870097  
       ID: 202209-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Expat, the worst of  
which could result in arbitrary code execution.

Background  
=========  
Expat is a set of XML parsing libraries.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/expat             < 2.4.9                      >= 2.4.9

Description  
==========  
Multiple vulnerabilities have been discovered in Expat. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Expat users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/expat-2.4.9"

References  
=========  
[ 1 ] CVE-2021-45960  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45960  
[ 2 ] CVE-2021-46143  
      https://nvd.nist.gov/vuln/detail/CVE-2021-46143  
[ 3 ] CVE-2022-22822  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22822  
[ 4 ] CVE-2022-22823  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22823  
[ 5 ] CVE-2022-22824  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22824  
[ 6 ] CVE-2022-22825  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22825  
[ 7 ] CVE-2022-22826  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22826  
[ 8 ] CVE-2022-22827  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22827  
[ 9 ] CVE-2022-23852  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23852  
[ 10 ] CVE-2022-23990  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23990  
[ 11 ] CVE-2022-25235  
      https://nvd.nist.gov/vuln/detail/CVE-2022-25235  
[ 12 ] CVE-2022-25236  
      https://nvd.nist.gov/vuln/detail/CVE-2022-25236  
[ 13 ] CVE-2022-25313  
      https://nvd.nist.gov/vuln/detail/CVE-2022-25313  
[ 14 ] CVE-2022-25314  
      https://nvd.nist.gov/vuln/detail/CVE-2022-25314  
[ 15 ] CVE-2022-25315  
      https://nvd.nist.gov/vuln/detail/CVE-2022-25315  
[ 16 ] CVE-2022-40674  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40674

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-24

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-24

Gentoo Linux Security Advisory 202209-22 - A vulnerability has been found in Kitty which could allow for arbitrary code execution with user input. Versions less than 0.26.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-22  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Kitty: Arbitrary Code Execution  
     Date: September 29, 2022  
     Bugs: #868543  
       ID: 202209-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in Kitty which could allow for arbitrary  
code execution with user input.

Background  
=========  
Kitty is a fast, feature-rich, GPU-based terminal.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  x11-terms/kitty            < 0.26.2                    >= 0.26.2

Description  
==========  
Carter Sande discovered that maliciously constructed control sequences  
can cause Kitty to display a notification that, when clicked, can cause  
Kitty to execute arbitrary commands.

Impact  
=====  
Kitty can produce notifications that, when clicked, can execute  
arbitrary commands.

Workaround  
=========  
Avoid clicking unexpected notifications.

Resolution  
=========  
All Kitty users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-terms/kitty-0.26.2"

References  
=========  
[ 1 ] CVE-2022-41322  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41322

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-22

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-22

Gentoo Linux Security Advisory 202209-26 - Multiple vulnerabilities have been discovered in Go, the worst of which could result in denial of service. Versions less than 1.18.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-26  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Go: Multiple Vulnerabilities  
     Date: September 29, 2022  
     Bugs: #869002  
       ID: 202209-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Go, the worst of which  
could result in denial of service.

Background  
=========  
Go is an open source programming language that makes it easy to build  
simple, reliable, and efficient software.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-lang/go                < 1.18.6                    >= 1.18.6

Description  
==========  
Multiple vulnerabilities have been discovered in Go. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Go users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-lang/go-1.18.6"

In addition, users using Portage 3.0.9 or later should ensure that  
packages with Go binaries have no vulnerable code statically linked into  
their binaries by rebuilding the @golang-rebuild set:

  # emerge --ask --oneshot --verbose @golang-rebuild

References  
=========  
[ 1 ] CVE-2022-27664  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27664  
[ 2 ] CVE-2022-32190  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32190

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-26

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-26

Gentoo Linux Security Advisory 202209-23 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 105.0.5195.125 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-23  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities  
     Date: September 29, 2022  
     Bugs: #868156, #868354, #872407, #870142  
       ID: 202209-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in Chromium and its  
derivatives, the worst of which could result in remote code execution.

Background  
=========  
Chromium is an open-source browser project that aims to build a safer,  
faster, and more stable way for all users to experience the web.

Google Chrome is one fast, simple, and secure browser for all your  
devices.

Microsoft Edge is a browser that combines a minimal design with  
sophisticated technology to make the web faster, safer, and easier.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-client/chromium        < 105.0.5195.125    >= 105.0.5195.125  
  2  www-client/chromium-bin    < 105.0.5195.125    >= 105.0.5195.125  
  3  www-client/google-chrome   < 105.0.5195.125    >= 105.0.5195.125  
  4  www-client/microsoft-edge  < 105.0.1343.42      >= 105.0.1343.42

Description  
==========  
Multiple vulnerabilities have been discovered in Chromium, Google  
Chrome, Microsoft Edge. Please review the CVE identifiers referenced  
below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Chromium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-105.0.5195.125"

All Chromium binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-bin-105.0.5195.125"

All Google Chrome users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-105.0.5195.125"

All Microsoft Edge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-105.0.1343.42"

References  
=========  
[ 1 ] CVE-2022-3038  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3038  
[ 2 ] CVE-2022-3039  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3039  
[ 3 ] CVE-2022-3040  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3040  
[ 4 ] CVE-2022-3041  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3041  
[ 5 ] CVE-2022-3042  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3042  
[ 6 ] CVE-2022-3043  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3043  
[ 7 ] CVE-2022-3044  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3044  
[ 8 ] CVE-2022-3045  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3045  
[ 9 ] CVE-2022-3046  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3046  
[ 10 ] CVE-2022-3047  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3047  
[ 11 ] CVE-2022-3048  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3048  
[ 12 ] CVE-2022-3049  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3049  
[ 13 ] CVE-2022-3050  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3050  
[ 14 ] CVE-2022-3051  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3051  
[ 15 ] CVE-2022-3052  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3052  
[ 16 ] CVE-2022-3053  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3053  
[ 17 ] CVE-2022-3054  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3054  
[ 18 ] CVE-2022-3055  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3055  
[ 19 ] CVE-2022-3056  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3056  
[ 20 ] CVE-2022-3057  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3057  
[ 21 ] CVE-2022-3058  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3058  
[ 22 ] CVE-2022-3071  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3071  
[ 23 ] CVE-2022-3075  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3075  
[ 24 ] CVE-2022-3195  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3195  
[ 25 ] CVE-2022-3196  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3196  
[ 26 ] CVE-2022-3197  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3197  
[ 27 ] CVE-2022-3198  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3198  
[ 28 ] CVE-2022-3199  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3199  
[ 29 ] CVE-2022-3200  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3200  
[ 30 ] CVE-2022-3201  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3201  
[ 31 ] CVE-2022-38012  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38012

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-23

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-23

Gentoo Linux Security Advisory 202209-25 - A vulnerability has been discovered in Zutty which could allow for arbitrary code execution. Versions less than 0.13 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-25  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Zutty: Arbitrary Code Execution  
     Date: September 29, 2022  
     Bugs: #868495  
       ID: 202209-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Zutty which could allow for  
arbitrary code execution.

Background  
=========  
Zutty is an X terminal emulator rendering through OpenGL ES Compute  
Shaders.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  x11-terms/zutty            < 0.13                        >= 0.13

Description  
==========  
Zutty does not correctly handle invalid DECRQSS commands, which can be  
exploited to run arbitrary commands in the terminal.

Impact  
=====  
Untrusted text written to the Zutty terminal can achieve arbitrary code  
execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Zutty users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-terms/zutty-0.13"

References  
=========  
[ 1 ] CVE-2022-41138  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41138

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-25

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-25

Gentoo Linux Security Advisory 202209-21 - A vulnerability has been discovered in Poppler which could allow for arbitrary code execution. Versions less than 22.09.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Poppler: Arbitrary Code Execution  
     Date: September 29, 2022  
     Bugs: #867958  
       ID: 202209-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Poppler which could allow for  
arbitrary code execution.

Background  
=========  
Poppler is a PDF rendering library based on the xpdf-3.0 code base.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-text/poppler           < 22.09.0                  >= 22.09.0

Description  
==========  
Multiple vulnerabilities have been discovered in Poppler. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Processing a specially crafted PDF file or JBIG2 image could lead to a  
crash or the execution of arbitrary code.

Workaround  
=========  
Avoid opening untrusted PDFs.

Resolution  
=========  
All Poppler users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/poppler-22.09.0"

References  
=========  
[ 1 ] CVE-2021-30860  
      https://nvd.nist.gov/vuln/detail/CVE-2021-30860  
[ 2 ] CVE-2022-38784  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38784

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-21

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-21

Gentoo Linux Security Advisory 202209-19 - Multiple vulnerabilities have been discovered in GraphicsMagick, the worst of which are fuzzing issues presumed to allow for arbitrary code execution. Versions less than 1.3.38 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: GraphicsMagick: Multiple Vulnerabilities  
     Date: September 29, 2022  
     Bugs: #721328, #836283, #873367  
       ID: 202209-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in GraphicsMagick, the  
worst of which are fuzzing issues presumed to allow for arbitrary code  
execution.

Background  
=========  
GraphicsMagick is a collection of tools and libraries which support  
reading, writing, and manipulating images in many major formats.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-gfx/graphicsmagick   < 1.3.38                    >= 1.3.38

Description  
==========  
Multiple vulnerabilities have been discovered in GraphicsMagick. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All GraphicsMagick users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.3.38"

References  
=========  
[ 1 ] CVE-2020-12672  
      https://nvd.nist.gov/vuln/detail/CVE-2020-12672  
[ 2 ] CVE-2022-1270  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1270

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-19

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-19

Gentoo Linux Security Advisory 202209-18 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the world of which could result in arbitrary code execution. Versions less than 102.3.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-18  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Thunderbird: Multiple Vulnerabilities  
     Date: September 29, 2022  
     Bugs: #872572  
       ID: 202209-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Mozilla Thunderbird, the  
world of which could result in arbitrary code execution.

Background  
==========

Mozilla Thunderbird is a popular open-source email client from the  
Mozilla project.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  mail-client/thunderbird    < 102.3.0                  >= 102.3.0  
  2  mail-client/thunderbird-bin  < 102.3.0                >= 102.3.0

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.3.0"

All Mozilla Thunderbird binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.3.0"

References  
==========

[ 1 ] CVE-2022-3155  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3155  
[ 2 ] CVE-2022-40956  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40956  
[ 3 ] CVE-2022-40957  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40957  
[ 4 ] CVE-2022-40958  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40958  
[ 5 ] CVE-2022-40959  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40959  
[ 6 ] CVE-2022-40960  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40960  
[ 7 ] CVE-2022-40962  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40962

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-18

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-18

Gentoo Linux Security Advisory 202209-17 - Multiple vulnerabilities have been found in Redis, the worst of which could result in arbitrary code execution. Versions less than 7.0.5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Redis: Multiple Vulnerabilities  
     Date: September 29, 2022  
     Bugs: #803302, #816282, #841404, #856040, #859181, #872278  
       ID: 202209-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Redis, the worst of which  
could result in arbitrary code execution.

Background  
==========

Redis is an open source (BSD licensed), in-memory data structure store,  
used as a database, cache and message broker.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-db/redis               < 7.0.5                      >= 7.0.5

Description  
===========

Multiple vulnerabilities have been discovered in Redis. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Redis users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-db/redis-7.0.5"

References  
==========

[ 1 ] CVE-2021-32626  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32626  
[ 2 ] CVE-2021-32627  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32627  
[ 3 ] CVE-2021-32628  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32628  
[ 4 ] CVE-2021-32672  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32672  
[ 5 ] CVE-2021-32675  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32675  
[ 6 ] CVE-2021-32687  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32687  
[ 7 ] CVE-2021-32761  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32761  
[ 8 ] CVE-2021-32762  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32762  
[ 9 ] CVE-2021-41099  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41099  
[ 10 ] CVE-2022-24735  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24735  
[ 11 ] CVE-2022-24736  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24736  
[ 12 ] CVE-2022-31144  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31144  
[ 13 ] CVE-2022-33105  
      https://nvd.nist.gov/vuln/detail/CVE-2022-33105  
[ 14 ] CVE-2022-35951  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35951

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-17

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#linux