Gentoo Linux Security Advisory 202305-19 - A vulnerability has been discovered in Firejail which could result in local root privilege escalation.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Firejail: Local Privilege Escalation  
     Date: May 03, 2023  
     Bugs: #850748  
       ID: 202305-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Firejail which could result in  
local root privilege escalation.

Background  
==========

A SUID program that reduces the risk of security breaches by restricting  
the running environment of untrusted applications using Linux namespaces  
and seccomp-bpf.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
Traceback (most recent call last):  
  File "/usr/local/lib/python3.9/site-packages/glsamaker/models/glsa.py", line 326, in generate_mail_table  
    return self._generate_mail_table()  
  File "/usr/local/lib/python3.9/site-packages/glsamaker/models/glsa.py", line 297, in _generate_mail_table  
    vuln.range_types_rev[vuln.pkg_range], vuln.version  
KeyError: None

Description  
===========

Firejail does not sufficiently validate the user's environment prior to  
using it as the root user when using the --join command line option.

Impact  
======

An unprivileged user can exploit this vulnerability to achieve local  
root privileges.

Workaround  
==========

System administrators can mitigate this vulnerability via adding either  
"force-nonewprivs yes" or "join no" to the Firejail configuration file  
in /etc/firejail/firejail.config.

Resolution  
==========

Gentoo has discontinued support for sys-apps/firejail-lts. Users should  
unmerge it in favor of sys-apps/firejail:

  # emerge --ask --depclean --verbose "sys-apps/firejail-lts"  
  # emerge --ask --verbose "sys-apps/firejail"

All Firejail users should upgrade to the latest version:

  # emerge --ask --oneshot --verbose ">=sys-apps/firejail-0.9.70"

References  
==========

[ 1 ] CVE-2022-31214  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31214

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-19

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-19

Gentoo Linux Security Advisory 202305-18 - Multiple vulnerabilities have been found in libsdl2, the worst of which could result in arbitrary code execution. Versions less than 2.26.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-18  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libsdl2: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #836665, #890614  
       ID: 202305-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in libsdl2, the worst of which  
could result in arbitrary code execution.

Background  
==========

Simple DirectMedia Layer is a cross-platform development library  
designed to provide low level access to audio, keyboard, mouse,  
joystick, and graphics hardware via OpenGL and Direct3D.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-libs/libsdl2         < 2.26.0                    >= 2.26.0

Description  
===========

Multiple vulnerabilities have been discovered in libsdl2. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libsdl2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libsdl2-2.26.0"

References  
==========

[ 1 ] CVE-2021-33657  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33657  
[ 2 ] CVE-2022-4743  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4743

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-18

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-18

Gentoo Linux Security Advisory 202305-17 - Multiple vulnerabilities have been found in libsdl, the worst of which could result in arbitrary code execution. Versions less than 1.2.15_p20221201>= are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libsdl: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #692388, #836665, #861809  
       ID: 202305-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in libsdl, the worst of which  
could result in arbitrary code execution.

Background  
==========

Simple DirectMedia Layer is a cross-platform development library  
designed to provide low level access to audio, keyboard, mouse,  
joystick, and graphics hardware via OpenGL and Direct3D.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-libs/libsdl          < 1.2.15_p20221201>= 1.2.15_p20221201

Description  
===========

Multiple vulnerabilities have been discovered in SDL. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libsdl users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libsdl-1.2.15_p20221201"

References  
==========

[ 1 ] CVE-2019-7572  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7572  
[ 2 ] CVE-2019-7573  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7573  
[ 3 ] CVE-2019-7574  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7574  
[ 4 ] CVE-2019-7575  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7575  
[ 5 ] CVE-2019-7576  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7576  
[ 6 ] CVE-2019-7577  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7577  
[ 7 ] CVE-2019-7578  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7578  
[ 8 ] CVE-2019-7635  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7635  
[ 9 ] CVE-2019-7636  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7636  
[ 10 ] CVE-2019-7638  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7638  
[ 11 ] CVE-2019-13616  
      https://nvd.nist.gov/vuln/detail/CVE-2019-13616  
[ 12 ] CVE-2021-33657  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33657  
[ 13 ] CVE-2022-34568  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34568

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-17

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-17

Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Vim, gVim: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #851231, #861092, #869359, #879257, #883681, #889730  
       ID: 202305-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Vim, the worst of which  
could result in denial of service.

Background  
==========

Vim is an efficient, highly configurable improved version of the classic  
‘vi’ text editor. gVim is the GUI version of Vim.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-editors/gvim           < 9.0.1157                >= 9.0.1157  
  2  app-editors/vim            < 9.0.1157                >= 9.0.1157  
  3  app-editors/vim-core       < 9.0.1157                >= 9.0.1157

Description  
===========

Multiple vulnerabilities have been discovered in Vim, gVim. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Vim users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-editors/vim-9.0.1157"

All gVim users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-editors/gvim-9.0.1157"

All vim-core users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-editors/vim-core-9.0.1157"

References  
==========

[ 1 ] CVE-2022-1154  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1154  
[ 2 ] CVE-2022-1160  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1160  
[ 3 ] CVE-2022-1381  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1381  
[ 4 ] CVE-2022-1420  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1420  
[ 5 ] CVE-2022-1616  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1616  
[ 6 ] CVE-2022-1619  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1619  
[ 7 ] CVE-2022-1620  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1620  
[ 8 ] CVE-2022-1621  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1621  
[ 9 ] CVE-2022-1629  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1629  
[ 10 ] CVE-2022-1674  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1674  
[ 11 ] CVE-2022-1720  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1720  
[ 12 ] CVE-2022-1725  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1725  
[ 13 ] CVE-2022-1733  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1733  
[ 14 ] CVE-2022-1735  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1735  
[ 15 ] CVE-2022-1769  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1769  
[ 16 ] CVE-2022-1771  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1771  
[ 17 ] CVE-2022-1785  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1785  
[ 18 ] CVE-2022-1796  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1796  
[ 19 ] CVE-2022-1851  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1851  
[ 20 ] CVE-2022-1886  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1886  
[ 21 ] CVE-2022-1897  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1897  
[ 22 ] CVE-2022-1898  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1898  
[ 23 ] CVE-2022-1927  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1927  
[ 24 ] CVE-2022-1942  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1942  
[ 25 ] CVE-2022-1968  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1968  
[ 26 ] CVE-2022-2000  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2000  
[ 27 ] CVE-2022-2042  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2042  
[ 28 ] CVE-2022-2124  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2124  
[ 29 ] CVE-2022-2125  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2125  
[ 30 ] CVE-2022-2126  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2126  
[ 31 ] CVE-2022-2129  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2129  
[ 32 ] CVE-2022-2175  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2175  
[ 33 ] CVE-2022-2182  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2182  
[ 34 ] CVE-2022-2183  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2183  
[ 35 ] CVE-2022-2206  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2206  
[ 36 ] CVE-2022-2207  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2207  
[ 37 ] CVE-2022-2208  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2208  
[ 38 ] CVE-2022-2210  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2210  
[ 39 ] CVE-2022-2231  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2231  
[ 40 ] CVE-2022-2257  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2257  
[ 41 ] CVE-2022-2264  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2264  
[ 42 ] CVE-2022-2284  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2284  
[ 43 ] CVE-2022-2285  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2285  
[ 44 ] CVE-2022-2286  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2286  
[ 45 ] CVE-2022-2287  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2287  
[ 46 ] CVE-2022-2288  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2288  
[ 47 ] CVE-2022-2289  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2289  
[ 48 ] CVE-2022-2304  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2304  
[ 49 ] CVE-2022-2343  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2343  
[ 50 ] CVE-2022-2344  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2344  
[ 51 ] CVE-2022-2345  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2345  
[ 52 ] CVE-2022-2522  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2522  
[ 53 ] CVE-2022-2816  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2816  
[ 54 ] CVE-2022-2817  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2817  
[ 55 ] CVE-2022-2819  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2819  
[ 56 ] CVE-2022-2845  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2845  
[ 57 ] CVE-2022-2849  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2849  
[ 58 ] CVE-2022-2862  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2862  
[ 59 ] CVE-2022-2874  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2874  
[ 60 ] CVE-2022-2889  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2889  
[ 61 ] CVE-2022-2923  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2923  
[ 62 ] CVE-2022-2946  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2946  
[ 63 ] CVE-2022-2980  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2980  
[ 64 ] CVE-2022-2982  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2982  
[ 65 ] CVE-2022-3016  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3016  
[ 66 ] CVE-2022-3099  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3099  
[ 67 ] CVE-2022-3134  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3134  
[ 68 ] CVE-2022-3153  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3153  
[ 69 ] CVE-2022-3234  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3234  
[ 70 ] CVE-2022-3235  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3235  
[ 71 ] CVE-2022-3256  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3256  
[ 72 ] CVE-2022-3278  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3278  
[ 73 ] CVE-2022-3296  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3296  
[ 74 ] CVE-2022-3297  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3297  
[ 75 ] CVE-2022-3324  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3324  
[ 76 ] CVE-2022-3352  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3352  
[ 77 ] CVE-2022-3491  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3491  
[ 78 ] CVE-2022-3520  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3520  
[ 79 ] CVE-2022-3591  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3591  
[ 80 ] CVE-2022-3705  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3705  
[ 81 ] CVE-2022-4141  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4141  
[ 82 ] CVE-2022-4292  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4292  
[ 83 ] CVE-2022-4293  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4293  
[ 84 ] CVE-2022-47024  
      https://nvd.nist.gov/vuln/detail/CVE-2022-47024  
[ 85 ] CVE-2023-0049  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0049  
[ 86 ] CVE-2023-0051  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0051  
[ 87 ] CVE-2023-0054  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0054

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-16

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-16

Gentoo Linux Security Advisory 202305-15 - Multiple vulnerabilities have been discovered in systemd, the worst of which could result in denial of service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: systemd: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #880547, #830967  
       ID: 202305-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in systemd, the worst of  
which could result in denial of service.

Background  
==========

A system and service manager.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
Traceback (most recent call last):  
  File "/usr/local/lib/python3.9/site-packages/glsamaker/models/glsa.py", line 326, in generate_mail_table  
    return self._generate_mail_table()  
  File "/usr/local/lib/python3.9/site-packages/glsamaker/models/glsa.py", line 297, in _generate_mail_table  
    vuln.range_types_rev[vuln.pkg_range], vuln.version  
KeyError: None

Description  
===========

Multiple vulnerabilities have been discovered in systemd. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All systemd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/systemd-251.3"

All systemd-utils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/systemd-utils-251.3"

Gentoo has discontinued support for sys-apps/systemd-tmpfiles, sys-  
boot/systemd-boot, and sys-fs/udev. See the 2022-04-19-systemd-utils  
news item. Users should unmerge it in favor of sys-apps/systemd-utils on  
non-systemd systems:

  # emerge --ask --depclean --verbose "sys-apps/systemd-tmpfiles" "sys-boot/systemd-boot" "sys-fs/udev"  
  # emerge --ask --verbose --oneshot ">=sys-apps/systemd-utils-251.3"

References  
==========

[ 1 ] CVE-2021-3997  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3997  
[ 2 ] CVE-2022-3821  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3821

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-15

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-15

Gentoo Linux Security Advisory 202305-14 - A vulnerability has been discovered in uptimed which could result in root privilege escalation. Versions less than 0.4.6-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: uptimed: Root Privilege Escalation  
     Date: May 03, 2023  
     Bugs: #630810  
       ID: 202305-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in uptimed which could result in  
root privilege escalation.

Background  
==========

uptimed is a system uptime record daemon that keeps track of your  
highest uptimes.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-misc/uptimed           < 0.4.6-r1                >= 0.4.6-r1

Description  
===========

Via unnecessary file ownership modifications in the pkg_postinst ebuild  
phase, the uptimed user could change arbitrary files to be owned by the  
uptimed user at emerge-time.

Impact  
======

The uptimed user could achieve root privileges when the uptimed package  
is emerged.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All uptimed users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-misc/uptimed-0.4.6-r1"

References  
==========

[ 1 ] CVE-2020-36657  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36657

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-14

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-14

Gentoo Linux Security Advisory 202305-12 - A vulnerability has been discovered in sudo which could result in root privilege escalation. Versions less than 1.9.12_p2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: sudo: Root Privilege Escalation  
     Date: May 03, 2023  
     Bugs: #891335  
       ID: 202305-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in sudo which could result in root  
privilege escalation.

Background  
==========

sudo allows a system administrator to give users the ability to run  
commands as other users.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-admin/sudo             < 1.9.12_p2              >= 1.9.12_p2

Description  
===========

The sudoedit (aka -e) feature mishandles extra arguments passed in the  
user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR),  
allowing a local attacker to append arbitrary entries to the list of  
files to process.

Impact  
======

The improper processing of user's environment variables could lead to  
the editing of arbitrary files as root, potentially leading to root  
privilege escalation.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All sudo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12_p2"

References  
==========

[ 1 ] CVE-2023-22809  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22809

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-12

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-12

Gentoo Linux Security Advisory 202305-11 - Multiple vulnerabilities have been found in Tor, the worst of which could result in denial of service. Versions less than 0.4.7.13 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Tor: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #808681, #852821, #890618  
       ID: 202305-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Tor, the worst of which  
could result in denial of service.

Background  
==========

Tor is an implementation of second generation Onion Routing, a  
connection-oriented anonymizing communication service.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-vpn/tor                < 0.4.7.13                >= 0.4.7.13

Description  
===========

Multiple vulnerabilities have been discovered in Tor. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Tor users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-vpn/tor-0.4.7.13"

References  
==========

[ 1 ] CVE-2021-38385  
      https://nvd.nist.gov/vuln/detail/CVE-2021-38385  
[ 2 ] CVE-2022-33903  
      https://nvd.nist.gov/vuln/detail/CVE-2022-33903  
[ 3 ] CVE-2023-23589  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23589  
[ 4 ] TROVE-2021-007  
[ 5 ] TROVE-2022-001  
[ 6 ] TROVE-2022-002

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-11

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-11

Gentoo Linux Security Advisory 202305-10 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 109.0.5414.74-r1>= are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #876855, #878825, #883031, #883697, #885851, #890726, #886479, #890728, #891501, #891503  
       ID: 202305-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Chromium and its  
derivatives, the worst of which could result in remote code execution.

Background  
==========

Chromium is an open-source browser project that aims to build a safer,  
faster, and more stable way for all users to experience the web.

Google Chrome is one fast, simple, and secure browser for all your  
devices.

Microsoft Edge is a browser that combines a minimal design with  
sophisticated technology to make the web faster, safer, and easier.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-client/chromium        < 109.0.5414.74-r1>= 109.0.5414.74-r1  
  2  www-client/chromium-bin    < 109.0.5414.74      >= 109.0.5414.74  
  3  www-client/google-chrome   < 109.0.5414.74      >= 109.0.5414.74  
  4  www-client/microsoft-edge  < 109.0.1518.61      >= 109.0.1518.61

Description  
===========

Multiple vulnerabilities have been discovered in Chromium, Google  
Chrome, Microsoft Edge. Please review the CVE identifiers referenced  
below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-109.0.5414.74-r1"

All Chromium binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-bin-109.0.5414.74"

All Google Chrome users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-109.0.5414.74"

All Microsoft Edge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-109.0.1518.61"

References  
==========

[ 1 ] CVE-2022-3445  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3445  
[ 2 ] CVE-2022-3446  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3446  
[ 3 ] CVE-2022-3447  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3447  
[ 4 ] CVE-2022-3448  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3448  
[ 5 ] CVE-2022-3449  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3449  
[ 6 ] CVE-2022-3450  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3450  
[ 7 ] CVE-2022-3723  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3723  
[ 8 ] CVE-2022-4135  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4135  
[ 9 ] CVE-2022-4174  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4174  
[ 10 ] CVE-2022-4175  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4175  
[ 11 ] CVE-2022-4176  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4176  
[ 12 ] CVE-2022-4177  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4177  
[ 13 ] CVE-2022-4178  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4178  
[ 14 ] CVE-2022-4179  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4179  
[ 15 ] CVE-2022-4180  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4180  
[ 16 ] CVE-2022-4181  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4181  
[ 17 ] CVE-2022-4182  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4182  
[ 18 ] CVE-2022-4183  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4183  
[ 19 ] CVE-2022-4184  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4184  
[ 20 ] CVE-2022-4185  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4185  
[ 21 ] CVE-2022-4186  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4186  
[ 22 ] CVE-2022-4187  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4187  
[ 23 ] CVE-2022-4188  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4188  
[ 24 ] CVE-2022-4189  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4189  
[ 25 ] CVE-2022-4190  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4190  
[ 26 ] CVE-2022-4191  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4191  
[ 27 ] CVE-2022-4192  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4192  
[ 28 ] CVE-2022-4193  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4193  
[ 29 ] CVE-2022-4194  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4194  
[ 30 ] CVE-2022-4195  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4195  
[ 31 ] CVE-2022-4436  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4436  
[ 32 ] CVE-2022-4437  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4437  
[ 33 ] CVE-2022-4438  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4438  
[ 34 ] CVE-2022-4439  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4439  
[ 35 ] CVE-2022-4440  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4440  
[ 36 ] CVE-2022-41115  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41115  
[ 37 ] CVE-2022-44688  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44688  
[ 38 ] CVE-2022-44708  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44708  
[ 39 ] CVE-2023-0128  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0128  
[ 40 ] CVE-2023-0129  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0129  
[ 41 ] CVE-2023-0130  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0130  
[ 42 ] CVE-2023-0131  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0131  
[ 43 ] CVE-2023-0132  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0132  
[ 44 ] CVE-2023-0133  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0133  
[ 45 ] CVE-2023-0134  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0134  
[ 46 ] CVE-2023-0135  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0135  
[ 47 ] CVE-2023-0136  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0136  
[ 48 ] CVE-2023-0137  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0137  
[ 49 ] CVE-2023-0138  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0138  
[ 50 ] CVE-2023-0139  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0139  
[ 51 ] CVE-2023-0140  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0140  
[ 52 ] CVE-2023-0141  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0141  
[ 53 ] CVE-2023-21719  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21719  
[ 54 ] CVE-2023-21775  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21775  
[ 55 ] CVE-2023-21795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21795  
[ 56 ] CVE-2023-21796  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21796

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-10

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-10

Gentoo Linux Security Advisory 202305-9 - A denial of service vulnerability was discovered in rsyslog related to syslog input over the network. Versions less than 3.38.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: syslog-ng: Denial of Service  
     Date: May 03, 2023  
     Bugs: #891941  
       ID: 202305-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A denial of service vulnerability was discovered in rsyslog related to  
syslog input over the network.

Background  
==========

syslog replacement with advanced filtering features.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-admin/syslog-ng        < 3.38.1                    >= 3.38.1

Description  
===========

An integer overflow in the RFC3164 parser allows remote attackers to  
cause a denial of service via crafted syslog input that is mishandled by  
the tcp or network function.

Impact  
======

Attackers with access to input syslogs over syslog-ng's network  
functionality can cause a denial of service.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All syslog-ng users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.38.1"

References  
==========

[ 1 ] CVE-2022-38725  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38725

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac