**US DEPARTMENT OF JUSTICE, NOV. 21 —** Two Estonian citizens were arrested in Tallinn, Estonia, yesterday on an 18-count indictment for their alleged involvement in a $575 million cryptocurrency fraud and money laundering conspiracy.

The indictment was returned by a grand jury in the Western District of Washington on Oct. 27 and unsealed today.

According to court documents, Sergei Potapenko and Ivan Turõgin, both 37, allegedly defrauded hundreds of thousands of victims through a multi-faceted scheme. They induced victims to enter into fraudulent equipment rental contracts with the defendants’ cryptocurrency mining service called HashFlare. They also caused victims to invest in a virtual currency bank called Polybius Bank. In reality, Polybius was never actually a bank, and never paid out the promised dividends. Victims paid more than $575 million to Potapenko and Turõgin’s companies. Potapenko and Turõgin then used shell companies to launder the fraud proceeds and to purchase real estate and luxury cars.

“New technology has made it easier for bad actors to take advantage of innocent victims – both in the U.S. and abroad – in increasingly complex scams,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “The department is committed to preventing the public from losing more of their hard-earned money to these scams and will not allow these defendants, or others like them, to keep the fruits of their crimes.”

“The size and scope of the alleged scheme is truly astounding. These defendants capitalized on both the allure of cryptocurrency, and the mystery surrounding cryptocurrency mining, to commit an enormous Ponzi scheme,” said U.S. Attorney Nick Brown for the Western District of Washington. “They lured investors with false representations and then paid early investors off with money from those who invested later. They tried to hide their ill-gotten gain in Estonian properties, luxury cars, and bank accounts and virtual currency wallets around the world. U.S. and Estonian authorities are working to seize and restrain these assets and take the profit out of these crimes.”

"The FBI is committed to pursuing subjects across international boundaries who are utilizing increasingly complex schemes to defraud investors,” said Assistant Director Luis Quesada of the FBI’s Criminal Investigative Division. “Victims in the U.S. and abroad invested into what they believed were sophisticated virtual asset ventures, but it was all part of a fraudulent scheme and thousands of victims were harmed as a result. The FBI thanks our national and international partners for their efforts throughout the investigation to help bring justice for the victims.”

According to the indictment, Potapenko and Turõgin claimed that HashFlare was a massive cryptocurrency mining operation. Cryptocurrency mining is the process of using computers to generate cryptocurrency, such as Bitcoin, for profit. Potapenk and Turõgin offered contracts which, for a fee, purported to allow customers to rent a percentage of HashFlare’s mining operations in exchange for the virtual currency produced by their portion of the operation. HashFlare’s website enabled customers to see the amount of virtual currency their mining activity had supposedly generated. Customers from around the world, including western Washington, entered into more than $550 million worth of HashFlare contracts between 2015 and 2019.

According to the indictment, these contracts were fraudulent. HashFlare allegedly did not have the virtual currency mining equipment it claimed to have. HashFlare’s equipment allegedly performed Bitcoin mining at a rate of less than one percent of the computing power it purported to have. When investors asked to withdraw their mining proceeds, Potapenko and Turõgin were not able to pay the mined currency as promised. Instead, they either resisted making the payments, or paid off the investors using virtual currency the defendants had purchased on the open market—not currency they had mined. HashFlare closed its operations in 2019.

In May 2017, Potapenko and Turõgin offered investments in a company called Polybius, which they promised would form a bank specializing in virtual currency. They promised to pay investors dividends from Polybius’s profits. The men raised at least $25 million in this scheme and transferred most of the money to other bank accounts and virtual currency wallets they controlled. Polybius never formed a bank or paid any dividends.

The indictment also charges Potapenko and Turõgin with conspiring to launder their criminal proceeds by using shell companies and phony contracts and invoices. The money laundering conspiracy allegedly involved at least 75 real properties, six luxury vehicles, cryptocurrency wallets, and thousands of cryptocurrency mining machines.

Potapenko and Turõgin are both charged with conspiracy to commit wire fraud, 16 counts of wire fraud, and one count of conspiracy to commit money laundering. If convicted, Potapenko and Turõgin each face a maximum penalty of 20 years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The FBI is investigating the case.

The United States thanks the Cybercrime Bureau of the National Criminal Police of the Estonian Police and Border Guard for its support with this investigation. The U.S. Department of Justice’s Office of International Affairs provided extensive assistance to the investigation.

This investigation and today’s arrest demonstrate the great coordination and cooperation between U.S. and Estonian law enforcement. Estonia has been a crucial ally to disrupt this cyber-enabled crime, and the United States thanks the Estonians for their continued assistance and coordination.

Trial Attorneys Adrienne E. Rosen and Olivia Zhu of the Criminal Division’s Money Laundering and Asset Recovery Section and Assistant U.S. Attorneys Seth Wilkinson and Jehiel I. Baer for the Western District of Washington are prosecuting the case.

Individuals who believe they may have been a victim in this case should visit www.fbi.gov/hashflare for more information.

_An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law._

Two Estonian Citizens Arrested in $575 Million Cryptocurrency Fraud and Money Laundering Scheme

Gentoo Linux Security Advisory 202211-7 - An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. Versions less than 12.7.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: sysstat: Arbitrary Code Execution  
     Date: November 22, 2022  
     Bugs: #880543  
       ID: 202211-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
An integer overflow vulnerability has been found in sysstat which could  
result in arbitrary code execution.

Background  
=========  
sysstat is a package containing a number of performance monitoring  
utilities for Linux, including sar, mpstat, iostat and sa tools.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-admin/sysstat          < 12.7.1                    >= 12.7.1

Description  
==========  
On 32 bit systems, an integer overflow can be triggered when displaying  
activity data files.

Impact  
=====  
Arbitrary code execution can be achieved via sufficiently crafted  
malicious input.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All sysstat users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.7.1"

References  
=========  
[ 1 ] CVE-2022-39377  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39377

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-07

Gentoo Linux Security Advisory 202211-6 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions less than 102.5.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: November 22, 2022  
     Bugs: #881403  
       ID: 202211-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which could result in arbitrary code execution.

Background  
=========  
Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-client/firefox         < 102.5.0:esr          >= 102.5.0:esr  
                                < 107.0:rapid          >= 107.0:rapid  
  2  www-client/firefox-bin     < 102.5.0:esr          >= 102.5.0:esr  
                                < 107.0:rapid          >= 107.0:rapid

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.5.0"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-102.5.0"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-107.0"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-107.0"

References  
=========  
[ 1 ] CVE-2022-40674  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40674  
[ 2 ] CVE-2022-45403  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45403  
[ 3 ] CVE-2022-45404  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45404  
[ 4 ] CVE-2022-45405  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45405  
[ 5 ] CVE-2022-45406  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45406  
[ 6 ] CVE-2022-45407  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45407  
[ 7 ] CVE-2022-45408  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45408  
[ 8 ] CVE-2022-45409  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45409  
[ 9 ] CVE-2022-45410  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45410  
[ 10 ] CVE-2022-45411  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45411  
[ 11 ] CVE-2022-45412  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45412  
[ 12 ] CVE-2022-45413  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45413  
[ 13 ] CVE-2022-45415  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45415  
[ 14 ] CVE-2022-45416  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45416  
[ 15 ] CVE-2022-45417  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45417  
[ 16 ] CVE-2022-45418  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45418  
[ 17 ] CVE-2022-45419  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45419  
[ 18 ] CVE-2022-45420  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45420  
[ 19 ] CVE-2022-45421  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45421

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-06

Gentoo Linux Security Advisory 202211-5 - Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. Versions less than 102.5.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Thunderbird: Multiple Vulnerabilities  
     Date: November 22, 2022  
     Bugs: #881407  
       ID: 202211-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Mozilla Thunderbird,  
the worst of which could result in arbitrary code execution.

Background  
=========  
Mozilla Thunderbird is a popular open-source email client from the  
Mozilla project.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  mail-client/thunderbird    < 102.5.0                  >= 102.5.0  
  2  mail-client/thunderbird-bin  < 102.5.0                >= 102.5.0

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Thunderbird.  
Please review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Thunderbird binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.5.0"

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.5.0"

References  
=========  
[ 1 ] CVE-2022-45403  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45403  
[ 2 ] CVE-2022-45404  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45404  
[ 3 ] CVE-2022-45405  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45405  
[ 4 ] CVE-2022-45406  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45406  
[ 5 ] CVE-2022-45408  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45408  
[ 6 ] CVE-2022-45409  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45409  
[ 7 ] CVE-2022-45410  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45410  
[ 8 ] CVE-2022-45411  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45411  
[ 9 ] CVE-2022-45412  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45412  
[ 10 ] CVE-2022-45416  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45416  
[ 11 ] CVE-2022-45418  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45418  
[ 12 ] CVE-2022-45420  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45420  
[ 13 ] CVE-2022-45421  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45421

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-05

Gentoo Linux Security Advisory 202211-8 - A vulnerability has been discovered in sudo which could result in denial of service. Versions less than 1.9.12-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: sudo: Heap-Based Buffer Overread  
     Date: November 22, 2022  
     Bugs: #879209  
       ID: 202211-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in sudo which could result in denial  
of service.

Background  
=========  
sudo allows a system administrator to give users the ability to run  
commands as other users.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-admin/sudo             < 1.9.12-r1              >= 1.9.12-r1

Description  
==========  
In certain password input handling, sudo incorrectly assumes the  
password input is at least nine bytes in size, leading to a heap buffer  
overread.

Impact  
=====  
In the worst case, the heap buffer overread can result in the denial of  
service of the sudo process.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All sudo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12-r1"

References  
=========  
[ 1 ] CVE-2022-43995  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43995

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-08

Gentoo Linux Security Advisory 202211-11 - Multiple vulnerabilities have been found in GPL Ghostscript, the worst of which could result in arbitrary code execution. Versions less than 9.56.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GPL Ghostscript: Multiple Vulnerabilities  
     Date: November 22, 2022  
     Bugs: #852944, #812509  
       ID: 202211-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in GPL Ghostscript, the worst  
of which could result in arbitrary code execution.

Background  
=========  
Ghostscript is an interpreter for the PostScript language and for PDF.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-text/ghostscript-gpl   < 9.56.1                    >= 9.56.1

Description  
==========  
Multiple vulnerabilities have been discovered in GPL Ghostscript. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All GPL Ghostscript users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-9.56.1"

References  
=========  
[ 1 ] CVE-2021-3781  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3781  
[ 2 ] CVE-2022-2085  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2085

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-11

Gentoo Linux Security Advisory 202211-9 - A vulnerability has been found in xterm which could allow for arbitrary code execution. Versions less than 375 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: xterm: Arbitrary Code Execution  
     Date: November 22, 2022  
     Bugs: #880747  
       ID: 202211-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in xterm which could allow for arbitrary  
code execution.

Background  
=========  
xterm is a terminal emulator for the X Window system.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  x11-terms/xterm            < 375                          >= 375

Description  
==========  
xterm does not correctly handle control characters related to OSC 50  
font ops sequence handling.

Impact  
=====  
The vulnerability allows text written to the terminal to write text to  
the terminal's command line. If the terminal's shell is zsh running with  
vi line editing mode, text written to the terminal can also trigger the  
execution of arbitrary commands via writing ^G to the terminal.

Workaround  
=========  
As a workaround, users can disable xterm's usage of OSC 50 sequences by  
adding the following to the XResources configuration:

XTerm*allowFontOps: false

Resolution  
=========  
All xterm users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-terms/xterm-375"

References  
=========  
[ 1 ] CVE-2022-45063  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45063

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-09

Gentoo Linux Security Advisory 202211-10 - Multiple vulnerabilities have been found in Pillow, the worst of which could result in arbitrary code execution. Versions less than 9.3.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Pillow: Multiple Vulnerabilities  
     Date: November 22, 2022  
     Bugs: #855683, #878769, #832598, #830934, #811450, #802090  
       ID: 202211-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in Pillow, the worst of which  
could result in arbitrary code execution.

Background  
=========  
The friendly PIL fork.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-python/pillow          < 9.3.0                      >= 9.3.0

Description  
==========  
Multiple vulnerabilities have been discovered in Pillow. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Pillow users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-python/pillow-9.3.0"

References  
=========  
[ 1 ] CVE-2021-23437  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23437  
[ 2 ] CVE-2021-34552  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34552  
[ 3 ] CVE-2022-22815  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22815  
[ 4 ] CVE-2022-22816  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22816  
[ 5 ] CVE-2022-22817  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22817  
[ 6 ] CVE-2022-24303  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24303  
[ 7 ] CVE-2022-45198  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45198  
[ 8 ] CVE-2022-45199  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45199

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-10

Red Hat Security Advisory 2022-8559-01 - The hsqldb packages provide a relational database management system written in Java. The Hyper Structured Query Language Database contains a JDBC driver to support a subset of ANSI-92 SQL.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: hsqldb security update  
Advisory ID:       RHSA-2022:8559-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8559  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-41853  
====================================================================  
1. Summary:

An update for hsqldb is now available for Red Hat Enterprise Linux 6  
Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6 ELS) - noarch  
Red Hat Enterprise Linux Server Optional (v. 6 ELS) - noarch

3. Description:

The hsqldb packages provide a relational database management system written  
in Java. The Hyper Structured Query Language Database (HSQLDB) contains a  
JDBC driver to support a subset of ANSI-92 SQL.

Security Fix(es):

* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack

6. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:  
hsqldb-1.8.0.10-13.el6_10.src.rpm

noarch:  
hsqldb-1.8.0.10-13.el6_10.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 6 ELS):

Source:  
hsqldb-1.8.0.10-13.el6_10.src.rpm

noarch:  
hsqldb-1.8.0.10-13.el6_10.noarch.rpm  
hsqldb-demo-1.8.0.10-13.el6_10.noarch.rpm  
hsqldb-javadoc-1.8.0.10-13.el6_10.noarch.rpm  
hsqldb-manual-1.8.0.10-13.el6_10.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41853  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJvtzjgjWX9erEAQjU1w/+PsYWR9Dx+uh+4feHX3PKCpDXDOxnNo9O  
K0UlAzR6/wsyH2ITI+sgcHIgVaEZH2eW7KegS+bxVC4LGW37cnF3bk1LOaHccBXt  
zd9O/Y+P63+pDLgqgHF3hoYWr20tm+fjnIy35LprMiui2P61dq21zgjEaEZJgybJ  
h4IaKCLFsEDwRc12/NNnCP27vnN8ScehBTs5dDfWEeeE6KgQ446KiPNTq2jTGIYg  
z+BOD8o52EzACRqsu7pCW7wVGMACYsteL8wBEsNACF1H3yfmIB9lzil0tNOsQYrj  
V/XhmeSjCbU+PUQxmYYt8lYfs1w7/uyz2xtb34Yy3AmaVZt8iR30PdJZ8D7j0H2c  
mDzspmf0/n1jaRjgUTadVFMY2OjSRefhEbOVXFNsMf2y/qOfgPqoSIZNJf8tRDl4  
PFGGiBK+K3Ud6IlvGtdmoEP8I2dSXD4eVHG/nlnsqgxP0KPkLT9lD0ZcyUPTXAdV  
1MFy6Od+V2p++sEgueCJ8kS9Sx7KUEezNWLZeHDLCrc7Pr68vZuw7zj0adY0gbVr  
/nAYVf6iq23nvoVRMbc+SjdyyMXQ4hrNdWA39l6dSPHzu+V27g7slZwqIYwSDilf  
6Psmzn/pZRLDUCVwMVuGyKlNdFOaltao5rRvB+nGeXtuN/OHNvWBDW6zpMUtY9ZP  
jnoZbLy6lIw=VjuI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8559-01

After months of meticulous planning, investigators finally move in to catch AlphaBay’s mastermind red-handed. Then the case takes a tragic turn.

Tag

#mac