FitStack offers a SaaS-based platform — supporting both cloud native and on-prem environments — to take risk and vulnerability out of application development.

**MADISON, Wis., Nov. 1, 2022 /PRNewswire/ —** Today Varsity Venture Studio – a collaborative venture studio between the University of Wisconsin-Madison, the Wisconsin Alumni Research Foundation (WARF) and venture builder High Alpha Innovation – announced the public launch of FitStack (www.fitstack.dev), a proactive risk management solution for application development teams to address the ongoing challenges in managing software supply chain security.

To address these issues, co-founders Roger Cummings (CEO) and Dr. Mohannad Alhanahnah, Ph.D. (CTO) are positioning FitStack to streamline the overall DevSecOps process. Unlike passive tools that merely identify code and container vulnerability and configuration issues, the FitStack platform proactively addresses them, shows developers the changes that have been made, and ensures that modified applications will execute at runtime.

"In today's environment, it's essential for development teams to gain control, limit exposure, and reduce overall risk," explains Cummings. "FitStack is proactively driving security best practices into the earliest stages of the application development lifecycle. We are building FitStack to make sure our solution can fit into everyone's CICD pipeline in the most efficient manner. By reducing application attack surfaces, exposing application vulnerabilities, and generating compliance reports, we are protecting organizations from malicious events and delivering the insight they need to run their business."  

Cummings and Alhanahnah bring decades of leadership experience in the data, cloud, networking, and infrastructure computing industries. Cummings is a serial entrepreneur who has led five early-stage companies to successful acquisitions, assisted in raising over $1B in funding while scaling organizations worldwide. He previously served as CEO of Evidence IQ, an evidence-based data intelligence company. Alhanahnah has extensive experience in software security research with a focus on leveraging static analysis, dynamic analysis, and formal methods for securing application and machine learning. He recently completed post-doctoral research in the lab of Dr. Somesh Jha, a professor in the Department of Computer Sciences at UW-Madison and a co-founding advisor to FitStack. They have co-authored several papers on improving application safety, security and privacy.

WARF not only helped launch the company as a partner in Varsity Venture Studio, but also licensed the technology to FitStack. Greg Keenan, Senior Director of WARF Ventures, notes, "Helping campus innovators like Drs. Jha and Alhanahnah bring their patented technology to market delivers on our mission to support the commercialization of UW-Madison research for both commercial and societal impact. We are really excited about the market opportunity the company is addressing and look forward to seeing what the FitStack team accomplishes from here."

"Development teams who aren't addressing risk management are already behind the curve, but they can't do it alone," concludes Elliott Parker, CEO of High Alpha Innovation. "Roger and Mohannad's solution to such a pressing problem is the perfect fit for building a startup via Varsity Venture Studio."

**About Varsity Venture Studio**

Varsity Venture Studio, a University of Wisconsin-Madison-wide venture studio, turns ideas into funded software businesses. Varsity Venture Studio is a collaboration between the University of Wisconsin-Madison, Wisconsin Alumni Research Foundation (WARF) and venture builder High Alpha Innovation, and is the first university venture studio of its kind. Learn more about Varsity Venture Studio at varsityventurestudio.com, High Alpha Innovation at highalphainno.com, and about WARF at warf.org.

FitStack, a New Solution For Code and Container Risk Management, Launches With Support From Varsity Venture Studio

Gentoo Linux Security Advisory 202210-42 - A buffer overflow in zlib might allow an attacker to cause remote code execution. Versions less than 1.2.12-r3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-42  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: zlib: Multiple vulnerabilities  
     Date: October 31, 2022  
     Bugs: #863851, #835958  
       ID: 202210-42

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A buffer overflow in zlib might allow an attacker to cause remote code  
execution.

Background  
==========

zlib is a widely used free and patent unencumbered data compression  
library.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  sys-libs/zlib              < 1.2.12-r3              >= 1.2.12-r3

Description  
===========

Multiple vulnerabilities have been discovered in zlib. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Maliciously crafted input handled by zlib may result in remote code  
execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All zlib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.12-r3"

References  
==========

[ 1 ] CVE-2018-25032  
      https://nvd.nist.gov/vuln/detail/CVE-2018-25032  
[ 2 ] CVE-2022-37434  
      https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-42

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-42

Gentoo Linux Security Advisory 202210-41 - Multiple vulnerabilities have been found in android-tools, the worst of which could result in arbitrary code execution. Versions less than 33.0.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-41  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: android-tools: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #878281  
       ID: 202210-41

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in android-tools, the worst of  
which could result in arbitrary code execution.

Background  
==========

android-tools contains Android platform tools (adb, fastboot, and  
mkbootimg).

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-util/android-tools     < 33.0.3                    >= 33.0.3

Description  
===========

Multiple vulnerabilities have been discovered in android-tools. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All android-tools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-util/android-tools-33.0.3"

References  
==========

[ 1 ] CVE-2022-3168  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3168  
[ 2 ] CVE-2022-20128  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20128

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-41

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-41

Gentoo Linux Security Advisory 202210-40 - Multiple vulnerabilities have been found in SQLite, the worst of which could result in arbitrary code execution. Versions less than 3.39.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-40  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: SQLite: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #777990, #863431  
       ID: 202210-40

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in SQLite, the worst of which  
could result in arbitrary code execution.

Background  
==========

SQLite is a C library that implements an SQL database engine.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-db/sqlite              < 3.39.2                    >= 3.39.2

Description  
===========

Multiple vulnerabilities have been discovered in SQLite. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All SQLite users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.39.2"

References  
==========

[ 1 ] CVE-2021-20227  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20227  
[ 2 ] CVE-2022-35737  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35737

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-40

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-40

Gentoo Linux Security Advisory 202210-39 - Multiple vulnerabilities have been found in libxml2, the worst of which could result in arbitrary code execution. Versions less than 2.10.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-39  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libxml2: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #877149  
       ID: 202210-39

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in libxml2, the worst of which  
could result in arbitrary code execution.

Background  
==========

libxml2 is the XML C parser and toolkit developed for the GNOME project.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/libxml2           < 2.10.3                    >= 2.10.3

Description  
===========

Multiple vulnerabilities have been discovered in libxml2. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libxml2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.10.3"

References  
==========

[ 1 ] CVE-2022-40303  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40303  
[ 2 ] CVE-2022-40304  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40304

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-39

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-39

Gentoo Linux Security Advisory 202210-38 - A vulnerability has been found in Expat which could result in denial of service. Versions less than 2.5.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-38  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Expat: Denial of Service  
     Date: October 31, 2022  
     Bugs: #878271  
       ID: 202210-38

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Expat which could result in denial of  
service.

Background  
==========

Expat is a set of XML parsing libraries.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/expat             < 2.5.0                      >= 2.5.0

Description  
===========

In certain out-of-memory situations, Expat may free memory before it  
should, leading to a use-after-free.

Impact  
======

A use-after-free can result in denial of service.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Expat users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/expat-2.5.0"

References  
==========

[ 1 ] CVE-2022-43680  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43680

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-38

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-38

Gentoo Linux Security Advisory 202210-34 - Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions less than 102.4.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-34  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #877773  
       ID: 202210-34

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Mozilla Firefox, the worst  
of which could result in arbitrary code execution.

Background  
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-client/firefox         < 102.4.0:esr          >= 102.4.0:esr  
                                < 106.0:rapid          >= 106.0:rapid  
  2  www-client/firefox-bin     < 102.4.0:esr          >= 102.4.0:esr  
                                < 106.0:rapid          >= 106.0:rapid

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-102.4.0"

All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.4.0"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-106.0"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-106.0"

References  
==========

[ 1 ] CVE-2022-42927  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42927  
[ 2 ] CVE-2022-42928  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42928  
[ 3 ] CVE-2022-42929  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42929  
[ 4 ] CVE-2022-42930  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42930  
[ 5 ] CVE-2022-42931  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42931  
[ 6 ] CVE-2022-42932  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42932

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-34

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-34

Gentoo Linux Security Advisory 202210-35 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. Versions less than 102.4.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-35  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Thunderbird: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #873667, #878315  
       ID: 202210-35

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Mozilla Thunderbird, the  
worst of which could result in arbitrary code execution.

Background  
==========

Mozilla Thunderbird is a popular open-source email client from the  
Mozilla project.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  mail-client/thunderbird    < 102.4.0                  >= 102.4.0  
  2  mail-client/thunderbird-bin  < 102.4.0                >= 102.4.0

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.4.0"

All Mozilla Thunderbird binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.4.0"

References  
==========

[ 1 ] CVE-2022-39236  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39236  
[ 2 ] CVE-2022-39249  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39249  
[ 3 ] CVE-2022-39250  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39250  
[ 4 ] CVE-2022-39251  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39251  
[ 5 ] CVE-2022-42927  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42927  
[ 6 ] CVE-2022-42928  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42928  
[ 7 ] CVE-2022-42929  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42929  
[ 8 ] CVE-2022-42932  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42932

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-35

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-35

Gentoo Linux Security Advisory 202210-36 - A vulnerability has been found in libjxl which could result in denial of service. Versions less than 0.7.0_pre20220825 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-36  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: libjxl: Denial of Service  
     Date: October 31, 2022  
     Bugs: #856037  
       ID: 202210-36

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in libjxl which could result in denial of  
service.

Background  
=========  
libjxl is the JPEG XL image format reference implementation.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-libs/libjxl          < 0.7.0_pre20220825>= 0.7.0_pre20220825

Description  
==========  
libjxl contains an unecessary assertion in  
jxl::LowMemoryRenderPipeline::Init.

Impact  
=====  
An attacker can cause a denial of service of the libjxl process via a  
crafted input file.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libjxl-0.7.0_pre20220825"

References  
=========  
[ 1 ] CVE-2022-34000  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34000

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-36

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-36

Gentoo Linux Security Advisory 202210-37 - Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. Versions less than 2.12.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-37  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: PJSIP: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #803614, #829894, #875863  
       ID: 202210-37

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in PJSIP, the worst of which  
could result in arbitrary code execution.

Background  
=========  
PJSIP is a free and open source multimedia communication library written  
in C language implementing standard based protocols such as SIP, SDP,  
RTP, STUN, TURN, and ICE.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-libs/pjproject         < 2.12.1                    >= 2.12.1

Description  
==========  
Multiple vulnerabilities have been discovered in PJSIP. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All PJSIP users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/pjproject-2.12.1"

References  
=========  
[ 1 ] CVE-2021-32686  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32686  
[ 2 ] CVE-2021-37706  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37706  
[ 3 ] CVE-2021-41141  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41141  
[ 4 ] CVE-2021-43804  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43804  
[ 5 ] CVE-2021-43845  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43845  
[ 6 ] CVE-2022-21722  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21722  
[ 7 ] CVE-2022-21723  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21723  
[ 8 ] CVE-2022-23608  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23608  
[ 9 ] CVE-2022-24754  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24754  
[ 10 ] CVE-2022-24763  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24763  
[ 11 ] CVE-2022-24764  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24764  
[ 12 ] CVE-2022-24786  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24786  
[ 13 ] CVE-2022-24792  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24792  
[ 14 ] CVE-2022-24793  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24793  
[ 15 ] CVE-2022-31031  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31031  
[ 16 ] CVE-2022-39244  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39244  
[ 17 ] CVE-2022-39269  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39269

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-37

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac