Gentoo Linux Security Advisory 202405-16 - A vulnerability has been discovered in Apache Commons BCEL, which can lead to remote code execution. Versions greater than or equal to 6.6.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Apache Commons BCEL: Remote Code Execution  
     Date: May 05, 2024  
     Bugs: #880447  
       ID: 202405-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Apache Commons BCEL, which can  
lead to remote code execution.

Background  
=========  
The Byte Code Engineering Library (Apache Commons BCEL™) is intended to  
give users a convenient way to analyze, create, and manipulate (binary)  
Java class files (those ending with .class).

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-java/bcel  < 6.6.0       >= 6.6.0

Description  
==========  
A vulnerability has been discovered in U-Boot tools. Please review the  
CVE identifier referenced below for details.

Impact  
=====  
Please review the referenced CVE identifier for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Apache Commons BCEL users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-java/bcel-6.6.0"

References  
=========  
[ 1 ] CVE-2022-34169  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34169  
[ 2 ] CVE-2022-42920  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42920

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-16

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-16

Gentoo Linux Security Advisory 202405-15 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to remote code execution. Versions greater than or equal to 115.8.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #925122  
       ID: 202405-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which can lead to remote code execution.

Background  
=========  
Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
================  
Package                 Vulnerable     Unaffected  
----------------------  -------------  --------------  
www-client/firefox      < 115.8.0:esr  >= 115.8.0:esr  
                                       >= 123.0:rapid  
                        < 123.0        >= 123.0  
www-client/firefox-bin  < 115.8.0:esr  >= 115.8.0:esr  
                                       >= 123.0:rapid  
                        < 123.0        >= 123.0

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Firefox rapid release users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-123.0"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-123.0"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.8.0:esr"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.8.0:esr"

References  
=========  
[ 1 ] CVE-2024-1546  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1546  
[ 2 ] CVE-2024-1547  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1547  
[ 3 ] CVE-2024-1548  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1548  
[ 4 ] CVE-2024-1549  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1549  
[ 5 ] CVE-2024-1550  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1550  
[ 6 ] CVE-2024-1551  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1551  
[ 7 ] CVE-2024-1552  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1552  
[ 8 ] CVE-2024-1553  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1553  
[ 9 ] CVE-2024-1554  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1554  
[ 10 ] CVE-2024-1555  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1555  
[ 11 ] CVE-2024-1556  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1556  
[ 12 ] CVE-2024-1557  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1557

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-15

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-15

Gentoo Linux Security Advisory 202405-14 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.13_p20240322 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: QtWebEngine: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #927746  
       ID: 202405-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in QtWebEngine, the worst  
of which could lead to remote code execution.

Background  
=========  
QtWebEngine is a library for rendering dynamic web content in Qt5 and  
Qt6 C++ and QML applications.

Affected packages  
================  
Package             Vulnerable           Unaffected  
------------------  -------------------  --------------------  
dev-qt/qtwebengine  < 5.15.13_p20240322  >= 5.15.13_p20240322

Description  
==========  
Multiple vulnerabilities have been discovered in QtWebEngine. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QtWebEngine users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.13_p20240322"

References  
=========  
[ 1 ] CVE-2024-0804  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0804  
[ 2 ] CVE-2024-0805  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0805  
[ 3 ] CVE-2024-0806  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0806  
[ 4 ] CVE-2024-0807  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0807  
[ 5 ] CVE-2024-0808  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0808  
[ 6 ] CVE-2024-0809  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0809  
[ 7 ] CVE-2024-0810  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0810  
[ 8 ] CVE-2024-0811  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0811  
[ 9 ] CVE-2024-0812  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0812  
[ 10 ] CVE-2024-0813  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0813  
[ 11 ] CVE-2024-0814  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0814  
[ 12 ] CVE-2024-1059  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1059  
[ 13 ] CVE-2024-1060  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1060  
[ 14 ] CVE-2024-1077  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1077  
[ 15 ] CVE-2024-1283  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1283  
[ 16 ] CVE-2024-1284  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1284

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-14

Gentoo Linux Security Advisory 202405-13 - A vulnerability has been discovered in borgmatic, which can lead to shell injection. Versions greater than or equal to 1.8.8 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: borgmatic: Shell Injection  
     Date: May 05, 2024  
     Bugs: #924892  
       ID: 202405-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in borgmatic, which can lead to  
shell injection.

Background  
=========  
borgmatic is simple, configuration-driven backup software for servers  
and workstations.

Affected packages  
================  
Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
app-backup/borgmatic  < 1.8.8       >= 1.8.8

Description  
==========  
Prevent shell injection attacks within the PostgreSQL hook, the MongoDB  
hook, the SQLite hook, the "borgmatic borg" action, and command hook  
variable/constant interpolation.

Impact  
=====  
Shell injection may be used in several borgmatic backends to execute  
arbitrary code.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All borgmatic users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-backup/borgmatic-1.8.8"

References  
=========

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-13

Gentoo Linux Security Advisory 202405-12 - Multiple vulnerabilities have been discovered in Pillow, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 10.2.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Pillow: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #889594, #903664, #916907, #922577  
       ID: 202405-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Pillow, the worst of  
which can lead to arbitrary code execution.

Background  
=========  
The friendly PIL fork.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
dev-python/pillow  < 10.2.0      >= 10.2.0

Description  
==========  
Multiple vulnerabilities have been discovered in Pillow. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Pillow users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-python/pillow-10.2.0"

References  
=========  
[ 1 ] CVE-2023-44271  
      https://nvd.nist.gov/vuln/detail/CVE-2023-44271  
[ 2 ] CVE-2023-50447  
      https://nvd.nist.gov/vuln/detail/CVE-2023-50447

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-12

Gentoo Linux Security Advisory 202405-11 - Multiple vulnerabilities have been discovered in MIT krb5, the worst of which could lead to remote code execution. Versions greater than or equal to 1.21.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: MIT krb5: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #803434, #809845, #879875, #917464  
       ID: 202405-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in MIT krb5, the worst of  
which could lead to remote code execution.

Background  
=========  
MIT krb5 is the free implementation of the Kerberos network  
authentication protocol by the Massachusetts Institute of Technology.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
app-crypt/mit-krb5  < 1.21.2      >= 1.21.2

Description  
==========  
Multiple vulnerabilities have been discovered in MIT krb5. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All MIT krb5 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.21.2"

References  
=========  
[ 1 ] CVE-2021-36222  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36222  
[ 2 ] CVE-2021-37750  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37750  
[ 3 ] CVE-2022-42898  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42898  
[ 4 ] CVE-2023-36054  
      https://nvd.nist.gov/vuln/detail/CVE-2023-36054  
[ 5 ] CVE-2023-39975  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39975

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-11

Gentoo Linux Security Advisory 202405-10 - A vulnerability has been discovered in Setuptools, which can lead to denial of service. Versions greater than or equal to 65.5.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Setuptools: Denial of Service  
     Date: May 05, 2024  
     Bugs: #879813  
       ID: 202405-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Setuptools, which can lead to  
denial of service.

Background  
=========  
Setuptools is a manager for Python packages.

Affected packages  
================  
Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
dev-python/setuptools  < 65.5.1      >= 65.5.1

Description  
==========  
A vulnerability has been discovered in Setuptools. See the impact field.

Impact  
=====  
An inefficiency in a regular expression may end in a denial of service  
if an user is fetching malicious HTML from a package in PyPI or a custom  
PackageIndex page.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Setuptools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-python/setuptools-65.5.1"

References  
=========  
[ 1 ] CVE-2022-40897  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40897

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-10

Gentoo Linux Security Advisory 202405-9 - Multiple vulnerabilities have been found in MediaInfo and MediaInfoLib, the worst of which could allow user-assisted remote code execution. Versions greater than or equal to 23.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: MediaInfo, MediaInfoLib: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #778992, #836564, #875374, #917612  
       ID: 202405-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in MediaInfo and MediaInfoLib,  
the worst of which could allow user-assisted remote code execution.

Background  
=========  
MediaInfo supplies technical and tag information about media files.  
MediaInfoLib contains MediaInfo libraries.

Affected packages  
================  
Package                  Vulnerable    Unaffected  
-----------------------  ------------  ------------  
media-libs/libmediainfo  < 23.10       >= 23.10  
media-video/mediainfo    < 23.10       >= 23.10

Description  
==========  
Multiple vulnerabilities have been discovered in MediaInfo and  
MediaInfoLib. Please review the CVE identifiers referenced below for  
details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All MediaInfo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-video/mediainfo-23.10"

All MediaInfolib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libmediainfo-23.10"

References  
=========

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-09

Gentoo Linux Security Advisory 202405-8 - Multiple vulnerabilities have been discovered in strongSwan, the worst of which could possibly lead to remote code execution. Versions greater than or equal to 5.9.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: strongSwan: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #818841, #832460, #878887, #899964  
       ID: 202405-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in strongSwan, the worst  
of which could possibly lead to remote code execution.

Background  
=========  
strongSwan is an IPSec implementation for Linux.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
net-vpn/strongswan  < 5.9.10      >= 5.9.10

Description  
==========  
Multiple vulnerabilities have been discovered in strongSwan. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All strongSwan users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-vpn/strongswan-5.9.10"

References  
=========  
[ 1 ] CVE-2021-41991  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41991  
[ 2 ] CVE-2021-45079  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45079  
[ 3 ] CVE-2022-40617  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40617  
[ 4 ] CVE-2023-26463  
      https://nvd.nist.gov/vuln/detail/CVE-2023-26463

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-08

Gentoo Linux Security Advisory 202405-7 - Multiple vulnerabilities have been discovered in HTMLDOC, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 1.9.16 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: HTMLDOC: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #780489  
       ID: 202405-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in HTMLDOC, the worst of  
which can lead to arbitrary code execution.

Background  
=========  
HTMLDOC is a HTML indexer and HTML to PS and PDF converter.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
app-text/htmldoc  < 1.9.16      >= 1.9.16

Description  
==========  
Multiple vulnerabilities have been discovered in HTMLDOC. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All HTMLDOC users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/htmldoc-1.9.16"

References  
=========  
[ 1 ] CVE-2021-20308  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20308  
[ 2 ] CVE-2021-23158  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23158  
[ 3 ] CVE-2021-23165  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23165  
[ 4 ] CVE-2021-23180  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23180  
[ 5 ] CVE-2021-23191  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23191  
[ 6 ] CVE-2021-23206  
      https://nvd.nist.gov/vuln/detail/CVE-2021-23206  
[ 7 ] CVE-2021-26252  
      https://nvd.nist.gov/vuln/detail/CVE-2021-26252  
[ 8 ] CVE-2021-26259  
      https://nvd.nist.gov/vuln/detail/CVE-2021-26259  
[ 9 ] CVE-2021-26948  
      https://nvd.nist.gov/vuln/detail/CVE-2021-26948  
[ 10 ] CVE-2021-33235  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33235  
[ 11 ] CVE-2021-33236  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33236  
[ 12 ] CVE-2021-40985  
      https://nvd.nist.gov/vuln/detail/CVE-2021-40985  
[ 13 ] CVE-2021-43579  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43579  
[ 14 ] CVE-2022-0137  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0137  
[ 15 ] CVE-2022-0534  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0534  
[ 16 ] CVE-2022-24191  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24191  
[ 17 ] CVE-2022-27114  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27114  
[ 18 ] CVE-2022-28085  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28085  
[ 19 ] CVE-2022-34033  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34033  
[ 20 ] CVE-2022-34035  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34035

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#web