You are here
Home > Preporuke > Sigurnosni nedostaci većeg broja programskih paketa

Sigurnosni nedostaci većeg broja programskih paketa

by ncert - 0

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Gentoo Linux Security Advisory GLSA 201412-08
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
http://security.gentoo.org/
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Severity: High
Title: Multiple packages, Multiple vulnerabilities fixed in 2010
Date: December 11, 2014
Bugs: #159556, #208464, #253822, #259968, #298067, #300375,
#300943, #302478, #307525, #307633, #315235, #316697,
#319719, #320961, #322457, #325507, #326759, #326953,
#329125, #329939, #331421, #332527, #333661
ID: 201412-08

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2011. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.

Affected packages
=================

——————————————————————-
Package / Vulnerable / Unaffected
——————————————————————-
1 dev-util/insight < 6.7.1-r1 >= 6.7.1-r1
2 dev-perl/perl-tk < 804.028-r2 >= 804.028-r2
3 dev-util/sourcenav < 5.1.4 >= 5.1.4
4 dev-lang/tk < 8.4.18-r1 >= 8.4.18-r1
5 sys-block/partimage < 0.6.8 >= 0.6.8
6 app-antivirus/bitdefender-console
<= 7.1 Vulnerable!
7 net-mail/mlmmj < 1.2.17.1 >= 1.2.17.1
8 sys-apps/acl < 2.2.49 >= 2.2.49
9 x11-apps/xinit < 1.2.0-r4 >= 1.2.0-r4
10 app-arch/gzip < 1.4 >= 1.4
11 app-arch/ncompress < 4.2.4.3 >= 4.2.4.3
12 dev-libs/liblzw < 0.2 >= 0.2
13 media-gfx/splashutils < 1.5.4.3-r3 >= 1.5.4.3-r3
14 sys-devel/m4 < 1.4.14-r1 >= 1.4.14-r1
15 kde-base/kdm < 4.3.5-r1 >= 4.3.5-r1
16 x11-libs/gtk+ < 2.18.7 >= 2.18.7
17 kde-base/kget < 4.3.5-r1 >= 4.3.5-r1
18 app-text/dvipng < 1.13 >= 1.13
19 app-misc/beanstalkd < 1.4.6 >= 1.4.6
20 sys-apps/pmount < 0.9.23 >= 0.9.23
21 sys-auth/pam_krb5 < 4.3 >= 4.3
22 app-text/gv < 3.7.1 >= 3.7.1
23 net-ftp/lftp < 4.0.6 >= 4.0.6
24 www-client/uzbl < 2010.08.05 >= 2010.08.05
25 x11-misc/slim < 1.3.2 >= 1.3.2
26 net-misc/iputils < 20100418 >= 20100418
27 media-tv/dvbstreamer < 1.1-r1 >= 1.1-r1
——————————————————————-
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
——————————————————————-
27 affected packages

Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

* Insight
* Perl Tk Module
* Source-Navigator
* Tk
* Partimage
* Mlmmj
* acl
* Xinit
* gzip
* ncompress
* liblzw
* splashutils
* GNU M4
* KDE Display Manager
* GTK+
* KGet
* dvipng
* Beanstalk
* Policy Mount
* pam_krb5
* GNU gv
* LFTP
* Uzbl
* Slim
* Bitdefender Console
* iputils
* DVBStreamer

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All Insight users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-util/insight-6.7.1-r1”

All Perl Tk Module users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-perl/perl-tk-804.028-r2”

All Source-Navigator users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-util/sourcenav-5.1.4”

All Tk users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-lang/tk-8.4.18-r1”

All Partimage users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=sys-block/partimage-0.6.8”

All Mlmmj users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-mail/mlmmj-1.2.17.1”

All acl users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=sys-apps/acl-2.2.49”

All Xinit users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=x11-apps/xinit-1.2.0-r4”

All gzip users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=app-arch/gzip-1.4”

All ncompress users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=app-arch/ncompress-4.2.4.3”

All liblzw users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-libs/liblzw-0.2”

All splashutils users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot -v “>=media-gfx/splashutils-1.5.4.3-r3”

All GNU M4 users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=sys-devel/m4-1.4.14-r1”

All KDE Display Manager users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=kde-base/kdm-4.3.5-r1”

All GTK+ users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=x11-libs/gtk+-2.18.7”

All KGet 4.3 users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=kde-base/kget-4.3.5-r1”

All dvipng users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=app-text/dvipng-1.13”

All Beanstalk users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=app-misc/beanstalkd-1.4.6”

All Policy Mount users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=sys-apps/pmount-0.9.23”

All pam_krb5 users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=sys-auth/pam_krb5-4.3”

All GNU gv users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=app-text/gv-3.7.1”

All LFTP users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-ftp/lftp-4.0.6”

All Uzbl users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=www-client/uzbl-2010.08.05”

All Slim users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=x11-misc/slim-1.3.2”

All iputils users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-misc/iputils-20100418”

All DVBStreamer users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=media-tv/dvbstreamer-1.1-r1”

Gentoo has discontinued support for Bitdefender Console. We recommend
that users unmerge Bitdefender Console:

# emerge –unmerge “app-antivirus/bitdefender-console”

NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2011. It is likely that your system is
already no longer affected by these issues.

References
==========

[ 1 ] CVE-2006-3005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3005
[ 2 ] CVE-2007-2741
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2741
[ 3 ] CVE-2008-0553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0553
[ 4 ] CVE-2008-1382
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1382
[ 5 ] CVE-2008-5907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5907
[ 6 ] CVE-2008-6218
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6218
[ 7 ] CVE-2008-6661
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6661
[ 8 ] CVE-2009-0040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0040
[ 9 ] CVE-2009-0360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0360
[ 10 ] CVE-2009-0361
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0361
[ 11 ] CVE-2009-0946
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0946
[ 12 ] CVE-2009-2042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2042
[ 13 ] CVE-2009-2624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2624
[ 14 ] CVE-2009-3736
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3736
[ 15 ] CVE-2009-4029
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4029
[ 16 ] CVE-2009-4411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4411
[ 17 ] CVE-2009-4896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4896
[ 18 ] CVE-2010-0001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0001
[ 19 ] CVE-2010-0436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0436
[ 20 ] CVE-2010-0732
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0732
[ 21 ] CVE-2010-0829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0829
[ 22 ] CVE-2010-1000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1000
[ 23 ] CVE-2010-1205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1205
[ 24 ] CVE-2010-1511
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1511
[ 25 ] CVE-2010-2056
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2056
[ 26 ] CVE-2010-2060
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2060
[ 27 ] CVE-2010-2192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2192
[ 28 ] CVE-2010-2251
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2251
[ 29 ] CVE-2010-2529
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2529
[ 30 ] CVE-2010-2809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2809
[ 31 ] CVE-2010-2945
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2945

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2

iF4EAREIAAYFAlSKM5AACgkQAnl3SfnYR/gp9gD5AQqK9DfAGmOsjmBYSxHtWUAg
j/0K3kcVEdGMPc4vDvMA/RPUS3YA5SDuBbpPfz/vvxAq9wHP0a+PVvhFktuHWD/U
=lktI
—–END PGP SIGNATURE—–

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Gentoo Linux Security Advisory GLSA 201412-09
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
http://security.gentoo.org/
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Severity: High
Title: Multiple packages, Multiple vulnerabilities fixed in 2011
Date: December 11, 2014
Bugs: #194151, #294253, #294256, #334087, #344059, #346897,
#350598, #352608, #354209, #355207, #356893, #358611,
#358785, #358789, #360891, #361397, #362185, #366697,
#366699, #369069, #370839, #372971, #376793, #381169,
#386321, #386361
ID: 201412-09

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2012. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.

Affected packages
=================

——————————————————————-
Package / Vulnerable / Unaffected
——————————————————————-
1 games-sports/racer-bin >= 0.5.0-r1 Vulnerable!
2 media-libs/fmod < 4.38.00 >= 4.38.00
3 dev-php/PEAR-Mail < 1.2.0 >= 1.2.0
4 sys-fs/lvm2 < 2.02.72 >= 2.02.72
5 app-office/gnucash < 2.4.4 >= 2.4.4
6 media-libs/xine-lib < 1.1.19 >= 1.1.19
7 media-sound/lastfmplayer
< 1.5.4.26862-r3 >= 1.5.4.26862-r3
8 net-libs/webkit-gtk < 1.2.7 >= 1.2.7
9 sys-apps/shadow < 4.1.4.3 >= 4.1.4.3
10 dev-php/PEAR-PEAR < 1.9.2-r1 >= 1.9.2-r1
11 dev-db/unixODBC < 2.3.0-r1 >= 2.3.0-r1
12 sys-cluster/resource-agents
< 1.0.4-r1 >= 1.0.4-r1
13 net-misc/mrouted < 3.9.5 >= 3.9.5
14 net-misc/rsync < 3.0.8 >= 3.0.8
15 dev-libs/xmlsec < 1.2.17 >= 1.2.17
16 x11-apps/xrdb < 1.0.9 >= 1.0.9
17 net-misc/vino < 2.32.2 >= 2.32.2
18 dev-util/oprofile < 0.9.6-r1 >= 0.9.6-r1
19 app-admin/syslog-ng < 3.2.4 >= 3.2.4
20 net-analyzer/sflowtool < 3.20 >= 3.20
21 gnome-base/gdm < 3.8.4-r3 >= 3.8.4-r3
22 net-libs/libsoup < 2.34.3 >= 2.34.3
23 app-misc/ca-certificates
< 20110502-r1 >= 20110502-r1
24 dev-vcs/gitolite < 1.5.9.1 >= 1.5.9.1
25 dev-util/qt-creator < 2.1.0 >= 2.1.0
——————————————————————-
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
——————————————————————-
25 affected packages

Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

* FMOD Studio
* PEAR Mail
* LVM2
* GnuCash
* xine-lib
* Last.fm Scrobbler
* WebKitGTK+
* shadow tool suite
* PEAR
* unixODBC
* Resource Agents
* mrouted
* rsync
* XML Security Library
* xrdb
* Vino
* OProfile
* syslog-ng
* sFlow Toolkit
* GNOME Display Manager
* libsoup
* CA Certificates
* Gitolite
* QtCreator
* Racer

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All FMOD Studio users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=media-libs/fmod-4.38.00”

All PEAR Mail users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-php/PEAR-Mail-1.2.0”

All LVM2 users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=sys-fs/lvm2-2.02.72”

All GnuCash users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=app-office/gnucash-2.4.4”

All xine-lib users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=media-libs/xine-lib-1.1.19”

All Last.fm Scrobbler users should upgrade to the latest version:

# emerge –sync
# emerge -a –oneshot -v “>=media-sound/lastfmplayer-1.5.4.26862-r3”

All WebKitGTK+ users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-libs/webkit-gtk-1.2.7”

All shadow tool suite users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=sys-apps/shadow-4.1.4.3”

All PEAR users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-php/PEAR-PEAR-1.9.2-r1”

All unixODBC users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-db/unixODBC-2.3.0-r1”

All Resource Agents users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot -v “>=sys-cluster/resource-agents-1.0.4-r1”

All mrouted users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-misc/mrouted-3.9.5”

All rsync users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-misc/rsync-3.0.8”

All XML Security Library users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-libs/xmlsec-1.2.17”

All xrdb users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=x11-apps/xrdb-1.0.9”

All Vino users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-misc/vino-2.32.2”

All OProfile users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-util/oprofile-0.9.6-r1”

All syslog-ng users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=app-admin/syslog-ng-3.2.4”

All sFlow Toolkit users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-analyzer/sflowtool-3.20”

All GNOME Display Manager users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=gnome-base/gdm-3.8.4-r3”

All libsoup users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-libs/libsoup-2.34.3”

All CA Certificates users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot -v “>=app-misc/ca-certificates-20110502-r1”

All Gitolite users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-vcs/gitolite-1.5.9.1”

All QtCreator users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-util/qt-creator-2.1.0”

Gentoo has discontinued support for Racer. We recommend that users
unmerge Racer:

# emerge –unmerge “games-sports/racer-bin”

NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2012. It is likely that your system is
already no longer affected by these issues.

References
==========

[ 1 ] CVE-2007-4370
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4370
[ 2 ] CVE-2009-4023
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023
[ 3 ] CVE-2009-4111
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111
[ 4 ] CVE-2010-0778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0778
[ 5 ] CVE-2010-1780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1780
[ 6 ] CVE-2010-1782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1782
[ 7 ] CVE-2010-1783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1783
[ 8 ] CVE-2010-1784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1784
[ 9 ] CVE-2010-1785
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1785
[ 10 ] CVE-2010-1786
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1786
[ 11 ] CVE-2010-1787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1787
[ 12 ] CVE-2010-1788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1788
[ 13 ] CVE-2010-1790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1790
[ 14 ] CVE-2010-1791
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1791
[ 15 ] CVE-2010-1792
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1792
[ 16 ] CVE-2010-1793
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1793
[ 17 ] CVE-2010-1807
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1807
[ 18 ] CVE-2010-1812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1812
[ 19 ] CVE-2010-1814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1814
[ 20 ] CVE-2010-1815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1815
[ 21 ] CVE-2010-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526
[ 22 ] CVE-2010-2901
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2901
[ 23 ] CVE-2010-3255
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3255
[ 24 ] CVE-2010-3257
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3257
[ 25 ] CVE-2010-3259
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3259
[ 26 ] CVE-2010-3362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3362
[ 27 ] CVE-2010-3374
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3374
[ 28 ] CVE-2010-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389
[ 29 ] CVE-2010-3812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3812
[ 30 ] CVE-2010-3813
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3813
[ 31 ] CVE-2010-3999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999
[ 32 ] CVE-2010-4042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4042
[ 33 ] CVE-2010-4197
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4197
[ 34 ] CVE-2010-4198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4198
[ 35 ] CVE-2010-4204
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4204
[ 36 ] CVE-2010-4206
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4206
[ 37 ] CVE-2010-4492
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4492
[ 38 ] CVE-2010-4493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4493
[ 39 ] CVE-2010-4577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4577
[ 40 ] CVE-2010-4578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4578
[ 41 ] CVE-2011-0007
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0007
[ 42 ] CVE-2011-0465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465
[ 43 ] CVE-2011-0482
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0482
[ 44 ] CVE-2011-0721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721
[ 45 ] CVE-2011-0727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0727
[ 46 ] CVE-2011-0904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0904
[ 47 ] CVE-2011-0905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0905
[ 48 ] CVE-2011-1072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072
[ 49 ] CVE-2011-1097
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1097
[ 50 ] CVE-2011-1144
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144
[ 51 ] CVE-2011-1425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425
[ 52 ] CVE-2011-1572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1572
[ 53 ] CVE-2011-1760
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760
[ 54 ] CVE-2011-1951
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951
[ 55 ] CVE-2011-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2471
[ 56 ] CVE-2011-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2472
[ 57 ] CVE-2011-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2473
[ 58 ] CVE-2011-2524
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524
[ 59 ] CVE-2011-3365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365
[ 60 ] CVE-2011-3366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366
[ 61 ] CVE-2011-3367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2

iF4EAREIAAYFAlSKNBIACgkQAnl3SfnYR/jRbAD/b4WlsHDTwQ++H0IC8pp/of+u
rzVKSTKrEgCrfray8zUA/0nGbBl/Phs6ATp36yhxqJPVHkCPcMDn6qkcxJ3ODAfz
=yhKC
—–END PGP SIGNATURE—–

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Gentoo Linux Security Advisory GLSA 201412-10
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
http://security.gentoo.org/
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Severity: High
Title: Multiple packages, Multiple vulnerabilities fixed in 2012
Date: December 11, 2014
Bugs: #284536, #300903, #334475, #358787, #371320, #372905,
#399427, #401645, #427802, #428776
ID: 201412-10

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2013. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.

Affected packages
=================

——————————————————————-
Package / Vulnerable / Unaffected
——————————————————————-
1 www-apps/egroupware < 1.8.004.20120613 >= 1.8.004.20120613
2 x11-libs/vte < 0.32.2 >= 0.32.2
*>= 0.28.2-r204
*>= 0.28.2-r206
3 net-analyzer/lft < 3.33 >= 3.33
4 dev-php/suhosin < 0.9.33 >= 0.9.33
5 x11-misc/slock < 1.0 >= 1.0
6 sys-cluster/ganglia < 3.3.7 >= 3.3.7
7 net-im/gg-transport < 2.2.4 >= 2.2.4
——————————————————————-
7 affected packages

Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

* EGroupware
* VTE
* Layer Four Traceroute (LFT)
* Suhosin
* Slock
* Ganglia
* Jabber to GaduGadu Gateway

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All EGroupware users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot -v “>=www-apps/egroupware-1.8.004.20120613”

All VTE 0.32 users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=x11-libs/vte-0.32.2”

All VTE 0.28 users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=x11-libs/vte-0.28.2-r204”

All Layer Four Traceroute users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-analyzer/lft-3.33”

All Suhosin users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-php/suhosin-0.9.33”

All Slock users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=x11-misc/slock-1.0”

All Ganglia users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=sys-cluster/ganglia-3.3.7”

All Jabber to GaduGadu Gateway users should upgrade to the latest
version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-im/gg-transport-2.2.4”

NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2013. It is likely that your system is
already no longer affected by these issues.

References
==========

[ 1 ] CVE-2008-4776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4776
[ 2 ] CVE-2010-2713
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2713
[ 3 ] CVE-2010-3313
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3313
[ 4 ] CVE-2010-3314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3314
[ 5 ] CVE-2011-0765
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0765
[ 6 ] CVE-2011-2198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2198
[ 7 ] CVE-2012-0807
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0807
[ 8 ] CVE-2012-0808
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0808
[ 9 ] CVE-2012-1620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1620
[ 10 ] CVE-2012-2738
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2738
[ 11 ] CVE-2012-3448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3448

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2

iF4EAREIAAYFAlSKNH4ACgkQAnl3SfnYR/jzXQEAiM2gz/Lm5D0jdLP0c7Cmx645
qZtQYmSAeQMJX1XNW8sBAIaABvDPJOQTSO3SdsTZsbErmyxIgebVLW/dkWr++YyF
=N3YW
—–END PGP SIGNATURE—–

ncert
Top
More in Preporuke
Sigurnosni nedostaci programskog paketa mariadb

Otkriveni su sigurnosni nedostaci u programskom paketu mariadb za operacijski sustav Fedora. Otkriveni nedostaci potencijalnim napadačima omogućuju utjecaj na tajnost,...

Close